[{"_id":{"$oid":"69354e0290de064513d4f6e8"},"statistics":{"processing":[{"name":"CAPE","time":2.005},{"name":"AnalysisInfo","time":0.028},{"name":"BehaviorAnalysis","time":0.001},{"name":"Debug","time":0.001},{"name":"Memory","time":3.003},{"name":"NetworkAnalysis","time":0.002},{"name":"Sysmon","time":0},{"name":"UrlAnalysis","time":0},{"name":"Usage","time":0},{"name":"script_log_processing","time":0},{"name":"TraceeAnalysis","time":0.006},{"name":"ProcessMemory","time":0}],"signatures":[{"name":"packer_themida","time":0},{"name":"stealth_network","time":0},{"name":"disable_driver_via_blocklist","time":0},{"name":"disable_driver_via_hvcidisallowedimages","time":0},{"name":"disable_hypervisor_protected_code_integrity","time":0},{"name":"pendingfilerenameoperations_Operations","time":0},{"name":"anomalous_deletefile","time":0},{"name":"antiav_servicestop","time":0},{"name":"antidebug_guardpages","time":0},{"name":"antidebug_outputdebugstring","time":0},{"name":"antidebug_windows","time":0},{"name":"antisandbox_cuckoocrash","time":0},{"name":"antisandbox_foregroundwindows","time":0},{"name":"mouse_movement_detect","time":0},{"name":"antisandbox_script_timer","time":0},{"name":"antisandbox_sleep","time":0},{"name":"antisandbox_unhook","time":0},{"name":"antivm_directory_objects","time":0},{"name":"antivm_generic_system","time":0},{"name":"antivm_checks_available_memory","time":0},{"name":"detect_virtualization_via_recent_files","time":0},{"name":"antivm_vmware_events","time":0},{"name":"api_spamming","time":0},{"name":"api_uuidfromstringa","time":0},{"name":"bcdedit_command","time":0},{"name":"potential_overwrite_mbr","time":0},{"name":"suspicious_ioctl_scsipassthough","time":0},{"name":"suspicious_iocontrol_codes","time":0},{"name":"browser_needed","time":0},{"name":"uac_bypass_cmstp","time":0},{"name":"uac_bypass_eventvwr","time":0},{"name":"dotnet_code_compile","time":0},{"name":"queries_computer_name","time":0},{"name":"queries_user_name","time":0},{"name":"creates_largekey","time":0},{"name":"creates_nullvalue","time":0},{"name":"access_windows_passwords_vault","time":0},{"name":"lsass_credential_dumping","time":0},{"name":"critical_process","time":0},{"name":"cryptopool_domains","time":0},{"name":"dead_connect","time":0},{"name":"dead_link","time":0},{"name":"decoy_document","time":0},{"name":"decoy_image","time":0},{"name":"deletes_consolehost_history","time":0},{"name":"dep_bypass","time":0},{"name":"dep_disable","time":0},{"name":"disables_wfp","time":0},{"name":"add_windows_defender_exclusions","time":0},{"name":"document_script_exe_drop","time":0},{"name":"guloader_apis","time":0},{"name":"driver_load","time":0},{"name":"dynamic_function_loading","time":0},{"name":"encrypted_ioc","time":0},{"name":"process_creation_suspicious_location","time":0},{"name":"exploit_getbasekerneladdress","time":0},{"name":"exploit_gethaldispatchtable","time":0},{"name":"exploit_heapspray","time":0},{"name":"koadic_apis","time":0},{"name":"koadic_network_activity","time":0},{"name":"downloads_from_filehosting","time":0},{"name":"generic_phish","time":0},{"name":"http_request","time":0},{"name":"infostealer_browser","time":0},{"name":"infostealer_browser_password","time":0},{"name":"infostealer_cookies","time":0},{"name":"cryptbot_network","time":0},{"name":"purplewave_network_activity","time":0},{"name":"quilclipper_behavior","time":0},{"name":"raccoon_behavior","time":0},{"name":"captures_screenshot","time":0},{"name":"vidar_behavior","time":0},{"name":"injection_network_traffic","time":0},{"name":"injection_themeinitapihook","time":0},{"name":"resumethread_remote_process","time":0},{"name":"injection_write_exe_process","time":0},{"name":"injection_write_process","time":0},{"name":"internet_dropper","time":0},{"name":"escalate_privilege_via_named_pipe","time":0},{"name":"ipc_namedpipe","time