Malicious

274017647fc0398c6029298b4cdc3292

PE Executable | MD5: 274017647fc0398c6029298b4cdc3292 | Size: 49.16 KB | application/x-dosexec



Symbol Obfuscation Score: Low

Hash: Hash Value
MD5: 274017647fc0398c6029298b4cdc3292
Sha1: 9436a044baaff50806bec1f75ecb387de6723a37
Sha256: 5602551d459db46d9d5544ba762622c1879acd55ea6e56ba724c5305b6a39605
Sha384: 3fb78d360964e046f28f5e5d55bd6feb94d6fd1bf0930b3fb47225c6880753955c7ad9a57ceeacfcf5ed1e4db15ac1c6
Sha512: ac22958c635018546470648b5cc962bed302fd22de4d153a0523238011c5ec42b83f55eb06d4e7cefb6de4cc20f39f0c5198b663cf1c76c6288640f272a8acc6
SSDeep: 384:xxiHABz9q3FxmHu+JjOdb4iLaFRCOHu419awgncpMQiW4zmkZXOfq1aK2rkLp9ij:xCIFqb4waTCOOuKXbOfq1ck+nj
TLSH: 79234B18ABACC61FE1EF0E7D64631A21127293911303DBC64EDC64FEADAB78406257D7

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
Information

Name: Value
Info: PE Detect: PeReader FAIL, AsmResolver Mapped OK
Info: Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_749591d0.exe
Module Name: svchost.exe
Full Name: svchost.exe
EntryPoint: System.Int32 ModuleNameSpace.MainApp::Main(System.String[])
Scope Name: svchost.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: svchost
Assembly Version: 0.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: <null>
Total Strings: 79
Main Method: System.Int32 ModuleNameSpace.MainApp::Main(System.String[])
Main IL Instruction Count: 452

