Manalyze report for 1bc9cdc758c28ea95946fe51a016377d

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2016-Aug-09 19:44:19
Detected languages	English - United States
ProductName	mimikatz
ProductVersion	`2.1.0.0`
CompanyName	gentilkiwi (Benjamin DELPY)
FileDescription	mimikatz for Windows
FileVersion	`2.1.0.0`
InternalName	mimikatz
LegalCopyright	Copyright (c) 2007 - 2016 gentilkiwi (Benjamin DELPY)
OriginalFilename	mimikatz.exe
PrivateBuild	Build with love for POC only
SpecialBuild	kiwi flavor !

Plugin Output

Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: regedit.exe taskmgr.exe` `Miscellaneous malware strings: cmd.exe` `Contains code from Mimikatz.` `Contains strings from Mimikatz: BCryptCloseAlgorithmProvider BCryptDecrypt BCryptDestroyKey BCryptEncrypt BCryptGenerateSymmetricKey BCryptGetProperty BCryptOpenAlgorithmProvider BCryptSetProperty CredentialKeys Primary`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryW` `Functions which can be used for anti-debugging purposes: NtQueryInformationProcess NtQuerySystemInformation` `Code injection capabilities: CreateRemoteThread WriteProcessMemory VirtualAllocEx VirtualAlloc OpenProcess` `Code injection capabilities (mapping injection): CreateFileMappingA CreateRemoteThread CreateFileMappingW MapViewOfFile` `Can access the registry: RegQueryValueExW RegQueryInfoKeyW RegEnumValueW RegOpenKeyExW RegEnumKeyExW RegCloseKey RegSetValueExW` `Possibly launches other programs: CreateProcessWithLogonW CreateProcessAsUserW CreateProcessW` `Uses Windows's Native API: NtQueryInformationProcess NtQuerySystemInformation NtResumeProcess NtSuspendProcess NtTerminateProcess NtQuerySystemEnvironmentValueEx NtSetSystemEnvironmentValueEx NtEnumerateSystemEnvironmentValuesEx NtQueryObject` Uses Microsoft's cryptographic API: CryptSetHashParam CryptGetHashParam CryptExportKey CryptAcquireContextW CryptSetKeyParam CryptGetKeyParam CryptReleaseContext CryptDuplicateKey CryptAcquireContextA CryptGetProvParam CryptImportKey CryptEncrypt CryptCreateHash CryptGenKey CryptDestroyKey CryptDecrypt CryptDestroyHash CryptHashData CryptGenRandom CryptEnumProvidersW CryptEnumProviderTypesW CryptGetUserKey CryptUnprotectData CryptBinaryToStringW CryptStringToBinaryW CryptProtectData CryptAcquireCertificatePrivateKey `Can create temporary files: GetTempPathA GetTempPathW CreateFileA CreateFileW` `Memory manipulation functions often used by packers: VirtualProtect VirtualAllocEx VirtualProtectEx VirtualAlloc` `Functions related to the privilege level: OpenProcessToken DuplicateTokenEx CheckTokenMembership SamQueryInformationUser` `Interacts with services: DeleteService OpenSCManagerW OpenServiceW QueryServiceStatusEx ControlService CreateServiceW QueryServiceObjectSecurity` `Manipulates other processes: WriteProcessMemory ReadProcessMemory OpenProcess` `Deletes entries from the event log: ClearEventLogW` `Interacts with the certificate store: CertAddEncodedCertificateToStore CertOpenStore CertAddCertificateContextToStore`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`1bc9cdc758c28ea95946fe51a016377d`
SHA1	`57300caf6e1dd32f59eabca00628642651349d42`
SHA256	`9b3992e2e2bf01519a35c78cc6b911209e640a57789c8b3fca91a5560f6e5b28`
SHA3	`e4cd0a190f422a9537bc5d8fdb82da6c07530af1002e13d4c6212e041bb0264b`
SSDeep	`12288:tuTrKHvP4HopiqKw6BQcgzBGYxmPumfyswqvNBCPRlfpjw:UT+HvwHopwwWQcIQYxMvdPCPl`
Imports Hash	`64fbae6a74afc6f0a3723815f869a8cb`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xf8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`6`
TimeDateStamp	2016-Aug-09 19:44:19
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`10.0`
SizeOfCode	`0x79e00`
SizeOfInitializedData	`0x43400`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00000000000685B4 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x140000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.2`
ImageVersion	`0.0`
SubsystemVersion	`5.2`
Win32VersionValue	`0`
SizeOfImage	`0xc4000`
SizeOfHeaders	`0x400`
Checksum	`0xcc6d5`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`a11057624a1ab238a7aa0c244ed4560d`
SHA1	`ad4e23afdadee45ed86707a785d7ed711081ba2d`
SHA256	`886be33e525ebcc5d206f6fad9f0408ea93b19140e4d65c4bc900aeb5774bcaa`
SHA3	`0be80e2b11e2f4649b526ee5d7e491e6bd920fc7459e1bd09132918485da2f95`
VirtualSize	`0x79c56`
VirtualAddress	`0x1000`
SizeOfRawData	`0x79e00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.51427`

