Sample details: 9d991e19a0759bfc0471d30024e8e7a2

Hashes
MD5: 9d991e19a0759bfc0471d30024e8e7a2
SHA1: 7871e72ddf20bd787b2e57466a34ea0b3513d6bb
SHA256: 162436482cd205e4ea37f980319e14012662d6f906671d9ca2b92fcd2a08267d
SSDEEP: 768:bbow/B5lTvFfOne7ps3sd3+rxtQplifnFxEhlFKwEh5j:PdrFfEe7i8d8xtQplSFxEV5E7j
Details
File Type: PE32
Yara Hits
YRP/Visual_Cpp_2005_DLL_Microsoft | YRP/Visual_Cpp_2003_DLL_Microsoft | YRP/IsPE32 | YRP/IsDLL | YRP/IsConsole | YRP/HasOverlay | YRP/HasDigitalSignature | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/win_token | YRP/mimikatz
Parent Files
6acec394718b86af1cab369f7a25f430
Strings
		!This program cannot be run in DOS mode.
`.rdata
@.data
@.reloc
bcrypt.dll
DhcpServerCalloutEntry
CredentialKeys
Primary
	 [%08x] %Z
n.e. (Lecture KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)
n.e. (Lecture KIWI_MSV1_0_CREDENTIALS KO)
	 * Key List
	 [%08x]
	 [%08x]
	 * GUID      :	
	 * Time      :	
	 * MasterKey :	
\x%02x
0x%02x, 
null             
des_plain        
des_cbc_crc      
des_cbc_md4      
des_cbc_md5      
des_cbc_md5_nt   
rc4_plain        
rc4_plain2       
rc4_plain_exp    
rc4_lm           
rc4_md4          
rc4_sha          
rc4_hmac_nt      
rc4_hmac_nt_exp  
rc4_plain_old    
rc4_plain_old_exp
rc4_hmac_old     
rc4_hmac_old_exp 
aes128_hmac_plain
aes256_hmac_plain
aes128_hmac      
aes256_hmac      
unknow           
[ERROR] [RPC Decode] Exception 0x%08x: (%u)
[ERROR] [RPC Decode] MesIncrementalHandleReset: %08x
[ERROR] [RPC Decode] MesDecodeIncrementalHandleCreate: %08x
[ERROR] [RPC Free] Exception 0x%08x: (%u)
[ERROR] [RPC Free] MesDecodeIncrementalHandleCreate: %08x
credman
dpapisrv!g_MasterKeyCacheList
lsasrv!g_MasterKeyCacheList
masterkey
msv1_0!SspCredentialList
kerberos!KerbGlobalLogonSessionTable
kerberos
livessp!LiveGlobalLogonSessionList
livessp
wdigest!l_LogSessList
wdigest
tspkg!TSGlobalCredTable
CachedUnlock
CachedRemoteInteractive
CachedInteractive
RemoteInteractive
NewCredentials
NetworkCleartext
Unlock
Service
Network
Interactive
Unknown !
UndefinedLogonType
  .#####.   mimikatz 2.1 alpha (x86) built on Feb  3 2018 23:32:58
 .## ^ ##.  "A La Vie, A L'Amour" - Windows build %hu
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                  WinDBG extension ! * * */
===================================
#         * Kernel mode *         #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
#          * User mode *          #
===================================
0:000> !mimikatz
===================================
    ( (
     ) )
  .______.
