Manalyze report for 0741605deb3e2513a766312359d526026705bdf6a6a7966d5f2e33aab3e3b7d6

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2026-May-26 13:40:33
Detected languages	English - United States

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Suspicious	PEiD Signature:	`UPolyX V0.1 -> Delikon`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains references to system / monitoring tools: regedit.exe taskmgr.exe` `Miscellaneous malware strings: cmd.exe exploit` `Contains code from Mimikatz.` `Contains strings from Mimikatz: BCryptCloseAlgorithmProvider BCryptDecrypt BCryptDestroyKey BCryptEncrypt BCryptGenerateSymmetricKey BCryptGetProperty BCryptOpenAlgorithmProvider BCryptSetProperty CredentialKeys Primary` `Contains domain names: blog.gentilkiwi.com gentilkiwi.com gmail.com https://blog.gentilkiwi.com https://blog.gentilkiwi.com/mimikatz https://login.microsoftonline.com https://mysmartlogon.com https://pingcastle.com login.microsoftonline.com microsoftonline.com mysmartlogon.com pingcastle.com`
Info	Libraries used to perform cryptographic operations:	`Microsoft's Cryptography API`
Suspicious	The PE is possibly packed.	`Unusual section name found: .fptable`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExW LoadLibraryExA LoadLibraryA GetProcAddress LoadLibraryW` `Functions which can be used for anti-debugging purposes: NtQueryInformationProcess NtQuerySystemInformation` `Code injection capabilities: CreateRemoteThread VirtualAllocEx VirtualAlloc WriteProcessMemory OpenProcess` `Code injection capabilities (mapping injection): CreateRemoteThread MapViewOfFile CreateFileMappingW` `Can access the registry: RegQueryValueExW RegEnumValueW RegOpenKeyExW RegSetValueExW RegEnumKeyExW RegQueryInfoKeyW RegCloseKey` `Possibly launches other programs: CreateProcessAsUserW CreateProcessWithLogonW CreateProcessW` `Uses Windows's Native API: NtOpenDirectoryObject NtCompareTokens NtQueryInformationProcess NtQuerySystemInformation NtQueryObject NtResumeProcess NtQueryDirectoryObject NtTerminateProcess NtSuspendProcess NtSetSystemEnvironmentValueEx NtQuerySystemEnvironmentValueEx NtEnumerateSystemEnvironmentValuesEx` Uses Microsoft's cryptographic API: CryptReleaseContext CryptGenKey CryptGetProvParam CryptGetHashParam CryptImportKey CryptSetKeyParam CryptDestroyHash CryptSetHashParam CryptHashData CryptCreateHash CryptExportKey CryptDecrypt CryptDuplicateKey CryptEncrypt CryptAcquireContextW CryptGetKeyParam CryptAcquireContextA CryptDestroyKey CryptSetProvParam CryptEnumProvidersW CryptEnumProviderTypesW CryptGetUserKey CryptSignHashW CryptDeriveKey CryptQueryObject CryptStringToBinaryA CryptStringToBinaryW CryptUnprotectData CryptBinaryToStringW CryptBinaryToStringA CryptAcquireCertificatePrivateKey CryptExportPublicKeyInfo CryptFindOIDInfo CryptSignAndEncodeCertificate CryptEncodeObject CryptProtectData CryptDecodeObjectEx `Can create temporary files: GetTempPathW CreateFileA GetTempPathA CreateFileW` `Memory manipulation functions often used by packers: VirtualAllocEx VirtualProtectEx VirtualAlloc VirtualProtect` `Functions related to the privilege level: DuplicateTokenEx CheckTokenMembership OpenProcessToken SamQueryInformationUser` `Interacts with services: QueryServiceObjectSecurity QueryServiceStatusEx OpenServiceW ControlService DeleteService OpenSCManagerW CreateServiceW` `Manipulates other processes: ReadProcessMemory WriteProcessMemory OpenProcess` `Deletes entries from the event log: ClearEventLogW` `Queries user information on remote machines: NetWkstaUserEnum` `Reads the contents of the clipboard: GetClipboardData` `Interacts with the certificate store: CertAddCertificateContextToStore CertAddEncodedCertificateToStore CertOpenStore`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`5c7f526be5c270f4f4078e59ac20f854`
SHA1	`b051be38b26125a573152d909ebb3d561bf2a4f0`
SHA256	`0741605deb3e2513a766312359d526026705bdf6a6a7966d5f2e33aab3e3b7d6`
SHA3	`6aab76b5ef08dee153c3ac73455dda5398205befee0f410e668436b1e2ce9737`
SSDeep	`24576:L+YfdoxHNTj+JjhXTo4+YnMFzmqlDYNToF3MHZl6vh:6Yfd4RMFUUMtmqlDeoF3MXIh`
Imports Hash	`6751a1116901be1ee83831f3bb1fc0be`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x120`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2026-May-26 13:40:33
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0xe0000`
SizeOfInitializedData	`0x74a00`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000BCBF0 (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xe1000`
ImageBase	`0x10000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.0`
ImageVersion	`0.0`
SubsystemVersion	`6.0`
Win32VersionValue	`0`
SizeOfImage	`0x159000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`251bccb706f1406a12f5de17eb1ea6ff`
SHA1	`26220e4f35477aefa32bca316346143499f5a2ba`
SHA256	`998b22f78dd6943735eb38a9e8db9d67f6882a8a5a360fbb5ae645525723ac81`
SHA3	`5bdc0b73baa0679e0652850934061992ef46d7e822ab2aacad974975134aaeb8`
VirtualSize	`0xdfe60`
VirtualAddress	`0x1000`
SizeOfRawData	`0xe0000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.71917`