.rdata

MD5	`f8c7cccca39768bfcf59934a382239dd`
SHA1	`11de11a4b0f473bd631afc11d7db484471b4dff2`
SHA256	`e0098b9093f6dd49c86806b447f9a5c7d599b816eb922273f60ed24618be92cb`
SHA3	`4f82555f499da881b5a1c9c664150a9c63759b045a246acd19a8b36653c6f267`
VirtualSize	`0x338cc`
VirtualAddress	`0x7b000`
SizeOfRawData	`0x33a00`
PointerToRawData	`0x7a200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.29247`

.data

MD5	`8e141ea730a56b848fe4091248a6f6be`
SHA1	`402aaab83ce14b9d55d6aef7b01e35f82dea16bc`
SHA256	`83d9a6854c55128f354b597f785263f12c9a70b5d643d3d375716a39847f55bc`
SHA3	`5cd7e1710262d930c649287b5e5d499d311b5af0e6ff4d5ff7b5fee7c15a2a83`
VirtualSize	`0x8738`
VirtualAddress	`0xaf000`
SizeOfRawData	`0x5c00`
PointerToRawData	`0xadc00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`2.65366`

.pdata

MD5	`f38ebf3c1c7a943150f93526712fcdbc`
SHA1	`8ee099b29cbe36e04ed04d4ae5f169d98d8b646d`
SHA256	`b1e901c106400630f7863b14e95a2a6141298bb7499a53bffd93e27e21329e15`
SHA3	`d3c1fa748ed94cc1811902c4a91201ce9a74c59eff94685004e81d7770518c94`
VirtualSize	`0x4338`
VirtualAddress	`0xb8000`
SizeOfRawData	`0x4400`
PointerToRawData	`0xb3800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.76892`

.rsrc

MD5	`48f694ac9662efdb09d41e88d1b9dcbe`
SHA1	`2972716310f0bb2b4969fd682a8cb8d6e337c3d8`
SHA256	`5f61a240ac65460bf4bc50ebb50c8f33163d58983d017a16fe2e5700d85d8ed1`
SHA3	`ebf8ea8ad7f48e2efb47d22019ca643f1f3a284f5de12a99a8a87764a7f1e94f`
VirtualSize	`0x4298`
VirtualAddress	`0xbd000`
SizeOfRawData	`0x4400`
PointerToRawData	`0xb7c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.63569`

.reloc

MD5	`3f9360d9235e4e808f4b521a12c599c0`
SHA1	`26ef8a65dbb3a9026e90cedf19661439a7500207`
SHA256	`9e55ce3ab3c701963494223791a92d930e2c13a72d20f82cb816df3ebcaaeac8`
SHA3	`d689996738df50c1d35d28aa6f7b7c24276c934d2190cbd6ee4d5b91980fd927`
VirtualSize	`0x1558`
VirtualAddress	`0xc2000`
SizeOfRawData	`0x1600`
PointerToRawData	`0xbc000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.17626`

