Static | ZeroBOX

PE Compile Time

2022-09-20 00:44:01

PE Imphash

eaa79f1d9e8a00542b09cb462d0658ef

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Entropy
.text   0x00001000       0x00004b58    0x00004c00        6.09167139288
.rdata  0x00006000       0x00002dd5    0x00002e00        5.01570526989
.data   0x00009000       0x00000d50    0x00000800        4.19698236902
.pdata  0x0000a000       0x00000390    0x00000400        3.87021407094
.rsrc   0x0000b000       0x00000430    0x00000600        2.51960820356
.reloc  0x0000c000       0x00000128    0x00000200        2.09351560302

Resources

Name        Offset      Size        Language      Sub-language        File type
RT_VERSION  0x0000b060  0x000003cc  LANG_ENGLISH  SUBLANG_ENGLISH_US  data

Imports

Library ADVAPI32.dll:
0x180006000 CreateRestrictedToken
0x180006008 CreateProcessAsUserW
0x180006010 ConvertSidToStringSidA
0x180006018 IsTextUnicode
0x180006020 OpenProcessToken
Library ntdll.dll:
0x1800061b0 _stricmp
0x1800061b8 memcmp
0x1800061c0 RtlEqualString
0x1800061c8 RtlFreeUnicodeString
0x1800061d0 RtlStringFromGUID
Library RPCRT4.dll:
0x180006118 NdrMesTypeFree2
0x180006120 NdrMesTypeDecode2
0x180006130 MesHandleFree
Library ole32.dll:
0x1800061e0 CoCreateInstance
Library KERNEL32.dll:
0x180006030 GetSystemTimeAsFileTime
0x180006038 GetCurrentProcessId
0x180006040 GetCurrentThreadId
0x180006048 GetTickCount
0x180006050 RtlVirtualUnwind
0x180006058 RtlLookupFunctionEntry
0x180006060 RtlCaptureContext
0x180006068 TerminateProcess
0x180006070 QueryPerformanceCounter
0x180006080 VirtualProtect
0x180006088 Sleep
0x180006090 GetCurrentProcess
0x180006098 CloseHandle
0x1800060a0 FreeLibrary
0x1800060a8 LoadLibraryW
0x1800060b0 lstrlenW
0x1800060b8 GetProcAddress
0x1800060c0 GetLastError
0x1800060c8 LocalAlloc
0x1800060d0 LocalFree
0x1800060d8 GetTimeFormatA
0x1800060e0 GetDateFormatA
0x1800060e8 FileTimeToSystemTime
0x1800060f0 FileTimeToLocalFileTime
0x1800060f8 RaiseException
0x180006100 LoadLibraryA
0x180006108 UnhandledExceptionFilter
Library msvcrt.dll:
0x180006148 _wfopen
0x180006150 fclose
0x180006158 free
0x180006160 vfwprintf
0x180006168 fflush
0x180006170 memcpy
0x180006178 memset
0x180006180 __C_specific_handler
0x180006188 _XcptFilter
0x180006190 _initterm
0x180006198 _amsg_exit
0x1800061a0 malloc
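
The imphash reported above is, as implemented in pefile, the MD5 of the imported "library.function" names (library lower-cased with .dll/.ocx/.sys stripped, function lower-cased, ordinal-only imports written as ordN), joined with commas in import-directory order. The following routine is an added example, not part of the ZeroBOX report and not mimikatz code; it recomputes that value from a transcription of the table above, with the DLLs ordered by their IAT slot (0x180006000 ADVAPI32, 0x180006030 KERNEL32, 0x180006118 RPCRT4, 0x180006148 msvcrt, 0x1800061b0 ntdll, 0x1800061e0 ole32), which is an assumption about the import-directory order. Caveat before relying on the result: the table skips three IAT slots (0x180006078, 0x180006128, 0x180006138), and the strings section names three imports that are absent from it (SetUnhandledExceptionFilter, MesIncrementalHandleReset, MesDecodeIncrementalHandleCreate), so the transcription is incomplete and the hash it produces will not equal eaa79f1d9e8a00542b09cb462d0658ef; feed the routine a full import list from a PE parser to verify the value. Functions resolved at run time through LoadLibrary/GetProcAddress (the bcrypt.dll names in the strings section) never enter an imphash.

```powershell
# Added example (not from the ZeroBOX report or from mimikatz): pefile-style imphash.
function Get-ImpHash {
    param(
        # Ordered map of DLL name -> function names, in import-directory order.
        # Write an ordinal-only import as '#<number>'.
        [Parameter(Mandatory)][System.Collections.Specialized.OrderedDictionary]$Imports
    )
    $pairs = foreach ($dll in $Imports.Keys) {
        # pefile lower-cases the library name and drops a .dll/.ocx/.sys extension
        $lib = $dll.ToLowerInvariant() -replace '\.(dll|ocx|sys)$', ''
        foreach ($func in @($Imports[$dll])) {
            # pefile renders unnamed imports as ordN (for a few DLLs it maps ordinals
            # to names first; that table is not reproduced here, an assumption of this demo)
            $name = if ($func -match '^#(\d+)$') { 'ord' + $Matches[1] } else { $func.ToLowerInvariant() }
            '{0}.{1}' -f $lib, $name
        }
    }
    $bytes = [System.Text.Encoding]::ASCII.GetBytes(($pairs -join ','))
    $md5   = [System.Security.Cryptography.MD5]::Create()
    try     { ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $md5.Dispose() }
}

# Transcribed from the Imports table on this page, DLLs ordered by IAT slot (assumed
# import-directory order). Known to be incomplete: three IAT slots are not listed.
$ReportImports = [ordered]@{
    'ADVAPI32.dll' = 'CreateRestrictedToken','CreateProcessAsUserW','ConvertSidToStringSidA',
                     'IsTextUnicode','OpenProcessToken'
    'KERNEL32.dll' = 'GetSystemTimeAsFileTime','GetCurrentProcessId','GetCurrentThreadId','GetTickCount',
                     'RtlVirtualUnwind','RtlLookupFunctionEntry','RtlCaptureContext','TerminateProcess',
                     'QueryPerformanceCounter','VirtualProtect','Sleep','GetCurrentProcess','CloseHandle',
                     'FreeLibrary','LoadLibraryW','lstrlenW','GetProcAddress','GetLastError','LocalAlloc',
                     'LocalFree','GetTimeFormatA','GetDateFormatA','FileTimeToSystemTime',
                     'FileTimeToLocalFileTime','RaiseException','LoadLibraryA','UnhandledExceptionFilter'
    'RPCRT4.dll'   = 'NdrMesTypeFree2','NdrMesTypeDecode2','MesHandleFree'
    'msvcrt.dll'   = '_wfopen','fclose','free','vfwprintf','fflush','memcpy','memset',
                     '__C_specific_handler','_XcptFilter','_initterm','_amsg_exit','malloc'
    'ntdll.dll'    = '_stricmp','memcmp','RtlEqualString','RtlFreeUnicodeString','RtlStringFromGUID'
    'ole32.dll'    = 'CoCreateInstance'
}

Get-ImpHash -Imports $ReportImports
```

Because the hash covers names and order only, relinking with one extra import or a different link order changes it completely; treat imphash as a pivot for finding builds from the same source tree, not as a durable signature for a tool whose source is public.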

Exports

Ordinal  Address      Name
1        0x1800011ec  DhcpNewPktHook
2        0x18000113c  DhcpServerCalloutEntry
3        0x180001c04  DllCanUnloadNow
4        0x180001b98  DllGetClassObject
5        0x180001474  DnsPluginCleanup
6        0x180001474  DnsPluginInitialize
7        0x1800012b0  DnsPluginQuery
8        0x180003150  ExtensionApiVersion
9        0x180001314  InitializeChangeNotify
10       0x180001570  Msv1_0SubAuthenticationFilter
11       0x180001570  Msv1_0SubAuthenticationRoutine
12       0x180001450  NPGetCaps
13       0x1800013a0  NPLogonNotify
14       0x180001318  PasswordChangeNotify
15       0x180001554  SpLsaModeInitialize
16       0x180003158  WinDbgExtensionDllInit
17       0x180003194  coffee
18       0x1800031a4  mimikatz
19       0x180001000  startW
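
The export names are the entry points of several Windows extension interfaces that are loaded into privileged services, which is what makes this DLL a persistence and credential-capture vehicle rather than a stand-alone tool: InitializeChangeNotify/PasswordChangeNotify (LSA password filter), SpLsaModeInitialize (security support provider loaded by LSASS), Msv1_0SubAuthenticationRoutine/Filter (MSV1_0 subauthentication package), NPGetCaps/NPLogonNotify (network provider, receives logon credentials), DnsPluginInitialize/Query/Cleanup (DNS server plugin), DhcpServerCalloutEntry/DhcpNewPktHook (DHCP server callout), WinDbgExtensionDllInit/ExtensionApiVersion (WinDbg extension, matching the `!mimikatz` banner in the strings) and DllGetClassObject/DllCanUnloadNow (COM server, consistent with the kcredentialprovider.log name in the strings). The script below is an added example, not part of the ZeroBOX report and not mimikatz code: it reads the registry locations Windows consults for each of those interfaces and looks for the log files named in the strings section. Two things are assumptions of this demo rather than facts from the page: the flag pattern `mimilib` (an attacker renames the file) and System32 as the log directory; the real check is to compare every returned value against a known-good baseline for the host.

```powershell
# Added example (not from the ZeroBOX report or from mimikatz): enumerate the registration
# points for the interfaces mimilib.dll's exports implement. Run elevated.
function Get-LsaHookRegistrations {
    param([string]$Suspect = 'mimilib')   # substring that marks a value as suspicious (assumption)

    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    # Exports from the report -> registry value Windows reads to load such a DLL.
    $checks = @(
        @{ Hook = 'Password filter (InitializeChangeNotify, PasswordChangeNotify)'
           Path = $lsa;                        Name = 'Notification Packages' },
        @{ Hook = 'SSP/AP (SpLsaModeInitialize)'
           Path = $lsa;                        Name = 'Security Packages' },
        @{ Hook = 'SSP/AP (SpLsaModeInitialize)'
           Path = "$lsa\OSConfig";             Name = 'Security Packages' },
        @{ Hook = 'MSV1_0 subauthentication (Msv1_0SubAuthenticationRoutine/Filter)'
           Path = "$lsa\MSV1_0";               Name = 'Auth0' },
        @{ Hook = 'DNS server plugin (DnsPluginInitialize/Query/Cleanup)'
           Path = "$svc\DNS\Parameters";       Name = 'ServerLevelPluginDll' },
        @{ Hook = 'DHCP server callout (DhcpServerCalloutEntry, DhcpNewPktHook)'
           Path = "$svc\DHCPServer\Parameters"; Name = 'CalloutDlls' }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }            # key/value absent (e.g. no DNS or DHCP role)
        foreach ($value in @($item.($c.Name))) {     # REG_MULTI_SZ yields one row per entry
            [pscustomobject]@{
                Hook     = $c.Hook
                Location = '{0}\{1}' -f $c.Path, $c.Name
                Value    = $value
                Flagged  = [bool]($value -match $Suspect)
            }
        }
    }

    # Network providers (NPGetCaps, NPLogonNotify): ProviderOrder names each provider,
    # and the DLL path lives under that provider's own service key.
    $orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
    $order = (Get-ItemProperty -Path $orderKey -Name ProviderOrder -ErrorAction SilentlyContinue).ProviderOrder
    foreach ($provider in @($order -split ',' | Where-Object { $_ })) {
        $npKey = "$svc\$provider\NetworkProvider"
        $dll = (Get-ItemProperty -Path $npKey -Name ProviderPath -ErrorAction SilentlyContinue).ProviderPath
        [pscustomobject]@{
            Hook     = 'Network provider (NPGetCaps, NPLogonNotify)'
            Location = "$npKey\ProviderPath"
            Value    = $dll
            Flagged  = [bool]($dll -match $Suspect)
        }
    }

    # Credential providers (DllGetClassObject/DllCanUnloadNow) are COM classes listed by
    # CLSID; the DLL path is the default value of the class's InprocServer32 key.
    $cpKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
    foreach ($clsid in (Get-ChildItem -Path $cpKey -ErrorAction SilentlyContinue).PSChildName) {
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Hook     = 'Credential provider (DllGetClassObject)'
            Location = $inproc
            Value    = $dll
            Flagged  = [bool]($dll -match $Suspect)
        }
    }
}

function Find-MimilibLogFiles {
    param([string]$Directory = "$env:SystemRoot\System32")   # assumed output directory
    # File names as they appear in the strings section of the report.
    $names = 'kiwidns.log','kiwifilter.log','kiwinp.log','kiwissp.log','kiwisub.log','kcredentialprovider.log'
    foreach ($n in $names) {
        $p = Join-Path -Path $Directory -ChildPath $n
        if (Test-Path -LiteralPath $p) { Get-Item -LiteralPath $p }
    }
}

Get-LsaHookRegistrations | Format-Table -AutoSize -Wrap
Find-MimilibLogFiles
```

Flagged only catches the literal file name; the finding that matters is any registration pointing at a DLL that is not part of the host's known-good set, and a hit in Notification Packages, Security Packages or Auth0 means the DLL is loaded inside lsass.exe at the next boot, so memory of that process should be treated as compromised.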

Strings

!This program cannot be run in DOS mode.
bcrypt.dll
DhcpServerCalloutEntry
CredUnPackAuthenticationBufferW
CredIsProtectedW
CredUnprotectW
CredentialKeys
Primary
[%08x] %Z
n.e. (Lecture KIWI_MSV1_0_PRIMARY_CREDENTIALS KO)
n.e. (Lecture KIWI_MSV1_0_CREDENTIALS KO)
* Key List
[%08x]
[%08x]
* GUID :
* Time :
* MasterKey :
\x%02x
0x%02x,
null
des_plain
des_cbc_crc
des_cbc_md4
des_cbc_md5
des_cbc_md5_nt
rc4_plain
rc4_plain2
rc4_plain_exp
rc4_lm
rc4_md4
rc4_sha
rc4_hmac_nt
rc4_hmac_nt_exp
rc4_plain_old
rc4_plain_old_exp
rc4_hmac_old
rc4_hmac_old_exp
aes128_hmac_plain
aes256_hmac_plain
aes128_hmac
aes256_hmac
unknow
[ERROR] [RPC Decode] Exception 0x%08x: (%u)
[ERROR] [RPC Decode] MesIncrementalHandleReset: %08x
[ERROR] [RPC Decode] MesDecodeIncrementalHandleCreate: %08x
[ERROR] [RPC Free] Exception 0x%08x: (%u)
[ERROR] [RPC Free] MesDecodeIncrementalHandleCreate: %08x
credman
dpapisrv!g_MasterKeyCacheList
lsasrv!g_MasterKeyCacheList
masterkey
msv1_0!SspCredentialList
kerberos!KerbGlobalLogonSessionTable
kerberos
livessp!LiveGlobalLogonSessionList
livessp
wdigest!l_LogSessList
wdigest
tspkg!TSGlobalCredTable
CachedUnlock
CachedRemoteInteractive
CachedInteractive
RemoteInteractive
NewCredentials
NetworkCleartext
Unlock
Service
Network
Interactive
Unknown !
UndefinedLogonType
  .#####.   mimikatz 2.2.0 (x64) built on Sep 19 2022 17:44:00
 .## ^ ##.  "A La Vie, A L'Amour" - Windows build %hu
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   https://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    WinDBG extension ! * * */
===================================
# * Kernel mode * #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p <EPROCESS address>
# And finally :
0: kd> !mimikatz
===================================
# * User mode * #
===================================
0:000> !mimikatz
===================================
    ( (
     ) )
  .______.
  |      |]
  \      /
   `----'
lsasrv!LogonSessionLeakList
lsasrv!InitializationVector
lsasrv!hAesKey
lsasrv!h3DesKey
lsasrv!LogonSessionList
lsasrv!LogonSessionListCount
kdcsvc!SecData
krbtgt keys
===========
Current
Previous
kdcsvc!KdcDomainList
Domain List
===========
SekurLSA
========
Authentication Id : %u ; %u (%08x:%08x)
Session : %s from %u
User Name : %wZ
Domain : %wZ
Logon Server : %wZ
Logon Time :
SID :
[ERROR] [LSA] Symbols
%p - lsasrv!LogonSessionListCount
%p - lsasrv!LogonSessionList
[ERROR] [CRYPTO] Acquire keys
[ERROR] [CRYPTO] Symbols
%p - lsasrv!InitializationVector
%p - lsasrv!hAesKey
%p - lsasrv!h3DesKey
[ERROR] [CRYPTO] Init
* Username : %wZ
* Domain : %wZ
* LM :
* NTLM :
* SHA1 :
* DPAPI :
* Raw data :
* Smartcard
PIN code : %wZ
Model : %S
Reader : %S
Key name : %S
Provider : %S
%s
<no size, buffer is incorrect>
Unknown version in Kerberos credentials structure
* Username : %wZ
* Domain : %wZ
* Password :
LUID KO
* RootKey :
* %08x :
* LSA Isolated Data: %.*s
Unk-Key :
Encrypted:
SS:%u, TS:%u, DS:%u
0:0x%x, 1:0x%x, 2:0x%x, 3:0x%x, 4:0x%x, E:
, 5:0x%x
* unkData1 :
unkData2 :
%s krbtgt:
%u credentials
* %s :
[%s]
-> %wZ
%wZ ->
from:
* %s :
Domain: %wZ (%wZ
* RSA key
PVK (private key)
DER (public key and certificate)
* Legacy key
* Unknown key (seen as %08x)
lsasrv!g_guidPreferredKey
lsasrv!g_pbPreferredKey
lsasrv!g_cbPreferredKey
lsasrv!g_guidW2KPreferredKey
lsasrv!g_pbW2KPreferredKey
lsasrv!g_cbW2KPreferredKey
lsasrv!g_fSystemCredsInitialized
lsasrv!g_rgbSystemCredMachine
lsasrv!g_rgbSystemCredUser
dpapisrv!g_guidPreferredKey
dpapisrv!g_pbPreferredKey
dpapisrv!g_cbPreferredKey
dpapisrv!g_guidW2KPreferredKey
dpapisrv!g_pbW2KPreferredKey
dpapisrv!g_cbW2KPreferredKey
dpapisrv!g_fSystemCredsInitialized
dpapisrv!g_rgbSystemCredMachine
dpapisrv!g_rgbSystemCredUser
DPAPI Backup keys
=================
Current prefered key:
Compatibility prefered key:
DPAPI System
============
full:
m/u :
bcrypt.dll
BCryptOpenAlgorithmProvider
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptGetProperty
OpenProcessToken
CreateRestrictedToken
CreateProcessAsUserW
ConvertSidToStringSidA
IsTextUnicode
ADVAPI32.dll
RtlEqualString
RtlStringFromGUID
RtlFreeUnicodeString
ntdll.dll
MesDecodeIncrementalHandleCreate
MesHandleFree
MesIncrementalHandleReset
NdrMesTypeDecode2
NdrMesTypeFree2
RPCRT4.dll
CoCreateInstance
ole32.dll
VirtualProtect
GetCurrentProcess
CloseHandle
FreeLibrary
LoadLibraryW
lstrlenW
GetProcAddress
GetLastError
LocalAlloc
LocalFree
GetTimeFormatA
GetDateFormatA
FileTimeToSystemTime
FileTimeToLocalFileTime
RaiseException
LoadLibraryA
KERNEL32.dll
_stricmp
_wfopen
fclose
malloc
vfwprintf
fflush
msvcrt.dll
memcpy
memset
__C_specific_handler
_XcptFilter
_initterm
_amsg_exit
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
memcmp
mimilib.dll
DhcpNewPktHook
DhcpServerCalloutEntry
DllCanUnloadNow
DllGetClassObject
DnsPluginCleanup
DnsPluginInitialize
DnsPluginQuery
ExtensionApiVersion
InitializeChangeNotify
Msv1_0SubAuthenticationFilter
Msv1_0SubAuthenticationRoutine
NPGetCaps
NPLogonNotify
PasswordChangeNotify
SpLsaModeInitialize
WinDbgExtensionDllInit
coffee
mimikatz
startW
kiwidns.log
%S (%hu)
kiwifilter.log
[%08x] %wZ
kiwinp.log
[%08x:%08x] %s %wZ\%wZ
KiwiSSP
Kiwi Security Support Provider
kiwissp.log
[%08x:%08x] [%08x] %wZ\%wZ (%wZ)
kiwisub.log
%u (%u) - %wZ\%wZ (%wZ) (%hu)
kcredentialprovider.log
Credui.dll
advapi32.dll
ChainingModeCBC
ChainingMode
ObjectLength
ChainingModeCFB
(null)
%02x%s
VS_VERSION_INFO
StringFileInfo
040904b0
ProductName
mimilib (mimikatz)
ProductVersion
2.2.0.0
CompanyName
gentilkiwi (Benjamin DELPY)
FileDescription
mimilib for Windows (mimikatz)
FileVersion
2.2.0.0
InternalName
mimilib
LegalCopyright
Copyright (c) 2007 - 2021 gentilkiwi (Benjamin DELPY)
OriginalFilename
mimilib.dll
PrivateBuild
Build with love for POC only
SpecialBuild
VarFileInfo
Translation
Antivirus Signature

Engine Result
Bkav Clean
Lionic Trojan.Win64.Mimikatz.i!c
Elastic malicious (high confidence)
ClamAV Clean
CMC Clean
CAT-QuickHeal Clean
McAfee HTool-Mimikatz
Cylance unsafe
VIPRE Gen:Variant.Mimikatz.10
Sangfor Riskware.Win64.Mimikatz.V0rc
K7AntiVirus Hacktool ( 0043c1591 )
BitDefender Gen:Variant.Mimikatz.10
K7GW Hacktool ( 0043c1591 )
CrowdStrike win/malicious_confidence_100% (W)
Baidu Clean
VirIT Clean
Cyren W64/Mimikatz.N
Symantec Hacktool.Mimikatz
ESET-NOD32 a variant of Win64/Riskware.Mimikatz.U
APEX Clean
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Mimikatz.gen
Alibaba Trojan:Win32/Mimikatz.4b1
NANO-Antivirus Trojan.Win64.Mimikatz.jsrsjg
ViRobot HackTool.S.Mimikatz.37376
MicroWorld-eScan Gen:Variant.Mimikatz.10
Rising HackTool.Mimikatz!1.B3A7 (CLASSIC)
Sophos ATK/Apteryx-Gen
F-Secure Trojan.TR/AD.Mimikatz.lqmhd
DrWeb Tool.Mimikatz.1198
Zillya Tool.Mimikatz.Win64.2153
TrendMicro Trojan.Win64.BAZARLOADER.SMYXBIMZ
McAfee-GW-Edition HTool-Mimikatz
Trapmine Clean
FireEye Generic.mg.67651e9d2da634ad
Emsisoft Gen:Variant.Mimikatz.10 (B)
Ikarus HackTool.Mimikatz
GData Win32.Riskware.Mimikatz.C
Jiangmin Trojan.PSW.Mimikatz.cqg
Webroot W32.Hacktool.Gen
Avira TR/AD.Mimikatz.lqmhd
MAX malware (ai score=87)
Antiy-AVL Trojan[PSW]/Win64.Mimikatz
Gridinsoft Virtool.Win64.Mimikatz.dd!n
Xcitium Clean
Arcabit Trojan.Mimikatz.10
SUPERAntiSpyware Clean
ZoneAlarm HEUR:Trojan.Win32.Mimikatz.gen
Microsoft HackTool:Win64/Mikatz!dha
Google Detected
AhnLab-V3 Trojan/Win.Mimikatz.R451356
Acronis Clean
VBA32 Clean
ALYac Gen:Variant.Mimikatz.10
TACHYON Clean
DeepInstinct MALICIOUS
Malwarebytes Mimikatz.Spyware.Stealer.DDS
Panda Trj/CI.A
Zoner Clean
TrendMicro-HouseCall HKTL_MIMIKATZ64
Tencent Trojan.Win64.Mimikatz.a
Yandex Riskware.Mimikatz!5N98LJ61WxY
SentinelOne Static AI - Suspicious PE
MaxSecure Trojan.Malware.102080579.susgen
Fortinet Riskware/Mimikatz
BitDefenderTheta Clean
AVG Win64:MalwareX-gen [Trj]
Avast Win64:MalwareX-gen [Trj]
No IRMA results available.