mimikatz | 51535b1784d6ef85ddb949730111be95_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

51535b1784d6ef85ddb949730111be95_JaffaCakes118
Size

1.2MB
MD5

51535b1784d6ef85ddb949730111be95
SHA1

96d8707ed79932a4c6d810df21079855f24a3f71
SHA256

9ed0f409e7fb369f83c3aeaad4085a2146778faed15d421734aa13fe22cf7ee4
SHA512

6d302d4910461636936c4d225011245ac8dbafd114035b6df148f7a7e422f0e1f96e11d70575ed277c90d5d714bfe39b0e9d045439187c891168ce4ca90bfc6c
SSDEEP

24576:tk1C2eXGJqbre8CnmYtVIhD6UedDXhq6/KFkewQJfgx:a1CrGEby8WHDDXhkCx

Score

10^/10

mimikatz

Malware Config

Signatures

Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 2 IoCs

Processes:

resource	yara_rule
static1/unpack001/Win32/mimikatz.sys	mimikatz
static1/unpack001/x64/mimikatz.sys	mimikatz

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/tools/tee.exe
unpack001/tools/winmine.exe

Files

51535b1784d6ef85ddb949730111be95_JaffaCakes118
.zip
Win32/kappfree.dll
.dll windows:5 windows x86 arch:x86

a950efacc4c17f075516de39eed670c1

Code Sign

04:00:00:00:00:01:20:19:c1:90:66
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18-03-2009 11:00

Not After

28-01-2028 12:00

Subject

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13-04-2011 10:00

Not After

13-04-2019 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

Issuer

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Not Before

21-12-2009 09:32

Not After

22-12-2020 09:32

Subject

CN=GlobalSign Time Stamping Authority,O=GlobalSign NV,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28-06-2011 09:46

Not After

28-06-2014 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

a8:12:09:38:08:1b:46:7d:a6:d4:23:de:c8:6b:8c:ea:dd:2a:97:b0
Signer

Actual PE Digest

a8:12:09:38:08:1b:46:7d:a6:d4:23:de:c8:6b:8c:ea:dd:2a:97:b0

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

advapi32

CreateRestrictedToken
CreateProcessAsUserW
OpenProcessToken

kernel32

GetCurrentProcess
CloseHandle
GetLastError
HeapFree
GetCurrentThreadId
DecodePointer
GetCommandLineA
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
HeapCreate
HeapDestroy
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
GetModuleHandleW
SetLastError
InterlockedDecrement
GetProcAddress
Sleep
ExitProcess
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
HeapAlloc
LeaveCriticalSection
EnterCriticalSection
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapReAlloc
LoadLibraryW
WriteFile
GetModuleFileNameW
RtlUnwind
IsProcessorFeaturePresent
LCMapStringW
MultiByteToWideChar
GetStringTypeW
HeapSize

Exports

Exports

startW

Sections

.text
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Win32/kelloworld.dll
.dll windows:5 windows x86 arch:x86

f7d0c5296ed2154c7e0acdbbe5cf9c94

Code Sign

04:00:00:00:00:01:20:19:c1:90:66
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18-03-2009 11:00

Not After

28-01-2028 12:00

Subject

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13-04-2011 10:00

Not After

13-04-2019 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

Issuer

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Not Before

21-12-2009 09:32

Not After

22-12-2020 09:32

Subject

CN=GlobalSign Time Stamping Authority,O=GlobalSign NV,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28-06-2011 09:46

Not After

28-06-2014 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

72:6b:b5:4c:80:b3:c4:f0:5a:ae:ca:78:3c:da:3c:10:57:f4:8c:16
Signer

Actual PE Digest

72:6b:b5:4c:80:b3:c4:f0:5a:ae:ca:78:3c:da:3c:10:57:f4:8c:16

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

user32

MessageBoxW

kernel32

SetUnhandledExceptionFilter
LoadLibraryW
Sleep
FreeLibraryAndExitThread
GetProcAddress
CloseHandle
CreateThread
WaitNamedPipeW
WriteFile
ReadFile
CreateFileW
DisconnectNamedPipe
FlushFileBuffers
GetLastError
SetNamedPipeHandleState
WideCharToMultiByte
InterlockedIncrement
InterlockedDecrement
InterlockedCompareExchange
InterlockedExchange
MultiByteToWideChar
GetStringTypeW
EncodePointer
DecodePointer
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapFree
GetCurrentThreadId
GetCommandLineA
RaiseException
GetCPInfo
RtlUnwind
HeapAlloc
LCMapStringW
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
IsDebuggerPresent
IsProcessorFeaturePresent
HeapCreate
HeapDestroy
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetModuleHandleW
SetLastError
ExitProcess
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetLocaleInfoW
GetModuleFileNameW
HeapSize
GetACP
GetOEMCP
IsValidCodePage
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
HeapReAlloc

Exports

Exports

helloworld
ping

Sections

.text
Size: 58KB - Virtual size: 58KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Win32/klock.dll
.dll windows:5 windows x86 arch:x86

95aa4ec46472ba1b9508deda58f4c7bb

Code Sign

04:00:00:00:00:01:20:19:c1:90:66
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18-03-2009 11:00

Not After

28-01-2028 12:00

Subject

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13-04-2011 10:00

Not After

13-04-2019 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

Issuer

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Not Before

21-12-2009 09:32

Not After

22-12-2020 09:32

Subject

CN=GlobalSign Time Stamping Authority,O=GlobalSign NV,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28-06-2011 09:46