Main IL

ldnull <null> stloc.s V_22 ldnull <null> stloc.s V_23 ldnull <null> stloc.s V_24 newobj System.Void ModuleNameSpace.MainApp/<>c__DisplayClass6::.ctor() stloc.s V_25 call System.Void System.Windows.Forms.Application::EnableVisualStyles() newobj System.Void ModuleNameSpace.MainApp::.ctor() stloc.0 <null> ldc.i4.0 <null> stloc.1 <null> ldsfld System.String System.String::Empty stloc.2 <null> ldloc.s V_25 newobj System.Void ModuleNameSpace.MainModuleUI::.ctor() stfld ModuleNameSpace.MainModuleUI ModuleNameSpace.MainApp/<>c__DisplayClass6::ui ldloc.0 <null> ldloc.s V_25 ldfld ModuleNameSpace.MainModuleUI ModuleNameSpace.MainApp/<>c__DisplayClass6::ui newobj System.Void ModuleNameSpace.MainModule::.ctor(ModuleNameSpace.MainAppInterface,ModuleNameSpace.MainModuleUI) stloc.3 <null> ldloc.s V_25 ldc.i4.0 <null> newobj System.Void System.Threading.ManualResetEvent::.ctor(System.Boolean) stfld System.Threading.ManualResetEvent ModuleNameSpace.MainApp/<>c__DisplayClass6::mre call System.AppDomain System.AppDomain::get_CurrentDomain() ldnull <null> ldftn System.Void ModuleNameSpace.MainApp::CurrentDomain_UnhandledException(System.Object,System.UnhandledExceptionEventArgs) newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr) callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler) ldloc.3 <null> call System.Management.Automation.Runspaces.Runspace System.Management.Automation.Runspaces.RunspaceFactory::CreateRunspace(System.Management.Automation.Host.PSHost) stloc.s V_4 ldloc.s V_4 ldc.i4.0 <null> callvirt System.Void System.Management.Automation.Runspaces.Runspace::set_ApartmentState(System.Threading.ApartmentState) ldloc.s V_4 callvirt System.Void System.Management.Automation.Runspaces.Runspace::Open() call System.Management.Automation.PowerShell System.Management.Automation.PowerShell::Create() stloc.s V_5 ldloc.s V_5 ldloc.s V_4 callvirt System.Void 
System.Management.Automation.PowerShell::set_Runspace(System.Management.Automation.Runspaces.Runspace) ldloc.s V_5 callvirt System.Management.Automation.PSDataStreams System.Management.Automation.PowerShell::get_Streams() callvirt System.Management.Automation.PSDataCollection`1<System.Management.Automation.ErrorRecord> System.Management.Automation.PSDataStreams::get_Error() ldloc.s V_22 brtrue.s IL_00A6: ldloc.s V_22 ldloc.s V_25 ldftn System.Void ModuleNameSpace.MainApp/<>c__DisplayClass6::<Main>b__0(System.Object,System.Management.Automation.DataAddedEventArgs) newobj System.Void System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>::.ctor(System.Object,System.IntPtr) stloc.s V_22 ldloc.s V_22 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.Management.Automation.ErrorRecord>::add_DataAdded(System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>) newobj System.Void System.Management.Automation.PSDataCollection`1<System.String>::.ctor() stloc.s V_6 call System.Boolean ModuleNameSpace.Console_Info::IsInputRedirected() brfalse.s IL_00D7: ldloc.s V_6 ldstr stloc.s V_7 br.s IL_00CD: call System.String System.Console::ReadLine() ldloc.s V_6 ldloc.s V_7 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.String>::Add(System.String) call System.String System.Console::ReadLine() dup <null> stloc.s V_7 brtrue.s IL_00C4: ldloc.s V_6 ldloc.s V_6 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.String>::Complete() newobj System.Void System.Management.Automation.PSDataCollection`1<System.Management.Automation.PSObject>::.ctor() stloc.s V_8 ldloc.s V_8 ldloc.s V_23 brtrue.s IL_00FA: ldloc.s V_23 ldloc.s V_25 ldftn System.Void ModuleNameSpace.MainApp/<>c__DisplayClass6::<Main>b__1(System.Object,System.Management.Automation.DataAddedEventArgs) newobj System.Void System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>::.ctor(System.Object,System.IntPtr) 
stloc.s V_23 ldloc.s V_23 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.Management.Automation.PSObject>::add_DataAdded(System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>) ldc.i4.0 <null> stloc.s V_9 ldc.i4.0 <null> stloc.s V_10 ldarg.0 <null> stloc.s V_27 ldc.i4.0 <null> stloc.s V_28 br IL_01D9: ldloc.s V_28 ldloc.s V_27 ldloc.s V_28 ldelem.ref <null> stloc.s V_11 ldloc.s V_11 ldstr -wait ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_012F: ldloc.s V_11 ldc.i4.1 <null> stloc.1 <null> br IL_01CD: ldloc.s V_10 ldloc.s V_11 ldstr -extract ldc.i4.3 <null> callvirt System.Boolean System.String::StartsWith(System.String,System.StringComparison) brfalse.s IL_019F: ldloc.s V_11 ldloc.s V_11 ldc.i4.1 <null> newarr System.String stloc.s V_29 ldloc.s