Sample details: 6eb66288a6716ebfc6a09e9af1a68788

Hashes
MD5: 6eb66288a6716ebfc6a09e9af1a68788
SHA1: f8c152e4230c42e751506fca814b8e678009fd9e
SHA256: de6d77799e15afb038e2982571c548b3d3474ec445951ca4e1429b95600d3635
SSDEEP: 768:5me77yskh9pIdu9rZiDN0dc8kglmbysnsFmFzI+OwntQpltEFiEh9hFUPEhYl:skwZOCdrLlmb/sFGfPtQpltWiEf3sEe
Details
File Type: PE32+
Yara Hits
YRP/IsPE64 | YRP/IsDLL | YRP/IsConsole | YRP/HasOverlay | YRP/HasDigitalSignature | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/win_token | YRP/mimikatz
Parent Files
6acec394718b86af1cab369f7a25f430
Strings
bcrypt.dll
```hhh
xppwpp
DhcpServerCalloutEntry
CredentialKeys
Primary
	 [%08x] %Z
n.e. (Lecture KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)
n.e. (Lecture KIWI_MSV1_0_CREDENTIALS KO)
	 * Key List
	 [%08x]
	 [%08x]
	 * GUID      :	
	 * Time      :	
	 * MasterKey :	
\x%02x
0x%02x, 
null             
des_plain        
des_cbc_crc      
des_cbc_md4      
des_cbc_md5      
des_cbc_md5_nt   
rc4_plain        
rc4_plain2       
rc4_plain_exp    
rc4_lm           
rc4_md4          
rc4_sha          
rc4_hmac_nt      
rc4_hmac_nt_exp  
rc4_plain_old    
rc4_plain_old_exp
rc4_hmac_old     
rc4_hmac_old_exp 
aes128_hmac_plain
aes256_hmac_plain
aes128_hmac      
aes256_hmac      
unknow           
[ERROR] [RPC Decode] Exception 0x%08x: (%u)
[ERROR] [RPC Decode] MesIncrementalHandleReset: %08x
[ERROR] [RPC Decode] MesDecodeIncrementalHandleCreate: %08x
[ERROR] [RPC Free] Exception 0x%08x: (%u)
[ERROR] [RPC Free] MesDecodeIncrementalHandleCreate: %08x
credman
dpapisrv!g_MasterKeyCacheList
lsasrv!g_MasterKeyCacheList
masterkey
msv1_0!SspCredentialList
kerberos!KerbGlobalLogonSessionTable
kerberos
livessp!LiveGlobalLogonSessionList
livessp
wdigest!l_LogSessList
wdigest
tspkg!TSGlobalCredTable
CachedUnlock
CachedRemoteInteractive
CachedInteractive
RemoteInteractive
NewCredentials
NetworkCleartext
Unlock
Service
Network
Interactive
Unknown !
UndefinedLogonType
  .#####.   mimikatz 2.1 alpha (x64) built on Feb  3 2018 23:33:14
 .## ^ ##.  "A La Vie, A L'Amour" - Windows build %hu
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                  WinDBG extension ! * * */
===================================
#         * Kernel mode *         #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
#          * User mode *          #
===================================
0:000> !mimikatz
===================================
    ( (
     ) )
  .______.