Imports

ADVAPI32.dll	`CryptSetHashParam` `CryptGetHashParam` `CryptExportKey` `CryptAcquireContextW` `CryptSetKeyParam` `CryptGetKeyParam` `CryptReleaseContext` `CryptDuplicateKey` `CryptAcquireContextA` `CryptGetProvParam` `CryptImportKey` `SystemFunction007` `CryptEncrypt` `CryptCreateHash` `CryptGenKey` `CryptDestroyKey` `CryptDecrypt` `CryptDestroyHash` `CryptHashData` `CopySid` `GetLengthSid` `LsaQueryInformationPolicy` `LsaOpenPolicy` `LsaClose` `CreateWellKnownSid` `CreateProcessWithLogonW` `CreateProcessAsUserW` `RegQueryValueExW` `RegQueryInfoKeyW` `RegEnumValueW` `RegOpenKeyExW` `RegEnumKeyExW` `RegCloseKey` `RegSetValueExW` `SystemFunction032` `CloseServiceHandle` `DeleteService` `OpenSCManagerW` `OpenServiceW` `StartServiceW` `QueryServiceStatusEx` `ControlService` `IsTextUnicode` `CryptGenRandom` `ConvertSidToStringSidW` `OpenProcessToken` `GetTokenInformation` `LookupAccountNameW` `LookupAccountSidW` `ConvertStringSidToSidW` `LsaFreeMemory` `CryptEnumProvidersW` `CryptEnumProviderTypesW` `SystemFunction006` `CryptGetUserKey` `OpenEventLogW` `GetNumberOfEventLogRecords` `ClearEventLogW` `CreateServiceW` `SetServiceObjectSecurity` `BuildSecurityDescriptorW` `QueryServiceObjectSecurity` `AllocateAndInitializeSid` `FreeSid` `GetSidSubAuthority` `SystemFunction001` `GetSidSubAuthorityCount` `SystemFunction005` `LsaQueryTrustedDomainInfoByName` `SystemFunction025` `LsaOpenSecret` `LsaQuerySecret` `SystemFunction013` `LsaRetrievePrivateData` `LsaEnumerateTrustedDomainsEx` `LookupPrivilegeValueW` `IsValidSid` `OpenThreadToken` `SetThreadToken` `DuplicateTokenEx` `CheckTokenMembership` `CredFree` `CredEnumerateW`
CRYPT32.dll	`CryptUnprotectData` `CryptBinaryToStringW` `CryptStringToBinaryW` `CryptProtectData` `CryptAcquireCertificatePrivateKey` `CertGetNameStringW` `CertAddEncodedCertificateToStore` `CertOpenStore` `CertFreeCertificateContext` `CertAddCertificateContextToStore` `CertCloseStore` `CertGetCertificateContextProperty` `CertEnumCertificatesInStore` `CertEnumSystemStore` `CertSetCertificateContextProperty` `PFXExportCertStoreEx`
cryptdll.dll	`CDLocateCSystem` `CDGenerateRandomBits` `MD5Final` `MD5Update` `CDLocateCheckSum` `MD5Init`
NETAPI32.dll	`DsGetDcNameW` `NetApiBufferFree`
ole32.dll	`CoInitializeEx` `CoUninitialize` `CoCreateInstance`
OLEAUT32.dll	`#2` `#8` `#6`