V_29 ldc.i4.0 <null> ldstr : stelem.ref <null> ldloc.s V_29 ldc.i4.2 <null> ldc.i4.1 <null> callvirt System.String[] System.String::Split(System.String[],System.Int32,System.StringSplitOptions) stloc.s V_12 ldloc.s V_12 ldlen <null> conv.i4 <null> ldc.i4.2 <null> beq.s IL_0183: ldloc.s V_12 ldstr If you specify the -extract option you need to add a file for extraction in this way -extract:"<filename>" call System.AppDomain System.AppDomain::get_CurrentDomain() callvirt System.String System.AppDomain::get_FriendlyName() ldc.i4.0 <null> ldc.i4.s 16 call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String,System.String,System.Windows.Forms.MessageBoxButtons,System.Windows.Forms.MessageBoxIcon) pop <null> ldc.i4.1 <null> stloc.s V_26 leave IL_04FB: ldloc.s V_26 ldloc.s V_12 ldc.i4.1 <null> ldelem.ref <null> ldc.i4.1 <null> newarr System.Char stloc.s V_30 ldloc.s V_30 ldc.i4.0 <null> ldc.i4.s 34 stelem.i2 <null> ldloc.s V_30 callvirt System.String System.String::Trim(System.Char[]) stloc.2 <null> br.s IL_01CD: ldloc.s V_10 ldloc.s V_11 ldstr -end ldc.i4.1 <null> call System.Int32 
System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_01B6: ldloc.s V_11 ldloc.s V_10 ldc.i4.1 <null> add <null> stloc.s V_9 br.s IL_01E4: call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() ldloc.s V_11 ldstr -debug ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_01CD: ldloc.s V_10 call System.Boolean System.Diagnostics.Debugger::Launch() pop <null> br.s IL_01E4: call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() ldloc.s V_10 ldc.i4.1 <null> add <null> stloc.s V_10 ldloc.s V_28 ldc.i4.1 <null> add <null> stloc.s V_28 ldloc.s V_28 ldloc.s V_27 ldlen <null> conv.i4 <null> blt IL_0112: ldloc.s V_27 call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() stloc.s V_13 ldloc.s V_13 ldstr epta.ps1 callvirt System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String) stloc.s V_14 ldloc.s V_14 call System.Text.Encoding System.Text.Encoding::get_UTF8() newobj System.Void System.IO.StreamReader::.ctor(System.IO.Stream,System.Text.Encoding) stloc.s V_15 ldloc.s V_15 callvirt System.String System.IO.TextReader::ReadToEnd() stloc.s V_16 ldloc.2 <null> call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_0228: ldloc.s V_5 ldloc.2 <null> ldloc.s V_16 call System.Void System.IO.File::WriteAllText(System.String,System.String) ldc.i4.0 <null> stloc.s V_26 leave IL_04FB: ldloc.s V_26 ldloc.s V_5 ldloc.s V_16 callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddScript(System.String) pop <null> leave.s IL_0240: leave.s IL_024E ldloc.s V_15 brfalse.s IL_023F: endfinally ldloc.s V_15 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_024E: ldnull ldloc.s V_14 brfalse.s IL_024D: endfinally ldloc.s V_14 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldnull <null> stloc.s V_17 
ldstr ^-([^: ]+)[ :]?([^:]*)$ newobj System.Void System.Text.RegularExpressions.Regex::.ctor(System.String) stloc.s V_18 ldloc.s V_9 stloc.s V_19 br IL_0414: ldloc.s V_19 ldloc.s V_18 ldarg.0 <null> ldloc.s V_19 ldelem.ref <null> callvirt System.Text.RegularExpressions.Match System.Text.RegularExpressions.Regex::Match(System.String) stloc.s V_20 ldloc.s V_20 callvirt System.Boolean System.Text.RegularExpressions.Group::get_Success() brfalse IL_03EB: ldloc.s V_17 ldloc.s V_20 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() callvirt System.Int32 System.Text.RegularExpressions.GroupCollection::get_Count() ldc.i4.3 <null> bne.un IL_03EB: ldloc.s V_17 ldarg.0 <null> ldloc.s V_19 ldelem.ref <null> ldloca.s V_21 call System.Boolean System.Double::TryParse(System.String,System.Double&) brtrue IL_03EB: ldloc.s V_17 ldloc.s V_17 brfalse.s IL_02AF: ldloc.s V_20 ldloc.s V_5 ldloc.s V_17 callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String) pop <null> ldloc.s V_20 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.String System.String::Trim() ldstr call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_02EB: ldloc.s V_20 ldloc.s V_20 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() stloc.s V_17 br IL_040E: ldloc.s V_19 ldloc.s V_20 callvirt System.Text.RegularExpressions.GroupCollection 
System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldstr True call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_032C: ldloc.s V_5 ldloc.s V_20 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.String System.String::ToUpper() ldstr $TRUE call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_0354: ldloc.s V_20 ldloc.s V_5 ldloc.s V_20 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldc.i4.1 <null> box System.Boolean callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_17 br IL_040E: ldloc.s V_19 ldloc.s V_20 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldstr False call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_0395: ldloc.s V_5 ldloc.s V_20 callvirt System.Text.RegularExpressions.GroupCollection 
