{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Title: msticpy - Base64 Decoder\n", "## Description:\n", "This module allows you to extract base64 encoded content from a string or columns of a Pandas DataFrame.\n", "The library returns the following information:\n", "- decoded string (if decodable to utf-8 or utf-16)\n", "- hashes of the decoded segment (MD5, SHA1, SHA256)\n", "- string of printable byte values (e.g. for submission to a disassembler)\n", "- the detected decoded file type (limited)\n", "\n", "If the results of the decoding contain further encoded strings these will be decoded recursively. If the encoded string appears to be a zip, gzip or tar archive, the contents will be decompressed after decoding. In the case of zip and tar, the contents of the archive will also be checked for base64 encoded content and decoded/decompressed if possible.\n", "\n", "You must have msticpy installed to run this notebook:\n", "```\n", "%pip install --upgrade msticpy\n", "```\n" ] }, { "cell_type": "markdown", "metadata": { "toc": true }, "source": [ "
\n",
" | CommandLine |\n",
"---|---|\n",
"0 | .\\ftp -s:C:\\RECYCLER\\xxppyy.exe |\n",
"1 | .\\reg not /domain:everything that /sid:shines is /krbtgt:golden ! |\n",
"2 | cmd /c \"systeminfo && systeminfo\" |\n",
"3 | .\\rundll32 /C 42424.exe |\n",
"4 | .\\rundll32 /C c:\\users\\MSTICAdmin\\42424.exe |\n", "
\n",
" | reference | original_string | file_name | file_type | input_bytes | decoded_string | encoding_type | file_hashes | md5 | sha1 | sha256 | printable_bytes | src_index | CommandLine | full_decoded_string |\n",
"---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|\n",
"0 | (, 1., 1) | JAB0ACAAPQAgACcAZABpAHIAJwA7AA0ACgAmACAAKAAnAEkAbgB2AG8AawBlACcAKwAnAC0ARQB4AHAAcgBlAHMAcwBpAG8A... | unknown | None | b\"$\\x00t\\x00 \\x00=\\x00 \\x00'\\x00d\\x00i\\x00r\\x00'\\x00;\\x00\\r\\x00\\n\\x00&\\x00 \\x00(\\x00'\\x00I\\x00n\\... | $\u0000t\u0000 \u0000=\u0000 \u0000'\u0000d\u0000i\u0000r\u0000'\u0000;\u0000\\r\u0000\\n\u0000&\u0000 \u0000(\u0000'\u0000I\u0000n\u0000v\u0000o\u0000k\u0000e\u0000'\u0000+\u0000'\u0000-\u0000E\u0000x\u0000p\u0000r\u0000e\u0000s\u0000s\u0000i\u0000o\u0000n\u0000'\u0000)\u0000 \u0000$\u0000t\u0000 | utf-8 | {'md5': '6cd1486db221e532cc2011c9beeb4ffc', 'sha1': '6e485467d7e06502046b7c84a8ef067cfe1512ad', ... | 6cd1486db221e532cc2011c9beeb4ffc | 6e485467d7e06502046b7c84a8ef067cfe1512ad | d3291dab1ae552b91e6b50d7460ceaa39f6f92b2cda4335dd77e28d25c62ce34 | 24 00 74 00 20 00 3d 00 20 00 27 00 64 00 69 00 72 00 27 00 3b 00 0d 00 0a 00 26 00 20 00 28 00 ... | 39 | .\\powershell -enc JAB0ACAAPQAgACcAZABpAHIAJwA7AA0ACgAmACAAKAAnAEkAbgB2AG8AawBlACcAKwAnAC0ARQB4A... | .\\powershell -enc <decoded type='string' name='[None]' index='1' depth='1'>$\u0000t\u0000 \u0000=\u0000 \u0000'\u0000d\u0000i\u0000r\u0000'\u0000... |\n",
"1 | (, 1., 1) | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | unknown | None | b'i\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9a' | None | binary | {'md5': '9a45b2520e930dc9186f6d93a7798a13', 'sha1': 'f526c90fa0744e3a63d84421ff25e3f5a3d697cb', ... | 9a45b2520e930dc9186f6d93a7798a13 | f526c90fa0744e3a63d84421ff25e3f5a3d697cb | c1f6c05bdbe28a58557a9477cd0fa96fbc5e7c54ceb6057ec15eca4c664c4239 | 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a | 40 | cmd /c \"echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1\" | cmd /c \"echo # <decoded value='binary' name='[None]' type='None' index='1' depth='1'>69 a6 9a ... |\n",
"2 | (, 1., 1) | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | unknown | None | b'i\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9a' | None | binary | {'md5': '9a45b2520e930dc9186f6d93a7798a13', 'sha1': 'f526c90fa0744e3a63d84421ff25e3f5a3d697cb', ... | 9a45b2520e930dc9186f6d93a7798a13 | f526c90fa0744e3a63d84421ff25e3f5a3d697cb | c1f6c05bdbe28a58557a9477cd0fa96fbc5e7c54ceb6057ec15eca4c664c4239 | 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a | 41 | cmd /c \"echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1\" | cmd /c \"echo # <decoded value='binary' name='[None]' type='None' index='1' depth='1'>69 a6 9a ... |\n",
"3 | (, 1., 1) | 81ed03caf6901e444c72ac67d192fb9c | unknown | None | b'\\xf3W\\x9d\\xd3w\\x1a\\x7f\\xaft\\xd5\\xee8\\xe1\\xce\\xf6i\\xce\\xbbw_v}\\xbf\\\\' | None | binary | {'md5': '1c8cc6299bd654bbcd85710968d6a87c', 'sha1': '55377391141f59a2ff5ae4765d9f0b4438adfd73', ... | 1c8cc6299bd654bbcd85710968d6a87c | 55377391141f59a2ff5ae4765d9f0b4438adfd73 | fd80ceba7cfb49d296886c10d9a3497d63c89a589587cda7d818cb4644842660 | f3 57 9d d3 77 1a 7f af 74 d5 ee 38 e1 ce f6 69 ce bb 77 5f 76 7d bf 5c | 44 | implant.exe 81ed03caf6901e444c72ac67d192fb9c | implant.exe <decoded value='binary' name='[None]' type='None' index='1' depth='1'>f3 57 9d d3 ... |\n", "
\n",
"SourceIndex | TenantId | Account | EventID | TimeGenerated | Computer | SubjectUserSid | SubjectUserName | SubjectDomainName | SubjectLogonId | NewProcessId | NewProcessName | TokenElevationType | ProcessId | CommandLine_x | ParentProcessName | TargetLogonId | SourceComputerId | TimeCreatedUtc | NodeRole | Level | ProcessId1 | NewProcessId1 | reference | original_string | file_name | file_type | input_bytes | decoded_string | encoding_type | file_hashes | md5 | sha1 | sha256 | printable_bytes | src_index | CommandLine_y | full_decoded_string |\n",
"---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|\n",
"39 | 802d39e1-9d70-404d-832c-2de5e2478eda | MSTICAlertsWin1\\MSTICAdmin | 4688 | 2019-01-15 05:15:13.567 | MSTICAlertsWin1 | S-1-5-21-996632719-2361334927-4038480536-500 | MSTICAdmin | MSTICAlertsWin1 | 0xfaac27 | 0x1684 | C:\\Diagnostics\\UserTmp\\powershell.exe | %%1936 | 0xbc8 | .\\powershell -enc JAB0ACAAPQAgACcAZABpAHIAJwA7AA0ACgAmACAAKAAnAEkAbgB2AG8AawBlACcAKwAnAC0ARQB4A... | C:\\Windows\\System32\\cmd.exe | 0x0 | 46fe7078-61bb-4bed-9430-7ac01d91c273 | 2019-01-15 05:15:13.567 | sibling | 1 | NaN | NaN | (, 1., 1) | JAB0ACAAPQAgACcAZABpAHIAJwA7AA0ACgAmACAAKAAnAEkAbgB2AG8AawBlACcAKwAnAC0ARQB4AHAAcgBlAHMAcwBpAG8A... | unknown | None | b\"$\\x00t\\x00 \\x00=\\x00 \\x00'\\x00d\\x00i\\x00r\\x00'\\x00;\\x00\\r\\x00\\n\\x00&\\x00 \\x00(\\x00'\\x00I\\x00n\\... | $\u0000t\u0000 \u0000=\u0000 \u0000'\u0000d\u0000i\u0000r\u0000'\u0000;\u0000\\r\u0000\\n\u0000&\u0000 \u0000(\u0000'\u0000I\u0000n\u0000v\u0000o\u0000k\u0000e\u0000'\u0000+\u0000'\u0000-\u0000E\u0000x\u0000p\u0000r\u0000e\u0000s\u0000s\u0000i\u0000o\u0000n\u0000'\u0000)\u0000 \u0000$\u0000t\u0000 | utf-8 | {'md5': '6cd1486db221e532cc2011c9beeb4ffc', 'sha1': '6e485467d7e06502046b7c84a8ef067cfe1512ad', ... | 6cd1486db221e532cc2011c9beeb4ffc | 6e485467d7e06502046b7c84a8ef067cfe1512ad | d3291dab1ae552b91e6b50d7460ceaa39f6f92b2cda4335dd77e28d25c62ce34 | 24 00 74 00 20 00 3d 00 20 00 27 00 64 00 69 00 72 00 27 00 3b 00 0d 00 0a 00 26 00 20 00 28 00 ... | 39.0 | .\\powershell -enc JAB0ACAAPQAgACcAZABpAHIAJwA7AA0ACgAmACAAKAAnAEkAbgB2AG8AawBlACcAKwAnAC0ARQB4A... | .\\powershell -enc <decoded type='string' name='[None]' index='1' depth='1'>$\u0000t\u0000 \u0000=\u0000 \u0000'\u0000d\u0000i\u0000r\u0000'\u0000... |\n",
"40 | 802d39e1-9d70-404d-832c-2de5e2478eda | MSTICAlertsWin1\\MSTICAdmin | 4688 | 2019-01-15 05:15:13.683 | MSTICAlertsWin1 | S-1-5-21-996632719-2361334927-4038480536-500 | MSTICAdmin | MSTICAlertsWin1 | 0xfaac27 | 0x16b8 | C:\\Diagnostics\\UserTmp\\cmd.exe | %%1936 | 0xbc8 | cmd /c \"echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1\" | C:\\Windows\\System32\\cmd.exe | 0x0 | 46fe7078-61bb-4bed-9430-7ac01d91c273 | 2019-01-15 05:15:13.683 | sibling | 1 | NaN | NaN | (, 1., 1) | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | unknown | None | b'i\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9a' | None | binary | {'md5': '9a45b2520e930dc9186f6d93a7798a13', 'sha1': 'f526c90fa0744e3a63d84421ff25e3f5a3d697cb', ... | 9a45b2520e930dc9186f6d93a7798a13 | f526c90fa0744e3a63d84421ff25e3f5a3d697cb | c1f6c05bdbe28a58557a9477cd0fa96fbc5e7c54ceb6057ec15eca4c664c4239 | 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a | 40.0 | cmd /c \"echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1\" | cmd /c \"echo # <decoded value='binary' name='[None]' type='None' index='1' depth='1'>69 a6 9a ... |\n",
"41 | 802d39e1-9d70-404d-832c-2de5e2478eda | MSTICAlertsWin1\\MSTICAdmin | 4688 | 2019-01-15 05:15:13.793 | MSTICAlertsWin1 | S-1-5-21-996632719-2361334927-4038480536-500 | MSTICAdmin | MSTICAlertsWin1 | 0xfaac27 | 0x16ec | C:\\Diagnostics\\UserTmp\\cmd.exe | %%1936 | 0xbc8 | cmd /c \"echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1\" | C:\\Windows\\System32\\cmd.exe | 0x0 | 46fe7078-61bb-4bed-9430-7ac01d91c273 | 2019-01-15 05:15:13.793 | sibling | 1 | NaN | NaN | (, 1., 1) | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa | unknown | None | b'i\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9ai\\xa6\\x9a' | None | binary | {'md5': '9a45b2520e930dc9186f6d93a7798a13', 'sha1': 'f526c90fa0744e3a63d84421ff25e3f5a3d697cb', ... | 9a45b2520e930dc9186f6d93a7798a13 | f526c90fa0744e3a63d84421ff25e3f5a3d697cb | c1f6c05bdbe28a58557a9477cd0fa96fbc5e7c54ceb6057ec15eca4c664c4239 | 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a 69 a6 9a | 41.0 | cmd /c \"echo # aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa >> blah.ps1\" | cmd /c \"echo # <decoded value='binary' name='[None]' type='None' index='1' depth='1'>69 a6 9a ... |\n",
"44 | 802d39e1-9d70-404d-832c-2de5e2478eda | MSTICAlertsWin1\\MSTICAdmin | 4688 | 2019-01-15 05:15:12.003 | MSTICAlertsWin1 | S-1-5-21-996632719-2361334927-4038480536-500 | MSTICAdmin | MSTICAlertsWin1 | 0xfaac27 | 0x1250 | C:\\Diagnostics\\UserTmp\\implant.exe | %%1936 | 0xbc8 | implant.exe 81ed03caf6901e444c72ac67d192fb9c | C:\\Windows\\System32\\cmd.exe | 0x0 | 46fe7078-61bb-4bed-9430-7ac01d91c273 | 2019-01-15 05:15:12.003 | sibling | 1 | NaN | NaN | (, 1., 1) | 81ed03caf6901e444c72ac67d192fb9c | unknown | None | b'\\xf3W\\x9d\\xd3w\\x1a\\x7f\\xaft\\xd5\\xee8\\xe1\\xce\\xf6i\\xce\\xbbw_v}\\xbf\\\\' | None | binary | {'md5': '1c8cc6299bd654bbcd85710968d6a87c', 'sha1': '55377391141f59a2ff5ae4765d9f0b4438adfd73', ... | 1c8cc6299bd654bbcd85710968d6a87c | 55377391141f59a2ff5ae4765d9f0b4438adfd73 | fd80ceba7cfb49d296886c10d9a3497d63c89a589587cda7d818cb4644842660 | f3 57 9d d3 77 1a 7f af 74 d5 ee 38 e1 ce f6 69 ce bb 77 5f 76 7d bf 5c | 44.0 | implant.exe 81ed03caf6901e444c72ac67d192fb9c | implant.exe <decoded value='binary' name='[None]' type='None' index='1' depth='1'>f3 57 9d d3 ... |\n", "
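
An added example, not part of the original notebook and not msticpy's implementation: a standard-library decoder that tries UTF-16LE before UTF-8, so a `powershell -enc` payload comes back without the interleaved NULs visible in the `decoded_string` column above, and that flags hex digests and single-character runs which are valid base64 but decode only to binary noise. The 20-character floor in the regex, the `likely_false_positive` field and the re-encoded sample script are assumptions made for this example.

```python
import base64
import binascii
import hashlib
import re

# 20+ base64-alphabet characters plus optional padding; the length floor is an assumption.
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
HEX_RE = re.compile(r"[0-9a-fA-F]+")

def decode_text(raw):
    """Return (text, encoding_type); (None, 'binary') when no text decoding fits."""
    # PowerShell -enc payloads are UTF-16LE: in ASCII text every second byte is NUL.
    utf16 = len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
    for encoding in (("utf-16-le", "utf-8") if utf16 else ("utf-8",)):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if all(ch.isprintable() or ch.isspace() for ch in text):
            return text, encoding
    return None, "binary"

def unpack(command_line, depth=1, max_depth=5):
    """Decode each base64 candidate, recursing into decoded text up to max_depth."""
    results = []
    for match in B64_RE.finditer(command_line):
        token = match.group()
        try:
            raw = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue  # wrong length or padding: not base64 after all
        text, encoding = decode_text(raw)
        results.append({
            "original_string": token, "depth": depth,
            "decoded_string": text, "encoding_type": encoding,
            "sha256": hashlib.sha256(raw).hexdigest(), "printable_bytes": raw.hex(" "),
            # Hex digests and single-character runs are valid base64 but decode to noise.
            "likely_false_positive": encoding == "binary"
            and (HEX_RE.fullmatch(token) is not None or len(set(token)) < 4),
        })
        if text and depth < max_depth:
            results.extend(unpack(text, depth + 1, max_depth))
    return results

# Constructed sample: the script shown in the decoded_string column, re-encoded as UTF-16LE.
SCRIPT = "$t = 'dir';\r\n& ('Invoke'+'-Expression') $t"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    for row in unpack(".\\powershell -enc " + ENCODED):
        print(row["encoding_type"], repr(row["decoded_string"]))
```

Rows with `likely_false_positive` set, such as the `implant.exe` argument and the run of `a` characters, can be filtered out before hashes are sent for reputation lookups.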