Summary | ZeroBOX

mimilib.dll

Tags: Generic Malware, Malicious Library, UPX, Malicious Packer, PE64, PE File, DLL, OS Processor Check
Category: FILE
Machine: s1_win7_x6401
Started: Aug. 4, 2024, 1:23 p.m.
Completed: Aug. 4, 2024, 1:32 p.m.
Size 149.5KB
Type PE32+ executable (DLL) (console) x86-64, for MS Windows
MD5 ddbd4a6269c999e0e32a2b523495ca39
SHA256 7fdb709e4e16ffe0bb98f6f534e49810610321dfab990fbc7354d4c0e755438f
CRC32 8D9B3295
ssdeep 3072:ua5y53R5YygRHEUQsNKJhGcoN3ejWXvA3bWsOI1G+vejil:uKrRkANoscz3bocH
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsDLL - (no description)
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
(19 identical IsDebuggerPresent calls logged, all with the same status and return values)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
DhcpNewPktHook+0x2b DnsPluginCleanup-0x75 mimilib+0x120f @ 0x7fef434120f
rundll32+0x2f42 @ 0xff892f42
rundll32+0x3b7a @ 0xff893b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 0f b7 47 1c 4b 8d 14 52 48 8d 2d 32 e0 01 00 66
exception.instruction: movzx eax, word ptr [rdi + 0x1c]
exception.exception_code: 0xc0000005
exception.symbol: DhcpNewPktHook+0x2b DnsPluginCleanup-0x75 mimilib+0x120f
exception.address: 0x7fef434120f
registers.r14: 0
registers.r15: 0
registers.rcx: 327962
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1965872
registers.r11: 0
registers.r8: 3391674
registers.r9: 10
registers.rdx: 4287168512
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 327962
registers.r13: 0
1 0 0

__exception__

stacktrace:
RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2 @ 0x76df40f2
EtwEnumerateProcessRegGuids+0x216 RtlTraceDatabaseLock-0x2a ntdll+0xc4736 @ 0x76df4736
RtlQueryProcessLockInformation+0x972 RtlTraceDatabaseEnumerate-0xe ntdll+0xc5942 @ 0x76df5942
RtlLogStackBackTrace+0x444 RtlTraceDatabaseCreate-0x4ec ntdll+0xc75f4 @ 0x76df75f4
RtlIsDosDeviceName_U+0x7afb NtdllDialogWndProc_A-0x26c71 ntdll+0x6157b @ 0x76d9157b
RtlAllocateHeap+0xd9d AlpcGetMessageAttribute-0x8c3 ntdll+0x5413d @ 0x76d8413d
LocalFree+0x32 LocalAlloc-0x2e kernelbase+0x1582 @ 0x7fefd4f1582
rundll32+0x3023 @ 0xff893023
rundll32+0x3b7a @ 0xff893b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: eb 00 48 8b 9c 24 d0 00 00 00 48 81 c4 c0 00 00
exception.symbol: RtlUnhandledExceptionFilter+0x2d2 LdrQueryModuleServiceTags-0x6e ntdll+0xc40f2
exception.instruction: jmp 0x76df40f4
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 803058
exception.address: 0x76df40f2
registers.r14: 0
registers.r15: 0
registers.rcx: 1632944
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1636416
registers.r11: 646
registers.r8: 517910911774623114
registers.r9: 2101371729
registers.rdx: 1994830928
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1996403250
registers.r13: 0
1 0 0

__exception__

stacktrace:
Msv1_0SubAuthenticationFilter+0x34 DllGetClassObject-0x59c mimilib+0x1564 @ 0x7fef4341564
rundll32+0x2f42 @ 0xff892f42
rundll32+0x3b7a @ 0xff893b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 0f b7 8b 30 01 00 00 4c 8d 46 30 44 8b 8b 14 01
exception.instruction: movzx ecx, word ptr [rbx + 0x130]
exception.exception_code: 0xc0000005
exception.symbol: Msv1_0SubAuthenticationFilter+0x34 DllGetClassObject-0x59c mimilib+0x1564
exception.address: 0x7fef4341564
registers.r14: 0
registers.r15: 0
registers.rcx: 3582656
registers.rsi: 0
registers.r10: 192
registers.rbx: 0
registers.rsp: 2358640
registers.r11: 2357648
registers.r8: 265
registers.r9: 2357520
registers.rdx: 8791600288528
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 3582608
registers.r13: 0
1 0 0

