mimikatz | sample[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

sample.zip
Size

21.2MB
MD5

dd2ae63fda290349d4872d076c3999fa
SHA1

d071bf47cb2eb4a8ade4c356c2da448fb5bf2ff8
SHA256

b6ae167bc7a98a16120698f2f11452449118662dd3f1cc88e6ef7286465b45ca
SHA512

7b01261129b1944d90ac79be21f104095c408995cf80b190287d37805d198ff8729db8011c73b0a4387614f68d4872ab5715f170b5a06ccd73603419674056e3
SSDEEP

393216:6MUztzHK7whMRoPVnksbllihtvB4Jdgho+TtdGSa0n+jfnYAdylxQ0C1/Okd+:6Mm9K7waRckqlIhtv+JKhaG+jTdEe1v+

Score

10^/10

ransomware mimikatz medusalocker

Malware Config

Extracted

Family

medusalocker

Ransom Note

Your personal ID: 2YfZTHQAYUl7kqDJYxaXaCaffwquavSjUP24kjLnTnrpeJuLdxD4T6h4Q9iZj+8XvI1Yjjz+/Wif2pnjz8LXyL3ZICXdy1EJbcn12KlzsLeLtxzOrVUtywGvseN6Td/GxgeXoJUdhB3ZPKuyIgUlPzrHX29VvwBr61OfVZq2IMv+aqhx55n1UQLyzQ2tg9eXSYytu8l+k7k6O5lm8xkSqCUGdhwVrh81v3w1oHQ9A0ajsdq1lAkTLaBXh8HzU6GFK3G05cflF2tlsb0movkB412dw0ZznhfcBNHSlF2NAQuRPa4Ga+XYkaYfzIKm3zyxFX724KkmjPsSyma+L9WWGw==� /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER. * Tor-chat to always be in touch: qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion

Emails

[email protected]

Signatures

Medusalocker family
medusalocker
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 5 IoCs

resource	yara_rule
static1/unpack001/Videos/64/64.exe	mimikatz
static1/unpack001/Videos/64/86.exe	mimikatz
static1/unpack001/Videos/64/mimidrv.sys	mimikatz
static1/unpack001/Videos/64/mimikatz.dll	mimikatz
static1/unpack001/Videos/64/mimilib.dll	mimikatz

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Videos/64/64.exe
unpack001/Videos/64/mimilib.dll
unpack001/Videos/64/mimispool.dll
unpack001/Videos/crypt154.exe

Files

sample.zip
.zip
Videos/64/64.exe
.exe windows:6 windows x64 arch:x64

23e9f1e1d6aeb789637571e507824244

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

CryptReleaseContext
CryptGenKey
CryptGetProvParam
CryptGetHashParam
CryptImportKey
CryptSetKeyParam
CryptDestroyHash
CryptSetHashParam
CryptHashData
CryptCreateHash
CryptExportKey
CryptDecrypt
SystemFunction007
CryptDuplicateKey
CryptEncrypt
CryptAcquireContextW
CryptGetKeyParam
CryptAcquireContextA
CryptDestroyKey
GetLengthSid
CopySid
LsaClose
LsaOpenPolicy
LsaQueryInformationPolicy
CreateWellKnownSid
CreateProcessAsUserW
CreateProcessWithLogonW
RegQueryValueExW
RegEnumValueW
RegOpenKeyExW
RegSetValueExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey
SystemFunction032
ConvertSidToStringSidW
SystemFunction033
QueryServiceObjectSecurity
QueryServiceStatusEx
BuildSecurityDescriptorW
OpenServiceW
StartServiceW
FreeSid
ControlService
SetServiceObjectSecurity
DeleteService
AllocateAndInitializeSid
OpenSCManagerW
CloseServiceHandle
CreateServiceW
IsTextUnicode
GetTokenInformation
LookupAccountNameW
LookupAccountSidW
DuplicateTokenEx
CheckTokenMembership
OpenProcessToken
CryptSetProvParam
CryptEnumProvidersW
ConvertStringSidToSidW
LsaFreeMemory
IsValidSid
GetSidSubAuthority
GetSidSubAuthorityCount
SetThreadToken
SystemFunction006
CryptEnumProviderTypesW
CryptGetUserKey
OpenEventLogW
ClearEventLogW
GetNumberOfEventLogRecords
CryptSignHashW
LsaRetrievePrivateData
LsaOpenSecret
LsaQueryTrustedDomainInfoByName
CryptDeriveKey
LsaQuerySecret
SystemFunction001
SystemFunction005
LsaSetSecret
LsaEnumerateTrustedDomainsEx
SystemFunction023
LookupPrivilegeValueW
StartServiceCtrlDispatcherW
RegisterServiceCtrlHandlerW
SetServiceStatus
OpenThreadToken
LookupPrivilegeNameW
EqualSid
CredFree
CredEnumerateW
ConvertStringSecurityDescriptorToSecurityDescriptorW
SystemFunction027
SystemFunction026
SystemFunction041
CredUnmarshalCredentialW
CredIsMarshaledCredentialW
A_SHAInit
A_SHAFinal
A_SHAUpdate

cabinet

ord14
ord10
ord13
ord11

crypt32

CertGetNameStringW
CryptQueryObject
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertEnumSystemStore
CertAddEncodedCertificateToStore
CertFreeCertificateContext
CryptStringToBinaryA
CertCloseStore
PFXExportCertStoreEx
CertSetCertificateContextProperty
CertOpenStore
CryptStringToBinaryW
CryptUnprotectData
CryptBinaryToStringW
CryptBinaryToStringA
CryptAcquireCertificatePrivateKey
CryptExportPublicKeyInfo
CryptFindOIDInfo
CryptSignAndEncodeCertificate
CertNameToStrW
CryptEncodeObject
CertFindCertificateInStore
CertGetCertificateContextProperty
CryptProtectData
CryptDecodeObjectEx

cryptdll

CDLocateCheckSum
CDLocateCSystem
MD5Final
MD5Update
MD5Init
CDGenerateRandomBits

dnsapi

DnsQuery_A
DnsFree

fltlib

FilterFindNext
FilterFindFirst

mpr

WNetCancelConnection2W
WNetAddConnection2W

netapi32

DsGetDcNameW
NetApiBufferFree
NetWkstaUserEnum
NetShareEnum
NetStatisticsGet
NetSessionEnum
NetRemoteTOD
NetServerGetInfo
DsEnumerateDomainTrustsW
I_NetServerAuthenticate2
I_NetServerReqChallenge
I_NetServerTrustPasswordsGet

odbc32

ord31
ord24
ord13
ord75
ord111
ord43
ord9
ord141

ole32

CoInitializeEx
CoSetProxyBlanket
CoTaskMemFree
CoUninitialize
CoCreateInstance

oleaut32

SysFreeString
VariantInit
VariantClear
SysAllocString

rpcrt4

NdrClientCall2
RpcBindingInqAuthClientW
RpcBindingSetOption
RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcBindingSetAuthInfoExW
RpcStringFreeW
MesHandleFree
RpcImpersonateClient
RpcRevertToSelf
MesEncodeIncrementalHandleCreate
MesDecodeIncrementalHandleCreate
RpcBindingFree
MesIncrementalHandleReset
NdrMesTypeEncode2
NdrMesTypeDecode2
NdrMesTypeFree2
NdrMesTypeAlignSize2
RpcBindingVectorFree
RpcServerUseProtseqEpW
RpcServerUnregisterIfEx
RpcBindingToStringBindingW
UuidToStringW
RpcServerRegisterIf2
RpcMgmtWaitServerListen
RpcServerListen
RpcServerRegisterAuthInfoW
RpcEpUnregister
RpcEpRegisterW
RpcServerInqBindings
RpcMgmtStopServerListening
I_RpcBindingInqSecurityContext
I_RpcGetCurrentCallHandle
NdrServerCall2
UuidCreate
RpcEpResolveBinding
RpcBindingSetObject
RpcBindingSetAuthInfoW
RpcMgmtEpEltInqBegin
RpcMgmtEpEltInqDone
RpcMgmtEpEltInqNextW

shlwapi

PathIsDirectoryW
PathCombineW
PathCanonicalizeW
PathIsRelativeW
UrlUnescapeW
PathFindFileNameW

samlib

SamiChangePasswordUser
SamGetAliasMembership
SamOpenAlias
SamRidToSid
SamEnumerateAliasesInDomain
SamGetGroupsForUser
SamGetMembersInAlias
SamGetMembersInGroup
SamEnumerateUsersInDomain
SamLookupNamesInDomain
SamOpenDomain
SamEnumerateDomainsInSamServer
SamOpenUser
SamEnumerateGroupsInDomain
SamLookupIdsInDomain
SamConnect
SamCloseHandle
SamLookupDomainInSamServer
SamFreeMemory
SamQueryInformationUser
SamSetInformationUser
SamOpenGroup

secur32

LsaFreeReturnBuffer
LsaLookupAuthenticationPackage
LsaCallAuthenticationPackage
LsaDeregisterLogonProcess
LsaConnectUntrusted
QueryContextAttributesW
AcquireCredentialsHandleW
EnumerateSecurityPackagesW
FreeCredentialsHandle
InitializeSecurityContextW
FreeContextBuffer
DeleteSecurityContext

shell32

CommandLineToArgvW

user32

GetMessageW
DefWindowProcW
PostMessageW
DestroyWindow
SetClipboardViewer
CreateWindowExW
SendMessageW
UnregisterClassW
RegisterClassExW
OpenClipboard
DispatchMessageW
ChangeClipboardChain
CloseClipboard
EnumClipboardFormats
TranslateMessage
GetClipboardData
GetClipboardSequenceNumber
GetKeyboardLayout
IsCharAlphaNumericW