Not After

28-06-2014 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

9b:9e:09:15:e6:7c:f9:69:64:3e:3a:80:df:8f:21:8d:fd:d7:b0:32
Signer

Actual PE Digest

9b:9e:09:15:e6:7c:f9:69:64:3e:3a:80:df:8f:21:8d:fd:d7:b0:32

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

user32

OpenInputDesktop
OpenDesktopW
CloseDesktop
SwitchDesktop
GetUserObjectInformationW

kernel32

RtlUnwind
WriteConsoleW
SetStdHandle
LoadLibraryW
GetConsoleMode
GetConsoleCP
SetFilePointer
HeapReAlloc
IsValidLocale
EnumSystemLocalesA
Sleep
FreeLibraryAndExitThread
GetProcAddress
CloseHandle
CreateThread
WaitNamedPipeW
WriteFile
ReadFile
CreateFileW
DisconnectNamedPipe
FlushFileBuffers
GetLastError
SetNamedPipeHandleState
GetModuleHandleW
FormatMessageW
LocalFree
WideCharToMultiByte
InterlockedIncrement
InterlockedDecrement
InterlockedCompareExchange
InterlockedExchange
MultiByteToWideChar
GetStringTypeW
EncodePointer
DecodePointer
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapFree
GetCurrentThreadId
GetCommandLineA
RaiseException
GetCPInfo
HeapAlloc
LCMapStringW
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
IsProcessorFeaturePresent
HeapCreate
HeapDestroy
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
GetACP
GetOEMCP
IsValidCodePage
ExitProcess
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetLocaleInfoW
GetModuleFileNameW
HeapSize
GetUserDefaultLCID
GetLocaleInfoA

Exports

Exports

echange
getDescription
getDesktop
ping

Sections

.text
Size: 92KB - Virtual size: 91KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Win32/mimikatz.exe
.exe windows:5 windows x86 arch:x86

6bbd59cea665c4afcc2814c1327ec91f

Code Sign

04:00:00:00:00:01:20:19:c1:90:66
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18-03-2009 11:00

Not After

28-01-2028 12:00

Subject

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13-04-2011 10:00

Not After

13-04-2019 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

Issuer

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Not Before

21-12-2009 09:32

Not After

22-12-2020 09:32

Subject

CN=GlobalSign Time Stamping Authority,O=GlobalSign NV,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28-06-2011 09:46

Not After

28-06-2014 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

16:23:50:3f:25:9b:f5:e9:23:04:c2:fe:f1:72:a2:69:b0:55:c0:b4
Signer

Actual PE Digest

16:23:50:3f:25:9b:f5:e9:23:04:c2:fe:f1:72:a2:69:b0:55:c0:b4

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

psapi

GetModuleInformation

advapi32

CredEnumerateW
CreateServiceW
CryptAcquireContextW
CryptReleaseContext
CryptImportKey
CryptDestroyKey
CryptDecrypt
CryptExportKey
CryptEnumProvidersW
CryptGetProvParam
CryptGetHashParam
CryptCreateHash
CryptDestroyHash
CryptHashData
LookupPrivilegeNameW
OpenProcessToken
GetTokenInformation
LookupPrivilegeValueW
AdjustTokenPrivileges
CreateProcessWithLogonW
SetServiceObjectSecurity
BuildSecurityDescriptorW
QueryServiceObjectSecurity
LookupAccountSidW
DuplicateTokenEx
SetKernelObjectSecurity
AllocateAndInitializeSid
FreeSid
ConvertSidToStringSidW
CloseServiceHandle
DeleteService
OpenSCManagerW
OpenServiceW
StartServiceW
ControlService
EnumServicesStatusExW
IsTextUnicode
CryptGetKeyParam
CryptGetUserKey
CredFree
RevertToSelf
ReadEncryptedFileRaw
CloseEncryptedFileRaw
QueryRecoveryAgentsOnEncryptedFile
FreeEncryptionCertificateHashList
QueryUsersOnEncryptedFile
OpenEncryptedFileRawW
ImpersonateLoggedOnUser
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW

user32

WaitForInputIdle
GetWindowThreadProcessId
EnumWindows
InvalidateRect
UpdateWindow
PostThreadMessageW

secur32

LsaFreeReturnBuffer
GetUserNameExW
LsaEnumerateLogonSessions
LsaGetLogonSessionData

crypt32

CertEnumCertificatesInStore
CryptAcquireCertificatePrivateKey
PFXExportCertStoreEx
CertEnumSystemStore
CertGetCertificateContextProperty
CertCloseStore
CertAddCertificateContextToStore
CertFreeCertificateContext
CertOpenStore
CertGetNameStringW

shlwapi

PathCanonicalizeW
PathCombineW
PathIsRelativeW

wtsapi32

WTSFreeMemory
WTSEnumerateProcessesW
WTSCloseServer
WTSOpenServerW
WTSEnumerateSessionsW

kernel32

HeapSize
GetConsoleMode
GetConsoleCP
IsValidLocale
EnumSystemLocalesA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
WriteConsoleW
SetEndOfFile
GetProcessHeap
VirtualProtectEx
GetLocaleInfoA
GetLocaleInfoW
GetUserDefaultLCID
SetStdHandle
IsValidCodePage
GetOEMCP
GetACP
SetFilePointer
GetStartupInfoW
WriteFile
CreateFileW
FlushFileBuffers
GetLastError
CloseHandle
FreeLibrary
LoadLibraryW
SetLastError
GetProcAddress
GetModuleHandleW
WaitForSingleObject
CreateRemoteThread
OpenProcess
VirtualFreeEx
VirtualAllocEx
GetCurrentProcess
ReadProcessMemory
VirtualProtect
WriteProcessMemory
GetNativeSystemInfo
ConnectNamedPipe
CreateNamedPipeW
ReadFile
DisconnectNamedPipe
CreateProcessW
IsBadReadPtr
TerminateProcess
Process32FirstW
Module32FirstW
Process32NextW
CreateToolhelp32Snapshot
Module32NextW
LocalFree
FormatMessageW
GetVersionExW
GetCurrentDirectoryW
GetComputerNameExW
Thread32First
TerminateThread
Thread32Next
OpenThread
SuspendThread
ResumeThread
SetConsoleTitleW
CreateJobObjectW
AssignProcessToJobObject
GetProcessId
DuplicateHandle
TerminateJobObject
VirtualQueryEx
Sleep
SetConsoleCursorPosition
GetStdHandle
FillConsoleOutputCharacterW
GetConsoleScreenBufferInfo
WideCharToMultiByte
InterlockedIncrement
InterlockedDecrement
InterlockedCompareExchange
InterlockedExchange
MultiByteToWideChar
GetStringTypeW
EncodePointer
DecodePointer
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapFree
HeapAlloc
HeapReAlloc
GetCommandLineW
HeapSetInformation
GetCPInfo
RaiseException
RtlUnwind
LCMapStringW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
IsProcessorFeaturePresent
HeapCreate
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetCurrentThreadId
InitializeCriticalSectionAndSpinCount
ExitProcess
GetModuleFileNameW
SetHandleCount
GetFileType