.rdata

MD5	`ec216e6fc9c6362fef2813e96f78b5de`
SHA1	`2417880d63ba054e02efe8b32bd42347a81cafff`
SHA256	`e7a17b751400842683baa747a9e967ac6f0e9f16d866b4bdd25e937106a4cf89`
SHA3	`30f17bafd1d18f7723bacf5a51fe8ea282982a57b1c03dd7a4e9f821db76fbbd`
VirtualSize	`0x65778`
VirtualAddress	`0xe1000`
SizeOfRawData	`0x65800`
PointerToRawData	`0xe0400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.49208`

.data

MD5	`2f43d611ff700073a79cfbde89873518`
SHA1	`ad5374bdd55462978e0463c7bce5379ac1554d9a`
SHA256	`cca9cf3d4c3dbf46bbfce27e932e538ea428175343f63bb785b1f7fe80fa18ff`
SHA3	`b640b779575ecbffa8d4297f674a7ab186294d5e285c78f39fd29e6d9b65e8e5`
VirtualSize	`0x51e4`
VirtualAddress	`0x147000`
SizeOfRawData	`0x4600`
PointerToRawData	`0x145c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.02657`

.fptable

MD5	`bf619eac0cdf3f68d496ea9344137e8b`
SHA1	`5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5`
SHA256	`076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560`
SHA3	`622de1e1568ddef36c4b89b706b05201c13481c3575d0fc804ff8224787fcb59`
VirtualSize	`0x80`
VirtualAddress	`0x14d000`
SizeOfRawData	`0x200`
PointerToRawData	`0x14a200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`0`

.rsrc

MD5	`5d637f90c2a7b12219786aeecb86606c`
SHA1	`76f1caf7be774f59ef382c588710753b4171118c`
SHA256	`f4d1ea135a816a99790d5e83f31e8c0b150b415cb0d99f83716d1915eb05ec61`
SHA3	`059ade573ef75a78e6ae911fee5dc8011d42cf028670b4b5fbca20ab1c1edb0e`
VirtualSize	`0x288`
VirtualAddress	`0x14e000`
SizeOfRawData	`0x400`
PointerToRawData	`0x14a400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.8528`

.reloc

MD5	`83271a7501c5b6276768461332783695`
SHA1	`2c19dd1ea3530dc77f7b91542865a7fa64d9f707`
SHA256	`9c2b11476e40d589bd6320293c31cf7be8fb4902eb8efada58ae5cac2b70efc8`
SHA3	`bc125fab0120be4e76c81a15b05f37d3787559acbae5507ae1163c400ceebd3e`
VirtualSize	`0x99c8`
VirtualAddress	`0x14f000`
SizeOfRawData	`0x9a00`
PointerToRawData	`0x14a800`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.74107`