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

hid

HidD_FreePreparsedData
HidD_GetPreparsedData
HidD_GetAttributes
HidD_GetFeature
HidD_SetFeature
HidP_GetCaps
HidD_GetHidGuid

setupapi

SetupDiEnumDeviceInterfaces
SetupDiDestroyDeviceInfoList
SetupDiGetClassDevsW
SetupDiGetDeviceInterfaceDetailW

winscard

SCardDisconnect
SCardConnectW
SCardControl
SCardListReadersW
SCardGetCardTypeProviderNameW
SCardListCardsW
SCardReleaseContext
SCardEstablishContext
SCardGetAttrib
SCardFreeMemory
SCardTransmit

winsta

WinStationQueryInformationW
WinStationCloseServer
WinStationFreeMemory
WinStationConnectW
WinStationEnumerateW
WinStationOpenServerW

wldap32

ord27
ord147
ord157
ord224
ord203
ord26
ord133
ord167
ord309
ord304
ord301
ord127
ord310
ord208
ord73
ord13
ord36
ord79
ord41
ord142
ord77
ord145
ord88
ord14
ord140
ord113
ord223
ord96
ord69
ord12
ord139
ord122
ord97
ord54

msasn1

ASN1_FreeEncoded
ASN1_CloseEncoder
ASN1BERDotVal2Eoid
ASN1_CreateEncoder
ASN1_CloseModule
ASN1_CreateModule
ASN1_CloseDecoder
ASN1_CreateDecoder

ntdll

RtlDowncaseUnicodeString
RtlAdjustPrivilege
RtlCreateUserThread
RtlGUIDFromString
RtlStringFromGUID
NtSuspendProcess
RtlEqualUnicodeString
RtlInitUnicodeString
RtlFreeUnicodeString
RtlGetCompressionWorkSpaceSize
RtlCompressBuffer
NtSetSystemEnvironmentValueEx
NtQuerySystemEnvironmentValueEx
NtEnumerateSystemEnvironmentValuesEx
RtlIpv4AddressToStringW
RtlIpv6AddressToStringW
NtQuerySystemInformation
RtlUnicodeStringToAnsiString
RtlGetCurrentPeb
RtlFreeAnsiString
NtQueryObject
NtCompareTokens
RtlGetNtVersionNumbers
RtlEqualString
RtlAppendUnicodeStringToString
RtlUpcaseUnicodeString
RtlAnsiStringToUnicodeString
RtlFreeOemString
RtlUpcaseUnicodeStringToOemString
NtResumeProcess
NtOpenDirectoryObject
NtQueryDirectoryObject
NtTerminateProcess
NtQueryInformationProcess

kernel32

GetACP
IsValidCodePage
FindFirstFileExW
SetStdHandle
GetConsoleMode
GetOEMCP
LCMapStringW
CompareStringW
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetFileType
GetModuleHandleExW
TerminateProcess
GetModuleFileNameW
GetCommandLineW
GetCommandLineA
RtlPcToFileHeader
EncodePointer
LoadLibraryExW
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
RtlUnwindEx
IsProcessorFeaturePresent
GetStartupInfoW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
InitializeSListHead
GetCurrentThreadId
LoadLibraryExA
SetFilePointerEx
GetProcessId
GetComputerNameW
IsWow64Process
ProcessIdToSessionId
GetCurrentThread
SetConsoleCursorPosition
SetCurrentDirectoryW
FillConsoleOutputCharacterW
GetTimeZoneInformation
GetSystemDirectoryW
GetStdHandle
GetConsoleScreenBufferInfo
SetEvent
CreateEventW
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
CreatePipe
SetHandleInformation
GlobalSize
SetFileAttributesW
SetConsoleTitleW
ExitProcess
RaiseException
ExitThread
SetConsoleCtrlHandler
GetTickCount
QueryPerformanceCounter
FormatMessageA
GetSystemTime
GetProcessHeap
GetCurrentProcessId
GetFileSize
LockFileEx
UnlockFile
HeapDestroy
HeapCompact
HeapAlloc
GetSystemInfo
HeapReAlloc
DeleteFileW
WaitForSingleObjectEx
LoadLibraryA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
FormatMessageW
MultiByteToWideChar
HeapSize
HeapValidate
CreateMutexW
GetTempPathW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
GetFullPathNameW
HeapFree
HeapCreate
AreFileApisANSI
GetDateFormatW
GetSystemTimeAsFileTime
WideCharToMultiByte
SystemTimeToFileTime
GetTimeFormatW
lstrlenA
ClearCommError
PurgeComm
CreateRemoteThread
WaitForSingleObject
CreateProcessW
SetConsoleOutputCP
GetConsoleOutputCP
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
VirtualQueryEx
VirtualQuery
VirtualFreeEx
ReadProcessMemory
VirtualAllocEx
VirtualProtectEx
VirtualAlloc
VirtualFree
SetLastError
VirtualProtect
WriteProcessMemory
GetComputerNameExW
DeviceIoControl
OpenProcess
DuplicateHandle
GetCurrentProcess
GetCPInfo
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetStringTypeW
ReadConsoleW
WriteConsoleW
FlushFileBuffers
GetCurrentDirectoryW
RtlUnwind
GetFileAttributesW
FindClose
ExpandEnvironmentStringsW
FindNextFileW
GetFileSizeEx
FindFirstFileW
lstrlenW
FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryW
FileTimeToDosDateTime
GetTempFileNameA
FileTimeToLocalFileTime
DeleteFileA
CreateFileA
GetTempPathA
GetFileInformationByHandle
GetCurrentDirectoryA
SetFilePointer
LocalFree
CreateThread
CloseHandle
TerminateThread
GetLastError
Sleep
CreateFileW
LocalAlloc
WriteFile
ReadFile
FileTimeToSystemTime

Sections

.text
Size: 933KB - Virtual size: 932KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 461KB - Virtual size: 460KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 26KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Videos/64/86.exe
.exe windows:5 windows x86 arch:x86

ca37f3f3e8c3bc5843cfddf0de356d3a

Code Sign

0f:10:c0:55:a6:79:3b:59:c7:d8:f5:2d:64:b3:98:8d
Certificate

Issuer

CN=Certum Code Signing 2021 CA,O=Asseco Data Systems S.A.,C=PL

Not Before

29-05-2021 04:32

Not After

29-05-2022 04:32

Subject

CN=Open Source Developer\, Benjamin Delpy,O=Open Source Developer,L=Montreuil,C=FR,1.2.840.113549.1.9.1=#0c1762656e6a616d696e4067656e74696c6b6977692e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

99:a3:80:0a:26:55:3b:65:ab:dc:6e:84:a6:b3:ea:39
Certificate

Issuer

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

19-05-2021 05:32

Not After

18-05-2036 05:32

Subject

CN=Certum Code Signing 2021 CA,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

f1:64:25:8c:09:b6:e2:7b:e2:0e:32:60:8e:4b:f4:a8
Certificate

Issuer

CN=Certum Timestamping 2021 CA,O=Asseco Data Systems S.A.,C=PL

Not Before

19-05-2021 05:42

Not After

18-05-2032 05:42

Subject

CN=Certum Timestamp 2021,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87
Certificate

Issuer

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

19-05-2021 05:32

Not After

18-05-2036 05:32

Subject

CN=Certum Timestamping 2021 CA,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

31-05-2021 06:43

Not After

17-09-2029 06:43

Subject

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0f:10:c0:55:a6:79:3b:59:c7:d8:f5:2d:64:b3:98:8d
Certificate

Issuer

CN=Certum Code Signing 2021 CA,O=Asseco Data Systems S.A.,C=PL

Not Before

29-05-2021 04:32

Not After

29-05-2022 04:32

Subject

CN=Open Source Developer\, Benjamin Delpy,O=Open Source Developer,L=Montreuil,C=FR,1.2.840.113549.1.9.1=#0c1762656e6a616d696e4067656e74696c6b6977692e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

99:a3:80:0a:26:55:3b:65:ab:dc:6e:84:a6:b3:ea:39
Certificate

Issuer

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

19-05-2021 05:32

Not After

18-05-2036 05:32

Subject

CN=Certum Code Signing 2021 CA,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

f1:64:25:8c:09:b6:e2:7b:e2:0e:32:60:8e:4b:f4:a8
Certificate

Issuer

CN=Certum Timestamping 2021 CA,O=Asseco Data Systems S.A.,C=PL

Not Before

19-05-2021 05:42

Not After

18-05-2032 05:42

Subject

CN=Certum Timestamp 2021,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87
Certificate

Issuer

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

19-05-2021 05:32

Not After

18-05-2036 05:32

Subject

CN=Certum Timestamping 2021 CA,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

31-05-2021 06:43

Not After

17-09-2029 06:43

Subject

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

26:c4:63:f1:5b:51:8f:9d:18:5e:b3:f3:1f:30:81:15:4e:26:8d:b6:87:d4:c1:fa:45:45:8d:f5:ac:a6:9b:cd
Signer

Actual PE Digest

26:c4:63:f1:5b:51:8f:9d:18:5e:b3:f3:1f:30:81:15:4e:26:8d:b6:87:d4:c1:fa:45:45:8d:f5:ac:a6:9b:cd

Digest Algorithm

sha256

PE Digest Matches

true

92:e5:5f:17:b1:ee:ba:6a:77:97:4b:d7:9b:5c:ef:1d:91:77:5d:a0
Signer

Actual PE Digest

92:e5:5f:17:b1:ee:ba:6a:77:97:4b:d7:9b:5c:ef:1d:91:77:5d:a0

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

advapi32

CryptSetHashParam
CryptGetHashParam
CryptExportKey
CryptAcquireContextW
CryptSetKeyParam
CryptGetKeyParam
CryptReleaseContext
CryptDuplicateKey
CryptAcquireContextA
CryptGetProvParam
CryptImportKey
SystemFunction007
CryptEncrypt
CryptCreateHash
CryptGenKey
CryptDestroyKey
CryptDecrypt
CryptDestroyHash
CryptHashData
CopySid
GetLengthSid
LsaQueryInformationPolicy
LsaOpenPolicy
LsaClose
CreateWellKnownSid
CreateProcessWithLogonW
CreateProcessAsUserW
RegQueryValueExW
RegQueryInfoKeyW
RegEnumValueW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegSetValueExW
SystemFunction033
SystemFunction032
ConvertSidToStringSidW
CreateServiceW
CloseServiceHandle
DeleteService
OpenSCManagerW
SetServiceObjectSecurity
OpenServiceW
BuildSecurityDescriptorW
QueryServiceObjectSecurity
StartServiceW
AllocateAndInitializeSid
QueryServiceStatusEx
FreeSid
ControlService
IsTextUnicode
OpenProcessToken
GetTokenInformation
LookupAccountNameW
LookupAccountSidW
DuplicateTokenEx
CheckTokenMembership
CryptSetProvParam
CryptEnumProvidersW
ConvertStringSidToSidW
LsaFreeMemory
GetSidSubAuthority
GetSidSubAuthorityCount
IsValidSid
SetThreadToken
CryptEnumProviderTypesW
SystemFunction006
CryptGetUserKey
OpenEventLogW
GetNumberOfEventLogRecords
ClearEventLogW
SystemFunction001
CryptDeriveKey
SystemFunction005
LsaQueryTrustedDomainInfoByName
CryptSignHashW
LsaSetSecret
SystemFunction023
LsaOpenSecret
LsaQuerySecret
LsaRetrievePrivateData
LsaEnumerateTrustedDomainsEx
LookupPrivilegeValueW
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
LookupPrivilegeNameW
OpenThreadToken
EqualSid
CredFree
CredEnumerateW
SystemFunction026
ConvertStringSecurityDescriptorToSecurityDescriptorW
SystemFunction027
CredIsMarshaledCredentialW
CredUnmarshalCredentialW
A_SHAFinal
A_SHAInit
A_SHAUpdate

cabinet

ord11
ord14
ord10
ord13

crypt32

CryptSignAndEncodeCertificate
CertEnumSystemStore
CertEnumCertificatesInStore
CertAddCertificateContextToStore
CryptDecodeObjectEx
CryptStringToBinaryA
CertAddEncodedCertificateToStore
CertOpenStore
CertFreeCertificateContext
CertCloseStore
CryptStringToBinaryW
CertSetCertificateContextProperty
PFXExportCertStoreEx
CryptUnprotectData
CryptBinaryToStringW
CryptBinaryToStringA
CryptExportPublicKeyInfo
CryptFindOIDInfo
CryptAcquireCertificatePrivateKey
CertNameToStrW
CertFindCertificateInStore
CertGetCertificateContextProperty
CertGetNameStringW
CryptEncodeObject
CryptProtectData
CryptQueryObject

cryptdll

MD5Update
MD5Final
CDLocateCSystem
MD5Init
CDLocateCheckSum
CDGenerateRandomBits

dnsapi

DnsFree
DnsQuery_A

fltlib

FilterFindFirst
FilterFindNext

mpr

WNetCancelConnection2W
WNetAddConnection2W

netapi32

NetStatisticsGet
DsGetDcNameW
NetApiBufferFree
NetRemoteTOD
NetSessionEnum
NetServerGetInfo
DsEnumerateDomainTrustsW
NetShareEnum
NetWkstaUserEnum
I_NetServerAuthenticate2
I_NetServerTrustPasswordsGet
I_NetServerReqChallenge

odbc32

ord75
ord9
ord43
ord24
ord31
ord111
ord141
ord13

ole32

CoTaskMemFree
CoSetProxyBlanket
CoInitializeEx
CoUninitialize
CoCreateInstance

oleaut32

SysAllocString
VariantInit
SysFreeString
VariantClear

rpcrt4

RpcBindingFree
RpcBindingFromStringBindingW
RpcStringBindingComposeW
MesEncodeIncrementalHandleCreate
RpcBindingSetAuthInfoExW
RpcBindingInqAuthClientW
RpcBindingSetOption
RpcImpersonateClient
RpcStringFreeW
RpcRevertToSelf
MesDecodeIncrementalHandleCreate
MesHandleFree
MesIncrementalHandleReset
NdrMesTypeDecode2
NdrMesTypeAlignSize2
NdrMesTypeFree2
NdrMesTypeEncode2
RpcServerUnregisterIfEx
I_RpcBindingInqSecurityContext
RpcServerInqBindings
RpcServerListen
RpcMgmtWaitServerListen
RpcEpRegisterW
RpcMgmtStopServerListening
RpcBindingToStringBindingW
RpcServerRegisterIf2
RpcServerRegisterAuthInfoW
RpcBindingVectorFree
UuidToStringW
RpcServerUseProtseqEpW
RpcEpUnregister
NdrServerCall2
NdrClientCall2
UuidCreate
RpcEpResolveBinding
RpcBindingSetObject
RpcBindingSetAuthInfoW
RpcMgmtEpEltInqDone
RpcMgmtEpEltInqNextW
RpcMgmtEpEltInqBegin
I_RpcGetCurrentCallHandle

shlwapi

PathIsDirectoryW
PathFindFileNameW
PathIsRelativeW
PathCanonicalizeW
PathCombineW

samlib

SamEnumerateAliasesInDomain
SamQueryInformationUser
SamCloseHandle
SamEnumerateDomainsInSamServer
SamFreeMemory
SamEnumerateUsersInDomain
SamOpenUser
SamLookupDomainInSamServer
SamLookupNamesInDomain
SamLookupIdsInDomain
SamOpenDomain
SamConnect
SamSetInformationUser
SamiChangePasswordUser
SamEnumerateGroupsInDomain
SamGetGroupsForUser
SamGetMembersInGroup
SamRidToSid
SamGetMembersInAlias
SamGetAliasMembership
SamOpenGroup
SamOpenAlias

secur32

InitializeSecurityContextW
FreeContextBuffer
LsaLookupAuthenticationPackage
LsaFreeReturnBuffer
LsaDeregisterLogonProcess
QueryContextAttributesW
AcquireCredentialsHandleW
EnumerateSecurityPackagesW
FreeCredentialsHandle
DeleteSecurityContext
LsaCallAuthenticationPackage
LsaConnectUntrusted

shell32

CommandLineToArgvW

user32

SetClipboardViewer
DefWindowProcW
GetClipboardSequenceNumber
OpenClipboard
CreateWindowExW
ChangeClipboardChain
GetClipboardData
TranslateMessage
EnumClipboardFormats
PostMessageW
DispatchMessageW
GetKeyboardLayout
IsCharAlphaNumericW
SendMessageW
UnregisterClassW
GetMessageW
CloseClipboard
DestroyWindow
RegisterClassExW

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

hid

HidD_GetFeature
HidD_GetPreparsedData
HidP_GetCaps
HidD_FreePreparsedData
HidD_SetFeature
HidD_GetAttributes
HidD_GetHidGuid

setupapi

SetupDiGetDeviceInterfaceDetailW
SetupDiEnumDeviceInterfaces
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList

winscard

SCardControl
SCardTransmit
SCardDisconnect
SCardGetAttrib
SCardEstablishContext
SCardFreeMemory
SCardListReadersW
SCardReleaseContext
SCardGetCardTypeProviderNameW
SCardListCardsW
SCardConnectW

winsta

WinStationCloseServer
WinStationOpenServerW
WinStationFreeMemory
WinStationConnectW
WinStationQueryInformationW
WinStationEnumerateW

wldap32

ord208
ord145
ord36
ord13
ord41
ord73
ord310
ord77
ord142
ord54
ord309
ord304
ord79
ord301
ord127
ord26
ord167
ord147
ord27
ord88
ord157
ord14
ord122
ord140
ord203
ord69
ord139
ord97
ord223
ord12
ord113
ord224
ord96
ord133

msasn1

ASN1_CreateEncoder
ASN1BERDotVal2Eoid
ASN1_CloseEncoder
ASN1_CreateDecoder
ASN1_FreeEncoded
ASN1_CloseModule
ASN1_CloseDecoder
ASN1_CreateModule

ntdll

RtlIpv6AddressToStringW
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
RtlDowncaseUnicodeString
RtlFreeUnicodeString
RtlInitUnicodeString
RtlEqualUnicodeString
NtQueryObject
RtlCompressBuffer
RtlGetCompressionWorkSpaceSize
NtQuerySystemInformation
RtlGetCurrentPeb
NtQueryInformationProcess
RtlCreateUserThread
RtlGUIDFromString
RtlStringFromGUID
NtCompareTokens
RtlGetNtVersionNumbers
RtlEqualString
RtlUpcaseUnicodeString
RtlAppendUnicodeStringToString
RtlAnsiStringToUnicodeString
RtlFreeOemString
RtlUpcaseUnicodeStringToOemString
NtQueryDirectoryObject
NtResumeProcess
NtOpenDirectoryObject
RtlAdjustPrivilege
NtSuspendProcess
NtTerminateProcess
NtQuerySystemEnvironmentValueEx
NtSetSystemEnvironmentValueEx
NtEnumerateSystemEnvironmentValuesEx
RtlIpv4AddressToStringW

