5.0
中危
DACN
0.14
FACILE
1.00
IMCLNet
0.92
MFGraph
0.00
反病毒引擎
| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | Trojan:Win32/csharp.ali2000008 | 20190527 | 0.3.0.5 |
| Avast | Win32:Agent-AVLJ [Trj] | 20240329 | 23.9.8494.0 |
| Baidu | None | 20190318 | 1.0.0.2 |
| CrowdStrike | win/malicious_confidence_100% (W) | 20231026 | 1.0 |
| Kingsoft | malware.kb.c.1000 | 20230906 | None |
| McAfee | GenericRXCZ-AI!87FA2B140B3F | 20240329 | 6.0.6.653 |
| Tencent | Trojan.MSIL.Zilla.ha | 20240329 | 1.0.0.1 |
静态指标
查询计算机名称
(50 out of 85 个事件)
检查进程是否被调试器调试
(2 个事件)
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1727545269.81275 IsDebuggerPresent |
failed | 0 | 0 | |
|
1727545270.765875 IsDebuggerPresent |
failed | 0 | 0 |
一个或多个进程崩溃
(28 个事件)
动态指标
连接到动态 DNS 域
(1 个事件)
| domain | rwkeith.no-ip.org |
分配可读-可写-可执行内存(通常用于自解压)
(50 out of 60 个事件)
在文件系统上创建可执行文件
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\tmpB5D3.tmp.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\kcndlal1.0.vb |
投放一个二进制文件并执行它
(1 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\tmpB5D3.tmp.exe |
将可执行文件投放到用户的 AppData 文件夹
(2 个事件)
| file | C:\Users\Administrator\AppData\Local\Temp\0001c78a57a163f0c3602190cb230e805dfabad46c7dfb957c7a09879c0a2f98.exe |
| file | C:\Users\Administrator\AppData\Local\Temp\tmpB5D3.tmp.exe |
一个进程创建了一个隐藏窗口
(1 个事件)
检查适配器地址以检测虚拟网络接口
(10 个事件)
该二进制文件可能包含加密或压缩数据,表明使用了打包工具
(2 个事件)
| section | {'name': '.text', 'virtual_address': '0x00002000', 'virtual_size': '0x00013164', 'size_of_data': '0x00013200', 'entropy': 7.4821491575822545} | entropy | 7.4821491575822545 | description | 发现高熵的节 | |||||||||
| entropy | 0.9807692307692307 | description | 此PE文件的整体熵值较高 | |||||||||||
检查系统上可疑权限的本地唯一标识符
(2 个事件)
终止另一个进程
(1 个事件)
网络通信
与未执行 DNS 查询的主机进行通信
(2 个事件)
| host | 114.114.114.114 | |||
| host | 8.8.8.8 | |||
Attempts to identify installed AV products by registry key
(1 个事件)
| registry | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc |
在 Windows 启动时自我安装以实现自动运行
(1 个事件)
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mscorsvc | reg_value | "C:\Users\Administrator\AppData\Local\Temp\sortkey.exe" | ||||||
执行一个或多个 WMI 查询
(2 个事件)
| wmi | SELECT * FROM FirewallProduct |
| wmi | SELECT * FROM AntivirusProduct |
生成一些 ICMP 流量
连接到不再响应请求的 IP 地址(合法服务通常会保持运行)
(1 个事件)
| dead_host | 44.221.84.105:80 |
文件已被 VirusTotal 上 58 个反病毒引擎识别为恶意
(50 out of 58 个事件)
| ALYac | IL:Trojan.MSILZilla.21585 |
| APEX | Malicious |
| AVG | Win32:Agent-AVLJ [Trj] |
| AhnLab-V3 | Trojan/Win32.Injector.R344588 |
| Alibaba | Trojan:Win32/csharp.ali2000008 |
| Antiy-AVL | Trojan/Win32.AGeneric |
| Arcabit | IL:Trojan.MSILZilla.D5451 |
| Avast | Win32:Agent-AVLJ [Trj] |
| Avira | TR/Dropper.Gen |
| BitDefender | IL:Trojan.MSILZilla.21585 |
| BitDefenderTheta | Gen:NN.ZemsilF.36802.em0@aKdL2hk |
| Bkav | W32.AIDetectMalware.CS |
| CAT-QuickHeal | Trojan.Generic.TRFH959 |
| ClamAV | Win.Malware.Avlj-9877624-0 |
| CrowdStrike | win/malicious_confidence_100% (W) |
| Cybereason | malicious.40b3fe |
| Cylance | unsafe |
| DeepInstinct | MALICIOUS |
| DrWeb | Trojan.DownLoader7.54184 |
| ESET-NOD32 | a variant of MSIL/Kryptik.MSS |
| Elastic | malicious (high confidence) |
| Emsisoft | IL:Trojan.MSILZilla.21585 (B) |
| F-Secure | Trojan.TR/Dropper.Gen |
| FireEye | Generic.mg.87fa2b140b3fe945 |
| Fortinet | MSIL/Kryptik.JJC!tr |
| GData | MSIL.Trojan.PSE.105TIS2 |
| Detected | |
| Ikarus | Trojan.Dropper |
| Jiangmin | TrojanDropper.Injector.ioj |
| K7AntiVirus | Trojan ( 0056ae4d1 ) |
| K7GW | Trojan ( 005690671 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| Kingsoft | malware.kb.c.1000 |
| Lionic | Trojan.Win32.Generic.4!c |
| MAX | malware (ai score=100) |
| Malwarebytes | Generic.Malware.AI.DDS |
| MaxSecure | Trojan.Malware.300983.susgen |
| McAfee | GenericRXCZ-AI!87FA2B140B3F |
| MicroWorld-eScan | IL:Trojan.MSILZilla.21585 |
| Microsoft | PWS:MSIL/Mintluks!pz |
| NANO-Antivirus | Trojan.Win32.Generic.euparm |
| Rising | Backdoor.njRAT!1.AE81 (CLASSIC) |
| Sangfor | Suspicious.Win32.Save.a |
| SentinelOne | Static AI - Malicious PE |
| Skyhigh | BehavesLike.Win32.Generic.lc |
| Sophos | Mal/MSIL-TU |
| Symantec | Trojan.Gen.MBT |
| TACHYON | Trojan/W32.DN-Agent.80384.BF |
| Tencent | Trojan.MSIL.Zilla.ha |
| TrendMicro | TROJ_MINTLUKS.SM |
二进制图像
288x288
224x224
192x192
160x160
128x128
96x96
64x64
32x32
运行截图
暂无运行截图
该样本运行过程中未生成截图
PE Compile Time
2020-05-26 01:28:11
PE Imphash
f34d5f2d4577ed6d9ceec516c1f5a744
Sections
| Name | Virtual Address | Virtual Size | Size of Raw Data | Entropy |
|---|---|---|---|---|
| .text | 0x00002000 | 0x00013164 | 0x00013200 | 7.4821491575822545 |
| .rsrc | 0x00016000 | 0x000002b0 | 0x00000400 | 2.217591576446257 |
| .reloc | 0x00018000 | 0x0000000c | 0x00000200 | 0.10191042566270775 |
Resources
| Name | Offset | Size | Language | Sub-language | File type |
|---|---|---|---|---|---|
| RT_VERSION | 0x00016058 | 0x00000254 | LANG_NEUTRAL | SUBLANG_NEUTRAL | None |
Imports
Library mscoree.dll:
• 0x402000 _CorExeMain
L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
?Xkl(N
?Xkl(N
&-;DNXl5
?Xkl(N
?Xkl(N
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
PADPADP
I%&/m{
iG#)*eVe]f
{{;N'?\fd
! ?~| ?"?
7]~]_?
M:[ltz
_cG=~_
5_5~=7~'
(mk_k5'~sK?"
@?KoS.
vM~#}}
o~C|77`B
Mj[:2p-FmG
5K~__~{o
0Kb.!]~#o
w6AI+b
{|[ O:
l?a_Sm^o[6o]}kX9o6k
y-~q_87e{
L{is/~o!MHk;c@o--
7|B|cM|~
@m=?'*{;
h'y"Xa
Jk1w/i
.\Fo$Xos
}:ml+>wg{
{)s~7O
P-aaoit{
o.p~m]
Oo~_77&"n1{?
