46f366e3ee36c05ab5a7a319319f7c72

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date 2020-Feb-29 10:13:28
Detected languages English - United States
ProductName mimikatz
ProductVersion 2.2.0.0
CompanyName gentilkiwi (Benjamin DELPY)
FileDescription mimikatz for Windows
FileVersion 2.2.0.0
InternalName mimikatz
LegalCopyright Copyright (c) 2007 - 2020 gentilkiwi (Benjamin DELPY)
OriginalFilename mimikatz.exe
PrivateBuild Build with love for POC only
SpecialBuild :)

Plugin Output

[Info] Matching compiler(s): Microsoft Visual C++ 6.0 - 8.0 (a loose signature range; the LinkerVersion 9.0 in the optional header and the Rich header entries below identify Visual Studio 2008 SP1, build 30729)
MASM/TASM - sig2(h)
MASM/TASM - sig1(h)
[Suspicious] PEiD Signature: UPolyX V0.1 -> Delikon (probably a false positive: the entry point lies inside .text, .text entropy is 6.69 and the import table is fully present, none of which is consistent with a packed image)
[Suspicious] Strings found in the binary may indicate undesirable behavior. Contains references to system / monitoring tools:
  • regedit.exe
  • taskmgr.exe
Miscellaneous malware strings:
  • cmd.exe
Contains code from Mimikatz.
Contains strings from Mimikatz:
  • BCryptCloseAlgorithmProvider
  • BCryptDecrypt
  • BCryptDestroyKey
  • BCryptEncrypt
  • BCryptGenerateSymmetricKey
  • BCryptGetProperty
  • BCryptOpenAlgorithmProvider
  • BCryptSetProperty
  • CredentialKeys
  • Primary
Contains domain names:
  • blog.gentilkiwi.com
  • gentilkiwi.com
  • gmail.com
  • http://blog.gentilkiwi.com
  • http://blog.gentilkiwi.com/mimikatz
  • http://mysmartlogon.com
  • http://pingcastle.com
  • mysmartlogon.com
  • pingcastle.com
[Info] Libraries used to perform cryptographic operations: Microsoft's Cryptography API
[Malicious] The PE contains functions mostly used by malware. [!] The program may be hiding some of its imports (a weak indicator for this sample: the static import table below already resolves several hundred functions by name, so this pair alone does not suggest packing):
  • LoadLibraryW
  • GetProcAddress
  • LoadLibraryA
Functions which can be used for anti-debugging purposes:
  • NtQuerySystemInformation
  • NtQueryInformationProcess
Code injection capabilities:
  • CreateRemoteThread
  • WriteProcessMemory
  • VirtualAllocEx
  • VirtualAlloc
  • OpenProcess
Code injection capabilities (mapping injection):
  • CreateRemoteThread
  • CreateFileMappingW
  • MapViewOfFile
  • CreateFileMappingA
Can access the registry:
  • RegQueryValueExW
  • RegQueryInfoKeyW
  • RegEnumValueW
  • RegOpenKeyExW
  • RegEnumKeyExW
  • RegCloseKey
  • RegSetValueExW
Possibly launches other programs:
  • CreateProcessWithLogonW
  • CreateProcessAsUserW
  • CreateProcessW
Uses Windows's Native API:
  • NtQueryObject
  • NtQuerySystemInformation
  • NtQueryInformationProcess
  • NtCompareTokens
  • NtResumeProcess
  • NtSuspendProcess
  • NtTerminateProcess
  • NtQuerySystemEnvironmentValueEx
  • NtSetSystemEnvironmentValueEx
  • NtEnumerateSystemEnvironmentValuesEx
Uses Microsoft's cryptographic API:
  • CryptSetHashParam
  • CryptGetHashParam
  • CryptExportKey
  • CryptAcquireContextW
  • CryptSetKeyParam
  • CryptGetKeyParam
  • CryptReleaseContext
  • CryptDuplicateKey
  • CryptAcquireContextA
  • CryptGetProvParam
  • CryptImportKey
  • CryptEncrypt
  • CryptCreateHash
  • CryptGenKey
  • CryptDestroyKey
  • CryptDecrypt
  • CryptDestroyHash
  • CryptHashData
  • CryptSetProvParam
  • CryptEnumProvidersW
  • CryptEnumProviderTypesW
  • CryptGetUserKey
  • CryptDeriveKey
  • CryptSignHashW
  • CryptDecodeObjectEx
  • CryptUnprotectData
  • CryptBinaryToStringW
  • CryptBinaryToStringA
  • CryptStringToBinaryW
  • CryptExportPublicKeyInfo
  • CryptFindOIDInfo
  • CryptAcquireCertificatePrivateKey
  • CryptStringToBinaryA
  • CryptSignAndEncodeCertificate
  • CryptEncodeObject
  • CryptProtectData
  • CryptQueryObject
Can create temporary files:
  • GetTempPathA
  • CreateFileA
  • CreateFileW
  • GetTempPathW
Memory manipulation functions often used by packers:
  • VirtualProtect
  • VirtualAllocEx
  • VirtualProtectEx
  • VirtualAlloc
Functions related to the privilege level:
  • OpenProcessToken
  • DuplicateTokenEx
  • CheckTokenMembership
  • SamQueryInformationUser
Interacts with services:
  • CreateServiceW
  • DeleteService
  • OpenSCManagerW
  • OpenServiceW
  • QueryServiceObjectSecurity
  • QueryServiceStatusEx
  • ControlService
Manipulates other processes:
  • WriteProcessMemory
  • ReadProcessMemory
  • OpenProcess
Deletes entries from the event log:
  • ClearEventLogW
Queries user information on remote machines:
  • NetWkstaUserEnum
Reads the contents of the clipboard:
  • GetClipboardData
Interacts with the certificate store:
  • CertAddCertificateContextToStore
  • CertAddEncodedCertificateToStore
  • CertOpenStore
[Info] The PE is digitally signed. Signer: Open Source Developer
Issuer: Certum Code Signing CA SHA2
A valid signature establishes who released the file, not that it is safe to run: treat the signer and issuer as provenance pivots for hunting, not as an allow-list reason.
[Malicious] VirusTotal score: 55/70 (Scanned on 2023-01-23 16:51:33)
MicroWorld-eScan: Trojan.Mimikatz.B
ClamAV: Win.Tool.Mimikatz-9862700-0
FireEye: Generic.mg.46f366e3ee36c05a
CAT-QuickHeal: HackTool.Mimikatz.S13719266
ALYac: Trojan.Mimikatz.B
Cylance: Unsafe
Sangfor: Trojan.Win32.Save.a
K7AntiVirus: Riskware ( 004f0b6d1 )
Alibaba: Trojan:Win32/Mimikatz.4b2
K7GW: Riskware ( 004f0b6d1 )
Cybereason: malicious.3ee36c
BitDefenderTheta: Gen:NN.ZexaF.36212.8u2@a0Ld2bai
VirIT: PUP.Win32.Delpy.B
Cyren: W32/Mimikatz.A.gen!Eldorado
Symantec: Hacktool.Mimikatz
Elastic: Windows.Hacktool.Mimikatz
ESET-NOD32: a variant of Win32/RiskWare.Mimikatz.BC
APEX: Malicious
Cynet: Malicious (score: 100)
Kaspersky: Trojan-PSW.Win32.Mimikatz.gen
BitDefender: Trojan.Mimikatz.B
NANO-Antivirus: Trojan.Win32.Mimikatz.hddnuq
SUPERAntiSpyware: Trojan.Agent/Gen-Mimikatz
Avast: Win32:Malware-gen
Tencent: Malware.Win32.Gencirc.10bd6eef
Emsisoft: Trojan.Mimikatz.B (B)
DrWeb: Tool.Mimikatz.704
VIPRE: Trojan.Mimikatz.B
TrendMicro: HKTL_MIMIKATZ
McAfee-GW-Edition: HTool-Mimikatz
Sophos: Mal/Generic-R + ATK/Apteryx-Gen
GData: Win32.Riskware.Mimikatz.F
Jiangmin: Trojan.PSW.Mimikatz.bgi
Webroot: W32.Hacktool.Mimikatz
Avira: HEUR/AGEN.1216257
MAX: malware (ai score=100)
Antiy-AVL: Trojan[PSW]/Win32.Mimikatz
Kingsoft: Win32.PSWTroj.Mimikatz.g.(kcloud)
Gridinsoft: Hack.Mimikatz.ka!c
Xcitium: Malware@#3p7xsaxu4ql8i
Arcabit: Trojan.Mimikatz.B
ZoneAlarm: Trojan-PSW.Win32.Mimikatz.gen
Microsoft: HackTool:Win32/Mimikatz.D
Google: Detected
AhnLab-V3: Trojan/Win32.RL_Mimikatz.R290617
McAfee: HTool-Mimikatz
VBA32: BScope.TrojanPSW.Mimikatz
Malwarebytes: Mimikatz.Spyware.Stealer.DDS
TrendMicro-HouseCall: HKTL_MIMIKATZ
Rising: HackTool.Mimikatz!1.B3A8 (CLASSIC)
Ikarus: HackTool.Mimikatz
MaxSecure: Trojan.Malware.9460437.susgen
Fortinet: Riskware/Mimikatz
AVG: Win32:Malware-gen
Panda: HackingTool/Mimikatz

Hashes

MD5 46f366e3ee36c05ab5a7a319319f7c72
SHA1 040fbf1325d51358606b710bc3bd774c04bdb308
SHA256 2e8092205a2ded4b07e9d10d0ec02eba0ffcf1d370cab88c5221a749915f678a
SHA3 5b2d809842b6112dca0f53153b32607b16a011491279bb351474150b8c9f4e42
SSDeep 24576:ZUawjJv4xFV1To1GPC31fILaq/K34UQCxWw:daOxnOB3aLbK3R5Qw
Imports Hash 9e68cf8b3fce7a5346adc7874d7cd067
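
The Imports Hash above is the imphash: an MD5 over the normalised import table, where each DLL name is lower-cased with a .dll/.ocx/.sys extension dropped, each function name is lower-cased, ordinal-only imports are mapped to names for a few DLLs and otherwise written as ordN, and the entries are joined with commas in import-table order. The following Python is an added example, not part of this report or of mimikatz, that implements that normalisation on a constructed subset of the imports listed below (the WS2_32 ordinal entry is not in this binary and is added only to show ordinal resolution; the ordinal table is a small assumed subset). It will not reproduce 9e68cf8b3fce7a5346adc7874d7cd067, which needs the complete table in its original order.

```python
import hashlib

# Partial ordinal-to-name tables: the imphash algorithm resolves ordinals to
# names for a handful of DLLs (ws2_32, wsock32, oledb in pefile's ordlookup).
# Only a few entries are reproduced here; this table is an assumption of the
# example, not the full list.
ORDINAL_NAMES = {
    "ws2_32.dll": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                   16: "recv", 19: "send", 23: "socket"},
    "wsock32.dll": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                    16: "recv", 19: "send", 23: "socket"},
}

# Constructed subset of the import table in this report, in the order the
# report lists it.  The WS2_32 ordinal entry is NOT in the real binary; it is
# included only to exercise ordinal resolution.
SAMPLE_IMPORTS = [
    ("ADVAPI32.dll", "CryptSetHashParam"),
    ("ADVAPI32.dll", "SystemFunction007"),
    ("Cabinet.dll", 11),
    ("Cabinet.dll", 14),
    ("KERNEL32.dll", "CreateRemoteThread"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("ntdll.dll", "NtQuerySystemInformation"),
    ("WS2_32.dll", 23),
]


def normalise_dll(dll: str) -> str:
    """Lower-case the module name and drop a .dll/.ocx/.sys extension."""
    lowered = dll.lower()
    base, dot, ext = lowered.rpartition(".")
    return base if dot and ext in ("dll", "ocx", "sys") else lowered


def imphash_string(imports) -> str:
    """Build the 'dll.func,dll.func,...' string that gets hashed.

    imports: iterable of (dll_name, function_name | ordinal_int) in the order
    the import directory lists them.  Order matters: the same imports in a
    different order produce a different imphash.
    """
    parts = []
    for dll, func in imports:
        if isinstance(func, int):
            # ordinal import: map to a name for known DLLs, else ordN
            name = ORDINAL_NAMES.get(dll.lower(), {}).get(func, f"ord{func}")
        else:
            name = func
        parts.append(f"{normalise_dll(dll)}.{name.lower()}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 hex digest of the normalised import string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Two properties matter when pivoting on this value: it is order-sensitive, so a rebuild that reorders object files changes it, and it covers only the regular import directory, so functions resolved at run time through GetProcAddress (the finding flagged above) and the delay-loaded bcrypt.dll entries listed at the end of the Imports section never enter the hash.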

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x118

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2020-Feb-29 10:13:28
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 9.0
SizeOfCode 0x93800
SizeOfInitializedData 0x5d000
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0008E242 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x95000
ImageBase 0x400000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 5.0
ImageVersion 0.0
SubsystemVersion 5.0
Win32VersionValue 0
SizeOfImage 0xf4000
SizeOfHeaders 0x400
Checksum 0x102bb0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_CUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 eb38917e924f7ca15cf520b71969c584
SHA1 14275d6cde14ae2e25c29c4f5e51327ff7ab57be
SHA256 bd01d08870906e91a81dffb7908b876f52763150ba5d9a0c082825c8421d9b12
SHA3 ec1fdc6d5508d0ca2fcfad344ca742664f2e37c381b728d0ac54234ead1edce2
VirtualSize 0x937dc
VirtualAddress 0x1000
SizeOfRawData 0x93800
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 6.68727

.rdata

MD5 2746b24bc1943ce1969b8822a0df0a02
SHA1 5f325de079b1bcac963987153eab99d2328d1713
SHA256 0719ee1fd1b4c5352c77dde0385671a983ee1c4bfc8add3d28389c39c60d1f05
SHA3 c4e633c8966959f501a97510a900f9bc631055d2ff6f9c61dabecb639ab4d354
VirtualSize 0x4d46e
VirtualAddress 0x95000
SizeOfRawData 0x4d600
PointerToRawData 0x93c00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 4.33214

.data

MD5 faca6191844c3bd4a3f47512b17ff9bd
SHA1 c50661bf0e38701f89316192afe7cc77e5f15c74
SHA256 97450bcfb4830ee3a95fd5d4d73dfc914aa528d0bdbe27941fd73b86be6979ac
SHA3 4e2de7dd38c57ae683beed3087da99e2d592b7dd6c5d094b26d269f40eb9f7c8
VirtualSize 0x41c8
VirtualAddress 0xe3000
SizeOfRawData 0x3800
PointerToRawData 0xe1200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.58629

.rsrc

MD5 cc72ca37bde1ba021c5498d9eef96981
SHA1 41cde6171a180f3279baa90a3d5d3c46b984c83b
SHA256 3e094cc1c18c76e98735e516a58ab0b16bca504415f6686f9710b7246f07648b
SHA3 08e2486090bb687efbe6d29cb69066159a11597e2036997d06d7306698f1e189
VirtualSize 0x3fe8
VirtualAddress 0xe8000
SizeOfRawData 0x4000
PointerToRawData 0xe4a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 6.54118

.reloc

MD5 a1959cdafde98a153a23c6acc8a715d7
SHA1 1bf54b1670983022392691de9935c6a6a185dd3a
SHA256 9149a23a44a386640cf0f3ecb3625278cce4ee5b1c4df7f2ffac69ccfde5728d
SHA3 a7696b7e695bc0e5a900f5bb3fcde947db7f2effefbc62dd5df99d3a29fe644d
VirtualSize 0x779e
VirtualAddress 0xec000
SizeOfRawData 0x7800
PointerToRawData 0xe8a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.53639
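
The DOS Header, PE Header, Image Optional Header and section entries above are read by walking the file in that order: e_lfanew in the DOS header points at the PE signature, the 20-byte COFF header follows it (Machine, NumberOfSections, TimeDateStamp, SizeOfOptionalHeader, Characteristics), then the optional header whose Magic distinguishes PE32 from PE32+, and finally one 40-byte IMAGE_SECTION_HEADER per section, from which the raw bytes are located to compute per-section entropy. The Python below is an added example, not the report tool's code, that parses a constructed two-section PE32 image built inline with this report's machine, subsystem, timestamp, linker version and DllCharacteristics values, maps the entry point to its section as the report does, and applies the per-section triage checks a practitioner runs (RWX sections, high entropy, sections with no file-backed data). The 7.2 bits/byte entropy threshold and the sample image itself are assumptions of the example.

```python
import calendar
import math
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "IMAGE_FILE_MACHINE_I386", 0x8664: "IMAGE_FILE_MACHINE_AMD64"}
SUBSYSTEMS = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}
FILE_CHARS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
             0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA", 0x02000000: "MEM_DISCARDABLE",
                 0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}
# PE32 optional header: 96-byte fixed part + 16 data directories (128 bytes) = 0xE0
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6
SEC_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or constant input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    # 'or 0.0' turns the -0.0 of constant data into a plain 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c) or 0.0


def flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(blob: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt = struct.unpack_from(OPT_FMT, blob, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 (Magic 0x10b) is handled in this example")
    info = {"machine": MACHINES.get(machine, hex(machine)),
            "timestamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "characteristics": flag_names(chars, FILE_CHARS),
            "linker": f"{opt[1]}.{opt[2]}", "entry_point": opt[6], "image_base": opt[9],
            "subsystem": SUBSYSTEMS.get(opt[22], str(opt[22])),
            "dll_characteristics": flag_names(opt[23], DLL_CHARS), "sections": []}
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, sflags = struct.unpack_from(SEC_FMT, blob, opt_off + opt_size + 40 * i)
        info["sections"].append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                                 "virtual_size": vsize, "virtual_address": va, "raw_size": rsize,
                                 "raw_offset": rptr, "flags": flag_names(sflags, SECTION_FLAGS),
                                 "entropy": entropy(blob[rptr:rptr + rsize])})
    return info


def section_of(info: dict, rva: int):
    """Section whose virtual range holds rva, or None (an entry point outside every
    section is a classic packer or tampering tell)."""
    for s in info["sections"]:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            return s["name"]
    return None


def section_warnings(sec: dict, high_entropy: float = 7.2) -> list:
    """Per-section triage heuristics; the 7.2 bits/byte threshold is an assumption."""
    w = []
    if "MEM_WRITE" in sec["flags"] and "MEM_EXECUTE" in sec["flags"]:
        w.append("writable and executable")
    if sec["entropy"] > high_entropy:
        w.append("high entropy")
    if sec["raw_size"] == 0 and sec["virtual_size"] > 0:
        w.append("no file data but non-zero virtual size")
    return w


def build_sample() -> bytes:
    """Constructed two-section PE32 image (not a real program) using this report's
    machine, subsystem, timestamp, linker version and DllCharacteristics values."""
    ts = calendar.timegm((2020, 2, 29, 10, 13, 28, 0, 0, 0))
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, ts, 0, 0, 0xE0, 0x0102)
    opt = struct.pack(OPT_FMT, 0x10B, 9, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x400000,
                      0x1000, 0x200, 5, 0, 0, 0, 5, 0, 0, 0x3000, 0x200, 0, 3, 0x0140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    secs = struct.pack(SEC_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SEC_FMT, b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    text = bytes(range(256)) * 2      # every byte value exactly twice: entropy 8.0
    data = b"\0" * 0x200              # constant bytes: entropy 0.0
    return (dos + coff + opt + secs).ljust(0x200, b"\0") + text + data
```

On a real file, read it into memory and call parse_pe on the bytes; the values for this sample (.text at 6.69 bits/byte, .rdata at 4.33, entry point inside .text, no writable code section) would pass every check in section_warnings, which is one more reason to discount the packer signature in the plugin output.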

Imports

ADVAPI32.dll CryptSetHashParam
CryptGetHashParam
CryptExportKey
CryptAcquireContextW
CryptSetKeyParam
CryptGetKeyParam
CryptReleaseContext
CryptDuplicateKey
CryptAcquireContextA
CryptGetProvParam
CryptImportKey
SystemFunction007
CryptEncrypt
CryptCreateHash
CryptGenKey
CryptDestroyKey
CryptDecrypt
CryptDestroyHash
CryptHashData
CopySid
GetLengthSid
LsaQueryInformationPolicy
LsaOpenPolicy
LsaClose
CreateWellKnownSid
CreateProcessWithLogonW
CreateProcessAsUserW
RegQueryValueExW
RegQueryInfoKeyW
RegEnumValueW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegSetValueExW
SystemFunction032
ConvertSidToStringSidW
CreateServiceW
CloseServiceHandle
DeleteService
OpenSCManagerW
SetServiceObjectSecurity
OpenServiceW
BuildSecurityDescriptorW
QueryServiceObjectSecurity
StartServiceW
AllocateAndInitializeSid
QueryServiceStatusEx
FreeSid
ControlService
IsTextUnicode
OpenProcessToken
GetTokenInformation
LookupAccountNameW
LookupAccountSidW
DuplicateTokenEx
CheckTokenMembership
CryptSetProvParam
CryptEnumProvidersW
ConvertStringSidToSidW
LsaFreeMemory
GetSidSubAuthority
GetSidSubAuthorityCount
IsValidSid
SetThreadToken
CryptEnumProviderTypesW
SystemFunction006
CryptGetUserKey
OpenEventLogW
GetNumberOfEventLogRecords
ClearEventLogW
SystemFunction001
CryptDeriveKey
SystemFunction005
LsaQueryTrustedDomainInfoByName
CryptSignHashW
LsaOpenSecret
LsaQuerySecret
SystemFunction013
LsaRetrievePrivateData
LsaEnumerateTrustedDomainsEx
LookupPrivilegeValueW
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
LookupPrivilegeNameW
OpenThreadToken
CredFree
CredEnumerateW
SystemFunction025
ConvertStringSecurityDescriptorToSecurityDescriptorW
SystemFunction024
CredIsMarshaledCredentialW
CredUnmarshalCredentialW
Cabinet.dll #11
#14
#10
#13
CRYPT32.dll CertFindCertificateInStore
CertEnumSystemStore
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CryptDecodeObjectEx
CertAddEncodedCertificateToStore
CertOpenStore
CertFreeCertificateContext
CertCloseStore
CertSetCertificateContextProperty
PFXExportCertStoreEx
CryptUnprotectData
CryptBinaryToStringW
CryptBinaryToStringA
CryptStringToBinaryW
CryptExportPublicKeyInfo
CryptFindOIDInfo
CryptAcquireCertificatePrivateKey
CertNameToStrW
CryptStringToBinaryA
CertGetCertificateContextProperty
CryptSignAndEncodeCertificate
CryptEncodeObject
CryptProtectData
CryptQueryObject
CertGetNameStringW
cryptdll.dll MD5Init
MD5Update
MD5Final
CDLocateCSystem
CDGenerateRandomBits
CDLocateCheckSum
DNSAPI.dll DnsFree
DnsQuery_A
FLTLIB.DLL FilterFindFirst
FilterFindNext
NETAPI32.dll NetServerGetInfo
NetStatisticsGet
NetShareEnum
DsEnumerateDomainTrustsW
DsGetDcNameW
NetApiBufferFree
NetRemoteTOD
NetSessionEnum
NetWkstaUserEnum
ole32.dll CoInitializeEx
CoUninitialize
CoCreateInstance
OLEAUT32.dll VariantInit
SysFreeString
SysAllocString
RPCRT4.dll RpcMgmtEpEltInqNextW
RpcMgmtEpEltInqBegin
I_RpcGetCurrentCallHandle
NdrClientCall2
RpcMgmtEpEltInqDone
RpcBindingFromStringBindingW
RpcStringBindingComposeW
MesEncodeIncrementalHandleCreate
RpcBindingSetAuthInfoExW
RpcBindingInqAuthClientW
RpcBindingSetOption
RpcImpersonateClient
RpcBindingFree
RpcStringFreeW
RpcRevertToSelf
MesDecodeIncrementalHandleCreate
MesHandleFree
MesIncrementalHandleReset
NdrMesTypeDecode2
NdrMesTypeAlignSize2
NdrMesTypeFree2
NdrMesTypeEncode2
RpcServerUnregisterIfEx
I_RpcBindingInqSecurityContext
RpcServerInqBindings
RpcServerListen
RpcMgmtWaitServerListen
RpcEpRegisterW
RpcMgmtStopServerListening
RpcBindingToStringBindingW
RpcServerRegisterIf2
RpcServerRegisterAuthInfoW
RpcBindingVectorFree
UuidToStringW
RpcServerUseProtseqEpW
RpcEpUnregister
NdrServerCall2
RpcEpResolveBinding
UuidCreate
SHLWAPI.dll PathIsDirectoryW
PathCanonicalizeW
PathCombineW
PathFindFileNameW
PathIsRelativeW
SAMLIB.dll SamEnumerateGroupsInDomain
SamiChangePasswordUser
SamSetInformationUser
SamGetGroupsForUser
SamConnect
SamGetMembersInGroup
SamRidToSid
SamGetMembersInAlias
SamEnumerateAliasesInDomain
SamGetAliasMembership
SamOpenGroup
SamQueryInformationUser
SamCloseHandle
SamEnumerateDomainsInSamServer
SamFreeMemory
SamEnumerateUsersInDomain
SamOpenUser
SamLookupDomainInSamServer
SamLookupNamesInDomain
SamLookupIdsInDomain
SamOpenDomain
SamOpenAlias
Secur32.dll QueryContextAttributesW
FreeContextBuffer
LsaConnectUntrusted
LsaLookupAuthenticationPackage
LsaFreeReturnBuffer
DeleteSecurityContext
LsaCallAuthenticationPackage
FreeCredentialsHandle
EnumerateSecurityPackagesW
AcquireCredentialsHandleW
InitializeSecurityContextW
LsaDeregisterLogonProcess
SHELL32.dll CommandLineToArgvW
USER32.dll IsCharAlphaNumericW
GetKeyboardLayout
DispatchMessageW
DefWindowProcW
SetClipboardViewer
SendMessageW
GetClipboardSequenceNumber
OpenClipboard
CreateWindowExW
ChangeClipboardChain
GetClipboardData
RegisterClassExW
TranslateMessage
EnumClipboardFormats
PostMessageW
UnregisterClassW
GetMessageW
CloseClipboard
DestroyWindow
USERENV.dll CreateEnvironmentBlock
DestroyEnvironmentBlock
VERSION.dll GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW
HID.DLL HidD_GetFeature
HidD_GetPreparsedData
HidD_GetHidGuid
HidD_GetAttributes
HidD_FreePreparsedData
HidP_GetCaps
HidD_SetFeature
SETUPAPI.dll SetupDiGetDeviceInterfaceDetailW
SetupDiEnumDeviceInterfaces
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList
WinSCard.dll SCardControl
SCardTransmit
SCardDisconnect
SCardGetAttrib
SCardEstablishContext
SCardFreeMemory
SCardListReadersW
SCardReleaseContext
SCardGetCardTypeProviderNameW
SCardListCardsW
SCardConnectW
WINSTA.dll WinStationCloseServer
WinStationOpenServerW
WinStationFreeMemory
WinStationConnectW
WinStationQueryInformationW
WinStationEnumerateW
WLDAP32.dll #203
#140
#122
#14
#157
#88
#133
#27
#147
#167
#127
#96
#304
#309
#54
#142
#77
#13
#208
#145
#36
#79
#41
#73
#310
#139
#97
#223
#12
#113
#301
#224
#26
#69
advapi32.dll A_SHAFinal
A_SHAInit
A_SHAUpdate
msasn1.dll ASN1_CreateModule
ASN1BERDotVal2Eoid
ASN1_CloseEncoder
ASN1_CreateDecoder
ASN1_FreeEncoded
ASN1_CloseModule
ASN1_CreateEncoder
ASN1_CloseDecoder
ntdll.dll RtlUnicodeStringToAnsiString
RtlFreeAnsiString
RtlDowncaseUnicodeString
RtlFreeUnicodeString
RtlInitUnicodeString
RtlEqualUnicodeString
NtQueryObject
RtlCompressBuffer
RtlGetCompressionWorkSpaceSize
NtQuerySystemInformation
RtlGetCurrentPeb
NtQueryInformationProcess
RtlCreateUserThread
RtlGUIDFromString
RtlStringFromGUID
NtCompareTokens
RtlGetNtVersionNumbers
RtlEqualString
RtlUpcaseUnicodeString
RtlAppendUnicodeStringToString
RtlAnsiStringToUnicodeString
RtlFreeOemString
RtlUpcaseUnicodeStringToOemString
NtResumeProcess
RtlAdjustPrivilege
NtSuspendProcess
NtTerminateProcess
NtQuerySystemEnvironmentValueEx
NtSetSystemEnvironmentValueEx
NtEnumerateSystemEnvironmentValuesEx
RtlIpv4AddressToStringW
RtlIpv6AddressToStringW
netapi32.dll I_NetServerAuthenticate2
I_NetServerTrustPasswordsGet
I_NetServerReqChallenge
KERNEL32.dll GetFileSize
HeapReAlloc
GetFullPathNameA
GetFullPathNameW
GetTimeFormatW
WideCharToMultiByte
GetSystemTimeAsFileTime
SystemTimeToFileTime
GetDateFormatW
InterlockedExchange
SetFilePointerEx
GetProcessId
PurgeComm
ClearCommError
CreateRemoteThread
WaitForSingleObject
SetLastError
CreateProcessW
SetConsoleOutputCP
GetConsoleOutputCP
CreateFileMappingW
UnmapViewOfFile
MapViewOfFile
WriteProcessMemory
VirtualProtect
VirtualAllocEx
VirtualProtectEx
VirtualAlloc
ReadProcessMemory
VirtualFreeEx
VirtualQueryEx
VirtualFree
VirtualQuery
GetComputerNameExW
DeviceIoControl
DuplicateHandle
OpenProcess
GetCurrentProcess
ExpandEnvironmentStringsW
FindNextFileW
FindClose
GetCurrentDirectoryW
GetFileSizeEx
FlushFileBuffers
GetFileAttributesW
FindFirstFileW
lstrlenW
DeleteFileA
GetTempPathA
GetFileInformationByHandle
FileTimeToLocalFileTime
GetCurrentDirectoryA
GetTempFileNameA
SetFilePointer
CreateFileA
FileTimeToDosDateTime
CreateThread
CreateMutexW
CloseHandle
LocalAlloc
GetLastError
CreateFileW
ReadFile
Sleep
TerminateThread
WriteFile
FileTimeToSystemTime
SetEndOfFile
FreeLibrary
HeapAlloc
QueryPerformanceCounter
HeapFree
InterlockedCompareExchange
UnlockFile
FlushViewOfFile
LockFile
WaitForSingleObjectEx
OutputDebugStringW
GetTickCount
UnlockFileEx
GetProcessHeap
FormatMessageA
LoadLibraryW
HeapCompact
FormatMessageW
GetVersionExW
HeapDestroy
GetFileAttributesA
HeapCreate
HeapValidate
MultiByteToWideChar
GetTempPathW
GetProcAddress
HeapSize
LockFileEx
GetDiskFreeSpaceW
LoadLibraryA
CreateFileMappingA
GetDiskFreeSpaceA
GetSystemInfo
GetFileAttributesExW
OutputDebugStringA
GetVersionExA
DeleteFileW
GetCurrentProcessId
GetSystemTime
AreFileApisANSI
ExitProcess
RaiseException
SetConsoleCtrlHandler
SetConsoleTitleW
lstrlenA
GlobalSize
GetModuleHandleW
SetHandleInformation
CreatePipe
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
SetEvent
CreateEventW
GetCurrentThreadId
GetModuleHandleA
GetVersion
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
LocalFree
RtlUnwind
GetSystemDirectoryW
SetConsoleCursorPosition
GetTimeZoneInformation
GetStdHandle
FillConsoleOutputCharacterW
GetComputerNameW
ProcessIdToSessionId
GetCurrentThread
SetCurrentDirectoryW
IsWow64Process
GetConsoleScreenBufferInfo
msvcrt.dll calloc
__set_app_type
isdigit
_read
_lseeki64
mbtowc
__mb_cur_max
isleadbyte
isxdigit
localeconv
_snprintf
_itoa
wctomb
ferror
iswctype
wcstombs
_write
_isatty
ungetc
?terminate@@YAXXZ
_controlfp
__badioinfo
__pioinfo
__p__fmode
isspace
_wcsicmp
__p__commode
__setusermatherr
_amsg_exit
_initterm
_errno
free
_wcsdup
_vsnprintf
strrchr
_except_handler3
vfwprintf
_vscwprintf
fflush
_wfopen
wprintf
_fileno
_iob
vwprintf
_setmode
fclose
_stricmp
wcsrchr
wcschr
strtoul
_wcsnicmp
wcsstr
_vscprintf
memmove
strncmp
malloc
_msize
strcspn
realloc
fgetws
wcstoul
wcstol
towupper
_wpgmptr
strstr
strchr
_wcstoui64
wcsncmp
getchar
memset
memcpy
__wgetmainargs
_cexit
_exit
_XcptFilter
exit
bcrypt.dll (delay-loaded) BCryptEncrypt
BCryptOpenAlgorithmProvider
BCryptKeyDerivation
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptGetProperty
BCryptImportKeyPair
BCryptExportKey
BCryptFreeBuffer
BCryptEnumRegisteredProviders

Delayed Imports

Attributes 0x1
Name bcrypt.dll
ModuleHandle 0xe6800
DelayImportAddressTable 0xe6790
DelayImportNameTable 0xdeb3c
BoundDelayImportTable 0xded90
UnloadDelayImportTable 0
TimeStamp 1970-Jan-01 00:00:00

1

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x25a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.58742
MD5 af7f63ed38ac1eea9f4f45699b287a7b
SHA1 522c0952585ee2c23e67587066b08b0e2d3dd5be
SHA256 bb14aef3a976374d7a2d7032e95e8b7d339402547705c07768f5e523aa227dbc
SHA3 a68ddf26a5d32eedb129dab32b61508dcc34a8ed6deebb6cb5b44ba5127a683d

2

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x10a8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.68627
MD5 4c8a1f13f0a76817ab4af037499713df
SHA1 2718541330281136297f4bc485008207083850d6
SHA256 4a5ff11cfc675db544c54be18d5f1c2a29ef4c9e02b931792b48263f773fe477
SHA3 33eee9e3eb0435d89035cdbec166c38fb5b85ef16070807dc41a6bae7044297e

3

Type RT_ICON
Language English - United States
Codepage UNKNOWN
Size 0x468
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 6.69825
MD5 893e8ba8f9644997d70dcc5392c9fa68
SHA1 18b71655fa7f4e0dd880c6c05dca48984d792d37
SHA256 268a8b9081b620341e20e68861b379f8d9a72d2e44a5f9910ce6c67c5fcfcbc5
SHA3 50cf487748a5dc0a1e99f74c45a77af100a44c584b1eed23775946a22c09dd70

100

Type RT_GROUP_ICON
Language English - United States
Codepage UNKNOWN
Size 0x30
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.45849
Detected Filetype Icon file
MD5 1ec6a7b3300970378c29695a6cc13d36
SHA1 99ce74251d19d800608e30bed6e0d793931da56e
SHA256 77a1efb6136f52dd2372987b13bf486aa75baeacb93bad009aa3e284c57b8694
SHA3 7a94ba315b3ab461cec9dad3048599d32b0e597047f9655159bd6dfdc694e4a3

1 (#2)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x3ac
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.45704
MD5 d72cdc063b023e58f12737a2bed14def
SHA1 22a33a08178663f16da6c820fa55200ffac8557f
SHA256 6e0b4a8ccd9ad5acac6479e32eeba3535ccbbae01c63d269d6b2d9138d69ea16
SHA3 994a8ca8562a3063b6142dc0ad1ee3627800323d724333de6c550a7b6340ff4c

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 2.2.0.0
ProductVersion 2.2.0.0
FileFlags VS_FF_PRERELEASE
VS_FF_PRIVATEBUILD
VS_FF_SPECIALBUILD
FileOs VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
FileType VFT_APP
Language English - United States
ProductName mimikatz
ProductVersion (#2) 2.2.0.0
CompanyName gentilkiwi (Benjamin DELPY)
FileDescription mimikatz for Windows
FileVersion (#2) 2.2.0.0
InternalName mimikatz
LegalCopyright Copyright (c) 2007 - 2020 gentilkiwi (Benjamin DELPY)
OriginalFilename mimikatz.exe
PrivateBuild Build with love for POC only
SpecialBuild :)
Resource LangID English - United States

TLS Callbacks

Load Configuration

RICH Header

XOR Key 0xca2952eb
Unmarked objects 0
ASM objects (VS2008 SP1 build 30729) 16
C++ objects (VS2008 SP1 build 30729) 14
Imports (VS2008 SP1 build 30729) 2
C objects (VS2008 SP1 build 30729) 67
Imports (VS2010 SP1 build 40219) 2
Imports (VS2012 UPD4 build 61030) 4
Imports (VS2012 UPD2 build 60315) 2
C objects (VS2003 (.NET) build 4035) 2
C++ objects (VS2008 build 21022) 2
Imports (VS2003 (.NET) build 4035) 47
Total imports 626
126 (VS2012 build 50727 / VS2005 build 50727) 1
137 (VS2008 SP1 build 30729) 99
Linker (VS2008 SP1 build 30729) 1
Resource objects (VS2008 SP1 build 30729) 1
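
The RICH Header block above is decoded from the undocumented structure the Microsoft linker writes between the DOS stub and the PE signature: a DanS marker, three padding DWORDs, then (compid, count) pairs where compid carries a product id in the high 16 bits and the build number (30729 for VS2008 SP1 here) in the low 16 bits, all XORed with the key, followed by the plain-text Rich marker and the key itself. The key is also a checksum over the DOS header bytes and the entries, so a key that does not match the recomputed checksum means the header was edited after linking, which is what a forged or scrubbed toolchain fingerprint looks like. The Python below is an added example, not the report tool's code, that decodes a constructed Rich header and verifies the key. The product ids in the sample are placeholders, and the checksum routine follows the algorithm published in reverse-engineering write-ups of the format rather than any Microsoft documentation.

```python
import struct

DANS = 0x536E6144      # "DanS" as a little-endian DWORD
RICH = b"Rich"


def rol32(value: int, count: int) -> int:
    count &= 31
    value &= 0xFFFFFFFF
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF


def rich_checksum(blob: bytes, dans_off: int, entries) -> int:
    """Linker checksum that doubles as the XOR key (per public write-ups): start
    with the DanS offset, add every DOS header/stub byte rotated by its offset
    (skipping the e_lfanew field), then each compid rotated by its count."""
    cs = dans_off
    for i in range(dans_off):
        if 0x3C <= i < 0x40:
            continue
        cs = (cs + rol32(blob[i], i)) & 0xFFFFFFFF
    for prodid, build, count in entries:
        cs = (cs + rol32((prodid << 16) | build, count)) & 0xFFFFFFFF
    return cs


def parse_rich(blob: bytes) -> dict:
    """Decode the Rich header that sits before e_lfanew and check its key."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    head = blob[:e_lfanew]
    rich_off = head.rfind(RICH)
    if rich_off < 0 or rich_off % 4:
        raise ValueError("no Rich marker before the PE header")
    key = struct.unpack_from("<I", head, rich_off + 4)[0]
    words, off = [], rich_off - 4
    while off >= 0:                          # walk back, XOR-decoding, until DanS
        word = struct.unpack_from("<I", head, off)[0] ^ key
        if word == DANS:
            break
        words.append(word)
        off -= 4
    else:
        raise ValueError("DanS marker not found")
    words.reverse()
    body = words[3:]                         # drop the three masked padding DWORDs
    if len(body) % 2:
        raise ValueError("odd number of Rich DWORDs")
    entries = [(body[i] >> 16, body[i] & 0xFFFF, body[i + 1]) for i in range(0, len(body), 2)]
    return {"dans_offset": off, "key": key, "entries": entries,
            "checksum_ok": rich_checksum(blob, off, entries) == key}


def build_sample() -> bytes:
    """Constructed DOS header + Rich header + PE signature (not a real file).
    Product ids are placeholders; the build and counts mirror the report's
    VS2008 SP1 (30729) C, C++ and linker entries."""
    entries = [(0x0093, 30729, 67), (0x0094, 30729, 14), (0x0091, 30729, 1)]
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0xC0)          # e_lfanew placed past the Rich header
    key = rich_checksum(bytes(dos), 0x80, entries)
    words = [DANS, 0, 0, 0]
    for prodid, build, count in entries:
        words += [(prodid << 16) | build, count]
    masked = b"".join(struct.pack("<I", w ^ key) for w in words)
    return (bytes(dos) + masked + RICH + struct.pack("<I", key)).ljust(0xC0, b"\0") + b"PE\0\0"
```

On a real sample the first kilobyte of the file is enough input; the report's labels such as "C objects (VS2008 SP1 build 30729)" are a lookup of product id and build on top of the (prodid, build, count) triples this returns, and the checksum_ok flag is the check to run before trusting those labels for toolchain attribution.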

Errors