__exception__

stacktrace:
Msv1_0SubAuthenticationFilter+0x34 DllGetClassObject-0x59c mimilib+0x1564 @ 0x7fef4341564
rundll32+0x2f42 @ 0xff892f42
rundll32+0x3b7a @ 0xff893b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 0f b7 8b 30 01 00 00 4c 8d 46 30 44 8b 8b 14 01
exception.instruction: movzx ecx, word ptr [rbx + 0x130]
exception.exception_code: 0xc0000005
exception.symbol: Msv1_0SubAuthenticationFilter+0x34 DllGetClassObject-0x59c mimilib+0x1564
exception.address: 0x7fef4341564
registers.r14: 0
registers.r15: 0
registers.rcx: 3058368
registers.rsi: 0
registers.r10: 192
registers.rbx: 0
registers.rsp: 718992
registers.r11: 718000
registers.r8: 265
registers.r9: 717872
registers.rdx: 8791600288528
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 3058320
registers.r13: 0
1 0 0

__exception__

stacktrace:
NPLogonNotify+0x38 NPGetCaps-0x74 mimilib+0x13ac @ 0x7fef43413ac
rundll32+0x2f42 @ 0xff892f42
rundll32+0x3b7a @ 0xff893b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 44 8b 46 04 4c 8d 4f 18 4c 89 4c 24 30 4c 8d 57
exception.instruction: mov r8d, dword ptr [rsi + 4]
exception.exception_code: 0xc0000005
exception.symbol: NPLogonNotify+0x38 NPGetCaps-0x74 mimilib+0x13ac
exception.address: 0x7fef43413ac
registers.r14: 0
registers.r15: 0
registers.rcx: 2861680
registers.rsi: 0
registers.r10: 192
registers.rbx: 0
registers.rsp: 850032
registers.r11: 849040
registers.r8: 265
registers.r9: 848912
registers.rdx: 8791600288528
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2861632
registers.r13: 0
1 0 0

__exception__

stacktrace:
mimikatz+0x5702 mimilib+0x895e @ 0x7fef434895e
mimikatz+0x5683 mimilib+0x88df @ 0x7fef43488df
mimikatz+0x4ea9 mimilib+0x8105 @ 0x7fef4348105
mimikatz+0x490b mimilib+0x7b67 @ 0x7fef4347b67
mimikatz+0x46c5 mimilib+0x7921 @ 0x7fef4347921
mimikatz+0x42e2 mimilib+0x753e @ 0x7fef434753e
mimikatz+0x5829 mimilib+0x8a85 @ 0x7fef4348a85
mimikatz+0x1904 mimilib+0x4b60 @ 0x7fef4344b60
PasswordChangeNotify+0x4c NPLogonNotify-0x3c mimilib+0x1338 @ 0x7fef4341338
rundll32+0x2f42 @ 0xff892f42
rundll32+0x3b7a @ 0xff893b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 45 0f b7 06 8b 48 14 c1 e9 0c f6 c1 01 74 0a 48
exception.instruction: movzx r8d, word ptr [r14]
exception.exception_code: 0xc0000005
exception.symbol: mimikatz+0x5702 mimilib+0x895e
exception.address: 0x7fef434895e
registers.r14: 0
registers.r15: 0
registers.rcx: 1111304
registers.rsi: 0
registers.r10: 2
registers.rbx: 0
registers.rsp: 1112192
registers.r11: 1109856
registers.r8: 12836
registers.r9: 1110216
registers.rdx: 281474976776192
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 2992704
registers.r13: 0
1 0 0

__exception__

stacktrace:
SpLsaModeInitialize+0x7 Msv1_0SubAuthenticationFilter-0x15 mimilib+0x151b @ 0x7fef434151b
rundll32+0x2f42 @ 0xff892f42
rundll32+0x3b7a @ 0xff893b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: c7 02 00 00 01 00 49 89 00 33 c0 41 c7 01 01 00
exception.instruction: mov dword ptr [rdx], 0x10000
exception.exception_code: 0xc0000005
exception.symbol: SpLsaModeInitialize+0x7 Msv1_0SubAuthenticationFilter-0x15 mimilib+0x151b
exception.address: 0x7fef434151b
registers.r14: 0
registers.r15: 0
registers.rcx: 262466
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1441712
registers.r11: 1440800
registers.r8: 2670788
registers.r9: 10
registers.rdx: 4287168512
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 8791600286640
registers.r13: 0
1 0 0