Imports

ADVAPI32.dll	`CryptReleaseContext` `CryptGenKey` `CryptGetProvParam` `CryptGetHashParam` `CryptImportKey` `CryptSetKeyParam` `CryptDestroyHash` `CryptSetHashParam` `CryptHashData` `CryptCreateHash` `CryptExportKey` `CryptDecrypt` `SystemFunction007` `CryptDuplicateKey` `CryptEncrypt` `CryptAcquireContextW` `CryptGetKeyParam` `CryptAcquireContextA` `CryptDestroyKey` `GetLengthSid` `CopySid` `LsaClose` `LsaOpenPolicy` `LsaQueryInformationPolicy` `CreateWellKnownSid` `CreateProcessAsUserW` `CreateProcessWithLogonW` `RegQueryValueExW` `RegEnumValueW` `RegOpenKeyExW` `RegSetValueExW` `RegEnumKeyExW` `RegQueryInfoKeyW` `RegCloseKey` `SystemFunction032` `ConvertSidToStringSidW` `SystemFunction033` `QueryServiceObjectSecurity` `QueryServiceStatusEx` `BuildSecurityDescriptorW` `OpenServiceW` `StartServiceW` `FreeSid` `ControlService` `SetServiceObjectSecurity` `DeleteService` `AllocateAndInitializeSid` `OpenSCManagerW` `CloseServiceHandle` `CreateServiceW` `IsTextUnicode` `GetTokenInformation` `LookupAccountNameW` `LookupAccountSidW` `DuplicateTokenEx` `CheckTokenMembership` `OpenProcessToken` `CryptSetProvParam` `CryptEnumProvidersW` `ConvertStringSidToSidW` `LsaFreeMemory` `IsValidSid` `GetSidSubAuthority` `GetSidSubAuthorityCount` `SetThreadToken` `SystemFunction006` `CryptEnumProviderTypesW` `CryptGetUserKey` `OpenEventLogW` `ClearEventLogW` `GetNumberOfEventLogRecords` `CryptSignHashW` `LsaRetrievePrivateData` `LsaOpenSecret` `LsaQueryTrustedDomainInfoByName` `CryptDeriveKey` `LsaQuerySecret` `SystemFunction001` `SystemFunction005` `LsaSetSecret` `LsaEnumerateTrustedDomainsEx` `SystemFunction023` `LookupPrivilegeValueW` `StartServiceCtrlDispatcherW` `RegisterServiceCtrlHandlerW` `SetServiceStatus` `OpenThreadToken` `LookupPrivilegeNameW` `EqualSid` `CredFree` `CredEnumerateW` `ConvertStringSecurityDescriptorToSecurityDescriptorW` `SystemFunction027` `SystemFunction026` `SystemFunction041` `CredUnmarshalCredentialW` `CredIsMarshaledCredentialW`
Cabinet.dll	`#14` `#10` `#13` `#11`
CRYPT32.dll	`CertGetNameStringW` `CryptQueryObject` `CertEnumCertificatesInStore` `CertAddCertificateContextToStore` `CertEnumSystemStore` `CertAddEncodedCertificateToStore` `CertFreeCertificateContext` `CryptStringToBinaryA` `CertCloseStore` `PFXExportCertStoreEx` `CertSetCertificateContextProperty` `CertOpenStore` `CryptStringToBinaryW` `CryptUnprotectData` `CryptBinaryToStringW` `CryptBinaryToStringA` `CryptAcquireCertificatePrivateKey` `CryptExportPublicKeyInfo` `CryptFindOIDInfo` `CryptSignAndEncodeCertificate` `CertNameToStrW` `CryptEncodeObject` `CertFindCertificateInStore` `CertGetCertificateContextProperty` `CryptProtectData` `CryptDecodeObjectEx`
cryptdll.dll	`CDGenerateRandomBits` `MD5Init` `MD5Update` `MD5Final` `CDLocateCSystem` `CDLocateCheckSum`
DNSAPI.dll	`DnsQuery_A` `DnsFree`
FLTLIB.DLL	`FilterFindNext` `FilterFindFirst`
MPR.dll	`WNetCancelConnection2W` `WNetAddConnection2W`
NETAPI32.dll	`DsGetDcNameW` `NetApiBufferFree` `NetWkstaUserEnum` `NetShareEnum` `NetStatisticsGet` `NetRemoteTOD` `NetServerGetInfo` `DsEnumerateDomainTrustsW` `NetSessionEnum`
ODBC32.dll	`#31` `#24` `#43` `#9` `#141` `#111` `#13` `#75`
ole32.dll	`CoUninitialize` `CoSetProxyBlanket` `CoTaskMemFree` `CoInitializeEx` `CoCreateInstance`
OLEAUT32.dll	`VariantInit` `VariantClear` `SysFreeString` `SysAllocString`