RPCRT4.dll	`RpcBindingSetOption` `RpcBindingFromStringBindingW` `RpcStringBindingComposeW` `MesEncodeIncrementalHandleCreate` `RpcBindingSetAuthInfoExW` `RpcBindingFree` `RpcStringFreeW` `MesDecodeIncrementalHandleCreate` `MesHandleFree` `MesIncrementalHandleReset` `NdrMesTypeDecode2` `NdrMesTypeAlignSize2` `NdrMesTypeFree2` `NdrMesTypeEncode2` `I_RpcBindingInqSecurityContext` `NdrClientCall2`
SHLWAPI.dll	`PathFindFileNameW` `PathIsRelativeW` `PathCanonicalizeW` `PathCombineW` `PathIsDirectoryW`
SAMLIB.dll	`SamFreeMemory` `SamOpenAlias` `SamOpenGroup` `SamGetAliasMembership` `SamEnumerateAliasesInDomain` `SamGetMembersInAlias` `SamQueryInformationUser` `SamCloseHandle` `SamEnumerateUsersInDomain` `SamOpenUser` `SamLookupNamesInDomain` `SamLookupIdsInDomain` `SamOpenDomain` `SamConnect` `SamEnumerateGroupsInDomain` `SamEnumerateDomainsInSamServer` `SamGetGroupsForUser` `SamGetMembersInGroup` `SamRidToSid` `SamLookupDomainInSamServer`
Secur32.dll	`LsaLookupAuthenticationPackage` `LsaFreeReturnBuffer` `LsaConnectUntrusted` `LsaCallAuthenticationPackage` `LsaDeregisterLogonProcess` `QueryContextAttributesW` `FreeContextBuffer`
SHELL32.dll	`CommandLineToArgvW`
USER32.dll	`IsCharAlphaNumericW` `GetKeyboardLayout`
HID.DLL	`HidD_GetHidGuid` `HidD_GetAttributes` `HidD_FreePreparsedData` `HidP_GetCaps` `HidD_GetPreparsedData`
SETUPAPI.dll	`SetupDiDestroyDeviceInfoList` `SetupDiGetClassDevsW` `SetupDiEnumDeviceInterfaces` `SetupDiGetDeviceInterfaceDetailW`
WLDAP32.dll	`#145` `#310` `#54` `#309` `#304` `#301` `#73` `#127` `#26` `#157` `#79` `#36` `#208` `#167` `#147` `#13` `#27` `#77` `#142` `#133` `#41`
ntdll.dll	`RtlGetCurrentPeb` `NtQueryInformationProcess` `RtlCreateUserThread` `RtlGUIDFromString` `RtlStringFromGUID` `RtlGetNtVersionNumbers` `RtlUpcaseUnicodeString` `RtlAppendUnicodeStringToString` `NtQuerySystemInformation` `NtResumeProcess` `RtlAdjustPrivilege` `NtSuspendProcess` `NtTerminateProcess` `NtQuerySystemEnvironmentValueEx` `NtSetSystemEnvironmentValueEx` `NtEnumerateSystemEnvironmentValuesEx` `RtlEqualString` `RtlGetCompressionWorkSpaceSize` `RtlCompressBuffer` `NtQueryObject` `RtlEqualUnicodeString` `RtlInitUnicodeString` `RtlFreeUnicodeString` `RtlDowncaseUnicodeString` `RtlFreeAnsiString` `RtlAnsiStringToUnicodeString` `RtlUnicodeStringToAnsiString`
netapi32.dll	`I_NetServerAuthenticate2` `I_NetServerReqChallenge` `I_NetServerTrustPasswordsGet`