kernel32

SystemTimeToFileTime
lstrlenA
GetDateFormatW
GetSystemTimeAsFileTime
ClearCommError
CreateRemoteThread
WaitForSingleObject
CreateProcessW
SetConsoleOutputCP
GetConsoleOutputCP
CreateFileMappingW
UnmapViewOfFile
MapViewOfFile
WriteProcessMemory
VirtualProtect
InterlockedExchange
SetFilePointerEx
GetProcessId
GetComputerNameW
ProcessIdToSessionId
VirtualAllocEx
VirtualProtectEx
VirtualAlloc
SetLastError
ReadProcessMemory
VirtualFreeEx
VirtualQueryEx
VirtualFree
VirtualQuery
GetComputerNameExW
DeviceIoControl
DuplicateHandle
OpenProcess
GetCurrentProcess
ExpandEnvironmentStringsW
FindNextFileW
FindClose
GetCurrentDirectoryW
GetFileSizeEx
FlushFileBuffers
GetFileAttributesW
FindFirstFileW
lstrlenW
GetProcAddress
LoadLibraryW
GetModuleHandleW
FreeLibrary
DeleteFileA
GetTempPathA
GetFileInformationByHandle
FileTimeToLocalFileTime
GetCurrentDirectoryA
GetTempFileNameA
SetFilePointer
CreateFileA
FileTimeToDosDateTime
CreateThread
LocalFree
CloseHandle
LocalAlloc
GetLastError
CreateFileW
ReadFile
Sleep
TerminateThread
WriteFile
FileTimeToSystemTime
GetTimeFormatW
GetFullPathNameW
GetFullPathNameA
HeapReAlloc
GetFileSize
CreateMutexW
HeapCompact
SetEndOfFile
HeapAlloc
QueryPerformanceCounter
HeapFree
InterlockedCompareExchange
UnlockFile
FlushViewOfFile
LockFile
WaitForSingleObjectEx
OutputDebugStringW
GetTickCount
UnlockFileEx
GetProcessHeap
FormatMessageA
FormatMessageW
GetVersionExW
WideCharToMultiByte
HeapDestroy
GetFileAttributesA
HeapCreate
HeapValidate
MultiByteToWideChar
GetTempPathW
HeapSize
LockFileEx
GetDiskFreeSpaceW
LoadLibraryA
CreateFileMappingA
GetDiskFreeSpaceA
GetSystemInfo
GetFileAttributesExW
OutputDebugStringA
GetVersionExA
DeleteFileW
GetCurrentProcessId
GetSystemTime
AreFileApisANSI
ExitProcess
ExitThread
RaiseException
SetConsoleCtrlHandler
SetConsoleTitleW
SetFileAttributesW
GlobalSize
SetHandleInformation
CreatePipe
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
SetEvent
CreateEventW
GetSystemDirectoryW
SetConsoleCursorPosition
GetTimeZoneInformation
GetStdHandle
FillConsoleOutputCharacterW
GetConsoleScreenBufferInfo
IsWow64Process
SetCurrentDirectoryW
GetCurrentThread
RtlUnwind
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetVersion
GetModuleHandleA
GetCurrentThreadId
PurgeComm

msvcrt

calloc
__set_app_type
_lseeki64
wctomb
__setusermatherr
isspace
mbtowc
__mb_cur_max
_itoa
isleadbyte
isxdigit
localeconv
_snprintf
__p__fmode
ferror
iswctype
wcstombs
?terminate@@YAXXZ
_write
_isatty
ungetc
_controlfp
__badioinfo
__pioinfo
__p__commode
_read
isdigit
_vsnprintf
_amsg_exit
_initterm
exit
_XcptFilter
_exit
_cexit
_errno
free
_wcsdup
_except_handler3
strrchr
_wcsicmp
vfwprintf
_vscwprintf
fflush
_wfopen
wprintf
_fileno
_iob
vwprintf
_setmode
fclose
_stricmp
wcsrchr
wcschr
wcsstr
strtoul
_wcsnicmp
_vscprintf
memmove
strncmp
malloc
_msize
strcspn
realloc
fgetws
wcstoul
strchr
wcstol
wcsncmp
_wcstoui64
towupper
_wpgmptr
strstr
_strcmpi
getchar
memset
memcpy
__wgetmainargs

Sections

.text
Size: 622KB - Virtual size: 621KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 356KB - Virtual size: 356KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 33KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Videos/64/READ_NOTE.html
.html
Videos/64/dump.bat
Videos/64/dump.zip
.zip
Videos/64/mimidrv.sys
.sys windows:6 windows x64 arch:x64

a63c276e82b09fa57509d7958aa9d208

Code Sign

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

28-06-2011 09:46

Not After

28-06-2014 09:46

Subject

CN=Benjamin Delpy,C=FR

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

75:1e:3e:e9:c5:dc:2f:3e:8f:04:e5:9d:ee:5e:d4:09
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13-04-2011 10:00

Not After

13-04-2026 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageOCSPSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23-05-2006 17:00

Not After

23-05-2016 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

40:f1:5e:7c:89:ab:3f:c6:6c:d5:65:2b:f1:8d:20:54:40:3d:e9:d2
Signer

Actual PE Digest

40:f1:5e:7c:89:ab:3f:c6:6c:d5:65:2b:f1:8d:20:54:40:3d:e9:d2

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

c:\security\mimikatz\mimidrv\objfre_wnet_amd64\amd64\mimidrv.pdb

Imports

ntoskrnl.exe

KeBugCheck
IofCompleteRequest
IoCreateSymbolicLink
IoCreateDevice
PsProcessType
PsGetProcessImageFileName
PsLookupProcessByProcessId
PsReferencePrimaryToken
ZwOpenProcessTokenEx
IoGetCurrentProcess
ZwSetInformationProcess
ZwClose
ZwDuplicateToken
PsInitialSystemProcess
_vsnwprintf
ObfDereferenceObject
ObOpenObjectByPointer
PsGetProcessId
PsDereferencePrimaryToken
ExAllocatePoolWithTag
ExFreePoolWithTag
IoFreeMdl
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
ZwUnloadKey
IoEnumerateRegisteredFiltersList
KeBugCheckEx
MmGetSystemRoutineAddress
IoDeleteDevice
RtlInitUnicodeString
NtBuildNumber
RtlCompareMemory
IoDeleteSymbolicLink
PsGetVersion
ExAllocatePoolWithQuotaTag
ZwQuerySystemInformation
RtlUnwindEx

fltmgr.sys

FltGetFilterInformation
FltEnumerateInstances
FltEnumerateFilters
FltObjectDereference
FltGetVolumeFromInstance

Sections

.text
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 432B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 1024B - Virtual size: 651B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 648B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Videos/64/mimikatz.dll
.dll windows:5 windows x64 arch:x64

5f7014bbc9816fb4fe5b6ea815ee88d8

Code Sign

6b:32:6a:0f:03:28:d3:7a:1d:53:0b:fd:23:bd:48:e2
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

29-10-2015 11:30

Not After

09-06-2027 11:30

Subject

CN=Certum Code Signing CA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

15:19:af:35:17:02:ab:2d:86:96:8d:0b:e9:28:f5:29
Certificate

Issuer

CN=Certum Code Signing CA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

04-12-2017 09:50

Not After

04-12-2018 09:50

Subject

CN=Open Source Developer\, Benjamin Delpy,O=Open Source Developer,ST=Ile de France,C=FR,1.2.840.113549.1.9.1=#0c1762656e6a616d696e4067656e74696c6b6977692e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

fe:67:e4:f1:5a:24:e3:c6:0d:54:7c:a0:20:c2:76:70
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

08-03-2016 13:10

Not After

30-05-2027 13:10

Subject

CN=Certum EV TSA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

6b:32:6a:0f:03:28:d3:7a:1d:53:0b:fd:23:bd:48:e2
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

29-10-2015 11:30

Not After

09-06-2027 11:30

Subject

CN=Certum Code Signing CA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

15:19:af:35:17:02:ab:2d:86:96:8d:0b:e9:28:f5:29
Certificate

Issuer

CN=Certum Code Signing CA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

04-12-2017 09:50

Not After

04-12-2018 09:50

Subject

CN=Open Source Developer\, Benjamin Delpy,O=Open Source Developer,ST=Ile de France,C=FR,1.2.840.113549.1.9.1=#0c1762656e6a616d696e4067656e74696c6b6977692e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

fe:67:e4:f1:5a:24:e3:c6:0d:54:7c:a0:20:c2:76:70
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

08-03-2016 13:10

Not After

30-05-2027 13:10

Subject

CN=Certum EV TSA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

7c:65:d6:3d:ba:16:50:e7:6f:14:77:62:61:83:f9:1d:51:3e:f8:9f:77:35:4c:d8:a9:51:79:d2:c8:9d:80:b5
Signer

Actual PE Digest

7c:65:d6:3d:ba:16:50:e7:6f:14:77:62:61:83:f9:1d:51:3e:f8:9f:77:35:4c:d8:a9:51:79:d2:c8:9d:80:b5

Digest Algorithm

sha256

PE Digest Matches

true

bc:b2:e5:09:90:9f:15:a6:e3:53:ba:05:05:6c:c1:11:df:d6:4a:5e
Signer

Actual PE Digest

bc:b2:e5:09:90:9f:15:a6:e3:53:ba:05:05:6c:c1:11:df:d6:4a:5e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

advapi32

CryptSetHashParam
CryptGetHashParam
CryptExportKey
CryptAcquireContextW
CryptSetKeyParam
CryptGetKeyParam
CryptReleaseContext
CryptDuplicateKey
CryptAcquireContextA
CryptGetProvParam
CryptImportKey
SystemFunction007
CryptEncrypt
CryptCreateHash
CryptGenKey
CryptDestroyKey
CryptDecrypt
CryptDestroyHash
CryptHashData
CopySid
GetLengthSid
LsaQueryInformationPolicy
LsaOpenPolicy
LsaClose
CreateWellKnownSid
CreateProcessWithLogonW
CreateProcessAsUserW
RegQueryValueExW
RegQueryInfoKeyW
RegEnumValueW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegSetValueExW
SystemFunction032
ConvertSidToStringSidW
CreateServiceW
CloseServiceHandle
DeleteService
OpenSCManagerW
SetServiceObjectSecurity
OpenServiceW
BuildSecurityDescriptorW
QueryServiceObjectSecurity
StartServiceW
AllocateAndInitializeSid
QueryServiceStatusEx
FreeSid
ControlService
IsTextUnicode
OpenProcessToken
GetTokenInformation
LookupAccountNameW
LookupAccountSidW
DuplicateTokenEx
CheckTokenMembership
CryptEnumProvidersW
ConvertStringSidToSidW
LsaFreeMemory
SetThreadToken
CryptSetProvParam
CryptEnumProviderTypesW
SystemFunction006
CryptGetUserKey
OpenEventLogW
GetNumberOfEventLogRecords
ClearEventLogW
SystemFunction001
CryptDeriveKey
SystemFunction005
LsaQueryTrustedDomainInfoByName
CryptSignHashW
LsaOpenSecret
LsaQuerySecret
SystemFunction013
LsaRetrievePrivateData
LsaEnumerateTrustedDomainsEx
LookupPrivilegeValueW
StartServiceCtrlDispatcherW
SetServiceStatus
RegisterServiceCtrlHandlerW
IsValidSid
LookupPrivilegeNameW
OpenThreadToken
CredFree
CredEnumerateW
GetSidSubAuthority
GetSidSubAuthorityCount
SystemFunction025
ConvertStringSecurityDescriptorToSecurityDescriptorW
SystemFunction024
A_SHAFinal
A_SHAInit
A_SHAUpdate

