Well, what have we here? We see a file operation on my C:\test folder: it renamed the folder to "CHKDSK.100ÿÿ", and that is followed by a registry key creation at "HKCU\Software\Microsoft\Windows\CurrentVersion\Namespace\getPrefix0".
First let's confirm the folder was renamed. Since it is hidden I will run the command "DIR /A:SH CHKDSK.*" (the /A:SH switch shows hidden and system files and folders). Wow... it's right there, great hiding trick.... Is it accessible? Run "cd CHKDSK.100ÿÿ". Looks like we can.
Okay, let's see what's hidden here with a "Dir" command, and we see private.txt. Okay, well it should be encrypted, right? Guess again... "Type private.txt".
Well, we are off to a bad start for security. But how do we know where these are hidden if we didn't hide them? How can we find them? Well, let's check out that registry key. Let's take a look at the values here:
- getPrefix0 = E
- Declaration0 = X:*XSPWHP.377ÿÿ
- Javax0 = X:*gvhg
- getPrefix1 = E
- Declaration1 = X:*XSPWHP.373ÿÿ
- Javax1 = X:*gvhg321
The last is the getPrefix key. I had one folder unhidden while I was working and the key value changed to "W". So it seems that "E" means hidden and "W" means not hidden. So I'd say we have this down now.
The last thing to attack is the password for the program (in this case it is "Password"). Let's check the registry further. There is one more key here:
- BAR - Kzhhdliw
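To show how little this obfuscation buys, here is an added example (not code from the original post or from the program being examined) that reverses the letter substitution in the registry values above and lists which entries are flagged hidden. It assumes the letter scheme is Atbash (a<->z, b<->y, ...), which matches Kzhhdliw/Password, gvhg/test and XSPWHP/CHKDSK, and it leaves digits and the "*" path separator untouched since the post does not establish their mapping.

```python
# Added example: decode the Atbash-style letter substitution seen in the
# folder-hider's registry values and report which entries are hidden.
# Registry values below are constructed from the post (trailing ÿÿ omitted);
# the mapping for digits and '*' is not established, so they pass through.
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
# Atbash: a<->z, b<->y, ... ("Kzhhdliw" -> "Password", "gvhg" -> "test")
ATBASH = str.maketrans(LOWER + UPPER, LOWER[::-1] + UPPER[::-1])


def decode_letters(value: str) -> str:
    """Reverse the letter substitution; digits and punctuation are unchanged."""
    return value.translate(ATBASH)


def hidden_entries(values: dict) -> list:
    """Group getPrefixN/DeclarationN/JavaxN triples and decode them.
    Per the post, getPrefix 'E' means the folder is hidden, 'W' means not."""
    entries = []
    n = 0
    while f"getPrefix{n}" in values:
        entries.append({
            "index": n,
            "hidden": values[f"getPrefix{n}"] == "E",
            "hidden_name": decode_letters(values.get(f"Declaration{n}", "")),
            "original_name": decode_letters(values.get(f"Javax{n}", "")),
        })
        n += 1
    return entries


# Constructed from the values shown in the post.
SAMPLE_VALUES = {
    "getPrefix0": "E", "Declaration0": "X:*XSPWHP.377", "Javax0": "X:*gvhg",
    "getPrefix1": "E", "Declaration1": "X:*XSPWHP.373", "Javax1": "X:*gvhg321",
    "BAR": "Kzhhdliw",
}

if __name__ == "__main__":
    print("program password:", decode_letters(SAMPLE_VALUES["BAR"]))
    for e in hidden_entries(SAMPLE_VALUES):
        state = "hidden" if e["hidden"] else "visible"
        print(f'{e["original_name"]} -> {e["hidden_name"]} ({state})')
```

On a real machine the same logic can be fed the exported values of that Namespace key to inventory every folder the tool has hidden.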
Substitution cipher solver:
Free Unhide Folder (Source[vb.net 2008] and Binary):