Sections

.text
Size: 240KB - Virtual size: 239KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 68KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Win32/mimikatz.sys
.sys windows:6 windows x86 arch:x86

303a0942e125f3191eae6d8ab1431f82

Code Sign

04:00:00:00:00:01:20:19:c1:90:66
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18-03-2009 11:00

Not After

28-01-2028 12:00

Subject

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13-04-2011 10:00

Not After

13-04-2019 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

Issuer

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Not Before

21-12-2009 09:32

Not After

22-12-2020 09:32

Subject

CN=GlobalSign Time Stamping Authority,O=GlobalSign NV,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28-06-2011 09:46

Not After

28-06-2014 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23-05-2006 17:00

Not After

23-05-2016 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

50:6b:b5:97:8e:81:dc:3c:37:c3:ea:61:85:8a:87:83:18:a3:03:31
Signer

Actual PE Digest

50:6b:b5:97:8e:81:dc:3c:37:c3:ea:61:85:8a:87:83:18:a3:03:31

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\security\mimikatz\driver\objfre_wnet_x86\i386\mimikatz.pdb

Imports

ntoskrnl.exe

NtBuildNumber
RtlCompareMemory
DbgPrint
IoCreateSymbolicLink
IoCreateDevice
PsDereferencePrimaryToken
PsReferencePrimaryToken
ZwClose
ZwSetInformationProcess
ZwDuplicateToken
ZwOpenProcessTokenEx
ObOpenObjectByPointer
PsProcessType
PsGetProcessId
RtlInitUnicodeString
PsInitialSystemProcess
ExFreePoolWithTag
ExAllocatePoolWithTag
ObfDereferenceObject
IoEnumerateRegisteredFiltersList
KeServiceDescriptorTable
PsSetCreateProcessNotifyRoutine
IoConnectInterrupt
PsSetCreateThreadNotifyRoutine
PsSetLoadImageNotifyRoutine
CmUnRegisterCallback
MmGetSystemRoutineAddress
KeTickCount
KeBugCheckEx
IoDeleteSymbolicLink
IoDeleteDevice
IofCompleteRequest
memset
PsGetProcessImageFileName
_vsnwprintf
PsGetVersion
ExAllocatePoolWithQuotaTag
ZwQuerySystemInformation
RtlUnwind

fltmgr.sys

FltGetFilterInformation
FltEnumerateInstances
FltGetVolumeFromInstance
FltObjectDereference
FltEnumerateFilters

Sections

.text
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 232B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 1024B - Virtual size: 614B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 782B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Win32/sekurlsa.dll
.dll windows:5 windows x86 arch:x86

f3b5f060004e64bf439309ca830b9704

Code Sign

04:00:00:00:00:01:20:19:c1:90:66
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18-03-2009 11:00

Not After

28-01-2028 12:00

Subject

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13-04-2011 10:00

Not After

13-04-2019 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

Issuer

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Not Before

21-12-2009 09:32

Not After

22-12-2020 09:32

Subject

CN=GlobalSign Time Stamping Authority,O=GlobalSign NV,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28-06-2011 09:46

Not After

28-06-2014 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

e1:a3:0a:74:c2:92:4f:48:e5:93:ce:38:54:3e:cd:dc:3a:f6:da:85
Signer

Actual PE Digest

e1:a3:0a:74:c2:92:4f:48:e5:93:ce:38:54:3e:cd:dc:3a:f6:da:85

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

psapi

GetModuleInformation

secur32

LsaFreeReturnBuffer
LsaEnumerateLogonSessions
LsaGetLogonSessionData

advapi32

IsTextUnicode
RegCloseKey
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
LsaFreeMemory
LsaClose
GetTokenInformation
CreateProcessAsUserW
CredFree
SetTokenInformation
LsaQueryInformationPolicy
LsaOpenPolicy

kernel32

GetConsoleMode
LoadLibraryW
SetStdHandle
WriteConsoleW
InterlockedIncrement
GetConsoleCP
SetFilePointer
HeapReAlloc
IsValidLocale
Sleep
FreeLibraryAndExitThread
GetProcAddress
CloseHandle
CreateThread
GetCurrentProcess
GetModuleHandleW
WaitNamedPipeW
WriteFile
ReadFile
CreateFileW
DisconnectNamedPipe
FlushFileBuffers
GetLastError
SetNamedPipeHandleState
CreateProcessW
TerminateProcess
FormatMessageW
GetVersionExW
LocalFree
FileTimeToSystemTime
WideCharToMultiByte
InterlockedDecrement
InterlockedCompareExchange
InterlockedExchange
MultiByteToWideChar
GetStringTypeW
EncodePointer
DecodePointer
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapFree
GetCurrentThreadId
GetCommandLineA
RaiseException
GetCPInfo
RtlUnwind
HeapAlloc
LCMapStringW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
IsProcessorFeaturePresent
HeapCreate
HeapDestroy
GetACP
GetOEMCP
IsValidCodePage
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
SetLastError
ExitProcess
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetLocaleInfoW
GetModuleFileNameW
HeapSize
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA

Exports

Exports

addLogonSession
delLogonSession
find_tokens
getCredman
getCredmanFunctions
getDescription
getKerberos
getKerberosFunctions
getLiveSSP
getLiveSSPFunctions
getLocalAccounts
getLogonPasswords
getLogonSessions
getMSV
getMSVFunctions
getSAMFunctions
getSECFunctions
getSecrets
getTsPkg
getTsPkgFunctions
getWDigest
getWDigestFunctions
incognito
notsupported
ping

Sections

.text
Size: 125KB - Virtual size: 124KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
lisezmoi.txt
tools/PsExec.exe
.exe windows:5 windows x86 arch:x86

a04dd9f5ee88d7774203e0a0cfa1b941

Code Sign

2e:ab:11:dc:50:ff:5c:9d:cb:c0
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