~7;6[4
?o:xwZ
oc~mzA
h_o@:h Do
4>/<z5
jBS.k-T
2z!SkP
DR|[_
q|@u8/k;sWsI
u_[z!g{R
#i>7f|cn_
"oSuI~_cs
okI87-~mi
X8-w~_
~){)Gi_
okiQ>?G
0|?7+z
-w~_7$n-`o
WhK_c(
)8`{[7}w
.i/ooC_L
~f^abu"Q#
iui~_m~_
_cLV?$
o+:cm
d&EfzH
F m?PJ#yzw
b_4uxP
AcY_kA5\
5~eK,:
7~7F <bm(b[
f{kt%bK#g
~M75~Jd
T0oW?_ZIZ
* W?C lo
'O@+z}5_?F
~v] }[Zk
oAoc 6<
/5Ozo_/
`'O_^]y_%O2_
y/?8b*p0m.?O
gn\ 4 g}
.~P'6c9
6H|OD5
d;9t~?Mo
;_o-me~
#!?MvKES
HR,GA$j
} M&y5
O6'w~_
7!K/z(
0vJ154FB-
foPGH;[?jFoJ6
o[|7-~
WeSU~k[@X6og
sZF~CPE
.oc(.Q]~6;
o;35.F[]myW
Vg-5~?~
}v_Jsz
8A3[{k
woc;+[o:dZta~=6ky
%M_G?C*7 >e
} "4G'\RB)?;F
vfA33}
~'26oO
}f?|qm~|IOg
~a=o!$/o4~
o5k pk
~|mm omcU$
|[[h]=m5 b
<_o/WM%?
=o/O~? ~-roZ__
~W|;KK/C
!_J/ C?
|;K+/C
C;!w_o
Nv]'!woor
v]]!wow
3ma57_7
22Cooy
{vhW&vho
AAG?`C
oY Zo@
Oo@+v(
6d(n{8,
*m>y@*4
E~?H_V
k54H__
k[o__+-
o~u]_HW
6."[|5
__x7~w
`~__lh ~~H?
oT+7=P
3A!K~O@
ok>w`t;^/
mqJ~I;
6[%~h_'
k1s LG
~=sKf<WkG
G_X%oo
o[3}[zo
oo "7~_
o[z?L=o
o32mzo6
?IxCl\%
#u8.E~w~M
?m_&oTu5s
71wDuo[6
~c}Wd=
?7ba"k
CQ J yo?
x}4WA`~ )mB_o6G:
Wj|{5~
d?_ @cXm3_~?&
.S5~/aOD_i!FT!+'p|
d[4oPoLD7:~7
~^o_7?
o`77~1
K ]~oa
oohMT>
?oc7v7-
S`?p[E{I
3}nv75o>7
8(lzOC#B
0h>6hb7 7
o5"~ c7O
~)p/).
K6uz4@Ro|
];0&,o|r
~-3W_K?{GH{
?]E?x~
PpKl?6%Y
B.wIT.a
o7~D]~o}
~7M'w-
%k6?|:
EJwMf`=<
[/M~ 7L
:il5Em
-~=Z-~_Lml
;[Qd2;[z
ooO8[o
lq6N|i
q~cR3?C<
57]]=}
?&>g?O~k
w$h8-L~=Zouqy
_7Wu}_8|cw
"o8ZL??C
B<~]_~
)S AF?~
(R!q&7h7
sVTG@$2_)uPi
MhcZ[-}k%
HzWe> _gto
b9+b.PF
"M5^]H+
`)]f77u
W?O\Dcz'~Z$2=
|_eEXB
BOXN_c`k|X
cWto;_;_xFX<X
)lC6[D
ghk 5kim|N
boydd~
pi"w9;
noE,oUd~
:F,o[:
Z?k Px
9#9< J67?
^k~^97
u17tv!%9
~}oc?^
ua=+~ ?)O
~~grz~_o
:eC2{O(~oO?W
i5$N1
7>~_0Q
9~_x~(7=_
oko F7
He5JzZ G7?iq
Wiz27u?
Fny ]a>Q
9}6]W7
]bAO^FY
!M]}r>HC
_v+~7~1"+O;
_K~SB>
xvv8~}1
700,
c.|3," A
o"zx@m
2Nc"4BQ:]b
I7&C8)[e3N
,f47~r&,*
/K}PXU
[1^Vo*K#e.oI
~)v_xH?_IN
?9[o#h
^8: N?
nV6Y~oTDo _X/3
t%4oHI?'N
(9Ow6o
]d||>]FZ
7S.?d5c[B
~fqS_D
_w!G<_~_]~c|le
fkkbw-
[SX6N`
/ G 2N:;IB
_7_7Ovw!?&~.o
~om=oY~
BE?%?M7
iI[|r =
,$_S!r
G?{c5x
Y35~S_
15K~K~
HTiXvdZ
['[o[:VHU
@/XO-Z
"oF9yV
$oEgAX:=Y
E>D>o'~6
+?~_.&[o[
4uJAnEa2]/L
IXi7?=F$7
_[]_k
kN9~_cG
OG"$ BP
N.~' 0Lo$q
_5_CLocd
c@O5-n*
/")86o;
~?EXt/
JJ_@=I%
;.A6!=F
%RxV%>'o
O`Y|_e7_
AG&NAG
A?H;nt_
d~29U_V?u&#
o*U~_oc
~ S3f?wM
95Qjsy_~
_Z&/u\67
0|I!ok.;~
~K[ k`>
1A1|[_
zha=c~ukSoY7q
F`w3Ho[f
6'~_!"y&uZ{
_5 f"?+7
7aCE<R
.KR/a]7
"u~?hA~K
_iH^(A
Kk_?+D^'1
Zhge5(a1
79`_zB
"sCZ"RazR"snO
' _<>u[z{k>
?THk@W
bO>12k
['x;#"zqn
__~/HQ
]iok"WY]L5y]:%O
joL} F;
F$5@_H
W=HW_8
m "_ 'oT
#36A/=y'
u~uOjc
g05_ __
_cN~?~_
/]~_W.&[xa
_ K~w}A+:
3ok z_m
W?~W>B
g~G##?M~-~ _
x/o_ $~>
~ol5?vk
Iok?%I~
';C.>e|k
m~?okY/5
M85Pc_+?^g
kBh'%o
_s?c_/
}|1{?;
c?c3/
cC~3P/
??#?o1=
=~{|~=_75
_o-?#w
57|;[d~
%z_OAk$
aeJ~-w
~_w2&Kk}
e6Y_7]
m~?m#_
_&-Bk_
dJ?v ..zP
7okMqv
/5*&wO~k_IkJ
?_~_ H~_w5?
YPoo?'
k5~Lm~<5
<507U/~5
QoKo7_
wG7/~:5Voku
?~_ork=5
qO_OIM~_
?ky2m~o_
.~zkZ_?
{oskcoY? _
}~7;5kk
M_f__7C
oZ_kec
3~?oOZ
okm~VW
6?k___
o~k~_k
/_S.~o~
J:_5~Bz
{P_kk[
{og:uoW:.{
w{uv_S_
?07/h7o
/?65~kw>9_z?zMMo7
]__k?c]=8c
r_A mr
_/_E#W8musw
dokgyH-_!RJ
@+/5_?
~_WW[cRGc'$<
_'6G;?
F~rj GO@?
1__oWZcw
'~B?Yn/.
~_k9/Z_1~H-5_Kf
?kgHOZ
x_g>G~_
O+ ok ;@l~}~8}~
~oOA[K~?u
IGs -_
vk/dk s?
~rH|}o%
{vcF/~_/
M~ u7|kW#/
o~a9/3
?r3AF~{T
_ H/~?/_F
1{t_u~oI
?.`%wAog
7~H:Wo_~M_I~
v_wok_
oc>o~_w
~?wwugu
ogZ k{
K7{1|~
fl"?O_/' =_k?~__
_fw~
?<_~H~? ????$
kZfkyok
16_kDcF
co@ 5~_7
"/! 9_?OS>
a{[_M2O_?_~
75_7.O~
0Ou_u_
??co/cn
o&o;}7G
ozQ_F{ooN'c
Yof?A_#v/fofo)J5~_;k;[
_?H75#
i_>O_ G
>o<M^&'kW
?Z_7-~-J%
_kgk!sk_k
5 kk<5_
g-~_k_/5A
o}K~~k
C% '?N
[O(!=o
fZe15(uT'fO
_\ Ve1
Z_jZyM
yV/evAi0
.7<kT~
_U^gj?oOu
h~Y=+2j=
mNyq$:b
"{k<}z9
}ky}zr_/
7vlSybIs
YUM5P$0
I5/_qs
z3Oj\b(2{c
[Vw :_451K~k45o
zk|WO</z v
:)Tb<+I.
Qq _cb
syg|..~`yt9?ksQ,rf3B
3$&Df~?9~|1
?NO_+z
S^O^w8}z&''
/_w# :~c_
?i~}}S
6IG^d/O=g01Q^
Z'WY*Kc
@Ok<-x-
4+:[6bEm4w:XE5V
NC[1YU
vh~ov>
rsx^]V+4
kaI%a@i^
55t8'qhtR&^
:?7V\h
5b~5Lf?Y_
.X8s_ \z]
UqvQ=!
|_W;O=?WO
%;}kLm7o
zk} \ZEu_k
dtZAs{'x
oZA-C_%XeE
Hf@i_aAv
/{D~8~kB*t\
0"hEnX
^FG6.
