MZ����@���	�!�
L�!This program cannot be run in DOS mode.

$PEL
ͺZ�"
0>3 @@ �`��2O@�`�1  H.textD  `.rsrc�@@@.reloc`@B 3Hp"��0�0.

+X���
�
,+X
�i�
	-�+*0z
s
+=(

	,+(
+Y(+(+o
�iX
�iYXX�i�iY�-�(
+(+o
o
+*0�r
p(
(
o

(
r�pr�p
(
	(
o 
(s!
+��"
("
o#
X��i�-��($
o%
�
%o&
�o'
&*&((
*09~
�

,"r�p�()
o*
s+
�
~
+*0
~
+*"�*0
~
+*"(,
*Vs	(-
t�*BSJB

v4.0.30319l�#~��#Strings�
�#US�#GUID��#Blob
W�			�
3
'
-

+
����
h��
�x�Y���������
{n
{<�#D?�<@
�
|
?�
hS
�/��
+
g
�
g

��
<�����);o`� ���
�����

�

�
}A

�
A

*
i���

m
P �F	

� �{
!��
�!�W�!�+"
"��'
/"��,
8"�T2
O"�WX"�]7

d7�
d�
3
%	W
WW
)W1W9WAWIWQWYWaWiWqWyW�W�W�W�W�W W�D�}D��Y\f�l�����������

�	
8�

!�W
^�\f�W��`��l!
���W)
��)
���W��W9
`�)��.J
.S
.r
.#{
.+�
.3�
.;�
.C{
.K�
.S�
.[�
.c�
.k�
.s�
I��`{+c�0c�+c�+��+��q&-r���
/;

@
XE

=��
�3����
�+U-U/UIEnumerable`1List`1<Module>get_ASCIISystem.IOmscorlibSystem.Collections.GenericLoadAddSynchronizeddefaultInstanceTakeInvokeEnumerableRuntimeTypeHandleGetTypeFromHandleFileConsoleWriteLineTypeSystem.Coreget_Cultureset_CultureresourceCultureMethodBaseApplicationSettingsBaseEditorBrowsableStateSTAThreadAttributeCompilerGeneratedAttributeGuidAttributeGeneratedCodeAttributeDebuggerNonUserCodeAttributeDebuggableAttributeEditorBrowsableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeBytevaluemaldrop.exeoffEncodingSystem.Runtime.VersioningToStringSystem.ComponentModelProgramSystemresourceManMainget_LocationSystem.ConfigurationSystem.GlobalizationSystem.ReflectionsplitPatternpatternMethodInfoCultureInfoSkipmaldropSystem.Linqget_ResourceManagerSystem.CodeDom.Compiler.ctor.cctorarrSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resourcesmaldrop.Properties.Resources.resourcesDebuggingModesmaldrop.PropertiesReadAllBytesGetBytesSettingsargsConcatObjectCompareOffsetget_Defaultget_EntryPointSystem.TextSplitByteArrayToArrayget_AssemblyGetEntryAssembly��All the techniques implemented in this were found in malware samples I analyzed
[SPLITERATOR]9maldrop.Properties.Resourcesm��]�ЭN�!˭�� 

 
 

 

 

 
 

aE
E

q
q




q
 

 E


y 
�� 
E

y �� YY
���� y 
y
]

�����z\V4��Y]	

Y]

]
Y]


TWrapNonExceptionThrows



maldrop

Copyright ©  2018)
$0c1a951a-98ee-411d-acd4-3d0ded76a3ee
1.0.0.0M
.NETFramework,Version=v4.6.1
TFrameworkDisplayName.NET Framework 4.6.1
@
3System.Resources.Tools.StronglyTypedResourceBuilder4.0.0.0Y
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator11.0.0.0
����
�lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSetPADPADP�ͺZ
�1�RSDSY��4�eH���*_'
K:\ezctf\testing\maldropper\maldrop\maldrop\obj\Debug\maldrop.pdb3.3  3_CorExeMainmscoree.dll�% @ �P�

8�
�

h�
��@4VS_VERSION_INFO���


?
D
VarFileInfo$Translation�l
StringFileInfoH
000004b0

Comments"

CompanyName8
FileDescriptionmaldrop0
FileVersion1.0.0.08
InternalNamemaldrop.exeH
LegalCopyrightCopyright �  2018*

LegalTrademarks@
OriginalFilenamemaldrop.exe0
ProductNamemaldrop4
ProductVersion1.0.0.08
Assembly Version1.0.0.0�C�
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>0@3[SPLITERATOR]MZ����@���	�!�
L�!This program cannot be run in DOS mode.