RPCRT4.dll	`RpcMgmtEpEltInqDone` `RpcMgmtEpEltInqBegin` `RpcMgmtEpEltInqNextW` `RpcBindingSetObject` `I_RpcGetCurrentCallHandle` `RpcBindingFree` `MesIncrementalHandleReset` `NdrMesTypeEncode2` `NdrMesTypeDecode2` `NdrMesTypeFree2` `NdrMesTypeAlignSize2` `RpcBindingVectorFree` `RpcServerUseProtseqEpW` `RpcServerUnregisterIfEx` `RpcBindingToStringBindingW` `UuidToStringW` `RpcEpResolveBinding` `RpcServerRegisterIf2` `RpcMgmtWaitServerListen` `RpcStringFreeW` `RpcServerListen` `RpcServerRegisterAuthInfoW` `RpcEpUnregister` `RpcEpRegisterW` `RpcServerInqBindings` `RpcMgmtStopServerListening` `UuidCreate` `NdrServerCall2` `NdrClientCall2` `RpcBindingSetAuthInfoW` `RpcBindingInqAuthClientW` `RpcBindingSetOption` `RpcBindingFromStringBindingW` `RpcStringBindingComposeW` `RpcBindingSetAuthInfoExW` `MesDecodeIncrementalHandleCreate` `MesHandleFree` `RpcImpersonateClient` `RpcRevertToSelf` `MesEncodeIncrementalHandleCreate` `I_RpcBindingInqSecurityContext`
SHLWAPI.dll	`PathFindFileNameW` `PathCombineW` `PathIsDirectoryW` `PathIsRelativeW` `UrlUnescapeW` `PathCanonicalizeW`
SAMLIB.dll	`SamGetGroupsForUser` `SamGetMembersInAlias` `SamGetMembersInGroup` `SamEnumerateGroupsInDomain` `SamGetAliasMembership` `SamOpenAlias` `SamRidToSid` `SamEnumerateAliasesInDomain` `SamOpenGroup` `SamSetInformationUser` `SamQueryInformationUser` `SamFreeMemory` `SamLookupDomainInSamServer` `SamCloseHandle` `SamConnect` `SamLookupIdsInDomain` `SamiChangePasswordUser` `SamOpenUser` `SamEnumerateDomainsInSamServer` `SamOpenDomain` `SamLookupNamesInDomain` `SamEnumerateUsersInDomain`
Secur32.dll	`LsaConnectUntrusted` `QueryContextAttributesW` `FreeContextBuffer` `LsaDeregisterLogonProcess` `LsaLookupAuthenticationPackage` `LsaFreeReturnBuffer` `DeleteSecurityContext` `AcquireCredentialsHandleW` `EnumerateSecurityPackagesW` `FreeCredentialsHandle` `LsaCallAuthenticationPackage` `InitializeSecurityContextW`
SHELL32.dll	`CommandLineToArgvW`
USER32.dll	`CreateWindowExW` `IsCharAlphaNumericW` `GetKeyboardLayout` `GetClipboardSequenceNumber` `GetClipboardData` `TranslateMessage` `EnumClipboardFormats` `CloseClipboard` `ChangeClipboardChain` `DispatchMessageW` `GetMessageW` `DefWindowProcW` `PostMessageW` `DestroyWindow` `SetClipboardViewer` `OpenClipboard` `SendMessageW` `UnregisterClassW` `RegisterClassExW`
USERENV.dll	`DestroyEnvironmentBlock` `CreateEnvironmentBlock`
VERSION.dll	`GetFileVersionInfoW` `GetFileVersionInfoSizeW` `VerQueryValueW`
HID.DLL	`HidD_FreePreparsedData` `HidD_GetPreparsedData` `HidD_GetAttributes` `HidD_GetFeature` `HidD_SetFeature` `HidP_GetCaps` `HidD_GetHidGuid`
SETUPAPI.dll	`SetupDiGetClassDevsW` `SetupDiEnumDeviceInterfaces` `SetupDiDestroyDeviceInfoList` `SetupDiGetDeviceInterfaceDetailW`
WinSCard.dll	`SCardReleaseContext` `SCardListCardsW` `SCardEstablishContext` `SCardGetCardTypeProviderNameW` `SCardListReadersW` `SCardFreeMemory` `SCardTransmit` `SCardDisconnect` `SCardConnectW` `SCardControl` `SCardGetAttrib`
WINSTA.dll	`WinStationFreeMemory` `WinStationEnumerateW` `WinStationConnectW` `WinStationCloseServer` `WinStationQueryInformationW` `WinStationOpenServerW`
WLDAP32.dll	`#310` `#208` `#73` `#13` `#36` `#157` `#97` `#122` `#139` `#12` `#69` `#96` `#223` `#113` `#140` `#14` `#88` `#203` `#224` `#147` `#27` `#26` `#127` `#133` `#167` `#309` `#304` `#301` `#54` `#145` `#77` `#142` `#41` `#79`
advapi32.dll	`A_SHAFinal` `A_SHAUpdate` `A_SHAInit`
msasn1.dll	`ASN1_CloseEncoder` `ASN1BERDotVal2Eoid` `ASN1_FreeEncoded` `ASN1_CreateEncoder` `ASN1_CloseModule` `ASN1_CreateDecoder` `ASN1_CreateModule` `ASN1_CloseDecoder`
ntdll.dll	`RtlAppendUnicodeStringToString` `NtOpenDirectoryObject` `RtlGetNtVersionNumbers` `NtCompareTokens` `RtlStringFromGUID` `RtlGUIDFromString` `RtlCreateUserThread` `RtlAnsiStringToUnicodeString` `NtQueryInformationProcess` `NtQuerySystemInformation` `RtlCompressBuffer` `RtlGetCompressionWorkSpaceSize` `NtQueryObject` `RtlInitUnicodeString` `RtlUpcaseUnicodeString` `RtlFreeOemString` `RtlUpcaseUnicodeStringToOemString` `RtlEqualString` `RtlGetCurrentPeb` `RtlIpv6AddressToStringW` `RtlEqualUnicodeString` `RtlDowncaseUnicodeString` `RtlFreeUnicodeString` `RtlUnicodeStringToAnsiString` `RtlFreeAnsiString` `NtResumeProcess` `NtQueryDirectoryObject` `RtlAdjustPrivilege` `NtTerminateProcess` `NtSuspendProcess` `NtSetSystemEnvironmentValueEx` `NtQuerySystemEnvironmentValueEx` `NtEnumerateSystemEnvironmentValuesEx` `RtlIpv4AddressToStringW`