__exception__

stacktrace:
WinDbgExtensionDllInit+0x5e coffee-0x6 mimilib+0x3246 @ 0x7fef4343246
rundll32+0x2f42 @ 0xff892f42
rundll32+0x3b7a @ 0xff893b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 48 ff e0 cc cc cc 48 8d 0d 2d d2 01 00 48 ff 25
exception.instruction: jmp rax
exception.exception_code: 0xc0000005
exception.symbol: WinDbgExtensionDllInit+0x5e coffee-0x6 mimilib+0x3246
exception.address: 0x7fef4343246
registers.r14: 0
registers.r15: 0
registers.rcx: 8791600267104
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 1374560
registers.r11: 1373648
registers.r8: 1818858
registers.r9: 10
registers.rdx: 49386
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 25896191786418287
registers.r13: 0
1 0 0

__exception__

stacktrace: (empty)
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.r14: 0
registers.r15: 0
registers.rcx: 8791600268512
registers.rsi: 0
registers.r10: 0
registers.rbx: 8791600264880
registers.rsp: 1440616
registers.r11: 1440528
registers.r8: 7000
registers.r9: 10
registers.rdx: 4287168512
registers.r12: 10
registers.rbp: 1440801
registers.rdi: 1622216
registers.rax: 58536
registers.r13: 0
1 0 0

__exception__

stacktrace: (empty)
exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.r14: 0
registers.r15: 0
registers.rcx: 8791600268416
registers.rsi: 0
registers.r10: 0
registers.rbx: 66152
registers.rsp: 2357976
registers.r11: 2357616
registers.r8: 4243626
registers.r9: 10
registers.rdx: 4287168512
registers.r12: 10
registers.rbp: 4243520
registers.rdi: 4243656
registers.rax: 66152
registers.r13: 0
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory (19 calls, one per process; arguments identical apart from process_identifier)

process_identifier: 3004, 2940, 192, 2264, 800, 2536, 2724, 2764, 2320, 2524, 3008, 2112, 2808, 2824, 2372, 2660, 3400, 3372, 3628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0 (status, return and repeated values are the same for every call)
Bkav W64.AIDetectMalware
Lionic Trojan.Win32.Mimikatz.i!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
Skyhigh HTool-Mimikatz
ALYac Gen:Variant.Mimikatz.10
Cylance Unsafe
VIPRE Gen:Variant.Mimikatz.10
Sangfor HackTool.Win64.Mimikatz.uwccg
K7AntiVirus Hacktool ( 0043c1591 )
BitDefender Gen:Variant.Mimikatz.10
K7GW Hacktool ( 0043c1591 )
Arcabit Trojan.Mimikatz.10
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/Riskware.Mimikatz.U
McAfee HTool-Mimikatz
Avast Win64:Malware-gen
ClamAV Win.Tool.Mimikatz-10029462-0
Kaspersky HEUR:Trojan-PSW.Win64.Mimikatz.gen
Alibaba Trojan:Win32/Mimikatz.4b1
MicroWorld-eScan Gen:Variant.Mimikatz.10
Rising HackTool.Mimikatz!1.B3A7 (CLASSIC)
Emsisoft Gen:Variant.Mimikatz.10 (B)
Zillya Tool.Mimikatz.Win64.2822
TrendMicro Trojan.Win64.BAZARLOADER.SMYXBIMZ
McAfeeD ti!7FDB709E4E16
FireEye Generic.mg.ddbd4a6269c999e0
Sophos ATK/Apteryx-Gen
Ikarus HackTool.Mimikatz
Webroot W32.Hacktool.Gen
Google Detected
MAX malware (ai score=84)
Antiy-AVL RiskWare/Win64.Mimikatz
Kingsoft Win64.Trojan-PSW.Mimikatz.gen
Gridinsoft Virtool.Win64.Mimikatz.dd!n
Microsoft HackTool:Win64/Mikatz!dha
ZoneAlarm HEUR:Trojan-PSW.Win64.Mimikatz.gen
GData Gen:Variant.Mimikatz.10
AhnLab-V3 Trojan/Win.Mimikatz.R453144
DeepInstinct MALICIOUS
Malwarebytes HackTool.Mimikatz
Panda Trj/GdSda.A
TrendMicro-HouseCall HKTL_MIMIKATZ64
Tencent Trojan.Win64.Mimikatz.a
SentinelOne Static AI - Malicious PE
Fortinet Riskware/Mimikatz
AVG Win64:Malware-gen
Paloalto generic.ml
CrowdStrike win/malicious_confidence_90% (W)
alibabacloud HackTool:Win/Mimikatz.k