$PEL
2�Z�"
0�0 @@ �`�P0O@�`/  H.text�  `.rsrc�@@@.reloc`@B�0H�!�
`.�0�
s

+�(
o
X�i�-�o
s
s
 
�

s
	 
o
	(
+o
�-�o
(
o
o
&*&( 
*09~
�

,"r
p�(!
o"
s#
�
~
+*0
~
+*"�*0
~
+*"($
*Vs(%
t�*BSJB

v4.0.30319l#~�L#Strings�	<#US
#GUID
�#Blob
W�			�
3
'%



6
��
��
X��
���d���������
ky
kG�.B�K
�2}
r�
�
3�
X^
�#��
6
\
�
\

�+��
���
2@���

�����
#
�

�
�WA

��A

�q����p�P ���
� �K!��L!���c!���l!���!�K�!�Q



0	K
KK
)K1K9KAKIKQKYKaKiKqKyK�K�K�K�K�K K�0
C_H4N�KT�KZ�Mb

�j��
R�
%�!
���K)
��)
<��K��K9
c� {�
)��.
.
.>
.#G
.+T
.3T
.;T
.CG
.KZ
.ST
.[T
.cr
.k�
.s�
I��c��
c��
c��
���
��=&���
#




=�
W�)����
�7}IEnumerable`1List`1<Module>System.IOmscorlibSystem.Collections.GenericReadLoadpayloadAddSynchronizeddefaultInstanceCompressionModeAddRangeTakeInvokeEnumerableRuntimeTypeHandleGetTypeFromHandleTypeSystem.Coreget_Cultureset_CultureresourceCultureMethodBaseApplicationSettingsBaseParseEditorBrowsableStateSTAThreadAttributeCompilerGeneratedAttributeGuidAttributeGeneratedCodeAttributeDebuggerNonUserCodeAttributeDebuggableAttributeEditorBrowsableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeBytevaluepayload.exeSystem.Runtime.VersioningSystem.ComponentModelGZipStreamMemoryStreamProgramSystemresourceManMainSystem.IO.CompressionSystem.ConfigurationSystem.GlobalizationSystem.ReflectionMethodInfoCultureInfoSystem.Linqget_ResourceManagerSystem.CodeDom.Compiler.ctor.cctorSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.Resourcespayload.Properties.Resources.resourcesDebuggingModespayload.PropertiesSettingsargsObjectget_Defaultget_EntryPointToArrayget_Assembly9payload.Properties.Resources\�bMA��I�#i 

 
 

 

 

 
 

i	I
MQI
I

 

  

 
y} 
��
��



 

��

�� �� aa
���� �� 
��
e

�����z\V4��ae

ae

e
ae


TWrapNonExceptionThrows



payload

Copyright ©  2018)
$59609974-b832-4210-8fc9-2f9e765d738e
1.0.0.0M
.NETFramework,Version=v4.6.1
TFrameworkDisplayName.NET Framework 4.6.1
@
3System.Resources.Tools.StronglyTypedResourceBuilder4.0.0.0Y
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator11.0.0.0
����
�lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSetPADPADP�2�Z
4/4RSDS-�KA��pI�\���l��
K:\ezctf\testing\maldropper\maldrop\payload\obj\Debug\payload.pdbx0�0 �0_CorExeMainmscoree.dll�% @ �P�

8�
�

h�
��@4VS_VERSION_INFO���


?
D
VarFileInfo$Translation�l
StringFileInfoH
000004b0

Comments"

CompanyName8
FileDescriptionpayload0
FileVersion1.0.0.08
InternalNamepayload.exeH
LegalCopyrightCopyright �  2018*