netapi32.dll	`I_NetServerAuthenticate2` `I_NetServerTrustPasswordsGet` `I_NetServerReqChallenge`
KERNEL32.dll	`ReadFile` `WriteConsoleW` `ReadConsoleW` `SetStdHandle` `GetStringTypeW` `FreeEnvironmentStringsW` `GetEnvironmentStringsW` `GetCPInfo` `GetOEMCP` `GetACP` `IsValidCodePage` `FindFirstFileExW` `GetConsoleMode` `GetConsoleOutputCP` `LCMapStringW` `LoadLibraryExW` `GetFileType` `UnhandledExceptionFilter` `IsDebuggerPresent` `GetModuleFileNameW` `GetModuleHandleExW` `TerminateProcess` `ExitProcess` `GetCommandLineW` `GetCommandLineA` `EncodePointer` `InitializeCriticalSectionEx` `FlsFree` `FlsSetValue` `FlsGetValue` `FlsAlloc` `RtlUnwind` `InterlockedFlushSList` `WriteFile` `IsProcessorFeaturePresent` `GetStartupInfoW` `SetUnhandledExceptionFilter` `InitializeSListHead` `GetCurrentThreadId` `LoadLibraryExA` `SetFilePointerEx` `GetProcessId` `GetComputerNameW` `ProcessIdToSessionId` `GetCurrentThread` `IsWow64Process` `SetConsoleCursorPosition` `SetCurrentDirectoryW` `FillConsoleOutputCharacterW` `GetTimeZoneInformation` `GetSystemDirectoryW` `GetStdHandle` `GetConsoleScreenBufferInfo` `SetEvent` `CreateEventW` `DeleteCriticalSection` `InitializeCriticalSection` `LeaveCriticalSection` `EnterCriticalSection` `CreatePipe` `SetHandleInformation` `GlobalSize` `SetConsoleCtrlHandler` `SetFileAttributesW` `GetTickCount` `QueryPerformanceCounter` `FormatMessageA` `GetSystemTime` `GetProcessHeap` `GetCurrentProcessId` `GetFileSize` `LockFileEx` `UnlockFile` `HeapDestroy` `HeapCompact` `HeapAlloc` `GetSystemInfo` `RaiseException` `GetNativeSystemInfo` `HeapReAlloc` `DeleteFileW` `WaitForSingleObjectEx` `LoadLibraryA` `FlushViewOfFile` `OutputDebugStringW` `GetFileAttributesExW` `GetFileAttributesA` `GetDiskFreeSpaceA` `FormatMessageW` `MultiByteToWideChar` `HeapSize` `HeapValidate` `CreateMutexW` `GetTempPathW` `UnlockFileEx` `SetEndOfFile` `GetFullPathNameA` `LockFile` `OutputDebugStringA` `GetDiskFreeSpaceW` `GetFullPathNameW` `HeapFree` `HeapCreate` `AreFileApisANSI` `GetDateFormatW` `GetSystemTimeAsFileTime` `WideCharToMultiByte` `SystemTimeToFileTime` `GetTimeFormatW` `lstrlenA` `ClearCommError` `PurgeComm` `CreateRemoteThread` `WaitForSingleObject` `CreateProcessW` `MapViewOfFile` `CreateFileMappingW` `UnmapViewOfFile` `VirtualQueryEx` `VirtualQuery` `VirtualFreeEx` `ReadProcessMemory` `VirtualAllocEx` `VirtualProtectEx` `VirtualAlloc` `VirtualFree` `SetLastError` `VirtualProtect` `WriteProcessMemory` `GetComputerNameExW` `DeviceIoControl` `OpenProcess` `DuplicateHandle` `GetCurrentProcess` `FlushFileBuffers` `GetCurrentDirectoryW` `GetFileAttributesW` `FindClose` `ExpandEnvironmentStringsW` `DecodePointer` `FindNextFileW` `GetFileSizeEx` `FindFirstFileW` `lstrlenW` `FreeLibrary` `GetModuleHandleW` `GetProcAddress` `LoadLibraryW` `FileTimeToDosDateTime` `GetTempFileNameA` `FileTimeToLocalFileTime` `DeleteFileA` `CreateFileA` `GetTempPathA` `GetFileInformationByHandle` `GetCurrentDirectoryA` `SetFilePointer` `LocalFree` `CreateThread` `CloseHandle` `TerminateThread` `GetLastError` `Sleep` `CreateFileW` `LocalAlloc` `FileTimeToSystemTime`
bcrypt.dll (delay-loaded)	`BCryptDeriveKeyPBKDF2` `BCryptEnumRegisteredProviders` `BCryptDestroyKey` `BCryptKeyDerivation` `BCryptGetProperty` `BCryptOpenAlgorithmProvider` `BCryptFinishHash` `BCryptCloseAlgorithmProvider` `BCryptDestroyHash` `BCryptHashData` `BCryptCreateHash` `BCryptGenerateSymmetricKey` `BCryptEncrypt` `BCryptDecrypt` `BCryptSetProperty` `BCryptExportKey` `BCryptImportKeyPair` `BCryptFreeBuffer`