22-08-2007 22:31

Not After

25-08-2012 07:00

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:01:cf:3e:00:00:00:00:00:0f
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07-12-2009 22:40

Not After

07-03-2011 22:40

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

6a:0b:99:4f:c0:00:25:ab:11:db:45:1f:58:7a:67:a2
Certificate

Issuer

CN=Microsoft Root Authority,OU=Copyright (c) 1997 Microsoft Corp.+OU=Microsoft Corporation

Not Before

16-09-2006 01:04

Not After

15-09-2019 07:00

Subject

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:05:a2:30:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Timestamping PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25-07-2008 19:01

Not After

25-07-2013 19:11

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:85D3-305C-5BCF,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

14:32:e4:ad:0e:d7:35:5e:37:df:24:21:cd:1a:8f:3b:b9:33:92:3f
Signer

Actual PE Digest

14:32:e4:ad:0e:d7:35:5e:37:df:24:21:cd:1a:8f:3b:b9:33:92:3f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

c:\src\Pstools\psexec\EXE\Release\psexec.pdb

Imports

version

GetFileVersionInfoW
GetFileVersionInfoSizeW
VerQueryValueW

netapi32

NetApiBufferFree
NetServerEnum

ws2_32

WSAStartup
gethostname
inet_ntoa
gethostbyname

mpr

WNetAddConnection2W
WNetCancelConnection2W

kernel32

GetModuleFileNameW
SetEvent
ConnectNamedPipe
GetFileAttributesW
DisconnectNamedPipe
ReadConsoleW
ReadFile
GetFileTime
WaitNamedPipeW
SetFileAttributesW
CopyFileW
WaitForMultipleObjects
SetConsoleTitleW
DuplicateHandle
GetCurrentProcessId
TransactNamedPipe
SetNamedPipeHandleState
GetVersion
CreateEventW
GetExitCodeProcess
ResumeThread
SetProcessAffinityMask
GetEnvironmentVariableW
GetFullPathNameW
GetUserDefaultLCID
GetDateFormatA
GetTimeFormatA
GetStringTypeA
SetFilePointer
GetSystemTimeAsFileTime
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
LCMapStringW
LoadResource
GetCurrentProcess
MultiByteToWideChar
WaitForSingleObject
GetComputerNameW
GetSystemDirectoryW
DeleteFileW
FindResourceW
SizeofResource
LockResource
GetConsoleScreenBufferInfo
LoadLibraryExW
FormatMessageA
GetStdHandle
WriteFile
FreeLibrary
CreateFileW
CloseHandle
GetTickCount
SetEnvironmentVariableA
Sleep
SetLastError
GetLastError
GetCommandLineW
LocalAlloc
GetModuleHandleW
LocalFree
SetPriorityClass
LoadLibraryW
GetProcAddress
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
HeapSize
GetLocaleInfoW
GetTimeZoneInformation
SetEndOfFile
GetProcessHeap
CompareStringA
CompareStringW
SetConsoleCtrlHandler
HeapAlloc
HeapFree
EnterCriticalSection
LeaveCriticalSection
ExitThread
GetCurrentThreadId
CreateThread
ReadConsoleInputA
SetConsoleMode
GetConsoleMode
PeekConsoleInputA
GetNumberOfConsoleInputEvents
ExitProcess
DeleteCriticalSection
FatalAppExitA
VirtualFree
VirtualAlloc
HeapReAlloc
HeapCreate
HeapDestroy
GetModuleFileNameA
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
GetCurrentThread
SetHandleCount
GetFileType
GetStartupInfoA
WideCharToMultiByte
GetConsoleCP
RtlUnwind
CreateFileA
FlushFileBuffers
InterlockedExchange
LoadLibraryA
InitializeCriticalSectionAndSpinCount
GetStringTypeW
LCMapStringA

user32

LoadCursorW
SetCursor
SetWindowTextW
SendMessageW
EndDialog
GetSysColorBrush
GetDlgItem
DialogBoxIndirectParamW
InflateRect

gdi32

GetDeviceCaps
SetMapMode
StartDocW
StartPage
EndPage
EndDoc

comdlg32

PrintDlgW

advapi32

InitializeAcl
CreateProcessAsUserW
OpenProcessToken
AdjustTokenPrivileges
LogonUserW
ImpersonateLoggedOnUser
RegConnectRegistryW
RevertToSelf
DeleteService
ControlService
OpenSCManagerW
OpenServiceW
StartServiceW
QueryServiceStatus
CreateServiceW
CloseServiceHandle
RegCreateKeyW
RegQueryValueExW
RegSetValueExW
RegCloseKey
AllocateAndInitializeSid
GetTokenInformation
GetLengthSid
SetTokenInformation
GetSecurityInfo
GetAce
AddAce
AddAccessAllowedAce
SetSecurityInfo
FreeSid
LsaOpenPolicy
LsaEnumerateAccountRights
LookupPrivilegeValueW
LsaFreeMemory
LsaClose

Sections

.text
Size: 146KB - Virtual size: 145KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 181KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 178KB - Virtual size: 178KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
tools/tee.exe
.exe windows:4 windows x86 arch:x86

154a3e3be799e1bcabf04dac8419cf6f

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_AGGRESIVE_WS_TRIM
IMAGE_FILE_32BIT_MACHINE

Imports

wsock32

gethostname

msvcrt

strncmp
strcmp
strlen
malloc
_sys_nerr
getenv
signal
calloc
realloc
strchr
strncpy
_strlwr
_stat
sprintf
_sys_errlist
_exit
_XcptFilter
__p___initenv
__getmainargs
fflush
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
putc
free
_iob
fprintf
exit
printf
_errno
_fstat
_get_osfhandle
_initterm
_write
_unlink
_close
_read
_open
_utime
_mktemp
_access
_chsize

kernel32

GetFileInformationByHandle
CreateFileA
CreateProcessA
GetCurrentProcessId
OpenProcess
TerminateProcess
CloseHandle
GetExitCodeProcess
GetVersion
GetFullPathNameA
Sleep