cabinet

ord11
ord14
ord10
ord13

crypt32

CertGetNameStringW
CryptEncodeObject
CertEnumSystemStore
CryptSignAndEncodeCertificate
CertEnumCertificatesInStore
CertAddEncodedCertificateToStore
CertOpenStore
CertFreeCertificateContext
CertCloseStore
CertSetCertificateContextProperty
PFXExportCertStoreEx
CryptUnprotectData
CryptBinaryToStringW
CryptStringToBinaryW
CryptProtectData
CryptExportPublicKeyInfo
CryptAcquireCertificatePrivateKey
CertNameToStrW
CertGetCertificateContextProperty
CertAddCertificateContextToStore
CertFindCertificateInStore

cryptdll

CDGenerateRandomBits
MD5Final
CDLocateCSystem
CDLocateCheckSum
MD5Init
MD5Update

fltlib

FilterFindFirst
FilterFindNext

netapi32

NetServerGetInfo
NetStatisticsGet
NetShareEnum
NetSessionEnum
DsGetDcNameW
NetApiBufferFree
NetRemoteTOD
NetWkstaUserEnum
I_NetServerAuthenticate2
I_NetServerReqChallenge
I_NetServerTrustPasswordsGet

ole32

CoInitializeEx
CoUninitialize
CoCreateInstance

oleaut32

VariantInit
SysFreeString
SysAllocString

rpcrt4

RpcMgmtEpEltInqNextW
RpcMgmtEpEltInqBegin
I_RpcGetCurrentCallHandle
NdrClientCall2
RpcMgmtEpEltInqDone
RpcBindingFromStringBindingW
RpcStringBindingComposeW
MesEncodeIncrementalHandleCreate
RpcBindingSetAuthInfoExW
RpcBindingInqAuthClientW
RpcBindingSetOption
RpcImpersonateClient
RpcBindingFree
RpcStringFreeW
RpcRevertToSelf
MesDecodeIncrementalHandleCreate
MesHandleFree
MesIncrementalHandleReset
NdrMesTypeDecode2
NdrMesTypeAlignSize2
NdrMesTypeFree2
NdrMesTypeEncode2
RpcServerUnregisterIfEx
I_RpcBindingInqSecurityContext
RpcServerInqBindings
RpcServerListen
RpcMgmtWaitServerListen
RpcEpRegisterW
RpcMgmtStopServerListening
RpcBindingToStringBindingW
RpcServerRegisterIf2
RpcServerRegisterAuthInfoW
RpcBindingVectorFree
UuidToStringW
RpcServerUseProtseqEpW
RpcEpUnregister
NdrServerCall2
RpcEpResolveBinding
UuidCreate

shlwapi

PathIsDirectoryW
PathCanonicalizeW
PathCombineW
PathFindFileNameW
PathIsRelativeW

samlib

SamGetGroupsForUser
SamEnumerateGroupsInDomain
SamiChangePasswordUser
SamGetMembersInGroup
SamSetInformationUser
SamRidToSid
SamGetMembersInAlias
SamEnumerateAliasesInDomain
SamGetAliasMembership
SamOpenGroup
SamOpenAlias
SamQueryInformationUser
SamCloseHandle
SamEnumerateDomainsInSamServer
SamFreeMemory
SamEnumerateUsersInDomain
SamOpenUser
SamLookupDomainInSamServer
SamLookupNamesInDomain
SamLookupIdsInDomain
SamOpenDomain
SamConnect

secur32

FreeContextBuffer
LsaLookupAuthenticationPackage
LsaConnectUntrusted
LsaFreeReturnBuffer
LsaDeregisterLogonProcess
DeleteSecurityContext
LsaCallAuthenticationPackage
FreeCredentialsHandle
AcquireCredentialsHandleW
InitializeSecurityContextW
QueryContextAttributesW
EnumerateSecurityPackagesW

shell32

CommandLineToArgvW

user32

IsCharAlphaNumericW
GetKeyboardLayout
DispatchMessageW
DefWindowProcW
SetClipboardViewer
SendMessageW
GetClipboardSequenceNumber
OpenClipboard
CreateWindowExW
ChangeClipboardChain
GetClipboardData
RegisterClassExW
TranslateMessage
EnumClipboardFormats
PostMessageW
UnregisterClassW
GetMessageW
CloseClipboard
DestroyWindow

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

version

GetFileVersionInfoSizeW
VerQueryValueW
GetFileVersionInfoW

hid

HidD_GetPreparsedData
HidD_FreePreparsedData
HidP_GetCaps
HidD_GetFeature
HidD_GetAttributes
HidD_GetHidGuid
HidD_SetFeature

setupapi

SetupDiGetDeviceInterfaceDetailW
SetupDiEnumDeviceInterfaces
SetupDiGetClassDevsW
SetupDiDestroyDeviceInfoList

winscard

SCardGetCardTypeProviderNameW
SCardListCardsW
SCardControl
SCardReleaseContext
SCardListReadersW
SCardFreeMemory
SCardEstablishContext
SCardConnectW
SCardTransmit
SCardDisconnect
SCardGetAttrib

winsta

WinStationCloseServer
WinStationOpenServerW
WinStationFreeMemory
WinStationConnectW
WinStationQueryInformationW
WinStationEnumerateW

wldap32

ord140
ord122
ord14
ord88
ord133
ord142
ord77
ord27
ord13
ord147
ord96
ord208
ord224
ord36
ord79
ord157
ord26
ord41
ord127
ord73
ord301
ord304
ord309
ord54
ord310
ord69
ord139
ord97
ord223
ord12
ord145
ord113
ord167
ord203

msasn1

ASN1_CreateModule
ASN1_CloseEncoder
ASN1_CreateDecoder
ASN1_FreeEncoded
ASN1_CloseModule
ASN1_CreateEncoder
ASN1_CloseDecoder
ASN1BERDotVal2Eoid

ntdll

wcsncmp
_wcstoui64
towupper
wcstol
wcstoul
wcsstr
_wcsnicmp
strtoul
wcschr
wcsrchr
_stricmp
_vscwprintf
_wcsicmp
strrchr
_vsnprintf
memcmp
RtlUnicodeStringToAnsiString
RtlFreeAnsiString
RtlDowncaseUnicodeString
RtlFreeUnicodeString
RtlInitUnicodeString
RtlEqualUnicodeString
NtQueryObject
RtlCompressBuffer
RtlGetCompressionWorkSpaceSize
NtQuerySystemInformation
RtlGetCurrentPeb
NtQueryInformationProcess
RtlCreateUserThread
RtlGUIDFromString
RtlStringFromGUID
NtCompareTokens
RtlGetNtVersionNumbers
RtlEqualString
RtlUpcaseUnicodeString
RtlAppendUnicodeStringToString
RtlAnsiStringToUnicodeString
RtlFreeOemString
RtlUpcaseUnicodeStringToOemString
NtResumeProcess
RtlAdjustPrivilege
NtSuspendProcess
NtTerminateProcess
NtQuerySystemEnvironmentValueEx
NtSetSystemEnvironmentValueEx
NtEnumerateSystemEnvironmentValuesEx
RtlIpv4AddressToStringW
RtlIpv6AddressToStringW
memmove
__chkstk

kernel32

GetFullPathNameA
GetFullPathNameW
GetTimeFormatW
HeapReAlloc
GetSystemTimeAsFileTime
SystemTimeToFileTime
GetDateFormatW
lstrlenW
RtlVirtualUnwind
LoadLibraryA
GetProcessId
PurgeComm
ClearCommError
CreateRemoteThread
WaitForSingleObject
SetLastError
CreateProcessW
SetConsoleOutputCP
GetConsoleOutputCP
CreateFileMappingW
UnmapViewOfFile
MapViewOfFile
WriteProcessMemory
VirtualAllocEx
VirtualProtectEx
VirtualAlloc
ReadProcessMemory
VirtualFreeEx
VirtualQueryEx
VirtualFree
VirtualQuery
GetComputerNameExW
DeviceIoControl
DuplicateHandle
OpenProcess
GetCurrentProcess
ExpandEnvironmentStringsW
FindNextFileW
FindClose
GetCurrentDirectoryW
GetFileSizeEx
FlushFileBuffers
GetFileAttributesW
FindFirstFileW
DeleteFileA
GetTempPathA
GetFileInformationByHandle
FileTimeToLocalFileTime
GetCurrentDirectoryA
GetTempFileNameA
SetFilePointer
CreateFileA
FileTimeToDosDateTime
CreateThread
LocalFree
CloseHandle
LocalAlloc
GetLastError
CreateFileW
ReadFile
TerminateThread
WriteFile
FileTimeToSystemTime
Sleep
VirtualProtect
CreateMutexW
HeapCompact
TryEnterCriticalSection
SetEndOfFile
HeapAlloc
QueryPerformanceCounter
HeapFree
UnlockFile
FlushViewOfFile
LockFile
WaitForSingleObjectEx
OutputDebugStringW
GetTickCount
UnlockFileEx
GetProcessHeap
FormatMessageA
InitializeCriticalSection
FormatMessageW
GetVersionExW
HeapDestroy
LeaveCriticalSection
GetFileAttributesA
GetFileSize
HeapCreate
HeapValidate
MultiByteToWideChar
GetTempPathW
HeapSize
LockFileEx
EnterCriticalSection
GetDiskFreeSpaceW
CreateFileMappingA
GetDiskFreeSpaceA
GetSystemInfo
GetFileAttributesExW
DeleteCriticalSection
OutputDebugStringA
GetVersionExA
DeleteFileW
GetCurrentProcessId
GetSystemTime
AreFileApisANSI
AllocConsole
RaiseException
GetStdHandle
SetConsoleCtrlHandler
SetConsoleTitleW
lstrlenA
FreeLibrary
LoadLibraryW
GetProcAddress
GlobalSize
GetModuleHandleW
SetHandleInformation
CreatePipe
SetEvent
RtlLookupFunctionEntry
RtlCaptureContext
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentThreadId
WideCharToMultiByte
CreateEventW
GetSystemDirectoryW
SetConsoleCursorPosition
GetTimeZoneInformation
FillConsoleOutputCharacterW
GetComputerNameW
ProcessIdToSessionId
GetCurrentThread
SetCurrentDirectoryW
GetConsoleScreenBufferInfo