+E m]]K_c]
l%Q ,25 _B=
/)_J>c
TR&1!Bc{Z
1S+%t:
:vDn )
%LV9Z$
Ou~E?jy-?~
kbO{:G
4/(/|?h>
Mh&EgO^
Xv>+pf
e^fu ~6)I
P|s^,5
G/^g&x6s
S}5V$d%9dV5V
d0y+`B&;;K]hm%we+
&w|;EUV~*l
}z=]}44u~
'F*\,X
75shP@
@I&k>D
v"^- `d7
b?0<X-
QM~Z~aF~
M/^ 'D9
7g/}7g_5~WO
/O_{yzR\
m'|y9T'
$~mZyk
dEtw)R
)5{WO.NY._
ZIE*sZu+=dd
Pn@}[J
nRLPevu
%-WG,2|4
}D$Q_eWF
^~cx~~
IF)OLHz~9}qL/|I"
}kha],
aUk-fJ2
0%:F up\&
ycd!#:$OJX
N5l]~>m*
15"x;c
9cYYO_}S*q</*_
cPf&/[
/ 2C/wq "
$B~C/7
}C%)BJ>En
5~dhX&t^W;\3vAcdiH
LzZQ07
pG%kp78
GXW9dO
}t ^4 =FN~F>c
QV8_a
95$;#[/!^;
PYHfuC/g/H89eJ [9I}$a'\j
2[ffIP?
*0f%^!L"NF.D
Z~"F^M
kaon&N
/;\B.dH
W0BF/ne
\I+~LD
%yNVG}KJFK
y&z,jD
!*R *
|_LzSg
~oBqyA/~
X!aEa:Qd}]h
sYaU=BbkF
9^E'O'
fG<~}rv
K-1I/D
w[)Z!-=11/
(OiVm?'4-
&M@_~E~k|E
ej"z_
3Hvs014
%q>[J5 )
?Q{]bo$5O)/
J|Yfo*;
&_/k\54\fF
.ivd<^M_I< o
Y#:1$ZjqVI<bLfAI2
F</_?[}/
9bku1O
(+O"qN_8}N/>t6V
$TK Co
^_=%E0s}I
/$py2{
kTFkFk
FF?_ck
5~_o;^
qFO~5h%
bh3k5~X
uAXQAn
w~__S?
{w_R_7|M
_'__76}+c~gx7D?
~@/oxk5M=d
o(%m}i
?elK0?g'[7
mkSmS%S
P3$[k[
A}5~9uJ
wIO'[o
9t6?~4X_h96!F
_?ck>O
X=g?o ?~R/
i~_#5GO~
~5~m2VvF?')t
5FO[Od'
k5$W'k!
w4"_7=!o4m
V u1KqL
eAP0!Nt
~[hYHIS
k|zo_g0
="Oonn'ou|3
olKIV>Me
_])3M%q;w5~r9Psb`k
toN"9s?x
a|Na^9~/
tX3^%#s7{
."k| z
H7.mKV8
svJQ(Oh
P]qcj2
CGc;gQ+q
P<>}}jTD
e>!?x1`d
2--nrp
k<|JkJIB^3O]>ZG7o
Y6<fKw9O~{
KbxU}XG|O
EFZA4 [[d&
R>&52io
Fse~8<;]
>~}p7oh3~7[>qC
L+}MC>1W@
P{x{fL?
vz`F*~
~RT%80
DN&]-^X_wD
a^>yZg
Pv6K@p
G>lG4@!+3O
qIYY<)t*
?rtxKp
<$KeB
E}kVx{0
_-d&6GR ]
o[(>&p.
w'XOS<%(& #ikx4er>%%
9Kw'H~
kcnY0;5~[pXD
+++oK_
3!?M8sz`
_zow~?
ozoo?~
;kf~_-
~~_-~gwu
c~_u~_/
~|}C 7~-~
Nw@7!~7 oo[~_M&
D~/? R
75?J~_7
AX_?7h
vM~_OM~_
#_/oF/Do7M
c|E} k5
G5?c $
oM~;o?
o:N-~7H
7?_xKP
7M~_H~/Vex
E>UMjt
_> k&jU
5}/^H5
$7~_cu
rJOfU5gRD
8d7a!/K
'AM~?M~
Jd&JM
5~?M~_#IO
IB 0PDf2
\uM+Ro;
7?qsGu
j%AM[k
!*nBhv
& fM~?
C~]ev0o4
E7k$!.o[k
~;H %kCA^
oNO4W0Z
C5_C>M
"%&2Ygd
-6Oo;N;
I~w~-rO0
_f?kZ 7C2
M8ZIBC#e_H'!+
D7H~w"N~
qRE!q$0(
C3_V8o
!>H&!:
M|k+!wM~'2
zF,:Q~_
o~uzQ-OM
hUYYwkg =??_
qv"6~_
ef,Y:e?W~?I17oZ
Ej%lh~
yy\%HS
,<5=[_
x5cvk +8=>
&]g~_7 M
nSW1wb3J0cyBTeXN0ZW0uSU8NCkltcG9ydHMgU3lzdGVtLklPLkNvbXByZXNzaW9uDQpJbXBvcnRzIFN5c3RlbQ0KSW1wb3J0cyBTeXN0ZW0uVGV4dA0KSW1wb3J0cyBTeXN0ZW0uRGlhZ25vc3RpY3MNCkltcG9ydHMgU3lzdGVtLkNvZGVEb20uQ29tcGlsZXINCkltcG9ydHMgU3lzdGVtLlJ1bnRpbWUuQ29tcGlsZXJTZXJ2aWNlcw0KSW1wb3J0cyBNaWNyb3NvZnQuVmlzdWFsQmFzaWMNCg0KUHVibGljIE1vZHVsZSBEQndoU0ZWeXFUDQoNCidBUEkxDQoNCiAgICBQdWJsaWMgU3ViIE1haW4oQnlWYWwgYXJncygpIEFzIFN0cmluZykNCg0KICAgICAgICBJZiBOb3QgYXJncy5MZW5ndGggPiAwIFRoZW4NCiAgICAgICAgICAgIE5Tc09DcEtvWE4udUVxTEhxa1V3SCgpDQogICAgICAgIEVsc2UNCiAgICAgICAgICAgIFRyeSA6IEZpbGUuRGVsZXRlKGFyZ3MoMCkpIDogQ2F0Y2ggOiBFbmQgVHJ5DQogICAgICAgIEVuZCBJZg0KDQogICAgICAgIERpbSByZXNtIEFzIE5ldyBTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlTWFuYWdlcigiekNvbSIsIFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LkdldEV4ZWN1dGluZ0Fzc2VtYmx5KQ0KICAgICAgICBEaW0gRGF0YVggQXMgQnl0ZSgpID0gRGVmbGF0ZV9EKHJlc20uR2V0T2JqZWN0KCJmaWxlIikpDQogICAgICAgIFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LkxvYWQoRGF0YVgpLkVudHJ5UG9pbnQuSW52b2tlKE5vdGhpbmcsIE5vdGhpbmcpDQoNCiAgICBFbmQgU3ViDQoNCiAgICBQdWJsaWMgRnVuY3Rpb24gRGVmbGF0ZV9EKEJ5VmFsIERhdGFaKCkgQXMgQnl0ZSkgQXMgQnl0ZSgpDQogICAgICAgIFRyeSA6IFJldHVybiBnZXRTdHJlYW1CeXRlc1goTmV3IERlZmxhdGVTdHJlYW0oTmV3IE1lbW9yeVN0cmVhbShEYXRhWiksIENvbXByZXNzaW9uTW9kZS5EZWNvbXByZXNzLCBUcnVlKSwgRGF0YVouTGVuZ3RoKQ0KICAgICAgICBDYXRjaCA6IFJldHVybiBOb3RoaW5nIDogRW5kIFRyeQ0KICAgIEVuZCBGdW5jdGlvbg0KDQogICAgUHVibGljIEZ1bmN0aW9uIGdldFN0cmVhbUJ5dGVzWChCeVZhbCBkYXRhU3RyIEFzIFN0cmVhbSwgQnlWYWwgZGF0YUNodW5rcyBBcyBJbnRlZ2VyKSBBcyBCeXRlKCkNCiAgICAgICAgRGltIGRhdGEoKSBBcyBCeXRlIDogRGltIHRvdGFsQnl0ZXNSZWFkIEFzIEludDMyID0gMA0KICAgICAgICBUcnkgOiBXaGlsZSBUcnVlDQogICAgICAgICAgICAgICAgUmVEaW0gUHJlc2VydmUgZGF0YSh0b3RhbEJ5dGVzUmVhZCArIGRhdGFDaHVua3MpDQogICAgICAgICAgICAgICAgRGltIGJ5dGVzUmVhZCBBcyBJbnQzMiA9IGRhdGFTdHIuUmVhZChkYXRhLCB0b3RhbEJ5dGVzUmVhZCwgZGF0YUNodW5rcykNCiAgICAgICAgICAgICAgICBJZiBieXRlc1JlYWQgPSAwIFRoZW4gRXhpdCBXaGlsZQ0KICAgICAgICAgICAgICAgIHRvdGFsQnl0ZXNSZWFkICs9IGJ5dGVzUmVhZA0KICAgICAgICAgICAgRW5kIFdoaWxlDQogICAgICAgICAgICBSZURpbSBQcmVzZXJ2ZSBkYXRhKHRvdGFsQnl0ZXNSZWFkIC0gMSkNCiAgICAgICAgICAgIFJldHVybiBkYXRhDQogICAgICAgIENhdGNoIDogUmV0dXJuIE5vdGhpbmcgOiBFbmQgVHJ5DQogICAgRW5kIEZ1bmN0aW9uDQoNCidBUEkyDQoNCkVuZCBNb2R1bGUNCg0KDQpQdWJsaWMgTW9kdWxlIE5Tc09DcEtvWE4NCg0KICAgIFB1YmxpYyBTdWIgdUVxTEhxa1V3SCgpDQogICAgICAgIERlbE1lKCkNCiAgICAgICAgRGltIE15UGF0aCBBcyBTdHJpbmcgPSBQcm9jZXNzLkdldEN1cnJlbnRQcm9jZXNzLk1haW5Nb2R1bGUuRmlsZU5hbWUNCg0KICAgICAgICBEaW0gcmVzbSBBcyBOZXcgU3lzdGVtLlJlc291cmNlcy5SZXNvdXJjZU1hbmFnZXIoInpDb20iLCBTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseS5HZXRFeGVjdXRpbmdBc3NlbWJseSkNCiAgICAgICAgRGltIHNyYyBBcyBTdHJpbmcgPSBGcm9tQmFzZShyZXNtLkdldE9iamVjdCgic3JjIikpDQogICAgICAgIERpbSB6Q29tIEFzIEJ5dGUoKSA9IERlZmxhdGVfRChyZXNtLkdldE9iamVjdCgiZmlsZSIpKQ0KICAgICAgICBVc2luZyB3cml0ZXIgQXMgTmV3IFJlc291cmNlcy5SZXNvdXJjZVdyaXRlcigiekNvbS5yZXNvdXJjZXMiKQ0KICAgICAgICAgICAgd3JpdGVyLkFkZFJlc291cmNlKCJzcmMiLCBUb0Jhc2Uoc3JjKSkNCiAgICAgICAgICAgIHdyaXRlci5BZGRSZXNvdXJjZSgiZmlsZSIsIHJlc20uR2V0T2JqZWN0KCJmaWxlIikpDQogICAgICAgICAgICB3cml0ZXIuR2VuZXJhdGUoKQ0KICAgICAgICAgICAgd3JpdGVyLkNsb3NlKCkNCiAgICAgICAgRW5kIFVzaW5nDQoNCiAgICAgICAgRGltIHRlbXBuYW1lIEFzIFN0cmluZyA9IFN5c3RlbS5JTy5QYXRoLkdldFRlbXBGaWxlTmFtZSAmICIuZXhlIg0KDQogICAgICAgICAgICAgICAgRGltIFZhcnMgQXMgU3RyaW5nKCkgPSB7Ik5Tc09DcEtvWE4iLCAiYmRwcmNsSHNBSiIsICJEQndoU0ZWeXFUIiwgIlhkSXFYQWhubnYiLCAiRWZ1Zkx0dHpiVyIsICJsS3VNUGp6R2p4IiwgIlBaZ0Vnd1JOQm0iLCAiaW5hZ0dnbXpEUCIsICJ1RXFMSHFrVXdIIn0NCiAgICAgICAgRm9yIGkgQXMgSW50ZWdlciA9IDAgVG8gVmFycy5MZW5ndGggLSAxDQogICAgICAgICAgICBzcmMgPSBzcmMuUmVwbGFjZShWYXJzKGkpLCBBKDE1KSkNCiAgICAgICAgTmV4dA0KCQlEaW0gUiBhcyBOZXcgUmFuZG9tDQoJCURpbSBYIEFzIEludGVnZXIgPSBSLk5leHQoMSwgIzEwMCMpDQoJCURpbSBqIEFzIE5ldyBYZElxWEFobm52KDEsIFgpIDogUmFuZG9taXplKCkNCiAgICAgICAgU3JjID0gU3JjLlJlcGxhY2UoU3RyUmV2ZXJzZSgiMUlQQSciKSwgai5FZnVmTHR0emJXKQ0KICAgICAgICBEaW0gajEgQXMgTmV3IFhkSXFYQWhubnYoMSwgWCkgOiBSYW5kb21pemUoKQ0KICAgICAgICBTcmMgPSBTcmMuUmVwbGFjZShTdHJSZXZlcnNlKCIySVBBJyIpLCBqMS5FZnVmTHR0emJXKQ0KICAgICAgICBEaW0gajIgQXMgTmV3IFhkSXFYQWhubnYoMSwgWCkgOiBSYW5kb21pemUoKQ0KICAgICAgICBTcmMgPSBTcmMuUmVwbGFjZShTdHJSZXZlcnNlKCIzSVBBJyIpLCBqMi5FZnVmTHR0emJXKSA6IFJhbmRvbWl6ZSgpDQoJCQ0KCQlTcmMgPSBTcmMuUmVwbGFjZShTdHJSZXZlcnNlKCIjMDAxIyIpLCBYKQ0KDQogICAgICAgIGJkcHJjbEhzQUouaW5hZ0dnbXpEUCh0ZW1wbmFtZSwgc3JjLCBUcnVlKQ0KDQogICAgICAgIERlbE1lKCkNCg0KICAgICAgICBEaW0gRGF0dW0gQXMgTmV3IERhdGUoMjAwMCArIHIuTmV4dCg3LCAxMSksIHIuTmV4dCgxLCAxMCksIHIuTmV4dCgxLCAzMCkpDQogICAgICAgIEZpbGUuU2V0Q3JlYXRpb25UaW1lKHRlbXBuYW1lLCBEYXR1bSkNCiAgICAgICAgRmlsZS5TZXRMYXN0QWNjZXNzVGltZSh0ZW1wbmFtZSwgRGF0dW0pDQogICAgICAgIEZpbGUuU2V0TGFzdFdyaXRlVGltZSh0ZW1wbmFtZSwgRGF0dW0pDQoNCiAgICAgICAgRGltIHN0YXJ0SW5mbyBBcyBOZXcgUHJvY2Vzc1N0YXJ0SW5mbw0KICAgICAgICBzdGFydEluZm8uV2luZG93U3R5bGUgPSBQcm9jZXNzV2luZG93U3R5bGUuSGlkZGVuDQogICAgICAgIHN0YXJ0SW5mby5GaWxlTmFtZSA9IHRlbXBuYW1lDQogICAgICAgIHN0YXJ0SW5mby5Bcmd1bWVudHMgPSBNeVBhdGgNCiAgICAgICAgUHJvY2Vzcy5TdGFydChzdGFydEluZm8pDQogICAgICAgIFByb2Nlc3MuR2V0Q3VycmVudFByb2Nlc3MuS2lsbCgpDQoNCg0KICAgIEVuZCBTdWINCg0KCSdBUEkzDQoNCg0KICAgIFB1YmxpYyBGdW5jdGlvbiBBKEJ5VmFsIGxlbmdodCBBcyBJbnRlZ2VyKSBBcyBTdHJpbmcNCiAgICAgICAgUmFuZG9taXplKCkgOiBEaW0gYigpIEFzIENoYXIgOiBEaW0gcyBBcyBOZXcgU3lzdGVtLlRleHQuU3RyaW5nQnVpbGRlcigiIikgOiBiID0gInF3ZXJ0eXVpb3Bhc2RmZ2hqa2x6eGN2Ym5tUVdFUlRZVUlPUEFTREZHSEpLTFpYQ1ZCTk0iLlRvQ2hhckFycmF5KCkgOiBGb3IgaSBBcyBJbnRlZ2VyID0gMSBUbyBsZW5naHQgOiBSYW5kb21pemUoKSA6IERpbSB6IEFzIEludGVnZXIgPSBJbnQoKChiLkxlbmd0aCAtIDIpIC0gMCArIDEpICogUm5kKCkpICsgMSA6IHMuQXBwZW5kKGIoeikpIDogTmV4dCA6IFJldHVybiBzLlRvU3RyaW5nDQogICAgRW5kIEZ1bmN0aW9uDQogICAgUHVibGljIEZ1bmN0aW9uIEFCKEJ5VmFsIGxlbmdodCBBcyBJbnRlZ2VyKSBBcyBTdHJpbmcNCiAgICAgICAgUmFuZG9taXplKCkgOiBEaW0gYigpIEFzIENoYXIgOiBEaW0gcyBBcyBOZXcgU3lzdGVtLlRleHQuU3RyaW5nQnVpbGRlcigiIikgOiBiID0gIjEyMzQ1Njc4OTAiLlRvQ2hhckFycmF5KCkgOiBGb3IgaSBBcyBJbnRlZ2VyID0gMSBUbyBsZW5naHQgOiBSYW5kb21pemUoKSA6IERpbSB6IEFzIEludGVnZXIgPSBJbnQoKChiLkxlbmd0aCAtIDIpIC0gMCArIDEpICogUm5kKCkpICsgMSA6IHMuQXBwZW5kKGIoeikpIDogTmV4dCA6IFJldHVybiBzLlRvU3RyaW5nDQogICAgRW5kIEZ1bmN0aW9uDQoNCiAgICBGdW5jdGlvbiBUb0Jhc2UoQnlWYWwgU3RyIEFzIFN0cmluZykgQXMgU3RyaW5nDQogICAgICAgIFJldHVybiBDb252ZXJ0LlRvQmFzZTY0U3RyaW5nKEVuY29kaW5nLkRlZmF1bHQuR2V0Qnl0ZXMoU3RyKSkNCiAgICBFbmQgRnVuY3Rpb24NCiAgICBGdW5jdGlvbiBGcm9tQmFzZShCeVZhbCBTdHIgQXMgU3RyaW5nKSBBcyBTdHJpbmcNCiAgICAgICAgUmV0dXJuIEVuY29kaW5nLkRlZmF1bHQuR2V0U3RyaW5nKENvbnZlcnQuRnJvbUJhc2U2NFN0cmluZyhTdHIpKQ0KICAgIEVuZCBGdW5jdGlvbg0KDQoNCiAgICBTdWIgRGVsTWUoKQ0KICAgICAgICBUcnkgOiBJTy5GaWxlLkRlbGV0ZSgiekNvbS5yZXNvdXJjZXMiKSA6IENhdGNoIDogRW5kIFRyeQ0KICAgIEVuZCBTdWINCg0KRW5kIE1vZHVsZQ0KDQpQdWJsaWMgQ2xhc3MgYmRwcmNsSHNBSg0KDQogICAgUHVibGljIFNoYXJlZCBTdWIgaW5hZ0dnbXpEUChCeVZhbCBPdXRwdXQgQXMgU3RyaW5nLCBCeVZhbCBTb3VyY2UgQXMgU3RyaW5nLCBCeVZhbCByZXMgQXMgQm9vbGVhbikNCiAgICAgICAgT24gRXJyb3IgUmVzdW1lIE5leHQNCg0KICAgICAgICBEaW0gQ29tcGlsZXIgQXMgSUNvZGVDb21waWxlciA9IChOZXcgVkJDb2RlUHJvdmlkZXIpLkNyZWF0ZUNvbXBpbGVyKCkNCiAgICAgICAgRGltIFBhcmFtZXRlcnMgQXMgTmV3IENvbXBpbGVyUGFyYW1ldGVycygpDQogICAgICAgIERpbSBjUmVzdWx0cyBBcyBDb21waWxlclJlc3VsdHMNCg0KICAgICAgICBQYXJhbWV0ZXJzLkdlbmVyYXRlRXhlY3V0YWJsZSA9IFRydWUNCiAgICAgICAgUGFyYW1ldGVycy5PdXRwdXRBc3NlbWJseSA9IE91dHB1dA0KDQoNCiAgICAgICAgUGFyYW1ldGVycy5SZWZlcmVuY2VkQXNzZW1ibGllcy5BZGQoIlN5c3RlbS5kbGwiKQ0KICAgICAgICBQYXJhbWV0ZXJzLlJlZmVyZW5jZWRBc3NlbWJsaWVzLkFkZCgiU3lzdGVtLkRhdGEuZGxsIikNCg0KICAgICAgICBJZiByZXMgPSBUcnVlIFRoZW4NCiAgICAgICAgICAgIFBhcmFtZXRlcnMuRW1iZWRkZWRSZXNvdXJjZXMuQWRkKCJ6Q29tLnJlc291cmNlcyIpDQogICAgICAgIEVuZCBJZg0KICAgICAgICBQYXJhbWV0ZXJzLkNvbXBpbGVyT3B0aW9ucyA9ICIvZmlsZWFsaWduOjB4MDAwMDAyMDAgL29wdGltaXplKyAvcGxhdGZvcm06WDg2IC9kZWJ1Zy0gL3RhcmdldDp3aW5leGUiDQoNCiAgICAgICAgY1Jlc3VsdHMgPSBDb21waWxlci5Db21waWxlQXNzZW1ibHlGcm9tU291cmNlKFBhcmFtZXRlcnMsIFNvdXJjZSkNCg0KCQkNCg0KICAgIEVuZCBTdWINCkVuZCBDbGFzcw0KDQpQdWJsaWMgQ2xhc3MgWGRJcVhBaG5udg0KDQogICAgUHJpdmF0ZSBUaXAgQXMgSW50ZWdlcg0KICAgIFByaXZhdGUgS29saWtvIEFzIEludGVnZXINCg0KICAgIFN1YiBOZXcoQnlWYWwgVHlwZSBBcyBJbnRlZ2VyLCBCeVZhbCBLb2xpa294IEFzIEludGVnZXIpDQogICAgICAgIFRpcCA9IFR5cGUNCiAgICAgICAgS29saWtvID0gS29saWtveA0KICAgIEVuZCBTdWINCg0KICAgIFB1YmxpYyBGdW5jdGlvbiBFZnVmTHR0emJXKCkgQXMgU3RyaW5nDQogICAgICAgIERpbSBob2xkZXIgQXMgU3RyaW5nID0gU3RyaW5nLkVtcHR5DQogICAgICAgIEZvciBpIEFzIEludGVnZXIgPSAwIFRvIEtvbGlrbw0KICAgICAgICAgICAgSWYgVGlwID0gMSBUaGVuDQogICAgICAgICAgICAgICAgaG9sZGVyID0gaG9sZGVyICYgUFpnRWd3Uk5CbShpKSAmIHZiTmV3TGluZQ0KICAgICAgICAgICAgRWxzZQ0KICAgICAgICAgICAgICAgIGhvbGRlciA9IGhvbGRlciAmIGxLdU1QanpHangoaSkgJiB2Yk5ld0xpbmUNCiAgICAgICAgICAgIEVuZCBJZg0KICAgICAgICBOZXh0DQogICAgICAgIFJldHVybiBob2xkZXINCiAgICBFbmQgRnVuY3Rpb24NCg0KICAgIFB1YmxpYyBGdW5jdGlvbiBsS3VNUGp6R2p4KEJ5VmFsIG5hbWUgQXMgU3RyaW5nKSBBcyBTdHJpbmcNCiAgICAgICAgRGltIEZ1bmsgQXMgTmV3IFN5c3RlbS5UZXh0LlN0cmluZ0J1aWxkZXINCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICBQdWJsaWMgU3ViIHZhcjEiICYgbmFtZSAmICIoQnlWYWwgdmFyMiBBcyBTdHJpbmcsIEJ5VmFsIHZhcjMgQXMgU3RyaW5nLCBCeVZhbCB2YXI0IEFzIFN0cmluZykiKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgICAgICBEaW0gdmFyNSBBcyBTdHJpbmcoKSA9IHsiInZhcjEiIiwgIiJ2YXIyIiIsICIidmFyMyIiLCAiInZhcjQiIiwgIiJ2YXI1IiJ9IikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgRm9yIEVhY2ggdmFyNiBBcyBTdHJpbmcgSW4gdmFyNSIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICBEbyBVbnRpbCB2YXI1KDApID0gdmFyMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgdmFyMyA9IHZhcjQgJiB2YXIyIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICBJZiB2YXI0LkNvbnRhaW5zKHZhcjUoMikpID0gVHJ1ZSBUaGVuIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgdmFyNiA9IHZhcjQuTGVuZ3RoIC0gMSIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgIFdoaWxlIHZhcjMuTGVuZ3RoID0gMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgICAgICBEbyBXaGlsZSB2YXIyLkNvbnRhaW5zKHZhcjUoMSkpIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgICAgICAgICBFeGl0IFN1YiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgICAgICBMb29wIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgRW5kIFdoaWxlIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICBFbmQgSWYiKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgICAgICAgICAgTG9vcCIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgIE5leHQiKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgIEVuZCBTdWIiKQ0KICAgICAgICBEaW0gc3JjIEFzIFN0cmluZyA9IEZ1bmsuVG9TdHJpbmcNCiAgICAgICAgRGltIHZhcnMoKSBBcyBTdHJpbmcgPSB7InZhcjEiLCAidmFyMiIsICJ2YXIzIiwgInZhcjQiLCAidmFyNSIsICJ2YXI2In0NCiAgICAgICAgUmFuZG9taXplKCkNCiAgICAgICAgRm9yIGkgQXMgSW50ZWdlciA9IDAgVG8gdmFycy5MZW5ndGggLSAxDQogICAgICAgICAgICBzcmMgPSBzcmMuUmVwbGFjZSh2YXJzKGkpLCBBKDUpICYgbmFtZSkNCiAgICAgICAgTmV4dA0KICAgICAgICBSYW5kb21pemUoKQ0KICAgICAgICBSZXR1cm4gc3JjDQogICAgRW5kIEZ1bmN0aW9uDQoNCg0KICAgIFB1YmxpYyBGdW5jdGlvbiBQWmdFZ3dSTkJtKEJ5VmFsIG5hbWUgQXMgU3RyaW5nKSBBcyBTdHJpbmcNCiAgICAgICAgRGltIEZ1bmsgQXMgTmV3IFN5c3RlbS5UZXh0LlN0cmluZ0J1aWxkZXINCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICBQdWJsaWMgRnVuY3Rpb24gdmFyMSIgJiBuYW1lICYgIihCeVZhbCB2YXIyIEFzIFN0cmluZywgQnlWYWwgdmFyMyBBcyBTdHJpbmcsIEJ5VmFsIHZhcjQgQXMgU3RyaW5nKSBBcyBTdHJpbmciKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgICAgICBEaW0gdmFyNSBBcyBTdHJpbmcoKSA9IHsiInZhcjEiIiwgIiJ2YXIyIiIsICIidmFyMyIiLCAiInZhcjQiIiwgIiJ2YXI1IiJ9IikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgRm9yIEVhY2ggdmFyNiBBcyBTdHJpbmcgSW4gdmFyNSIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICBEbyBVbnRpbCB2YXI1KDApID0gdmFyMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgdmFyMyA9IHZhcjQgJiB2YXIyIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICBJZiB2YXI0LkNvbnRhaW5zKHZhcjUoMikpID0gVHJ1ZSBUaGVuIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgdmFyNiA9IHZhcjQuTGVuZ3RoIC0gMSIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgIFdoaWxlIHZhcjMuTGVuZ3RoID0gMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgICAgICBEbyBXaGlsZSB2YXIyLkNvbnRhaW5zKHZhcjUoMSkpIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZXR1cm4gdmFyMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgICAgICAgICAgRXhpdCBGdW5jdGlvbiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICAgICAgICAgICAgICBMb29wIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICAgICAgRW5kIFdoaWxlIikNCiAgICAgICAgRnVuay5BcHBlbmQodmJOZXdMaW5lICsgIiAgICAgICAgICAgICAgICBFbmQgSWYiKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgICAgICAgICAgTG9vcCIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgICAgICBSZXR1cm4gdmFyMiIpDQogICAgICAgIEZ1bmsuQXBwZW5kKHZiTmV3TGluZSArICIgICAgICAgIE5leHQiKQ0KICAgICAgICBGdW5rLkFwcGVuZCh2Yk5ld0xpbmUgKyAiICAgIEVuZCBGdW5jdGlvbiIpDQogICAgICAgIERpbSBzcmMgQXMgU3RyaW5nID0gRnVuay5Ub1N0cmluZw0KICAgICAgICBEaW0gdmFycygpIEFzIFN0cmluZyA9IHsidmFyMSIsICJ2YXIyIiwgInZhcjMiLCAidmFyNCIsICJ2YXI1IiwgInZhcjYifQ0KICAgICAgICBSYW5kb21pemUoKQ0KICAgICAgICBGb3IgaSBBcyBJbnRlZ2VyID0gMCBUbyB2YXJzLkxlbmd0aCAtIDENCiAgICAgICAgICAgIHNyYyA9IHNyYy5SZXBsYWNlKHZhcnMoaSksIEEoNSkgJiBuYW1lKQ0KICAgICAgICBOZXh0DQogICAgICAgIFJhbmRvbWl6ZSgpDQogICAgICAgIFJldHVybiBzcmMNCiAgICBFbmQgRnVuY3Rpb24NCg0KDQogICAgUHVibGljIEZ1bmN0aW9uIEEoQnlWYWwgbGVuZ2h0IEFzIEludGVnZXIpIEFzIFN0cmluZw0KICAgICAgICBSYW5kb21pemUoKSA6IERpbSBiKCkgQXMgQ2hhciA6IERpbSBzIEFzIE5ldyBTeXN0ZW0uVGV4dC5TdHJpbmdCdWlsZGVyKCIiKSA6IGIgPSAiUVdFUlRZVUlPUEFTREZHSEpLTFpYQ1ZCTk1xd2VydHl1aW9wYXNkZmdoamtsenhjdmJubSIuVG9DaGFyQXJyYXkoKSA6IEZvciBpIEFzIEludGVnZXIgPSAxIFRvIGxlbmdodCA6IFJhbmRvbWl6ZSgpIDogRGltIHogQXMgSW50ZWdlciA9IEludCgoKGIuTGVuZ3RoIC0gMikgLSAwICsgMSkgKiBSbmQoKSkgKyAxIDogcy5BcHBlbmQoYih6KSkgOiBOZXh0IDogUmV0dXJuIHMuVG9TdHJpbmcNCiAgICBFbmQgRnVuY3Rpb24NCiAgICBQdWJsaWMgRnVuY3Rpb24gQUIoQnlWYWwgbGVuZ2h0IEFzIEludGVnZXIpIEFzIFN0cmluZw0KICAgICAgICBSYW5kb21pemUoKSA6IERpbSBiKCkgQXMgQ2hhciA6IERpbSBzIEFzIE5ldyBTeXN0ZW0uVGV4dC5TdHJpbmdCdWlsZGVyKCIiKSA6IGIgPSAiMTIzNDU2Nzg5MCIuVG9DaGFyQXJyYXkoKSA6IEZvciBpIEFzIEludGVnZXIgPSAxIFRvIGxlbmdodCA6IFJhbmRvbWl6ZSgpIDogRGltIHogQXMgSW50ZWdlciA9IEludCgoKGIuTGVuZ3RoIC0gMikgLSAwICsgMSkgKiBSbmQoKSkgKyAxIDogcy5BcHBlbmQoYih6KSkgOiBOZXh0IDogUmV0dXJuIHMuVG9TdHJpbmcNCiAgICBFbmQgRnVuY3Rpb24NCg0KDQpFbmQgQ2xhc3MNCg0KDQo=BSJB
v2.0.50727
#Strings
<Module>
mscorlib
Microsoft.VisualBasic
MyApplication
MyComputer
MyProject
MyWebServices
ThreadSafeObjectProvider`1
vOSMcbUJAgTVkAT
rNFoBGrfCCOcVlY
ZWLTOoVZFurQCxQ
xMppodBJBEGGyos
Microsoft.VisualBasic.ApplicationServices
ApplicationBase
Microsoft.VisualBasic.Devices
Computer
System
Object
.cctor
get_Computer
m_ComputerObjectProvider
get_Application
m_AppObjectProvider
get_User
m_UserObjectProvider
get_WebServices
m_MyWebServicesObjectProvider
Application
WebServices
Equals
GetHashCode
GetType
ToString
Create__Instance__
instance
Dispose__Instance__
get_GetInstance
m_ThreadStaticValue
GetInstance
LWHfg00
HNaFu0
SpEwE0
FIMOy0
PTipJ11
VhbfZ1
GGFLR1
AKiOI1
Deflate_D
System.IO
Stream
getStreamBytesX
dataStr
dataChunks
rXSNo00
KKYYy0
gWrve0
mLtLH0
CklEM11
Iamud1
UGTpt1
yroZD1
ycnWzKiMPlxGkvP
YhaMz00
awgno0
iCIoY0
KyFtJ0
DPXBd11
OPLeB1
WJpRV1
KUsxc1
lenght
ToBase
FromBase
fIDXAjmmnRMigLu
Output
Source
Koliko
Kolikox
rWJPzwtnwyzRNdN
SfPIaKpXNnNatvz
JdAEmAejSmOieTU
System.ComponentModel
EditorBrowsableAttribute
EditorBrowsableState
System.CodeDom.Compiler
GeneratedCodeAttribute
System.Diagnostics
DebuggerHiddenAttribute
Microsoft.VisualBasic.CompilerServices
StandardModuleAttribute
HideModuleNameAttribute
System.ComponentModel.Design
HelpKeywordAttribute
System.Runtime.CompilerServices
RuntimeHelpers
GetObjectValue
RuntimeTypeHandle
GetTypeFromHandle
Activator
CreateInstance
MyGroupCollectionAttribute
System.Runtime.InteropServices
ComVisibleAttribute
ThreadStaticAttribute
CompilerGeneratedAttribute
String
Concat
Contains
get_Length
Conversions
Operators
CompareString
System.Resources
ResourceManager
Delete
ProjectData
Exception
SetProjectError
ClearProjectError
System.Reflection
Assembly
GetExecutingAssembly
GetObject
MethodInfo
get_EntryPoint
MethodBase
Invoke
MemoryStream
System.IO.Compression
DeflateStream
CompressionMode
CopyArray
STAThreadAttribute
DateTime
Random
ProcessStartInfo
ResourceWriter
Process
GetCurrentProcess
ProcessModule
get_MainModule
get_FileName
AddResource
Generate
IDisposable
Dispose
GetTempFileName
Replace
VBMath
Randomize
Strings
StrReverse
SetCreationTime
SetLastAccessTime
SetLastWriteTime
ProcessWindowStyle
set_WindowStyle
set_FileName
set_Arguments
System.Text
StringBuilder
ToCharArray
Conversion
Append
Encoding
get_Default
GetBytes
Convert
ToBase64String
FromBase64String
GetString
ICodeCompiler
CompilerResults
CompilerParameters
VBCodeProvider
CreateCompiler
set_GenerateExecutable
set_OutputAssembly
System.Collections.Specialized
StringCollection
get_ReferencedAssemblies
get_EmbeddedResources
set_CompilerOptions
CompileAssemblyFromSource
CreateProjectError
zCom.resources
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
tmp4EBB.tmp
tmp4EBB.tmp.exe
MyTemplate
8.0.0.0
My.Computer
My.User
My.Application
My.WebServices
4System.Web.Services.Protocols.SoapHttpClientProtocol
Create__Instance__
Dispose__Instance__
WrapNonExceptionThrows
_CorExeMain
mscoree.dll
L�W�H�f�g�0�
H�N�a�F�u�0�
S�p�E�w�E�0�
F�I�M�O�y�0�
H�M�y�w�f�0�
P�T�i�p�J�1�
V�h�b�f�Z�1�
G�G�F�L�R�1�
A�K�i�O�I�1�
B�F�J�O�u�1�
r�X�S�N�o�0�
K�K�Y�Y�y�0�
g�W�r�v�e�0�
m�L�t�L�H�0�
A�w�M�c�y�0�
C�k�l�E�M�1�
I�a�m�u�d�1�
U�G�T�p�t�1�
y�r�o�Z�D�1�
Z�b�N�A�q�1�
z�C�o�m�.�r�e�s�o�u�r�c�e�s�
r�N�F�o�B�G�r�f�C�C�O�c�V�l�Y�
Z�W�L�T�O�o�V�Z�F�u�r�Q�C�x�Q�
v�O�S�M�c�b�U�J�A�g�T�V�k�A�T�
x�M�p�p�o�d�B�J�B�E�G�G�y�o�s�
r�W�J�P�z�w�t�n�w�y�z�R�N�d�N�
S�f�P�I�a�K�p�X�N�n�N�a�t�v�z�
J�d�A�E�m�A�e�j�S�m�O�i�e�T�U�
f�I�D�X�A�j�m�m�n�R�M�i�g�L�u�
y�c�n�W�z�K�i�M�P�l�x�G�k�v�P�
Y�h�a�M�z�0�
a�w�g�n�o�0�
i�C�I�o�Y�0�
K�y�F�t�J�0�
X�x�o�u�q�0�
D�P�X�B�d�1�
O�P�L�e�B�1�
W�J�p�R�V�1�
K�U�s�x�c�1�
z�n�p�e�p�1�
q�w�e�r�t�y�u�i�o�p�a�s�d�f�g�h�j�k�l�z�x�c�v�b�n�m�Q�W�E�R�T�Y�U�I�O�P�A�S�D�F�G�H�J�K�L�Z�X�C�V�B�N�M�
1�2�3�4�5�6�7�8�9�0�
S�y�s�t�e�m�.�d�l�l�
S�y�s�t�e�m�.�D�a�t�a�.�d�l�l�
/�f�i�l�e�a�l�i�g�n�:�0�x�0�0�0�0�0�2�0�0� �/�o�p�t�i�m�i�z�e�+� �/�p�l�a�t�f�o�r�m�:�X�8�6� �/�d�e�b�u�g�-� �/�t�a�r�g�e�t�:�w�i�n�e�x�e�
� � � �P�u�b�l�i�c� �S�u�b� �v�a�r�1�
(�B�y�V�a�l� �v�a�r�2� �A�s� �S�t�r�i�n�g�,� �B�y�V�a�l� �v�a�r�3� �A�s� �S�t�r�i�n�g�,� �B�y�V�a�l� �v�a�r�4� �A�s� �S�t�r�i�n�g�)�
� � � � � � � �D�i�m� �v�a�r�5� �A�s� �S�t�r�i�n�g�(�)� �=� �{�"�v�a�r�1�"�,� �"�v�a�r�2�"�,� �"�v�a�r�3�"�,� �"�v�a�r�4�"�,� �"�v�a�r�5�"�}�
� � � � � � � �F�o�r� �E�a�c�h� �v�a�r�6� �A�s� �S�t�r�i�n�g� �I�n� �v�a�r�5�
� � � � � � � � � � � �D�o� �U�n�t�i�l� �v�a�r�5�(�0�)� �=� �v�a�r�2�
� � � � � � � � � � � � � � � �v�a�r�3� �=� �v�a�r�4� �&� �v�a�r�2�
� � � � � � � � � � � � � � � �I�f� �v�a�r�4�.�C�o�n�t�a�i�n�s�(�v�a�r�5�(�2�)�)� �=� �T�r�u�e� �T�h�e�n�
� � � � � � � � � � � � � � � � � � � �v�a�r�6� �=� �v�a�r�4�.�L�e�n�g�t�h� �-� �1�
� � � � � � � � � � � � � � � � � � � �W�h�i�l�e� �v�a�r�3�.�L�e�n�g�t�h� �=� �2�
� � � � � � � � � � � � � � � � � � � � � � � �D�o� �W�h�i�l�e� �v�a�r�2�.�C�o�n�t�a�i�n�s�(�v�a�r�5�(�1�)�)�
� � � � � � � � � � � � � � � � � � � � � � � � � � � �E�x�i�t� �S�u�b�
� � � � � � � � � � � � � � � � � � � � � � � �L�o�o�p�
� � � � � � � � � � � � � � � � � � � �E�n�d� �W�h�i�l�e�
� � � � � � � � � � � � � � � �E�n�d� �I�f�
� � � � � � � � � � � �L�o�o�p�
� � � � � � � �N�e�x�t�
� � � �E�n�d� �S�u�b�
� � � �P�u�b�l�i�c� �F�u�n�c�t�i�o�n� �v�a�r�1�
(�B�y�V�a�l� �v�a�r�2� �A�s� �S�t�r�i�n�g�,� �B�y�V�a�l� �v�a�r�3� �A�s� �S�t�r�i�n�g�,� �B�y�V�a�l� �v�a�r�4� �A�s� �S�t�r�i�n�g�)� �A�s� �S�t�r�i�n�g�
� � � � � � � � � � � � � � � � � � � � � � � � � � � �R�e�t�u�r�n� �v�a�r�2�
� � � � � � � � � � � � � � � � � � � � � � � � � � � �E�x�i�t� �F�u�n�c�t�i�o�n�
� � � � � � � � � � � �R�e�t�u�r�n� �v�a�r�2�
� � � �E�n�d� �F�u�n�c�t�i�o�n�
Q�W�E�R�T�Y�U�I�O�P�A�S�D�F�G�H�J�K�L�Z�X�C�V�B�N�M�q�w�e�r�t�y�u�i�o�p�a�s�d�f�g�h�j�k�l�z�x�c�v�b�n�m�
V�S�_�V�E�R�S�I�O�N�_�I�N�F�O�
V�a�r�F�i�l�e�I�n�f�o�
T�r�a�n�s�l�a�t�i�o�n�
S�t�r�i�n�g�F�i�l�e�I�n�f�o�
0�0�0�0�0�4�b�0�
F�i�l�e�D�e�s�c�r�i�p�t�i�o�n�
F�i�l�e�V�e�r�s�i�o�n�
0�.�0�.�0�.�0�
I�n�t�e�r�n�a�l�N�a�m�e�
t�m�p�4�E�B�B�.�t�m�p�.�e�x�e�
L�e�g�a�l�C�o�p�y�r�i�g�h�t�
O�r�i�g�i�n�a�l�F�i�l�e�n�a�m�e�
t�m�p�4�E�B�B�.�t�m�p�.�e�x�e�
P�r�o�d�u�c�t�V�e�r�s�i�o�n�
0�.�0�.�0�.�0�
A�s�s�e�m�b�l�y� �V�e�r�s�i�o�n�
0�.�0�.�0�.�0�
Process Tree
-
0001c78a57a163f0c3602190cb230e805dfabad46c7dfb957c7a09879c0a2f98.exe (1612)
"C:\Users\Administrator\AppData\Local\Temp\0001c78a57a163f0c3602190cb230e805dfabad46c7dfb957c7a09879c0a2f98.exe"
-
vbc.exe (920)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Administrator\AppData\Local\Temp\kcndlal1.cmdline"
- cvtres.exe (2708) C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESB72B.tmp" "C:\Users\ADMINI~1\AppData\Local\Temp\vbcB71B.tmp"
- tmpB5D3.tmp.exe (1384) "C:\Users\Administrator\AppData\Local\Temp\tmpB5D3.tmp.exe" C:\Users\Administrator\AppData\Local\Temp\0001c78a57a163f0c3602190cb230e805dfabad46c7dfb957c7a09879c0a2f98.exe
-
vbc.exe (920)
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Administrator\AppData\Local\Temp\kcndlal1.cmdline"
0001c78a57a163f0c3602190cb230e805dfabad46c7dfb957c7a09879c0a2f98.exe, PID: 1612, Parent PID: 2244
default registry file network process services synchronisation iexplore office pdf
vbc.exe, PID: 920, Parent PID: 1612
default registry file network process services synchronisation iexplore office pdf
Hosts
| IP |
|---|
| 114.114.114.114 |
| 44.221.84.105 |
| 8.8.8.8 |
DNS
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
| bejnz.com | A 44.221.84.105 | 44.221.84.105 |
| rwkeith.no-ip.org |
TCP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49174 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49175 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49176 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49177 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49178 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49179 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49180 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49181 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49182 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49183 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49184 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49185 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49186 | 44.221.84.105 bejnz.com | 80 |
| 192.168.56.101 | 49187 | 44.221.84.105 bejnz.com | 80 |
UDP
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 53179 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 49642 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 61714 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56933 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57665 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 51758 | 114.114.114.114 | 53 |