KERNEL32.dll	`GetEnvironmentStringsW` `FreeEnvironmentStringsW` `LCMapStringW` `GetStringTypeW` `GetTimeZoneInformation` `GetModuleFileNameW` `SetStdHandle` `GetConsoleMode` `GetConsoleCP` `GetStartupInfoW` `GetFileType` `InitializeCriticalSectionAndSpinCount` `SetHandleCount` `RtlUnwindEx` `FlsAlloc` `GetCurrentThreadId` `FlsFree` `FlsSetValue` `FlsGetValue` `IsValidCodePage` `GetOEMCP` `GetACP` `GetCPInfo` `GetVersion` `HeapSetInformation` `TerminateProcess` `RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `IsDebuggerPresent` `SetUnhandledExceptionFilter` `GetCommandLineW` `ExitProcess` `DecodePointer` `EncodePointer` `GetTimeFormatA` `GetDateFormatA` `GetCurrentThread` `SetCurrentDirectoryW` `GetConsoleScreenBufferInfo` `FillConsoleOutputCharacterW` `GetStdHandle` `SetConsoleCursorPosition` `GetModuleHandleW` `GetProcAddress` `LoadLibraryW` `FreeLibrary` `SetConsoleTitleW` `SetConsoleCtrlHandler` `DeleteFileA` `AreFileApisANSI` `GetSystemTime` `GetTempPathA` `GetCurrentProcessId` `DeleteFileW` `GetVersionExA` `OutputDebugStringA` `DeleteCriticalSection` `GetFileAttributesExW` `GetSystemInfo` `GetDiskFreeSpaceA` `CreateFileMappingA` `GetDiskFreeSpaceW` `EnterCriticalSection` `LockFileEx` `HeapSize` `WriteConsoleW` `CompareStringW` `UnhandledExceptionFilter` `SetEnvironmentVariableA` `GetTempPathW` `MultiByteToWideChar` `HeapValidate` `HeapCreate` `GetFileAttributesA` `LeaveCriticalSection` `HeapDestroy` `GetVersionExW` `FormatMessageW` `InitializeCriticalSection` `FormatMessageA` `GetSystemTimeAsFileTime` `GetProcessHeap` `UnlockFileEx` `GetTickCount` `OutputDebugStringW` `WaitForSingleObjectEx` `LockFile` `FlushViewOfFile` `UnlockFile` `HeapFree` `QueryPerformanceCounter` `SystemTimeToFileTime` `HeapAlloc` `SetEndOfFile` `TryEnterCriticalSection` `HeapCompact` `CreateMutexW` `GetFileSize` `CreateFileA` `HeapReAlloc` `GetFullPathNameA` `GetFullPathNameW` `FileTimeToLocalFileTime` `GetTimeFormatW` `WideCharToMultiByte` `GetDateFormatW` `CreateRemoteThread` `WaitForSingleObject` `SetLastError` `CreateProcessW` `SetConsoleOutputCP` `GetConsoleOutputCP` `CreateFileMappingW` `UnmapViewOfFile` `MapViewOfFile` `WriteProcessMemory` `VirtualProtect` `VirtualAllocEx` `VirtualProtectEx` `VirtualAlloc` `ReadProcessMemory` `VirtualFreeEx` `VirtualQueryEx` `VirtualFree` `VirtualQuery` `SetFilePointer` `DeviceIoControl` `DuplicateHandle` `FileTimeToSystemTime` `WriteFile` `TerminateThread` `Sleep` `ReadFile` `CreateFileW` `GetLastError` `LocalAlloc` `CloseHandle` `LocalFree` `CreateThread` `FindFirstFileW` `GetFileAttributesW` `FlushFileBuffers` `GetFileSizeEx` `GetCurrentDirectoryW` `FindClose` `FindNextFileW` `ExpandEnvironmentStringsW` `GetCurrentProcess` `OpenProcess`