msvcrt

isdigit
isspace
_amsg_exit
mbtowc
__mb_cur_max
isleadbyte
isxdigit
localeconv
_snprintf
_itoa
calloc
wctomb
ferror
iswctype
wcstombs
__badioinfo
__pioinfo
_read
_fileno
_lseeki64
_write
_isatty
ungetc
strftime
_initterm
realloc
_msize
_XcptFilter
__C_specific_handler
memset
memcpy
malloc
getchar
_wpgmptr
_fdopen
_open_osfhandle
setvbuf
fgetws
_errno
free
_wcsdup
vfwprintf
fflush
_wfopen
wprintf
_iob
vwprintf
fclose
gmtime

Exports

Exports

mainW

Sections

.text
Size: 538KB - Virtual size: 538KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 294KB - Virtual size: 294KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 21KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Videos/64/mimilib.dll
.dll windows:5 windows x64 arch:x64

eaa79f1d9e8a00542b09cb462d0658ef

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

advapi32

CreateRestrictedToken
CreateProcessAsUserW
ConvertSidToStringSidA
IsTextUnicode
OpenProcessToken

ntdll

_stricmp
memcmp
RtlEqualString
RtlFreeUnicodeString
RtlStringFromGUID

rpcrt4

NdrMesTypeFree2
NdrMesTypeDecode2
MesIncrementalHandleReset
MesHandleFree
MesDecodeIncrementalHandleCreate

ole32

CoCreateInstance

kernel32

GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
TerminateProcess
QueryPerformanceCounter
SetUnhandledExceptionFilter
VirtualProtect
Sleep
GetCurrentProcess
CloseHandle
FreeLibrary
LoadLibraryW
lstrlenW
GetProcAddress
GetLastError
LocalAlloc
LocalFree
GetTimeFormatA
GetDateFormatA
FileTimeToSystemTime
FileTimeToLocalFileTime
RaiseException
LoadLibraryA
UnhandledExceptionFilter

msvcrt

_wfopen
fclose
free
vfwprintf
fflush
memcpy
memset
__C_specific_handler
_XcptFilter
_initterm
_amsg_exit
malloc

Exports

Exports

DhcpNewPktHook
DhcpServerCalloutEntry
DllCanUnloadNow
DllGetClassObject
DnsPluginCleanup
DnsPluginInitialize
DnsPluginQuery
ExtensionApiVersion
InitializeChangeNotify
Msv1_0SubAuthenticationFilter
Msv1_0SubAuthenticationRoutine
NPGetCaps
NPLogonNotify
PasswordChangeNotify
SpLsaModeInitialize
WinDbgExtensionDllInit
coffee
mimikatz
startW

Sections

.text
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 912B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 296B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Videos/64/mimispool.dll
.dll windows:5 windows x64 arch:x64

c38ebbf4627ca2303746c77210e5a12e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

advapi32

CreateProcessAsUserW
SetTokenInformation
DuplicateTokenEx
OpenProcessToken

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock

winsta

WinStationEnumerateW
WinStationFreeMemory

kernel32

GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
SetUnhandledExceptionFilter
UnhandledExceptionFilter
Sleep
GetCurrentProcess
SetLastError
CloseHandle
TerminateProcess
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
GetSystemTimeAsFileTime

msvcrt

memset
__C_specific_handler
_XcptFilter
malloc
free
_amsg_exit
_initterm

Exports

Exports

DrvDisableDriver
DrvEnableDriver
DrvQueryDriverInfo
DrvResetConfigCache
GenerateCopyFilePaths
SpoolerCopyFileEvent

Sections

.text
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 252B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 100B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Videos/Advanced_Port_Scanner_2.5.3869.exe
.exe windows:5 windows x86 arch:x86

48aa5c8931746a9655524f67b25a47ef

Code Sign

7e:93:eb:fb:7c:c6:4e:59:ea:4b:9a:77:d4:06:fc:3b
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

21-12-2012 00:00

Not After

30-12-2020 23:59

Subject

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0e:cf:f4:38:c8:fe:bf:35:6e:04:d8:6a:98:1b:1a:50
Certificate

Issuer

CN=Symantec Time Stamping Services CA - G2,O=Symantec Corporation,C=US

Not Before

18-10-2012 00:00

Not After

29-12-2020 23:59

Subject

CN=Symantec Time Stamping Services Signer - G4,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

6d:4d:b1:3d:65:97:90:b6:ea:c4:1c:c3:ac:16:f2:2c
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Not Before

21-12-2018 00:00

Not After

21-12-2019 23:59

Subject

CN=Famatech Corp.,O=Famatech Corp.,L=Road Town,ST=Tortola,C=VG

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

08-02-2010 00:00

Not After

07-02-2020 23:59

Subject

CN=VeriSign Class 3 Code Signing 2010 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)10,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

44:82:06:ac:63:f0:b2:b4:be:d6:75:fa:ce:06:89:47
Certificate

Issuer

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

08-10-2018 00:00

Not After

28-12-2021 23:59

Subject

CN=Famatech Corp.,O=Famatech Corp.,L=Road Town,ST=Tortola,C=VG

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

3d:78:d7:f9:76:49:60:b2:61:7d:f4:f0:1e:ca:86:2a
Certificate

Issuer

CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

10-12-2013 00:00

Not After

09-12-2023 23:59

Subject

CN=Symantec Class 3 SHA256 Code Signing CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7b:05:b1:d4:49:68:51:44:f7:c9:89:d2:9c:19:9d:12
Certificate

Issuer

CN=VeriSign Universal Root Certification Authority,OU=VeriSign Trust Network+OU=(c) 2008 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US

Not Before

12-01-2016 00:00

Not After

11-01-2031 23:59

Subject

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

7b:d4:e5:af:ba:cc:07:3f:a1:01:23:04:22:41:4d:12
Certificate

Issuer

CN=Symantec SHA256 TimeStamping CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Not Before

23-12-2017 00:00

Not After

22-03-2029 23:59

Subject

CN=Symantec SHA256 TimeStamping Signer - G3,OU=Symantec Trust Network,O=Symantec Corporation,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0f:77:a2:fb:92:6f:6a:58:a7:dd:73:b9:8d:11:fb:04:ee:e2:97:8d:9b:bd:45:18:fa:bb:75:d5:47:d0:58:32
Signer

Actual PE Digest

0f:77:a2:fb:92:6f:6a:58:a7:dd:73:b9:8d:11:fb:04:ee:e2:97:8d:9b:bd:45:18:fa:bb:75:d5:47:d0:58:32

Digest Algorithm

sha256

PE Digest Matches

true

db:05:f5:11:74:d5:47:d3:00:25:54:78:92:53:28:6c:98:77:3b:24
Signer

Actual PE Digest

db:05:f5:11:74:d5:47:d3:00:25:54:78:92:53:28:6c:98:77:3b:24

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Imports

oleaut32

SysFreeString
SysReAllocStringLen
SysAllocStringLen

advapi32

RegQueryValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges

user32

GetKeyboardType
LoadStringW
MessageBoxA
CharNextW
CreateWindowExW
TranslateMessage
SetWindowLongW
PeekMessageW
MsgWaitForMultipleObjects
MessageBoxW
LoadStringW
GetSystemMetrics
ExitWindowsEx
DispatchMessageW
DestroyWindow
CharUpperBuffW
CallWindowProcW

kernel32

GetACP
Sleep
VirtualFree
VirtualAlloc
GetSystemInfo
GetTickCount
QueryPerformanceCounter
GetVersion
GetCurrentThreadId
VirtualQuery
WideCharToMultiByte
MultiByteToWideChar
lstrlenW
lstrcpynW
LoadLibraryExW
GetThreadLocale
GetStartupInfoA
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetCommandLineW
FreeLibrary
FindFirstFileW
FindClose
ExitProcess
WriteFile
UnhandledExceptionFilter
RtlUnwind
RaiseException
GetStdHandle
CloseHandle
TlsSetValue
TlsGetValue
LocalAlloc
GetModuleHandleW
WriteFile
WideCharToMultiByte
WaitForSingleObject
VirtualQuery
VirtualProtect
VirtualFree
VirtualAlloc
SizeofResource
SignalObjectAndWait
SetLastError
SetFilePointer
SetEvent
SetErrorMode
SetEndOfFile
ResetEvent
RemoveDirectoryW
ReadFile
MultiByteToWideChar
LockResource
LoadResource
LoadLibraryW
GetWindowsDirectoryW
GetVersionExW
GetUserDefaultLangID
GetThreadLocale
GetSystemInfo
GetStdHandle
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetLocaleInfoW
GetLastError
GetFullPathNameW
GetFileSize
GetFileAttributesW
GetExitCodeProcess
GetEnvironmentVariableW
GetDiskFreeSpaceW
GetCurrentProcess
GetCommandLineW
GetCPInfo
InterlockedExchange
InterlockedCompareExchange
FreeLibrary
FormatMessageW
FindResourceW
EnumCalendarInfoW
DeleteFileW
CreateProcessW
CreateFileW
CreateEventW
CreateDirectoryW
CloseHandle
Sleep

comctl32

InitCommonControls

Sections

.text
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.itext
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.bss
Size: - Virtual size: 21KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 8B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 64KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Videos/Captures/READ_NOTE.html
.html
Videos/Captures/desktop.ini
Videos/PsExec.exe
.exe windows:5 windows x86 arch:x86

c1e59519b5e5d84af07afa6f5a8625f1

Code Sign

33:00:00:00:98:04:58:cb:7f:23:09:b0:9e:00:00:00:00:00:98
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

