MalScore: 100/100

klws.exe

Is DLL Packer Anti Debug Anti VM Signed XOR AntiVirus 9/67 Related 2135
File details
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 434.50 KB (444928 bytes)
Compile time: 2017-11-01 11:30:15
MD5: 1ddf0cc50a2d10f346dfa7099dc2ea1b
SHA1: a47f9cdc0bb635b0eeee226667754de2953fdcab
SHA256: 173257d2e71eb249c2687c90874b8354a9b0e386af246291d3a38456155b222f
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections 4 .text .sdata .rsrc .reloc
Directories 3 import resource relocation
First submission: 2017-11-01 14:51:03
Last submission: 2017-11-01 14:51:03
Filename detected: - klws.exe (1)
URL file hosting
hXXp://dokumenty-office.powiat.pl/play-mobile/klws.exe
Antivirus Report
Report Date Detection Ratio Permalink Update
2017-11-01 12:28:23 [9/67] VirusTotal
PE Sections 1 suspicious
Name VAddress VSize Size MD5 SHA1
.text 0x2000 0x64ef4 413696 8f22747b5a823cbbed9a2e2183e3319f 17e9d6b5a01e00119c0a27070bb6647230a575f3
.sdata 0x68000 0x16a 512 2cd3429a7270cf67f0960d8fe6f9ba44 f9da156423f91aeb5a48123bdd42b0917c585958
.rsrc 0x6a000 0x702c 29184 35e3d9847221198642bc8544609725ef 7b3d62dd41ee2ae631ae920555fd80c882a08708
.reloc 0x72000 0xc 512 34ade7e2b03459b8648c89834362938b 5ea30ef1a35af2c76f8851284980f44e0082e883
PE Resources
Name Offset Size Language Sublanguage Data
RT_ICON 0x705d8 1128 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_GROUP_ICON 0x70a40 118 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_VERSION 0x70ab8 904 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_MANIFEST 0x70e40 490 LANG_NEUTRAL SUBLANG_NEUTRAL
  • API Alert
  • Anti Debug
Meta Info
LegalCopyright: ©2013 NVIDIA Corporation, All Rights Reserved.
Assembly Version: 1.0.0.0
InternalName: NvLedServiceHost.exe
FileVersion: 1.0
FileDescription: Nvidia LED Visualizer
OriginalFilename: NvLedServiceHost.exe
ProductVersion: 1.0
Translation: 0x0000 0x04b0
Comments: Nvidia LED Visualizer application
ProductName: Nvidia LED Visualizer
XOR
No XOR information found in this file.
Signature
This file is not digitally signed.
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
File type: Text
!!$ O D Z Y S K A J P L I K I.txt
File type: Library
KERNEL32.dll
mscoree.dll
IP Found
No IP detected
URL(s)
file:///
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration (seconds)
Seven01b_64 Seven01b_64 VirtualBox 2017-11-01 14:45:04 2017-11-01 14:47:59 175

5 Behaviors detected by system signatures

5 Summary items with data

Files

C:\Users\Seven01\AppData\Local\Temp
C:\Users
C:\Users\Seven01
C:\Users\Seven01\AppData
C:\Users\Seven01\AppData\Local
C:\Windows\System32\Branding\Basebrd\Basebrd.dll
C:\Windows\Branding\Basebrd\basebrd.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\Seven01\AppData\Local\Temp\"C:\Users\Seven01\AppData\Roamingkn502csd.krr.bat"
C:\Users\Seven01\AppData\Roamingkn502csd.krr.bat
C:\Users\Seven01\AppData\Local\Temp\This.*
C:\Users\Seven01\AppData\Local\Temp\This
C:\ProgramData\Oracle\Java\javapath\This.*
C:\ProgramData\Oracle\Java\javapath\This
C:\Windows\System32\This.*
C:\Windows\System32\This
C:\Windows\This.*
C:\Windows\This
C:\Windows\System32\wbem\This.*
C:\Windows\System32\wbem\This
C:\Windows\System32\WindowsPowerShell\v1.0\This.*
C:\Windows\System32\WindowsPowerShell\v1.0\This
C:\unrar\This.*
C:\unrar\This
C:\Python27\This.*
C:\Python27\This

Read Files

C:\Windows\Branding\Basebrd\basebrd.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\Seven01\AppData\Roamingkn502csd.krr.bat

Write Files

Nothing to display

Delete Files

Nothing to display

Keys

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Write Keys

Nothing to display

Delete Keys

Nothing to display

Mutexes

Resolved APIs

kernel32.dll.SetThreadUILanguage
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel

Execute Commands

Nothing to display

Started Services

Nothing to display

Created Services

Nothing to display
4 HTTP Request(s) detected

http://office365-dokumenty.eu/lpass/
  • Hostname: office365-dokumenty.eu
  • IP Address: 104.28.12.96
  • Port: 80
  • Count: 1

GET /lpass/ HTTP/1.1
Host: office365-dokumenty.eu
Connection: Keep-Alive

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  • Hostname: www.download.windowsupdate.com
  • IP Address: 2.21.77.82
  • Port: 80
  • Count: 2

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86400
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://www.msn.com/?ocid=iehp
  • Hostname: www.msn.com
  • IP Address: 204.79.197.203
  • Port: 80
  • Count: 1

GET /?ocid=iehp HTTP/1.1
Accept: */*
Accept-Language: it
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.msn.com
Connection: Keep-Alive

http://office365-dokumenty.eu/seo/save.txt
  • Hostname: office365-dokumenty.eu
  • IP Address: 104.28.12.96
  • Port: 80
  • Count: 1

GET /seo/save.txt HTTP/1.1
Host: office365-dokumenty.eu
Connection: Keep-Alive

TheSystem Itself @ 2017-11-01 14:51:06