| 192.168.56.101 | 52215 | 114.114.114.114 | 53 |
| 192.168.56.101 | 52215 | 8.8.8.8 | 53 |
HTTP & HTTPS Requests
No HTTP requests performed.
ICMP traffic
| Source | Destination | ICMP Type | Data |
|---|---|---|---|
| 192.168.56.101 | 114.114.114.114 | 3 |
IRC traffic
No IRC requests performed.
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Snort Alerts
No Snort Alerts
| Name | 1c88ba868cb33e2c_kcndlal1.out |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\kcndlal1.out |
| Size | 2.5KB |
| Processes | 1612 (0001c78a57a163f0c3602190cb230e805dfabad46c7dfb957c7a09879c0a2f98.exe) 920 (vbc.exe) |
| Type | Unicode text, UTF-8 (with BOM) text, with very long lines (378), with CRLF line terminators |
| MD5 | 4c6c8d3ded95bfe9dd7675f5190377eb |
| SHA1 | 3b0ba769e3afe295892e6641884529acd1c6918d |
| SHA256 | 1c88ba868cb33e2cabee7fb8e689bbb7a286e06c05d64ea02ddd00df6e2617df |
| CRC32 | 8009F3C6 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 0001c78a57a163f0_0001c78a57a163f0c3602190cb230e805dfabad46c7dfb957c7a09879c0a2f98.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\0001c78a57a163f0c3602190cb230e805dfabad46c7dfb957c7a09879c0a2f98.exe |
| Size | 78.5KB |
| Type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 | 87fa2b140b3fe945975a10ab66831323 |
| SHA1 | 9d8f0e84a10d204667339bd06744092568aeb7e3 |
| SHA256 | 0001c78a57a163f0c3602190cb230e805dfabad46c7dfb957c7a09879c0a2f98 |
| CRC32 | 19C2C0CA |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | d6df146181f61bf8_RESB72B.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\RESB72B.tmp |
| Size | 1.2KB |
| Processes | 2708 (cvtres.exe) 920 (vbc.exe) |
| Type | Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x416, 9 symbols, created Sat Sep 28 13:01:10 2024, 1st section name ".debug$S" |
| MD5 | dbfcff468fdafb24136c4716fd4fffc8 |
| SHA1 | 9c57ab6d2cf635a28cc45efdcd56eda2080d92b6 |
| SHA256 | d6df146181f61bf8415ecc77085dd0a2540dedf55a829d5d30f79cc3e9b75c5f |
| CRC32 | 77C4CF66 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | e3b0c44298fc1c14_tmpB5D3.tmp.exe |
|---|---|
| Size | 0.0B |
| Type | empty |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| CRC32 | 00000000 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | b0b8c0024dd50561_kcndlal1.cmdline |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\kcndlal1.cmdline |
| Size | 282.0B |
| Processes | 1612 (0001c78a57a163f0c3602190cb230e805dfabad46c7dfb957c7a09879c0a2f98.exe) |
| Type | Unicode text, UTF-8 (with BOM) text, with no line terminators |
| MD5 | 925ab2bf0f759d69f8b32f31370b9f8a |
| SHA1 | cd254b559713f64f0479cf661264c3be1f5e8b00 |
| SHA256 | b0b8c0024dd5056112f9d2fe660af1e66f319a5990e7a3939146ce4c4b6c3885 |
| CRC32 | 9674BCA8 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 69db906941dec2a7_zCom.resources |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\zCom.resources |
| Size | 62.7KB |
| Processes | 1612 (0001c78a57a163f0c3602190cb230e805dfabad46c7dfb957c7a09879c0a2f98.exe) |
| Type | data |
| MD5 | 6870a276e0bed6dd5394d178156ebad0 |
| SHA1 | 9b6005e5771bb4afb93a8862b54fe77dc4d203ee |
| SHA256 | 69db906941dec2a7f1748ea1d15a058751c77d851ce54ea9e2ebdf1d6c7ed4f4 |
| CRC32 | D9F35CF7 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 9b36f4586d7e69e2_vbcB71B.tmp |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\vbcB71B.tmp |
| Size | 660.0B |
| Processes | 920 (vbc.exe) |
| Type | MSVC .res |
| MD5 | 05b81786376c0c879ebdb345aed88666 |
| SHA1 | a804dd210e7858f44a6ecef962658a7b9c8eab9c |
| SHA256 | 9b36f4586d7e69e2f6189c2c77dc5c4f21abdac87adeced0cc6d0f5d3f5348eb |
| CRC32 | D7F6F2C0 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 9eb97537480231a7_tmpb5d3.tmp.exe |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\tmpB5D3.tmp.exe |
| Size | 78.5KB |
| Processes | 920 (vbc.exe) |
| Type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 | c9570ca8b886c1d005786728e46060eb |
| SHA1 | 2c641bf0495397b31952eab6b626331eb6e97e08 |
| SHA256 | 9eb97537480231a7f7389c6097ec1ca1c576bc25981d283ba8edcf812b971413 |
| CRC32 | A9947CB5 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
| Name | 00ccc5fac2d7a580_kcndlal1.0.vb |
|---|---|
| Filepath | C:\Users\Administrator\AppData\Local\Temp\kcndlal1.0.vb |
| Size | 14.9KB |
| Processes | 1612 (0001c78a57a163f0c3602190cb230e805dfabad46c7dfb957c7a09879c0a2f98.exe) |
| Type | Unicode text, UTF-8 (with BOM) text, with very long lines (311), with CRLF line terminators |
| MD5 | 13c004d976c927884142fafca979bcd4 |
| SHA1 | a1a7fe6cc88ce011e150aefc956c1a96341388da |
| SHA256 | 00ccc5fac2d7a580ddef254186d0d8558a95b62cb0cb06a58bae1045f2c90eae |
| CRC32 | 31E5F559 |
| ssdeep | None |
| Yara | None matched |
| VirusTotal | Search for analysis |
Sorry! No dropped buffers.