30-03-2016 19:21

Not After

30-06-2017 19:21

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:7AFA-E41C-E142,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04-06-2015 17:42

Not After

04-09-2016 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31-08-2010 22:19

Not After

31-08-2020 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03-04-2007 12:53

Not After

03-04-2021 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:64:47:84:94:86:db:41:19:38:00:00:00:00:00:64
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

28-10-2015 20:31

Not After

28-01-2017 20:31

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08-07-2011 20:59

Not After

08-07-2026 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0c:4f:c5:97:fa:40:70:59:c9:4b:35:34:f4:9b:c0:90:a1:1c:cb:4e:4e:6d:96:9a:f2:67:e1:4d:69:35:9f:71
Signer

Actual PE Digest

0c:4f:c5:97:fa:40:70:59:c9:4b:35:34:f4:9b:c0:90:a1:1c:cb:4e:4e:6d:96:9a:f2:67:e1:4d:69:35:9f:71

Digest Algorithm

sha256

PE Digest Matches

true

b4:77:bc:a0:7b:c3:2e:88:63:11:99:73:bc:91:f6:a5:5f:10:40:5f
Signer

Actual PE Digest

b4:77:bc:a0:7b:c3:2e:88:63:11:99:73:bc:91:f6:a5:5f:10:40:5f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

netapi32

NetServerEnum
NetApiBufferFree

ws2_32

gethostname
WSAStartup
inet_ntoa
gethostbyname

mpr

WNetCancelConnection2W
WNetAddConnection2W

kernel32

GetExitCodeProcess
ResumeThread
WaitForMultipleObjects
GetFileTime
DuplicateHandle
DisconnectNamedPipe
SetNamedPipeHandleState
TransactNamedPipe
CreateEventW
GetCurrentProcessId
GetFullPathNameW
SetFileAttributesW
GetFileAttributesW
CopyFileW
WaitNamedPipeW
SetConsoleCtrlHandler
SetConsoleTitleW
ReadConsoleW
GetVersion
SetProcessAffinityMask
ReadFile
GetConsoleScreenBufferInfo
MultiByteToWideChar
GetComputerNameW
DeleteFileW
CreateFileW
GetSystemDirectoryW
FindResourceW
LoadLibraryExW
FormatMessageA
GetTickCount
CloseHandle
WriteFile
SizeofResource
LoadResource
Sleep
WaitForSingleObject
SetEndOfFile
SetEvent
SetLastError
GetLastError
GetCurrentProcess
FreeLibrary
LockResource
SetPriorityClass
GetModuleFileNameW
GetCommandLineW
GetModuleHandleW
LoadLibraryW
GetStdHandle
GetFileType
LocalFree
LocalAlloc
GetProcAddress
FreeEnvironmentStringsW
LCMapStringW
OutputDebugStringW
HeapSize
HeapReAlloc
SetFilePointerEx
WriteConsoleW
GetEnvironmentVariableW
RaiseException
LoadLibraryExA
EncodePointer
DecodePointer
ExitProcess
GetModuleHandleExW
WideCharToMultiByte
HeapFree
HeapAlloc
GetConsoleMode
ReadConsoleInputA
SetConsoleMode
EnterCriticalSection
LeaveCriticalSection
SetStdHandle
CreateThread
GetCurrentThreadId
ExitThread
IsDebuggerPresent
IsProcessorFeaturePresent
GetStringTypeW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
DeleteCriticalSection
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
GetProcessHeap
FlushFileBuffers
GetConsoleCP
RtlUnwind
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetEnvironmentStringsW

comdlg32

PrintDlgW

advapi32

LsaClose
CreateProcessAsUserW
CryptHashData
CryptCreateHash
CryptDecrypt
CryptEncrypt
CryptImportKey
CryptExportKey
CryptDestroyKey
CryptDeriveKey
CryptGenKey
CryptReleaseContext
CryptAcquireContextW
StartServiceW
QueryServiceStatus
OpenServiceW
OpenSCManagerW
DeleteService
CreateServiceW
ControlService
CloseServiceHandle
OpenProcessToken
LsaEnumerateAccountRights
LsaOpenPolicy
LsaFreeMemory
SetSecurityInfo
GetSecurityInfo
LookupPrivilegeValueW
AddAccessAllowedAce
GetAce
AddAce
InitializeAcl
GetLengthSid
FreeSid
AllocateAndInitializeSid
SetTokenInformation
GetTokenInformation
RegSetValueExW
RegQueryValueExW
RegOpenKeyExW
RegOpenKeyW
RegCreateKeyW
RegCloseKey

Sections

.text
Size: 97KB - Virtual size: 97KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 58KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 183KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 144KB - Virtual size: 143KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Videos/PsExec64.exe
.exe windows:5 windows x64 arch:x64

159d56d406180a332fbc99290f30700e

Code Sign

33:00:00:00:9d:42:68:ee:31:1c:d7:56:bd:00:00:00:00:00:9d
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

30-03-2016 19:21

Not After

30-06-2017 19:21

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:148C-C4B9-2066,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04-06-2015 17:42

Not After

04-09-2016 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31-08-2010 22:19

Not After

31-08-2020 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03-04-2007 12:53

Not After

03-04-2021 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:64:47:84:94:86:db:41:19:38:00:00:00:00:00:64
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

28-10-2015 20:31

Not After

28-01-2017 20:31

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08-07-2011 20:59

Not After

08-07-2026 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

b2:69:2f:a4:eb:9e:f8:2f:9f:81:b0:ce:59:41:7d:90:d4:e4:1e:9a:0f:3b:44:46:bb:38:47:b7:16:dc:cc:bc
Signer

Actual PE Digest

b2:69:2f:a4:eb:9e:f8:2f:9f:81:b0:ce:59:41:7d:90:d4:e4:1e:9a:0f:3b:44:46:bb:38:47:b7:16:dc:cc:bc

Digest Algorithm

sha256

PE Digest Matches

true

30:c6:fd:26:33:2c:21:6a:6b:e9:02:f6:39:9e:9a:fb:2f:bc:8a:f5
Signer

Actual PE Digest

30:c6:fd:26:33:2c:21:6a:6b:e9:02:f6:39:9e:9a:fb:2f:bc:8a:f5

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

netapi32

NetServerEnum
NetApiBufferFree

ws2_32

WSAStartup
gethostname
inet_ntoa
gethostbyname

mpr

WNetCancelConnection2W
WNetAddConnection2W

kernel32

TransactNamedPipe
CreateEventW
GetEnvironmentVariableW
GetFullPathNameW
SetFileAttributesW
GetFileAttributesW
CopyFileW
WaitNamedPipeW
SetConsoleCtrlHandler
SetConsoleTitleW
ReadConsoleW
SetNamedPipeHandleState
GetEnvironmentStringsW
GetSystemTimeAsFileTime
QueryPerformanceCounter
GetConsoleCP
FlushFileBuffers
GetProcessHeap
RtlUnwindEx
GetStartupInfoW
TlsFree
TlsSetValue
DisconnectNamedPipe
DuplicateHandle
GetFileTime
WaitForMultipleObjects
ResumeThread
GetCurrentProcessId
GetExitCodeProcess
GetVersion
SetProcessAffinityMask
ReadFile
GetConsoleScreenBufferInfo
MultiByteToWideChar
GetComputerNameW
DeleteFileW
CreateFileW
GetSystemDirectoryW
FindResourceW
LoadLibraryExW
SetEndOfFile
FormatMessageA
GetTickCount
CloseHandle
WriteFile
SizeofResource
LoadResource
Sleep
WaitForSingleObject
SetEvent
SetLastError
GetLastError
GetCurrentProcess
FreeLibrary
LockResource
SetPriorityClass
GetModuleFileNameW
GetCommandLineW
GetModuleHandleW
LoadLibraryW
GetStdHandle
GetFileType
LocalFree
LocalAlloc
GetProcAddress
FreeEnvironmentStringsW
LCMapStringW
OutputDebugStringW
HeapSize
HeapReAlloc
SetFilePointerEx
WriteConsoleW
EncodePointer
DecodePointer
ExitProcess
GetModuleHandleExW
WideCharToMultiByte
HeapFree
HeapAlloc
GetConsoleMode
ReadConsoleInputA
SetConsoleMode
EnterCriticalSection
LeaveCriticalSection
SetStdHandle
CreateThread
GetCurrentThreadId
ExitThread
IsDebuggerPresent
IsProcessorFeaturePresent
GetStringTypeW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
DeleteCriticalSection
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
InitializeCriticalSectionAndSpinCount
TerminateProcess
TlsAlloc
TlsGetValue

user32

SetWindowTextW
GetDlgItem
SetCursor
DialogBoxIndirectParamW
SendMessageW
GetSysColorBrush
InflateRect
LoadCursorW
LoadStringW
EndDialog

gdi32

StartPage
EndDoc
StartDocW
SetMapMode
GetDeviceCaps
EndPage

comdlg32

PrintDlgW

advapi32

InitializeAcl
CreateProcessAsUserW
CryptHashData
CryptCreateHash
CryptDecrypt
CryptEncrypt
CryptImportKey
CryptExportKey
CryptDestroyKey
CryptDeriveKey
CryptGenKey
CryptReleaseContext
CryptAcquireContextW
StartServiceW
QueryServiceStatus
OpenServiceW
OpenSCManagerW
DeleteService
CreateServiceW
ControlService
CloseServiceHandle
OpenProcessToken
LsaEnumerateAccountRights
LsaOpenPolicy
LsaClose
LsaFreeMemory
SetSecurityInfo
GetSecurityInfo
LookupPrivilegeValueW
AddAccessAllowedAce
GetAce
AddAce
GetLengthSid
FreeSid
AllocateAndInitializeSid
SetTokenInformation
GetTokenInformation
RegSetValueExW
RegQueryValueExW
RegOpenKeyExW
RegOpenKeyW
RegCreateKeyW
RegCloseKey