Delayed Imports

1

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x25a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.58742`
MD5	`af7f63ed38ac1eea9f4f45699b287a7b`
SHA1	`522c0952585ee2c23e67587066b08b0e2d3dd5be`
SHA256	`bb14aef3a976374d7a2d7032e95e8b7d339402547705c07768f5e523aa227dbc`
SHA3	`a68ddf26a5d32eedb129dab32b61508dcc34a8ed6deebb6cb5b44ba5127a683d`

2

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x10a8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.68627`
MD5	`4c8a1f13f0a76817ab4af037499713df`
SHA1	`2718541330281136297f4bc485008207083850d6`
SHA256	`4a5ff11cfc675db544c54be18d5f1c2a29ef4c9e02b931792b48263f773fe477`
SHA3	`33eee9e3eb0435d89035cdbec166c38fb5b85ef16070807dc41a6bae7044297e`

3

Type	`RT_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x468`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.69825`
MD5	`893e8ba8f9644997d70dcc5392c9fa68`
SHA1	`18b71655fa7f4e0dd880c6c05dca48984d792d37`
SHA256	`268a8b9081b620341e20e68861b379f8d9a72d2e44a5f9910ce6c67c5fcfcbc5`
SHA3	`50cf487748a5dc0a1e99f74c45a77af100a44c584b1eed23775946a22c09dd70`

100

Type	`RT_GROUP_ICON`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x30`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`2.45849`
Detected Filetype	Icon file
MD5	`1ec6a7b3300970378c29695a6cc13d36`
SHA1	`99ce74251d19d800608e30bed6e0d793931da56e`
SHA256	`77a1efb6136f52dd2372987b13bf486aa75baeacb93bad009aa3e284c57b8694`
SHA3	`7a94ba315b3ab461cec9dad3048599d32b0e597047f9655159bd6dfdc694e4a3`

1 (#2)

Type	`RT_VERSION`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x3c0`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.46754`
MD5	`d589dd1fc3fbcb95b850a84818c30655`
SHA1	`3328947ce6d57bb3e5bf40c090792ce1049f0d2c`
SHA256	`8f8c310b0b4bf9aeb885cfc782435f4cb673fb874ae6cb629088252a597427ee`
SHA3	`b04ec5f3417381f642cec22a086240c7c4102856272a67b29f37a221981cc29f`

1 (#3)

Type	`RT_MANIFEST`
Language	English - United States
Codepage	Latin 1 / Western European
Size	`0x25f`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.94904`
MD5	`e54df675446f104f3e6153a586774b18`
SHA1	`2f5a10f15684b67189b923111f804cace29d5ae2`
SHA256	`45cb3493020782cfcd906fb9afbf72d7f973b6e425fc5d3bd88a429e8ea395b1`
SHA3	`0c19618a4c7e6c8a7d54b8702d0132f746eb83cfff35aa7a8d49792cfda314df`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	2.1.0.0
ProductVersion	2.1.0.0
FileFlags	`VS_FF_PRERELEASE` `VS_FF_PRIVATEBUILD` `VS_FF_SPECIALBUILD`
FileOs	`VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE`
FileType	`VFT_APP`
Language	English - United States
ProductName	mimikatz
ProductVersion (#2)	2.1.0.0
CompanyName	gentilkiwi (Benjamin DELPY)
FileDescription	mimikatz for Windows
FileVersion (#2)	2.1.0.0
InternalName	mimikatz
LegalCopyright	Copyright (c) 2007 - 2016 gentilkiwi (Benjamin DELPY)
OriginalFilename	mimikatz.exe
PrivateBuild	Build with love for POC only
SpecialBuild	kiwi flavor !

Resource LangID	English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x743305f`
Unmarked objects	`0`
C++ objects (VS2010 SP1 build 40219)	`44`
C objects (VS2010 SP1 build 40219)	`137`
ASM objects (VS2010 SP1 build 40219)	`9`
Imports (VS2012 UPD4 build 61030)	`4`
135 (VS2008 SP1 build 30729)	`2`
Imports (40310)	`6`
Imports (VS2008 SP1 build 30729)	`27`
Total imports	`382`
174 (VS2010 SP1 build 40219)	`74`
Resource objects (VS2010 SP1 build 40219)	`1`
Linker (VS2010 SP1 build 40219)	`1`

1bc9cdc758c28ea95946fe51a016377d

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.rdata

.data

.pdata

.rsrc

.reloc

Imports

Delayed Imports

1

2

3

100

1 (#2)

1 (#3)

Version Info

TLS Callbacks

Load Configuration

RICH Header

Errors