Sections

.text
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
tools/winmine.exe
.exe windows:5 windows x86 arch:x86

de5490f8d3fb044d081bdaec5ef47bf7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

_controlfp
__set_app_type
__p__fmode
_except_handler3
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
__p__commode
_cexit
_XcptFilter
_exit
_c_exit
srand
rand

advapi32

RegQueryValueExW
RegSetValueExW
RegOpenKeyExA
RegQueryValueExA
RegCreateKeyExW
RegCloseKey

kernel32

FindResourceW
OutputDebugStringA
LockResource
LoadResource
lstrlenW
GetPrivateProfileIntW
GetPrivateProfileStringW
GetTickCount
GetModuleFileNameA
GetModuleHandleA
GetStartupInfoA
GetProcAddress
lstrcpyW
LoadLibraryA

gdi32

SetROP2
GetLayout
SetLayout
GetDeviceCaps
DeleteObject
LineTo
CreatePen
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
SetDIBitsToDevice
DeleteDC
MoveToEx
SetPixel
BitBlt
GetStockObject

user32

LoadIconW
GetDesktopWindow
SetTimer
MessageBoxW
LoadCursorW
CheckMenuItem
SetMenu
GetDlgItemInt
RegisterClassW
LoadStringW
LoadMenuW
ReleaseCapture
PeekMessageW
MapWindowPoints
SetCapture
PtInRect
WinHelpW
SetDlgItemInt
EndDialog
SetDlgItemTextW
wsprintfW
SendMessageW
GetDlgItem
GetDlgItemTextW
GetSystemMetrics
InvalidateRect
SetRect
MoveWindow
GetMenuItemRect
DialogBoxParamW
DefWindowProcW
ReleaseDC
GetDC
PostMessageW
ShowWindow
PostQuitMessage
KillTimer
EndPaint
BeginPaint
DispatchMessageW
TranslateMessage
TranslateAcceleratorW
GetMessageW
UpdateWindow
CreateWindowExW
LoadAcceleratorsW

shell32

ShellAboutW

winmm

PlaySoundW

comctl32

InitCommonControlsEx

Sections

.text
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 100KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
x64/kappfree.dll
.dll windows:5 windows x64 arch:x64

2b2dc22c8ca7487f2e22796288d36aca

Code Sign

04:00:00:00:00:01:20:19:c1:90:66
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18-03-2009 11:00

Not After

28-01-2028 12:00

Subject

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13-04-2011 10:00

Not After

13-04-2019 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

Issuer

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Not Before

21-12-2009 09:32

Not After

22-12-2020 09:32

Subject

CN=GlobalSign Time Stamping Authority,O=GlobalSign NV,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28-06-2011 09:46

Not After

28-06-2014 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

cf:ff:d2:42:8d:c4:0a:29:51:d5:30:42:13:1e:a8:39:5c:0b:cb:57
Signer

Actual PE Digest

cf:ff:d2:42:8d:c4:0a:29:51:d5:30:42:13:1e:a8:39:5c:0b:cb:57

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

advapi32

CreateRestrictedToken
CreateProcessAsUserW
OpenProcessToken

kernel32

GetCurrentProcess
CloseHandle
GetLastError
HeapFree
GetCurrentThreadId
FlsSetValue
GetCommandLineA
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
HeapSetInformation
GetVersion
HeapCreate
HeapDestroy
EncodePointer
DecodePointer
RtlUnwindEx
FlsGetValue
FlsFree
SetLastError
FlsAlloc
Sleep
GetProcAddress
GetModuleHandleW
ExitProcess
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
DeleteCriticalSection
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
HeapAlloc
LeaveCriticalSection
EnterCriticalSection
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapReAlloc
LoadLibraryW
WriteFile
GetModuleFileNameW
LCMapStringW
MultiByteToWideChar
GetStringTypeW
HeapSize

Exports

Exports

startW

Sections

.text
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 454B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
x64/kelloworld.dll
.dll windows:5 windows x64 arch:x64

c3260b634f6d64fc3f7a5bda66064395

Code Sign

04:00:00:00:00:01:20:19:c1:90:66
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18-03-2009 11:00

Not After

28-01-2028 12:00

Subject

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13-04-2011 10:00

Not After

13-04-2019 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

Issuer

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Not Before

21-12-2009 09:32

Not After

22-12-2020 09:32

Subject

CN=GlobalSign Time Stamping Authority,O=GlobalSign NV,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28-06-2011 09:46

Not After

28-06-2014 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

49:38:66:11:02:f8:eb:b8:82:44:e5:ff:f8:52:f0:95:fe:62:8a:08
Signer

Actual PE Digest

49:38:66:11:02:f8:eb:b8:82:44:e5:ff:f8:52:f0:95:fe:62:8a:08

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

user32

MessageBoxW

kernel32

IsDebuggerPresent
LoadLibraryW
Sleep
FreeLibraryAndExitThread
GetProcAddress
CloseHandle
CreateThread
WaitNamedPipeW
WriteFile
ReadFile
CreateFileW
DisconnectNamedPipe
FlushFileBuffers
GetLastError
SetNamedPipeHandleState
WideCharToMultiByte
MultiByteToWideChar
GetStringTypeW
EncodePointer
DecodePointer
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapFree
GetCurrentThreadId
FlsSetValue
GetCommandLineA
RaiseException
RtlPcToFileHeader
GetCPInfo
RtlLookupFunctionEntry
RtlUnwindEx
HeapAlloc
LCMapStringW
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
RtlVirtualUnwind
RtlCaptureContext
HeapSetInformation
GetVersion
HeapCreate
HeapDestroy
FlsGetValue
FlsFree
SetLastError
FlsAlloc
GetModuleHandleW
ExitProcess
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetLocaleInfoW
GetModuleFileNameW
HeapSize
GetACP
GetOEMCP
IsValidCodePage
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
HeapReAlloc

Exports

Exports

helloworld
ping

Sections

.text
Size: 66KB - Virtual size: 66KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 27KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
x64/klock.dll
.dll windows:5 windows x64 arch:x64