  |      |]
  \      /
   `----'
lsasrv!LogonSessionLeakList
lsasrv!InitializationVector
lsasrv!hAesKey
lsasrv!h3DesKey
lsasrv!LogonSessionList
lsasrv!LogonSessionListCount
kdcsvc!SecData
krbtgt keys
===========
Current
Previous
kdcsvc!KdcDomainList
Domain List
===========
SekurLSA
========
Authentication Id : %u ; %u (%08x:%08x)
Session           : %s from %u
User Name         : %wZ
Domain            : %wZ
Logon Server      : %wZ
Logon Time        : 
SID               : 
	%s : 
[ERROR] [LSA] Symbols
%p - lsasrv!LogonSessionListCount
%p - lsasrv!LogonSessionList
[ERROR] [CRYPTO] Acquire keys
[ERROR] [CRYPTO] Symbols
%p - lsasrv!InitializationVector
%p - lsasrv!hAesKey
%p - lsasrv!h3DesKey
[ERROR] [CRYPTO] Init
	 * Username : %wZ
	 * Domain   : %wZ
	 * LM       : 
	 * NTLM     : 
	 * SHA1     : 
	 * DPAPI    : 
	 * Raw data : 
	 * Smartcard
	     PIN code : %wZ
	     Model    : %S
	     Reader   : %S
	     Key name : %S
	     Provider : %S
	   %s 
<no size, buffer is incorrect>
Unknown version in Kerberos credentials structure
%wZ	%wZ	
	 * Username : %wZ
	 * Domain   : %wZ
	 * Password : 
LUID KO
	 * RootKey  : 
	 * %08x : 
	   * LSA Isolated Data: %.*s
	     Unk-Key  : 
	     Encrypted: 
		   SS:%u, TS:%u, DS:%u
		   0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:
, 5:0x%x
	   * unkData1 : 
	     unkData2 : 
%s krbtgt: 
%u credentials
	 * %s : 
  [%s] 
-> %wZ
%wZ ->
	from: 
	* %s : 
Domain: %wZ (%wZ
  * RSA key
	PVK (private key)
	DER (public key and certificate)
  * Legacy key
  * Unknown key (seen as %08x)
lsasrv!g_guidPreferredKey
lsasrv!g_pbPreferredKey
lsasrv!g_cbPreferredKey
lsasrv!g_guidW2KPreferredKey
lsasrv!g_pbW2KPreferredKey
lsasrv!g_cbW2KPreferredKey
lsasrv!g_fSystemCredsInitialized
lsasrv!g_rgbSystemCredMachine
lsasrv!g_rgbSystemCredUser
dpapisrv!g_guidPreferredKey
dpapisrv!g_pbPreferredKey
dpapisrv!g_cbPreferredKey
dpapisrv!g_guidW2KPreferredKey
dpapisrv!g_pbW2KPreferredKey
dpapisrv!g_cbW2KPreferredKey
dpapisrv!g_fSystemCredsInitialized
dpapisrv!g_rgbSystemCredMachine
dpapisrv!g_rgbSystemCredUser
DPAPI Backup keys
=================
Current prefered key:       
Compatibility prefered key: 
DPAPI System
============
full: 
m/u : 
bcrypt.dll
BCryptOpenAlgorithmProvider
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptGetProperty
OpenProcessToken
CreateRestrictedToken
CreateProcessAsUserW
ConvertSidToStringSidA
IsTextUnicode
ADVAPI32.dll
RtlEqualString
RtlStringFromGUID
RtlFreeUnicodeString
ntdll.dll
MesDecodeIncrementalHandleCreate
MesHandleFree
MesIncrementalHandleReset
NdrMesTypeDecode2
NdrMesTypeFree2
RPCRT4.dll
GetCurrentProcess
CloseHandle
FreeLibrary
LoadLibraryW
lstrlenW
GetProcAddress
LocalAlloc
LocalFree
GetTimeFormatA
GetDateFormatA
FileTimeToSystemTime
FileTimeToLocalFileTime
RaiseException
GetLastError
LoadLibraryA
KERNEL32.dll
_stricmp
_wfopen
fclose
vfwprintf
fflush
msvcrt.dll
memcpy
memset
__C_specific_handler
_XcptFilter
malloc
_initterm
_amsg_exit
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
mimilib.dll
DhcpNewPktHook
DhcpServerCalloutEntry
DnsPluginCleanup
DnsPluginInitialize
DnsPluginQuery
ExtensionApiVersion
InitializeChangeNotify
PasswordChangeNotify
SpLsaModeInitialize
WinDbgExtensionDllInit
coffee
mimikatz
startW