":0},{"name":"js_phish","time":0},{"name":"js_suspicious_redirect","time":0},{"name":"loader_alien","time":0},{"name":"execute_binary_via_internet_explorer_exporter","time":0},{"name":"execute_binary_via_run_exe_helper_utility","time":0},{"name":"execute_ps_via_syncappvpublishingserver","time":0},{"name":"malicious_dynamic_function_loading","time":0},{"name":"encrypt_pcinfo","time":0},{"name":"encrypt_data_agenttesla_http","time":0},{"name":"encrypt_data_agentteslat2_http","time":0},{"name":"encrypt_data_nanocore","time":0},{"name":"reads_memory_remote_process","time":0},{"name":"mimics_filetime","time":0},{"name":"amsi_bypass_via_com_registry","time":0},{"name":"access_auto_logons_via_registry","time":0},{"name":"access_boot_key_via_registry","time":0},{"name":"create_suspicious_lnk_files","time":0},{"name":"credential_access_via_windows_credential_history","time":0},{"name":"dll_hijacking_via_microsoft_exchange","time":0},{"name":"dll_hijacking_via_waas_medic_svc_com_typelib","time":0},{"name":"execute_file_downloaded_via_openssh","time":0},{"name":"execute_safe_mode_from_suspicious_process","time":0},{"name":"execute_scripts_via_microsoft_management_console","time":0},{"name":"execute_suspicious_processes_via_windows_mssql_service","time":0},{"name":"execution_from_self_extracting_archive","time":0},{"name":"ip_address_discovery_via_trusted_program","time":0},{"name":"load_dll_via_control_panel","time":0},{"name":"network_connection_via_suspicious_process","time":0},{"name":"potential_location_discovery_via_unusual_process","time":0},{"name":"store_executable_registry","time":0},{"name":"Suspicious_Execution_Via_MicrosoftExchangeTransportAgent","time":0},{"name":"suspicious_java_execution_via_win_scripts","time":0},{"name":"Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File","time":0},{"name":"uses_restart_manager_for_suspicious_activities","time":0},{"name":"modify_desktop_wallpaper","time":0},{"name":"move_file_on_reboot","time":0},{"name":"multiple_useragents","time":0},{"name":"network_anomaly","time":0},{"name":"network_bind","time":0},{"name":"network_cnc_https_archive","time":0},{"name":"network_cnc_https_free_webhosting","time":0},{"name":"network_cnc_https_generic","time":0},{"name":"network_cnc_https_interactsh","time":0},{"name":"network_cnc_https_opensource","time":0},{"name":"network_cnc_https_pastesite","time":0},{"name":"network_cnc_https_payload","time":0},{"name":"network_cnc_https_serviceinterface","time":0},{"name":"network_cnc_https_socialmedia","time":0},{"name":"network_cnc_https_telegram","time":0},{"name":"network_cnc_https_tempstorage","time":0},{"name":"network_cnc_https_temp_urldns","time":0},{"name":"network_cnc_https_urlshortener","time":0},{"name":"network_cnc_https_useragent","time":0},{"name":"network_cnc_smtps_exfil","time":0},{"name":"network_cnc_smtps_generic","time":0},{"name":"network_dns_idn","time":0},{"name":"network_dns_suspicious_querytype","time":0},{"name":"network_dns_tunneling_request","time":0},{"name":"network_document_http","time":0},{"name":"explorer_http","time":0},{"name":"network_fake_useragent","time":0},{"name":"legitimate_domain_abuse","time":0},{"name":"suspicious_communication_trusted_site","time":0},{"name":"network_tor","time":0},{"name":"office_cve2017_11882","time":0},{"name":"office_cve2017_11882_network","time":0},{"name":"office_cve_2021_40444","time":0},{"name":"office_cve_2021_40444_m2","time":0},{"name":"office_flash_load","time":0},{"name":"office_postscript","time":0},{"name":"office_suspicious_processes","time":0},{"name":"office_write_exe","time":0},{"name":"persistence_via_autodial_dll_registry","time":0},{"name":"persistence_autorun","time":0},{"name":"persistence_autorun_tasks","time":0},{"name":"persistence_bootexecute","time":0},{"name":"persistence_registry_script","time":0},{"name":"powershell_network_connection","time":0},{"name":"powershell_download","time":0},{"name":"powershell_request","time":0},{"name":"createtoolhelp32snapshot_module_enumeration","time":0},{"name":"enumerates_running_processes","time":0},{"name":"process_interest","time":0},{"name":"process_needed","time":0},{"name":"mass_data_encryption","time":0},{"name":"ransomware_file_modifications","time":0},{"name":"nemty_network_activity","time":0},{"name":"nemty_note","time":0},{"name":"sodinokibi_behavior","time":0},{"name":"stop_ransomware_registry","time":0},{"name":"blackrat_apis","time":0},{"name":"blackrat_network_activity","time":0},{"name":"blackrat_registry_keys","time":0},{"name":"dcrat_behavior","time":0},{"name":"karagany_system_event_objects","time":0},{"name":"rat_luminosity","time":0},{"name":"rat_nanocore","time":0},{"name":"netwire_behavior","time":0},{"name":"obliquerat_network_activity","time":0},{"name":"orcusrat_behavior","time":0},{"name":"trochilusrat_apis","time":0},{"name":"reads_self","time":0},{"name":"recon_beacon","time":0},{"name":"recon_programs","time":0},{"name":"accesses_recyclebin","time":0},{"name":"remcos_shell_code_dynamic_wrapper_x","time":0},{"name":"script_created_process","time":0},{"name":"script_network_activity","time":0},{"name":"suspicious_js_script","time":0},{"name":"javascript_timer","time":0},{"name":"secure_login_phishing","time":0},{"name":"securityxploded_modules","time":0},{"name":"get_clipboard_data","time":0},{"name":"sets_autoconfig_url","time":0},{"name":"spoofs_procname","time":0},{"name":"stack_pivot","time":0},{"name":"stack_pivot_file_created","time":0},{"name":"stack_pivot_process_create","time":0},{"name":"set_clipboard_data","time":0},{"name":"stealth_childproc","time":0},{"name":"stealth_file","time":0},{"name":"stealth_window","time":0},{"name":"queries_keyboard_layout","time":0},{"name":"queries_locale_api","time":0},{"name":"terminates_remote_process","time":0},{"name":"user_enum","time":0},{"name":"virus","time":0},{"name":"neshta_files","time":0},{"name":"neshta_regkeys","time":0},{"name":"webmail_phish","time":0},{"name":"persists_dev_util","time":0},{"name":"spawns_dev_util","time":0},{"name":"alters_windows_utility","time":0},{"name":"overwrites_accessibility_utility","time":0},{"name":"Potential_Lateral_Movement_Via_SMBEXEC","time":0},{"name":"potential_WebShell_Via_ScreenConnectServer","time":0},{"name":"uses_Microsoft_HTML_Help_Executable","time":0},{"name":"wiper_zeroedbytes","time":0},{"name":"wmi_create_process","time":0},{"name":"wmi_script_process","time":0},{"name":"deletes_files","time":0},{"name":"drops_files","time":0},{"name":"reads_files","time":0},{"name":"writes_files","time":0},{"name":"antianalysis_tls_section","time":0},{"name":"antivirus_clamav","time":0},{"name":"antivirus_virustotal","time":0},{"name":"bad_certs","time":0},{"name":"bad_ssl_certs","time":0},{"name":"banker_zeus_p2p","time":0},{"name":"banker_zeus_url","time":0},{"name":"binary_yara","time":0},{"name":"bot_athenahttp","time":0},{"name":"bot_dirtjumper","time":0},{"name":"bot_drive","time":0},{"name":"bot_drive2","time":0},{"name":"bot_madness","time":0},{"name":"phishing_kit_detected","time":0},{"name":"family_proxyback","time":0},{"name":"flare_capa_antianalysis","time":0},{"name":"flare_capa_collection","time":0},{"name":"flare_capa_communication","time":0},{"name":"flare_capa_compiler","time":0},{"name":"flare_capa_datamanipulation","time":0},{"name":"flare_capa_executable","time":0},{"name":"flare_capa_hostinteraction","time":0},{"name":"flare_capa_impact","time":0},{"name":"flare_capa_lib","time":0},{"name":"flare_capa_linking","time":0},{"name":"flare_capa_loadcode","time":0},{"name":"flare_capa_malwarefamily","time":0},{"name":"flare_capa_nursery","time":0},{"name":"flare_capa_persistence","time":0},{"name":"flare_capa_runtime","time":0},{"name":"flare_capa_targeting","time":0},{"name":"threatfox","time":0},{"name":"log4shell","time":0},{"name":"mimics_extension","time":0},{"name":"network_country_distribution","time":0},{"name":"network_cnc_http","time":0},{"name":"network_ip_exe","time":0},{"name":"network_dga","time":0},{"name":"network_dga_fraunhofer","time":0},{"name":"network_dyndns","time":0},{"name":"network_excessive_udp","time":0},{"name":"network_http","time":0},{"name":"network_icmp","time":0},{"name":"network_irc","time":0},{"name":"network_open_proxy","time":0},{"name":"network_questionable_http_path","time":0},{"name":"network_questionable_https_path","time":0},{"name":"network_smtp","time":0},{"name":"network_torgateway","time":0},{"name":"origin_langid","time":0},{"name":"origin_resource_langid","time":0},{"name":"overlay","time":0},{"name":"packer_unknown_pe_section_name","time":0},{"name":"packer_aspack","time":0},{"name":"packer_aspirecrypt","time":0},{"name":"packer_bedsprotector","time":0},{"name":"packer_confuser","time":0},{"name":"packer_enigma","time":0},{"name":"packer_entropy","time":0},{"name":"packer_mpress","time":0},{"name":"packer_nate","time":0},{"name":"packer_nspack","time":0},{"name":"packer_smartassembly","time":0},{"name":"packer_spices","time":0},{"name":"packer_themida","time":0},{"name":"packer_titan","time":0},{"name":"packer_upx","time":0},{"name":"packer_vmprotect","time":0},{"name":"packer_yoda","time":0},{"name":"pdf_annot_urls_checker","time":0},{"name":"polymorphic","time":0},{"name":"punch_plus_plus_pcres","time":0},{"name":"procmem_yara","time":0},{"name":"recon_checkip","time":0},{"name":"static_authenticode","time":0},{"name":"invalid_authenticode_signature","time":0},{"name":"static_dotnet_anomaly","time":0},{"name":"static_java","time":0},{"name":"static_pdf","time":0},{"name":"contains_pe_overlay","time":0},{"name":"static_pe_anomaly","time":0},{"name":"pe_compile_timestomping","time":0},{"name":"static_pe_pdbpath","time":0},{"name":"static_rat_config","time":0},{"name":"static_versioninfo_anomaly","time":0},{"name":"suricata_alert","time":0},{"name":"suspicious_html_body","time":0},{"name":"suspicious_html_name","time":0},{"name":"suspicious_html_title","time":0},{"name":"volatility_devicetree_1","time":0},{"name":"volatility_handles_1","time":0},{"name":"volatility_ldrmodules_1","time":0},{"name":"volatility_ldrmodules_2","time":0},{"name":"volatility_malfind_1","time":0},{"name":"volatility_malfind_2","time":0},{"name":"volatility_modscan_1","time":0},{"name":"volatility_svcscan_1","time":0},{"name":"volatility_svcscan_2","time":0},{"name":"volatility_svcscan_3","time":0},{"name":"whois_create","time":0},{"name":"accesses_mailslot","time":0},{"name":"accesses_netlogon_regkey","time":0},{"name":"accesses_public_folder","time":0},{"name":"accesses_sysvol","time":0},{"name":"writes_sysvol","time":0},{"name":"adds_admin_user","time":0},{"name":"adds_user","time":0},{"name":"overwrites_admin_password","time":0},{"name":"antianalysis_detectfile","time":0},{"name":"antianalysis_detectreg","time":0},{"name":"modify_attachment_manager","time":0},{"name":"antiav_detectfile","time":0.001},{"name":"antiav_detectreg","time":0.001},{"name":"antiav_srp","time":0},{"name":"antiav_whitespace","time":0},{"name":"antidebug_devices","time":0},{"name":"antiemu_windefend","time":0},{"name":"antiemu_wine_reg","time":0},{"name":"antisandbox_cuckoo_files","time":0},{"name":"antisandbox_fortinet_files","time":0},{"name":"antisandbox_joe_anubis_files","time":0},{"name":"antisandbox_sboxie_mutex","time":0},{"name":"antisandbox_sunbelt_files","time":0},{"name":"antisandbox_threattrack_files","time":0},{"name":"antivm_bochs_keys","time":0},{"name":"antivm_generic_bios","time":0},{"name":"antivm_generic_diskreg","time":0},{"name":"antivm_hyperv_keys","time":0},{"name":"antivm_