LegalTrademarks@
OriginalFilenamepayload.exe0
ProductNamepayload4
ProductVersion1.0.0.08
Assembly Version1.0.0.0�C�
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>0�0[SPLITERATOR]��Xkl�>��~&1� �&k��Ğ�E��q�cmǍ��c^�����z`vf��5޴�Q�*��F��"ZJ�C��Bjʣ��R���WBj�U *~�JU��;3�����P��Ι{�9��sϽ��{g��3'����#:�7�>	?,��p��
�\�k��+c�m��3=��:9Wϫ�nێ�f��mմ��Ѵ�w�B۰���P��ј���%�v���Ni'j�6�j��V���a���F��pY�<�����rX�|�_���5��\�#z��++�	��@}��h�
�6ղ钭�C4_,�hw_��-�-YT���ZҶ>Tx��x*J��\a9`d[���OE�#�h�j#��m�Qe��^GX1R���֥5!?ll��xз��{�j�6��{���q�/8�����
��j���Qw`h����o�P��bbc�)��F����Z�\
��.x;��J;��v\��I�:�I���hHl���W�&��B��c}�v`��O
xW
��Yd��{�.���QC��9p`�~U�LRl�;#:�
��
�W�);��xl�����"�@�@�s
{��g�[k׺ڻ:�h��|�-�mB�'�}״ss��=��w˱4u�K�e��h
��)X�2`9fFAS����*u���J��\U�@4�On��ģ��1Ӹ�o�Ƃw5m�����%�Q��/�a�Wӂ2�{^��c�
	�I�5��*�������R�������&�Uq�"��D=ŕ���]��b�����j�9����ЅX=V>L��V)!/a���N���qPy,�Hx>�Fz7���Qgl#5%�%��l$�<<R��^_�
}�3t�&T��m�?��uj��ЯЯd�l���3h��Ɯgk]�Z-a�X�P�l}���G�sP��,��hL���,43�X=W`
����l�	�I�/ᨄ7Hx��:�d����$���������g%�����ss�Tj�tb0*���菱>��B��I�t��M�3`�ӟ%^Q6��>��sʵ�-�Ӱמ#�6�K�W��-��.z�K��J8(��?��%�V	
ڤht��
F�d�N�#�A@�Ag
O���U���C�O��~*�8f����b�G�v��U��/�5PC��h��Q�wx���.�H(�qy�dQ��Ɲl�)��k�J�lc�ul��R� �,eŬ^��Q��u�4Y�}3/�JqH�����sk�u�!fб=�]�c�-�('��!��
�*��k��͖i���i���tO�P��w�u���%Ҿ�JO�O͹B����W�"P�N�`Z��p�SA)����ag���)�)�r�=���<�Ed�KV�D�%Ӧg.c��<��X�)ӯ�QF�zV�u��%)S��
�D#�r*	Q�a�vZ���+"b2f�\�X���ᚅ�����Ǥ��Y�V˞p��5a�)�\37�&)_���R�pE�N�ɘ��WP�u�(h��s��ie����z��E^�j��Rh�	�V��b[�>V����0��$����h��6�립Թ�wryN�̓�)rR�Z�`/R��G�Y�[�+G!7�d��V�z�d�K9y-��5�P�¡�L=g;�o^�/�ƨ��)��;ob9��Z�Uک�a�����\G�`�z�8���~=)��t4s;�$�
�ch8�)�s��/Ǭ&A:bk	1ާY�o�ߍ 6�S�N9Dt�\b0Kۈ�gCZ�����<M:T�-�!`'��
�Y���������^}�У�o=v������(�HHJ*MM�l`�RcJC�Ċ�������Z`��_+kܳ!A�SS�5o>�D�\l*%Tj���E4ߝ�Q�u�� .އ�OO�L_�}��xu�q<:�F}A��89���ژ�e$�Π�V	o/W��b*vٍ�^@XZ0������
�j83P#Ο{
gC��\���V�v�w�%�V�k�{�t����h����m��{����N���G��22�Fw����ЁC'~D�
mՎM�CZk��{q0ݣu�ԆMeb��
�^:��{�e�*�lb�B]QP��6�8��a:v
9(��pK��AX�t�B��M�u<g��������Y�т�Aa2B�4sH-eD���Ô㸵��¹Q�}���7���-~����ȾId4ᶪQnnU#���a��E�wu�U�(f�7�Ҕs��{3==�u�u{:�uu����ZV+ry���m4џ�?��%�3�V��G_��q2�J?\��ț�\=���~��3-<���g�Iß��������V��$��T,�'s���&�X��Ͱ�OhI�w[6�*��\[]�;p@�m�q��LDr��в�����Ӥ����&���*����`����I=��̷	L�?���+�Z�3}D��^&Q�w�2�S�m�C�i�׏��G
���5�R❋�i<�ԉ���1�//)��F�r!�3��LY͑���^S���z2�q�r�
ʏb*���	|n
Is��w���MԈ�HB^?��~��_��W
� ��0Z]�ʩ_����̕�}M��J;�ο������߅���u ��Du�Ez�s�{u�dɪ��h�]��ߔ�����ɣ+�$��h6��r��[��_'l� �5|�a�,�	f�Oy�uq���C�棡�!�9�mn��	s�_V�Q"��J_'�,�&|�Y�����<����Vzz����>��'ǔ�m%x����:H�V�"煗\������6қDL��6�,R@o���p�ޤ�wɬn�\ޛ,	/y��
�����H���M]{�g��:����f8������;�j^��Y�(9J}��ea�Y�q�Xf���j�Hћ/U\85�PH�$�n���w����t&e?���Q�ݷ��qŝE�)��9��BNxQjW$UEY��a��1&慥Z{��7j�#��I�h�8�Í���pPR��5��L߽����NÁ����15�&�ΏI���|2<�_a�U