96153f24f6fe4c5d95a5c84264544094

Code Sign

04:00:00:00:00:01:20:19:c1:90:66
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18-03-2009 11:00

Not After

28-01-2028 12:00

Subject

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13-04-2011 10:00

Not After

13-04-2019 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

Issuer

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Not Before

21-12-2009 09:32

Not After

22-12-2020 09:32

Subject

CN=GlobalSign Time Stamping Authority,O=GlobalSign NV,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28-06-2011 09:46

Not After

28-06-2014 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

c2:91:be:cd:e9:c9:d4:02:d6:7c:2c:0a:b2:f0:1c:d0:7a:1f:82:4f
Signer

Actual PE Digest

c2:91:be:cd:e9:c9:d4:02:d6:7c:2c:0a:b2:f0:1c:d0:7a:1f:82:4f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

user32

OpenInputDesktop
OpenDesktopW
CloseDesktop
SwitchDesktop
GetUserObjectInformationW

kernel32

HeapAlloc
WriteConsoleW
SetStdHandle
LoadLibraryW
GetConsoleMode
GetConsoleCP
SetFilePointer
HeapReAlloc
IsValidLocale
EnumSystemLocalesA
Sleep
FreeLibraryAndExitThread
GetProcAddress
CloseHandle
CreateThread
WaitNamedPipeW
WriteFile
ReadFile
CreateFileW
DisconnectNamedPipe
FlushFileBuffers
GetLastError
SetNamedPipeHandleState
GetModuleHandleW
FormatMessageW
LocalFree
WideCharToMultiByte
MultiByteToWideChar
GetStringTypeW
EncodePointer
DecodePointer
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapFree
GetCurrentThreadId
FlsSetValue
GetCommandLineA
RaiseException
RtlPcToFileHeader
GetCPInfo
RtlLookupFunctionEntry
RtlUnwindEx
LCMapStringW
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlCaptureContext
HeapSetInformation
GetVersion
HeapCreate
HeapDestroy
FlsGetValue
FlsFree
SetLastError
FlsAlloc
GetACP
GetOEMCP
IsValidCodePage
ExitProcess
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetLocaleInfoW
GetModuleFileNameW
HeapSize
GetUserDefaultLCID
GetLocaleInfoA

Exports

Exports

echange
getDescription
getDesktop
ping

Sections

.text
Size: 106KB - Virtual size: 106KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
x64/mimikatz.exe
.exe windows:5 windows x64 arch:x64

85c50addd23ce3c6233f8779bd6a32ab

Code Sign

04:00:00:00:00:01:20:19:c1:90:66
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18-03-2009 11:00

Not After

28-01-2028 12:00

Subject

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13-04-2011 10:00

Not After

13-04-2019 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

Issuer

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Not Before

21-12-2009 09:32

Not After

22-12-2020 09:32

Subject

CN=GlobalSign Time Stamping Authority,O=GlobalSign NV,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28-06-2011 09:46

Not After

28-06-2014 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

93:cd:56:76:7f:c1:08:b4:7b:97:4e:58:d4:42:e2:ee:c7:5c:a4:69
Signer

Actual PE Digest

93:cd:56:76:7f:c1:08:b4:7b:97:4e:58:d4:42:e2:ee:c7:5c:a4:69

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

psapi

GetModuleInformation

advapi32

CredEnumerateW
CreateServiceW
CryptAcquireContextW
CryptReleaseContext
CryptImportKey
CryptDestroyKey
CryptDecrypt
CryptExportKey
CryptEnumProvidersW
CryptGetProvParam
CryptGetHashParam
CryptCreateHash
CryptDestroyHash
CryptHashData
LookupPrivilegeNameW
OpenProcessToken
GetTokenInformation
LookupPrivilegeValueW
AdjustTokenPrivileges
CreateProcessWithLogonW
SetServiceObjectSecurity
BuildSecurityDescriptorW
QueryServiceObjectSecurity
LookupAccountSidW
DuplicateTokenEx
SetKernelObjectSecurity
AllocateAndInitializeSid
FreeSid
ConvertSidToStringSidW
CloseServiceHandle
DeleteService
OpenSCManagerW
OpenServiceW
StartServiceW
ControlService
EnumServicesStatusExW
IsTextUnicode
CryptGetKeyParam
CryptGetUserKey
CredFree
RevertToSelf
ReadEncryptedFileRaw
CloseEncryptedFileRaw
QueryRecoveryAgentsOnEncryptedFile
FreeEncryptionCertificateHashList
QueryUsersOnEncryptedFile
OpenEncryptedFileRawW
ImpersonateLoggedOnUser
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW

user32

WaitForInputIdle
GetWindowThreadProcessId
EnumWindows
InvalidateRect
UpdateWindow
PostThreadMessageW

secur32

LsaFreeReturnBuffer
GetUserNameExW
LsaEnumerateLogonSessions
LsaGetLogonSessionData

crypt32

CertEnumCertificatesInStore
CryptAcquireCertificatePrivateKey
PFXExportCertStoreEx
CertEnumSystemStore
CertGetCertificateContextProperty
CertCloseStore
CertAddCertificateContextToStore
CertFreeCertificateContext
CertOpenStore
CertGetNameStringW

shlwapi

PathCanonicalizeW
PathCombineW
PathIsRelativeW

wtsapi32

WTSFreeMemory
WTSEnumerateProcessesW
WTSCloseServer
WTSOpenServerW
WTSEnumerateSessionsW