Delayed Imports

Attributes	`0x1`
Name	`bcrypt.dll`
ModuleHandle	`0x14b4c0`
DelayImportAddressTable	`0x14b434`
DelayImportNameTable	`0x142d14`
BoundDelayImportTable	`0x14300c`
UnloadDelayImportTable	`0`
TimeStamp	`1970-Jan-01 00:00:00`

powershell_reflective_mimikatz

Ordinal	`1`
Address	`0x8a131`

2

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x224`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`5.04378`
MD5	`245b863be176aab16ef1dbe168defe03`
SHA1	`c0a369f6f0e77b89c5d9d37fb94e1d5e2d431b5b`
SHA256	`59ba97d56a01766792386c3b379946bb613c8921e3daf8a878855a268ad5e4aa`
SHA3	`7efbe82f17422b353f747a146c1e8f1b9df37e90648150f2020442ff9477341e`

Version Info

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2026-May-26 13:40:33
Version	`0.0`
SizeofData	`824`
AddressOfRawData	`0x141f28`
PointerToRawData	`0x141328`

TLS Callbacks

Load Configuration

Size	`0xc0`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x10147040`
SEHandlerTable	`0`
SEHandlerCount	`0`

RICH Header

XOR Key	`0xce93b32d`
Unmarked objects	`0`
ASM objects (33145)	`13`
C++ objects (33145)	`160`
253 (35721)	`1`
ASM objects (35721)	`25`
C objects (35721)	`19`
Imports (VS2012 UPD4 build 61030)	`6`
Imports (VS2012 UPD2 build 60315)	`2`
C objects (33145)	`24`
C++ objects (35721)	`33`
Imports (VS2003 (.NET) build 4035)	`10`
Imports (33145)	`41`
Total imports	`596`
C objects (LTCG) (36243)	`114`
Exports (36243)	`1`
Resource objects (36243)	`1`
Linker (36243)	`1`

Errors

Leave a comment

No comments yet.