System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.String System.String::ToUpper() ldstr $FALSE call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_03BA: ldloc.s V_5 ldloc.s V_5 ldloc.s V_20 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldc.i4.0 <null> box System.Boolean callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_17 br.s IL_040E: ldloc.s V_19 ldloc.s V_5 ldloc.s V_20 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldloc.s V_20 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_17 br.s IL_040E: ldloc.s V_19 ldloc.s V_17 brfalse.s IL_0402: ldloc.s V_5 ldloc.s V_5 ldloc.s V_17 ldarg.0 <null> ldloc.s V_19 ldelem.ref <null> callvirt 
System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_17 br.s IL_040E: ldloc.s V_19 ldloc.s V_5 ldarg.0 <null> ldloc.s V_19 ldelem.ref <null> callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddArgument(System.Object) pop <null> ldloc.s V_19 ldc.i4.1 <null> add <null> stloc.s V_19 ldloc.s V_19 ldarg.0 <null> ldlen <null> conv.i4 <null> blt IL_0266: ldloc.s V_18 ldloc.s V_17 brfalse.s IL_042C: ldloc.s V_5 ldloc.s V_5 ldloc.s V_17 callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String) pop <null> ldloc.s V_5 ldstr Out-String callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddCommand(System.String) pop <null> ldloc.s V_5 ldstr Stream callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String) pop <null> ldloc.s V_5 ldloc.s V_6 ldloc.s V_8 ldnull <null> ldloc.s V_24 brtrue.s IL_0460: ldloc.s V_24 ldloc.s V_25 ldftn System.Void ModuleNameSpace.MainApp/<>c__DisplayClass6::<Main>b__2(System.IAsyncResult) newobj System.Void System.AsyncCallback::.ctor(System.Object,System.IntPtr) stloc.s V_24 ldloc.s V_24 ldnull <null> callvirt System.IAsyncResult System.Management.Automation.PowerShell::BeginInvoke<System.String,System.Management.Automation.PSObject>(System.Management.Automation.PSDataCollection`1<System.String>,System.Management.Automation.PSDataCollection`1<System.Management.Automation.PSObject>,System.Management.Automation.PSInvocationSettings,System.AsyncCallback,System.Object) pop <null> ldloc.0 <null> callvirt System.Boolean ModuleNameSpace.MainApp::get_ShouldExit() brtrue.s IL_0481: ldloc.s V_5 ldloc.s V_25 ldfld System.Threading.ManualResetEvent ModuleNameSpace.MainApp/<>c__DisplayClass6::mre ldc.i4.s 100 callvirt System.Boolean 
System.Threading.WaitHandle::WaitOne(System.Int32) brfalse.s IL_0469: ldloc.0 ldloc.s V_5 callvirt System.Void System.Management.Automation.PowerShell::Stop() ldloc.s V_5 callvirt System.Management.Automation.PSInvocationStateInfo System.Management.Automation.PowerShell::get_InvocationStateInfo() callvirt System.Management.Automation.PSInvocationState System.Management.Automation.PSInvocationStateInfo::get_State() ldc.i4.5 <null> bne.un.s IL_04B4: leave.s IL_04C2 ldloc.s V_25 ldfld ModuleNameSpace.MainModuleUI ModuleNameSpace.MainApp/<>c__DisplayClass6::ui ldloc.s V_5 callvirt System.Management.Automation.PSInvocationStateInfo System.Management.Automation.PowerShell::get_InvocationStateInfo() callvirt System.Exception System.Management.Automation.PSInvocationStateInfo::get_Reason() callvirt System.String System.Exception::get_Message() callvirt System.Void System.Management.Automation.Host.PSHostUserInterface::WriteErrorLine(System.String) leave.s IL_04C2: ldloc.s V_4 ldloc.s V_5 brfalse.s IL_04C1: endfinally ldloc.s V_5 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_4 callvirt System.Void System.Management.Automation.Runspaces.Runspace::Close() leave.s IL_04D7: leave.s IL_04DC ldloc.s V_4 brfalse.s IL_04D6: endfinally ldloc.s V_4 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_04DC: ldloc.1 pop <null> leave.s IL_04DC: ldloc.1 ldloc.1 <null> brfalse.s IL_04F4: ldloc.0 ldstr Click OK to exit... call System.AppDomain System.AppDomain::get_CurrentDomain() callvirt System.String System.AppDomain::get_FriendlyName() call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String,System.String) pop <null> ldloc.0 <null> callvirt System.Int32 ModuleNameSpace.MainApp::get_ExitCode() ret <null> ldloc.s V_26 ret <null>


Artefacts
Name
Value
PE Layout

MemoryMapped (process dump suspected)