kernel32

HeapSize
GetConsoleMode
GetConsoleCP
IsValidLocale
EnumSystemLocalesA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
WriteConsoleW
SetEndOfFile
GetProcessHeap
VirtualProtectEx
GetLocaleInfoA
GetLocaleInfoW
GetUserDefaultLCID
SetStdHandle
IsValidCodePage
GetOEMCP
GetACP
SetFilePointer
GetStartupInfoW
WriteFile
CreateFileW
FlushFileBuffers
GetLastError
CloseHandle
FreeLibrary
LoadLibraryW
SetLastError
GetProcAddress
GetModuleHandleW
WaitForSingleObject
CreateRemoteThread
OpenProcess
VirtualFreeEx
VirtualAllocEx
GetCurrentProcess
ReadProcessMemory
VirtualProtect
WriteProcessMemory
GetNativeSystemInfo
ConnectNamedPipe
CreateNamedPipeW
ReadFile
DisconnectNamedPipe
CreateProcessW
IsBadReadPtr
TerminateProcess
Process32FirstW
Module32FirstW
Process32NextW
CreateToolhelp32Snapshot
Module32NextW
LocalFree
FormatMessageW
GetVersionExW
GetCurrentDirectoryW
GetComputerNameExW
Thread32First
TerminateThread
Thread32Next
OpenThread
SuspendThread
ResumeThread
SetConsoleTitleW
CreateJobObjectW
AssignProcessToJobObject
GetProcessId
DuplicateHandle
TerminateJobObject
VirtualQueryEx
Sleep
SetConsoleCursorPosition
GetStdHandle
FillConsoleOutputCharacterW
GetConsoleScreenBufferInfo
WideCharToMultiByte
MultiByteToWideChar
GetStringTypeW
EncodePointer
DecodePointer
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapFree
HeapAlloc
HeapReAlloc
GetCommandLineW
GetCPInfo
RaiseException
RtlPcToFileHeader
RtlLookupFunctionEntry
RtlUnwindEx
LCMapStringW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlCaptureContext
HeapSetInformation
GetVersion
HeapCreate
FlsGetValue
FlsSetValue
FlsFree
GetCurrentThreadId
FlsAlloc
InitializeCriticalSectionAndSpinCount
ExitProcess
GetModuleFileNameW
SetHandleCount
GetFileType

Sections

.text
Size: 315KB - Virtual size: 314KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 94KB - Virtual size: 93KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
x64/mimikatz.sys
.sys windows:6 windows x64 arch:x64

8ca50f3593ef53b29272e72d4aa19baa

Code Sign

04:00:00:00:00:01:20:19:c1:90:66
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18-03-2009 11:00

Not After

28-01-2028 12:00

Subject

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13-04-2011 10:00

Not After

13-04-2019 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

Issuer

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Not Before

21-12-2009 09:32

Not After

22-12-2020 09:32

Subject

CN=GlobalSign Time Stamping Authority,O=GlobalSign NV,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28-06-2011 09:46

Not After

28-06-2014 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23-05-2006 17:00

Not After

23-05-2016 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

85:67:46:80:24:59:c3:01:3b:e6:81:bc:89:b0:90:a9:f9:ef:85:ed
Signer

Actual PE Digest

85:67:46:80:24:59:c3:01:3b:e6:81:bc:89:b0:90:a9:f9:ef:85:ed

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

c:\security\mimikatz\driver\objfre_wnet_amd64\amd64\mimikatz.pdb

Imports

ntoskrnl.exe

RtlCompareMemory
IoCreateSymbolicLink
IoCreateDevice
DbgPrint
PsProcessType
PsGetProcessImageFileName
PsReferencePrimaryToken
ZwOpenProcessTokenEx
ZwSetInformationProcess
ZwClose
ZwDuplicateToken
PsInitialSystemProcess
ObOpenObjectByPointer
IofCompleteRequest
PsDereferencePrimaryToken
ExAllocatePoolWithTag
ExFreePoolWithTag
IoEnumerateRegisteredFiltersList
ObfDereferenceObject
MmGetSystemRoutineAddress
CcMdlRead
SeImpersonateClientEx
PsSetCreateThreadNotifyRoutine
PsSetLoadImageNotifyRoutine
CmUnRegisterCallback
KeBugCheckEx
_vsnwprintf
IoDeleteDevice
RtlInitUnicodeString
NtBuildNumber
PsGetProcessId
IoDeleteSymbolicLink
PsGetVersion
ExAllocatePoolWithQuotaTag
ZwQuerySystemInformation
RtlUnwindEx

fltmgr.sys

FltGetFilterInformation
FltEnumerateInstances
FltEnumerateFilters
FltObjectDereference
FltGetVolumeFromInstance

Sections

.text
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 696B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 1024B - Virtual size: 651B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 164B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
x64/sekurlsa.dll
.dll windows:5 windows x64 arch:x64

b0c6ee1af5ec8011378dd6f01d311dad

Code Sign

04:00:00:00:00:01:20:19:c1:90:66
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18-03-2009 11:00

Not After

28-01-2028 12:00

Subject

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13-04-2011 10:00

Not After

13-04-2019 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

Issuer

CN=GlobalSign Timestamping CA,OU=Timestamping CA,O=GlobalSign

Not Before

21-12-2009 09:32

Not After

22-12-2020 09:32

Subject

CN=GlobalSign Time Stamping Authority,O=GlobalSign NV,C=BE

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28-06-2011 09:46

Not After

28-06-2014 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

ee:11:a6:db:f7:50:37:1b:da:f5:a5:9f:5a:d0:7d:f6:c3:f7:b7:2b
Signer

Actual PE Digest

ee:11:a6:db:f7:50:37:1b:da:f5:a5:9f:5a:d0:7d:f6:c3:f7:b7:2b

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

psapi

GetModuleInformation

secur32

LsaFreeReturnBuffer
LsaEnumerateLogonSessions
LsaGetLogonSessionData

advapi32

IsTextUnicode
RegCloseKey
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
LsaFreeMemory
LsaClose
GetTokenInformation
CreateProcessAsUserW
CredFree
SetTokenInformation
LsaQueryInformationPolicy
LsaOpenPolicy

kernel32

GetConsoleMode
LoadLibraryW
SetStdHandle
WriteConsoleW
GetStringTypeW
GetConsoleCP
SetFilePointer
HeapReAlloc
IsValidLocale
Sleep
FreeLibraryAndExitThread
GetProcAddress
CloseHandle
CreateThread
GetCurrentProcess
GetModuleHandleW
WaitNamedPipeW
WriteFile
ReadFile
CreateFileW
DisconnectNamedPipe
FlushFileBuffers
GetLastError
SetNamedPipeHandleState
CreateProcessW
TerminateProcess
FormatMessageW
GetVersionExW
LocalFree
FileTimeToSystemTime
WideCharToMultiByte
MultiByteToWideChar
EncodePointer
DecodePointer
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
HeapFree
GetCurrentThreadId
FlsSetValue
GetCommandLineA
RaiseException
RtlPcToFileHeader
GetCPInfo
RtlLookupFunctionEntry
RtlUnwindEx
HeapAlloc
LCMapStringW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlCaptureContext
HeapSetInformation
GetVersion
HeapCreate
HeapDestroy
GetACP
GetOEMCP
IsValidCodePage
FlsGetValue
FlsFree
SetLastError
FlsAlloc
ExitProcess
SetHandleCount
GetStdHandle
InitializeCriticalSectionAndSpinCount
GetFileType
GetStartupInfoW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
GetLocaleInfoW
GetModuleFileNameW
HeapSize
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA

Exports

Exports

addLogonSession
delLogonSession
find_tokens
getCredman
getCredmanFunctions
getDescription
getKerberos
getKerberosFunctions
getLiveSSP
getLiveSSPFunctions
getLocalAccounts
getLogonPasswords
getLogonSessions
getMSV
getMSVFunctions
getSAMFunctions
getSECFunctions
getSecrets
getTsPkg
getTsPkgFunctions
getWDigest
getWDigestFunctions
incognito
notsupported
ping

Sections

.text
Size: 156KB - Virtual size: 156KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a950efacc4c17f075516de39eed670c1

Code Sign

04:00:00:00:00:01:20:19:c1:90:66Certificate

Key Usages

04:00:00:00:00:01:2f:4e:e1:35:5cCertificate

Extended Key Usages

Key Usages

01:00:00:00:00:01:25:b0:b4:cc:01Certificate

Extended Key Usages

Key Usages

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0Certificate

Extended Key Usages

Key Usages

a8:12:09:38:08:1b:46:7d:a6:d4:23:de:c8:6b:8c:ea:dd:2a:97:b0Signer

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

kernel32

Exports

Exports

Sections

.text Size: 18KB - Virtual size: 17KB

.rdata Size: 8KB - Virtual size: 8KB

.data Size: 3KB - Virtual size: 6KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 2KB - Virtual size: 1KB

f7d0c5296ed2154c7e0acdbbe5cf9c94

Code Sign

04:00:00:00:00:01:20:19:c1:90:66Certificate

Key Usages

04:00:00:00:00:01:2f:4e:e1:35:5cCertificate

Extended Key Usages

Key Usages

01:00:00:00:00:01:25:b0:b4:cc:01Certificate

Extended Key Usages

Key Usages

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0Certificate

Extended Key Usages

Key Usages

72:6b:b5:4c:80:b3:c4:f0:5a:ae:ca:78:3c:da:3c:10:57:f4:8c:16Signer

Headers

DLL Characteristics

File Characteristics

Imports

user32

kernel32

Exports

Exports

Sections

.text Size: 58KB - Virtual size: 58KB

.rdata Size: 19KB - Virtual size: 18KB

.data Size: 4KB - Virtual size: 8KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 6KB - Virtual size: 6KB

95aa4ec46472ba1b9508deda58f4c7bb

Code Sign

04:00:00:00:00:01:20:19:c1:90:66Certificate

Key Usages

04:00:00:00:00:01:2f:4e:e1:35:5cCertificate

Extended Key Usages

Key Usages

01:00:00:00:00:01:25:b0:b4:cc:01Certificate

Extended Key Usages

Key Usages

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0Certificate

Extended Key Usages

Key Usages

9b:9e:09:15:e6:7c:f9:69:64:3e:3a:80:df:8f:21:8d:fd:d7:b0:32Signer

Headers

DLL Characteristics

File Characteristics

Imports

user32

04:00:00:00:00:01:20:19:c1:90:66
Certificate

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

a8:12:09:38:08:1b:46:7d:a6:d4:23:de:c8:6b:8c:ea:dd:2a:97:b0
Signer

.text
Size: 18KB - Virtual size: 17KB

.rdata
Size: 8KB - Virtual size: 8KB

.data
Size: 3KB - Virtual size: 6KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 2KB - Virtual size: 1KB

04:00:00:00:00:01:20:19:c1:90:66
Certificate

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

72:6b:b5:4c:80:b3:c4:f0:5a:ae:ca:78:3c:da:3c:10:57:f4:8c:16
Signer

.text
Size: 58KB - Virtual size: 58KB

.rdata
Size: 19KB - Virtual size: 18KB

.data
Size: 4KB - Virtual size: 8KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 6KB - Virtual size: 6KB

04:00:00:00:00:01:20:19:c1:90:66
Certificate

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

9b:9e:09:15:e6:7c:f9:69:64:3e:3a:80:df:8f:21:8d:fd:d7:b0:32
Signer

.text
Size: 92KB - Virtual size: 91KB

.rdata
Size: 22KB - Virtual size: 21KB

.data
Size: 6KB - Virtual size: 13KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 7KB - Virtual size: 7KB

04:00:00:00:00:01:20:19:c1:90:66
Certificate

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

16:23:50:3f:25:9b:f5:e9:23:04:c2:fe:f1:72:a2:69:b0:55:c0:b4
Signer

.text
Size: 240KB - Virtual size: 239KB

.rdata
Size: 68KB - Virtual size: 68KB

.data
Size: 8KB - Virtual size: 16KB

.rsrc
Size: 60KB - Virtual size: 60KB

.reloc
Size: 16KB - Virtual size: 15KB

04:00:00:00:00:01:20:19:c1:90:66
Certificate

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

01:00:00:00:00:01:25:b0:b4:cc:01
Certificate

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

61:0b:7f:6b:00:00:00:00:00:19
Certificate

50:6b:b5:97:8e:81:dc:3c:37:c3:ea:61:85:8a:87:83:18:a3:03:31
Signer

.text
Size: 10KB - Virtual size: 10KB

.rdata
Size: 2KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 232B

PAGE
Size: 1024B - Virtual size: 614B

INIT
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 782B