Sections

.text
Size: 102KB - Virtual size: 102KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 69KB - Virtual size: 69KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 186KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 160KB - Virtual size: 160KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Videos/READ_NOTE.html
.html
Videos/crypt154.exe
.exe windows:6 windows x64 arch:x64

ae5c56576b41c76e45888c3b9fb91934

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

rstrtmgr

RmShutdown
RmEndSession
RmStartSession
RmGetList
RmRegisterResources

urlmon

URLDownloadToFileW

shlwapi

StrStrIW
PathFileExistsW
PathIsDirectoryW
PathIsUNCW
PathFindExtensionW

crypt32

CryptBinaryToStringA
CryptBinaryToStringW
CryptStringToBinaryW
CryptStringToBinaryA

kernel32

CreateFileA
GlobalMemoryStatusEx
GetComputerNameExA
GetComputerNameA
GetFileAttributesExW
OpenProcess
FormatMessageA
LocalFree
FormatMessageW
WideCharToMultiByte
MultiByteToWideChar
GetModuleHandleW
FindResourceW
LoadResource
LockResource
SizeofResource
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
FindClose
GetCurrentProcess
DeviceIoControl
CloseHandle
WaitForSingleObject
PeekNamedPipe
ReadFile
GetSystemTimes
AssignProcessToJobObject
IsValidCodePage
HeapReAlloc
ReadConsoleW
GetExitCodeProcess
GetConsoleMode
GetConsoleOutputCP
FlushFileBuffers
SetFilePointerEx
GetFileSizeEx
GetFileType
EnumSystemLocalesW
GetUserDefaultLCID
GetDriveTypeW
FindNextVolumeW
GetVolumePathNamesForVolumeNameW
FindVolumeClose
SetVolumeMountPointW
SetLastError
FindFirstVolumeW
GetLogicalDrives
QueryDosDeviceW
SetConsoleTitleW
GetConsoleWindow
GetCurrentProcessId
MoveFileW
WriteFile
FindNextFileW
FindFirstFileW
lstrcmpiW
GetLastError
SetFileAttributesW
CreatePipe
CreateFileW
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
GetProcessHeap
SetStdHandle
HeapSize
WriteConsoleW
SetEndOfFile
CreateProcessW
AcquireSRWLockExclusive
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetLocaleInfoEx
ReleaseSRWLockExclusive
RtlUnwind
WakeAllConditionVariable
SleepConditionVariableSRW
IsProcessorFeaturePresent
GetProcAddress
GetStringTypeW
TryAcquireSRWLockExclusive
Sleep
GetCurrentThreadId
WaitForSingleObjectEx
SwitchToThread
GetExitCodeThread
GetNativeSystemInfo
GetCurrentDirectoryW
FindFirstFileExW
QueryPerformanceCounter
QueryPerformanceFrequency
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
EncodePointer
DecodePointer
LoadLibraryExW
LCMapStringEx
GetSystemTimeAsFileTime
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsDebuggerPresent
GetStartupInfoW
InitializeSListHead
RtlUnwindEx
RtlPcToFileHeader
RaiseException
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
CreateThread
ExitThread
FreeLibraryAndExitThread
GetModuleHandleExW
DeleteFileW
ExitProcess
GetModuleFileNameW
GetStdHandle
GetCommandLineA
GetCommandLineW
HeapAlloc
HeapFree

user32

SystemParametersInfoW
GetForegroundWindow
EnumWindows
ShowWindow
IsWindowVisible
GetWindowThreadProcessId
FillRect
GetDC
GetShellWindow
GetAsyncKeyState

gdi32

CreateCompatibleBitmap
SelectObject
GetTextExtentPoint32A
CreateCompatibleDC
CreateFontW
GetBitmapBits
DeleteDC
SetTextColor
TextOutA
SetBkMode
GetObjectW
DeleteObject
CreateSolidBrush

advapi32

CryptEncrypt
CryptDuplicateKey
CryptGetKeyParam
CryptImportKey
CryptDestroyKey
CryptExportKey
CryptGenKey
CryptReleaseContext
CryptGenRandom
CryptAcquireContextW
GetTokenInformation
OpenProcessToken
RegGetValueA
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegGetValueW

shell32

SHGetFolderPathW
SHEmptyRecycleBinW

mpr

WNetGetConnectionW

Sections

.text
Size: 448KB - Virtual size: 448KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 241KB - Virtual size: 241KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Videos/desktop.ini
Videos/output.bmp

Sharing

General

Malware Config

Extracted

Signatures

Files

23e9f1e1d6aeb789637571e507824244

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

cabinet

crypt32

cryptdll

dnsapi

fltlib

mpr

netapi32

odbc32

ole32

oleaut32

rpcrt4

shlwapi

samlib

secur32

shell32

user32

userenv

version

hid

setupapi

winscard

winsta

wldap32

msasn1

ntdll

kernel32

Sections

.text Size: 933KB - Virtual size: 932KB

.rdata Size: 461KB - Virtual size: 460KB

.data Size: 26KB - Virtual size: 33KB

.pdata Size: 31KB - Virtual size: 31KB

_RDATA Size: 512B - Virtual size: 348B

.rsrc Size: 17KB - Virtual size: 16KB

.reloc Size: 8KB - Virtual size: 7KB

ca37f3f3e8c3bc5843cfddf0de356d3a

Code Sign

0f:10:c0:55:a6:79:3b:59:c7:d8:f5:2d:64:b3:98:8dCertificate

Extended Key Usages

Key Usages

99:a3:80:0a:26:55:3b:65:ab:dc:6e:84:a6:b3:ea:39Certificate

Extended Key Usages

Key Usages

f1:64:25:8c:09:b6:e2:7b:e2:0e:32:60:8e:4b:f4:a8Certificate

Extended Key Usages

Key Usages

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87Certificate

Extended Key Usages

Key Usages

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27Certificate

Key Usages

0f:10:c0:55:a6:79:3b:59:c7:d8:f5:2d:64:b3:98:8dCertificate

Extended Key Usages

Key Usages

99:a3:80:0a:26:55:3b:65:ab:dc:6e:84:a6:b3:ea:39Certificate

Extended Key Usages

Key Usages

f1:64:25:8c:09:b6:e2:7b:e2:0e:32:60:8e:4b:f4:a8Certificate

Extended Key Usages

Key Usages

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87Certificate

Extended Key Usages

Key Usages

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27Certificate

Key Usages

26:c4:63:f1:5b:51:8f:9d:18:5e:b3:f3:1f:30:81:15:4e:26:8d:b6:87:d4:c1:fa:45:45:8d:f5:ac:a6:9b:cdSigner

92:e5:5f:17:b1:ee:ba:6a:77:97:4b:d7:9b:5c:ef:1d:91:77:5d:a0Signer

Headers

DLL Characteristics

.text
Size: 933KB - Virtual size: 932KB

.rdata
Size: 461KB - Virtual size: 460KB

.data
Size: 26KB - Virtual size: 33KB

.pdata
Size: 31KB - Virtual size: 31KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 17KB - Virtual size: 16KB

.reloc
Size: 8KB - Virtual size: 7KB

0f:10:c0:55:a6:79:3b:59:c7:d8:f5:2d:64:b3:98:8d
Certificate

99:a3:80:0a:26:55:3b:65:ab:dc:6e:84:a6:b3:ea:39
Certificate

f1:64:25:8c:09:b6:e2:7b:e2:0e:32:60:8e:4b:f4:a8
Certificate

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87
Certificate

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27
Certificate

0f:10:c0:55:a6:79:3b:59:c7:d8:f5:2d:64:b3:98:8d
Certificate

99:a3:80:0a:26:55:3b:65:ab:dc:6e:84:a6:b3:ea:39
Certificate

f1:64:25:8c:09:b6:e2:7b:e2:0e:32:60:8e:4b:f4:a8
Certificate

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87
Certificate

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27
Certificate

26:c4:63:f1:5b:51:8f:9d:18:5e:b3:f3:1f:30:81:15:4e:26:8d:b6:87:d4:c1:fa:45:45:8d:f5:ac:a6:9b:cd
Signer

92:e5:5f:17:b1:ee:ba:6a:77:97:4b:d7:9b:5c:ef:1d:91:77:5d:a0
Signer

.text
Size: 622KB - Virtual size: 621KB

.rdata
Size: 356KB - Virtual size: 356KB

.data
Size: 14KB - Virtual size: 16KB

.rsrc
Size: 16KB - Virtual size: 15KB

.reloc
Size: 33KB - Virtual size: 32KB

11:21:69:41:7a:1c:3e:f4:6a:30:1f:99:38:5f:50:68:0f:a0
Certificate

75:1e:3e:e9:c5:dc:2f:3e:8f:04:e5:9d:ee:5e:d4:09
Certificate

61:0b:7f:6b:00:00:00:00:00:19
Certificate

40:f1:5e:7c:89:ab:3f:c6:6c:d5:65:2b:f1:8d:20:54:40:3d:e9:d2
Signer

.text
Size: 13KB - Virtual size: 12KB

.rdata
Size: 5KB - Virtual size: 5KB

.data
Size: 7KB - Virtual size: 7KB

.pdata
Size: 512B - Virtual size: 432B

PAGE
Size: 1024B - Virtual size: 651B

INIT
Size: 1KB - Virtual size: 1KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 648B

6b:32:6a:0f:03:28:d3:7a:1d:53:0b:fd:23:bd:48:e2
Certificate

15:19:af:35:17:02:ab:2d:86:96:8d:0b:e9:28:f5:29
Certificate