  |      |]
  \      /
   `----'
lsasrv!LogonSessionLeakList
lsasrv!InitializationVector
lsasrv!hAesKey
lsasrv!h3DesKey
lsasrv!LogonSessionList
lsasrv!LogonSessionListCount
kdcsvc!SecData
krbtgt keys
===========
Current
Previous
SekurLSA
========
Authentication Id : %u ; %u (%08x:%08x)
Session           : %s from %u
User Name         : %wZ
Domain            : %wZ
Logon Server      : %wZ
Logon Time        : 
SID               : 
	%s : 
[ERROR] [LSA] Symbols
%p - lsasrv!LogonSessionListCount
%p - lsasrv!LogonSessionList
[ERROR] [CRYPTO] Acquire keys
[ERROR] [CRYPTO] Symbols
%p - lsasrv!InitializationVector
%p - lsasrv!hAesKey
%p - lsasrv!h3DesKey
[ERROR] [CRYPTO] Init
	 * Username : %wZ
	 * Domain   : %wZ
	 * LM       : 
	 * NTLM     : 
	 * SHA1     : 
	 * DPAPI    : 
	 * Raw data : 
	 * Smartcard
	     PIN code : %wZ
	     Model    : %S
	     Reader   : %S
	     Key name : %S
	     Provider : %S
	   %s 
<no size, buffer is incorrect>
Unknown version in Kerberos credentials structure
%wZ	%wZ	
	 * Username : %wZ
	 * Domain   : %wZ
	 * Password : 
LUID KO
	 * RootKey  : 
	 * %08x : 
	   * LSA Isolated Data: %.*s
	     Unk-Key  : 
	     Encrypted: 
		   SS:%u, TS:%u, DS:%u
		   0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:
, 5:0x%x
	   * unkData1 : 
	     unkData2 : 
%s krbtgt: 
%u credentials
	 * %s : 
  * RSA key
	PVK (private key)
	DER (public key and certificate)
  * Legacy key
  * Unknown key (seen as %08x)
lsasrv!g_guidPreferredKey
lsasrv!g_pbPreferredKey
lsasrv!g_cbPreferredKey
lsasrv!g_guidW2KPreferredKey
lsasrv!g_pbW2KPreferredKey
lsasrv!g_cbW2KPreferredKey
lsasrv!g_fSystemCredsInitialized
lsasrv!g_rgbSystemCredMachine
lsasrv!g_rgbSystemCredUser
dpapisrv!g_guidPreferredKey
dpapisrv!g_pbPreferredKey
dpapisrv!g_cbPreferredKey
dpapisrv!g_guidW2KPreferredKey
dpapisrv!g_pbW2KPreferredKey
dpapisrv!g_cbW2KPreferredKey
dpapisrv!g_fSystemCredsInitialized
dpapisrv!g_rgbSystemCredMachine
dpapisrv!g_rgbSystemCredUser
DPAPI Backup keys
=================
Current prefered key:       
Compatibility prefered key: 
DPAPI System
============
full: 
m/u : 
bcrypt.dll
BCryptOpenAlgorithmProvider
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptGetProperty
OpenProcessToken
CreateRestrictedToken
CreateProcessAsUserW
ConvertSidToStringSidA
IsTextUnicode
ADVAPI32.dll
RtlEqualString
RtlStringFromGUID
RtlFreeUnicodeString
ntdll.dll
MesDecodeIncrementalHandleCreate
MesHandleFree
MesIncrementalHandleReset
NdrMesTypeDecode2
NdrMesTypeFree2
RPCRT4.dll
GetCurrentProcess
CloseHandle
FreeLibrary
LoadLibraryW
lstrlenW
GetProcAddress
LocalAlloc
LocalFree
GetTimeFormatA
GetDateFormatA
FileTimeToSystemTime
FileTimeToLocalFileTime
RaiseException
InterlockedExchange
GetLastError
LoadLibraryA
KERNEL32.dll
_wfopen
fclose
_stricmp
vfwprintf
fflush
msvcrt.dll
memset
memcpy
_XcptFilter
malloc
_initterm
_amsg_exit
RtlUnwind
InterlockedCompareExchange
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
_except_handler3
mimilib.dll
DhcpNewPktHook
DhcpServerCalloutEntry
DnsPluginCleanup
DnsPluginInitialize
DnsPluginQuery
ExtensionApiVersion
InitializeChangeNotify
PasswordChangeNotify
SpLsaModeInitialize
WinDbgExtensionDllInit
coffee
mimikatz
startW