parallels_keys","time":0},{"name":"antivm_recentdocs","time":0},{"name":"antivm_vbox_devices","time":0},{"name":"antivm_vbox_files","time":0},{"name":"antivm_vbox_keys","time":0},{"name":"antivm_vmware_devices","time":0},{"name":"antivm_vmware_files","time":0},{"name":"antivm_vmware_keys","time":0},{"name":"antivm_vmware_mutexes","time":0},{"name":"antivm_vpc_files","time":0},{"name":"antivm_vpc_keys","time":0},{"name":"antivm_vpc_mutex","time":0},{"name":"antivm_xen_keys","time":0},{"name":"asyncrat_mutex","time":0},{"name":"gulpix_behavior","time":0},{"name":"ketrican_regkeys","time":0},{"name":"okrum_mutexes","time":0},{"name":"banker_cridex","time":0},{"name":"geodo_banking_trojan","time":0},{"name":"banker_spyeye_mutexes","time":0},{"name":"banker_zeus_mutex","time":0},{"name":"bitcoin_opencl","time":0},{"name":"accesses_primary_patition","time":0},{"name":"direct_hdd_access","time":0},{"name":"enumerates_physical_drives","time":0},{"name":"physical_drive_access","time":0},{"name":"bot_russkill","time":0},{"name":"browser_addon","time":0},{"name":"chromium_browser_extension_directory","time":0},{"name":"browser_helper_object","time":0},{"name":"browser_security","time":0},{"name":"browser_startpage","time":0},{"name":"ie_disables_process_tab","time":0},{"name":"odbcconf_bypass","time":0},{"name":"squiblydoo_bypass","time":0},{"name":"squiblytwo_bypass","time":0},{"name":"bypass_chromium_protection","time":0},{"name":"bypass_firewall","time":0},{"name":"checks_uac_status","time":0},{"name":"uac_bypass_cmstpcom","time":0},{"name":"uac_bypass_delegateexecute_sdclt","time":0},{"name":"uac_bypass_fodhelper","time":0},{"name":"cape_extracted_content","time":0},{"name":"carberp_mutex","time":0},{"name":"clears_logs","time":0},{"name":"cmdline_obfuscation","time":0},{"name":"cmdline_switches","time":0},{"name":"cmdline_terminate","time":0},{"name":"cmdline_forfiles_wildcard","time":0},{"name":"cmdline_http_link","time":0},{"name":"cmdline_long_string","time":0},{"name":"cmdline_reversed_http_link","time":0},{"name":"long_commandline","time":0},{"name":"powershell_renamed_commandline","time":0},{"name":"copies_self","time":0},{"name":"credwiz_credentialaccess","time":0},{"name":"enables_wdigest","time":0},{"name":"vaultcmd_credentialaccess","time":0},{"name":"file_credential_store_access","time":0},{"name":"file_credential_store_write","time":0},{"name":"kerberos_credential_access_via_rubeus","time":0},{"name":"registry_credential_dumping","time":0},{"name":"registry_credential_store_access","time":0},{"name":"registry_lsa_secrets_access","time":0},{"name":"comsvcs_credentialdump","time":0},{"name":"cryptomining_stratum_command","time":0},{"name":"cypherit_mutexes","time":0},{"name":"darkcomet_regkeys","time":0},{"name":"datop_loader","time":0},{"name":"deepfreeze_mutex","time":0},{"name":"deletes_executed_files","time":0},{"name":"disables_app_launch","time":0},{"name":"disables_auto_app_termination","time":0},{"name":"disables_appv_virtualization","time":0},{"name":"disables_backups","time":0},{"name":"disables_browser_warn","time":0},{"name":"disables_context_menus","time":0},{"name":"disables_cpl_disable","time":0},{"name":"disables_crashdumps","time":0},{"name":"disables_event_logging","time":0},{"name":"disables_folder_options","time":0},{"name":"disables_notificationcenter","time":0},{"name":"disables_power_options","time":0},{"name":"disables_restore_default_state","time":0},{"name":"disables_run_command","time":0},{"name":"disables_smartscreen","time":0},{"name":"disables_startmenu_search","time":0},{"name":"disables_system_restore","time":0},{"name":"disables_uac","time":0},{"name":"disables_wer","time":0},{"name":"disables_windows_defender","time":0},{"name":"disables_windows_defender_logging","time":0},{"name":"removes_windows_defender_contextmenu","time":0},{"name":"removes_windows_defender_updates","time":0},{"name":"windows_defender_powershell","time":0},{"name":"disables_windows_file_protection","time":0},{"name":"disables_windowsupdate","time":0},{"name":"disables_winfirewall","time":0},{"name":"adfind_domain_enumeration","time":0},{"name":"domain_enumeration_commands","time":0},{"name":"andromut_mutexes","time":0},{"name":"downloader_cabby","time":0},{"name":"phorpiex_mutexes","time":0},{"name":"protonbot_mutexes","time":0},{"name":"driver_filtermanager","time":0},{"name":"dropper","time":0},{"name":"dll_archive_execution","time":0},{"name":"lnk_archive_execution","time":0},{"name":"script_archive_execution","time":0},{"name":"excel4_macro_urls","time":0},{"name":"escalate_privilege_via_ntlm_relay","time":0},{"name":"spooler_access","time":0},{"name":"spooler_svc_start","time":0},{"name":"mapped_drives_uac","time":0},{"name":"hides_recycle_bin_icon","time":0},{"name":"apocalypse_stealer_file_behavior","time":0},{"name":"arkei_files","time":0},{"name":"azorult_mutexes","time":0},{"name":"infostealer_bitcoin","time":0},{"name":"cryptbot_files","time":0},{"name":"echelon_files","time":0},{"name":"infostealer_ftp","time":0.001},{"name":"infostealer_im","time":0},{"name":"infostealer_mail","time":0},{"name":"masslogger_files","time":0},{"name":"poullight_files","time":0},{"name":"purplewave_mutexes","time":0},{"name":"quilclipper_mutexes","time":0},{"name":"qulab_files","time":0},{"name":"qulab_mutexes","time":0},{"name":"asyncrat_mutex","time":0},{"name":"Evade_Execution_Via_ASPNet_Compiler","time":0},{"name":"Evade_Execute_Via_DeviceCredentialDeployment","time":0},{"name":"Evade_Execution_Via_Filter_Manager_Control","time":0},{"name":"Evade_Execution_Via_Intel_GFXDownloadWrapper","time":0},{"name":"execute_binary_via_appvlp","time":0},{"name":"execute_binary_via_pcalua","time":0},{"name":"Execute_Binary_Via_OpenSSH","time":0},{"name":"execute_binary_via_pcalua","time":0},{"name":"Execute_Binary_Via_PesterPSModule","time":0},{"name":"Execute_Binary_Via_ScriptRunner","time":0},{"name":"execute_binary_via_ttdinject","time":0},{"name":"Execute_Binary_Via_VisualStudioLiveShare","time":0},{"name":"Execute_Msiexec_Via_Explorer","time":0},{"name":"execute_remote_msi","time":0},{"name":"execute_suspicious_powershell_via_runscripthelper","time":0},{"name":"execute_suspicious_powershell_via_sqlps","time":0},{"name":"Indirect_Command_Execution_Via_ConsoleWindowHost","time":0},{"name":"Perform_Malicious_Activities_Via_Headless_Browser","time":0},{"name":"Register_DLL_Via_CertOC","time":0},{"name":"Register_DLL_Via_MSIEXEC","time":0},{"name":"Register_DLL_Via_Odbcconf","time":0},{"name":"Scriptlet_Proxy_Execution_Via_Pubprn","time":0},{"name":"ie_martian_children","time":0},{"name":"office_martian_children","time":0},{"name":"mimics_icon","time":0},{"name":"masquerade_process_name","time":0},{"name":"mimikatz_modules","time":0},{"name":"ms_office_cmd_rce","time":0},{"name":"mount_copy_to_webdav_share","time":0},{"name":"potential_protocol_tunneling_via_legit_utilities","time":0},{"name":"potential_protocol_tunneling_via_qemu","time":0},{"name":"suspicious_execution_via_dotnet_remoting","time":0},{"name":"modify_certs","time":0},{"name":"dotnet_clr_usagelog_regkeys","time":0},{"name":"modify_hostfile","time":0},{"name":"modify_oem_information","time":0},{"name":"modify_security_center_warnings","time":0},{"name":"modify_uac_prompt","time":0},{"name":"network_dns_blockchain","time":0},{"name":"network_dns_opennic","time":0},{"name":"network_dns_paste_site","time":0},{"name":"network_dns_reverse_proxy","time":0},{"name":"network_dns_temp_file_storage","time":0},{"name":"network_dns_temp_urldns","time":0},{"name":"network_dns_url_shortener","time":0},{"name":"network_dns_doh_tls","time":0},{"name":"suspicious_tld","time":0},{"name":"network_tor_service","time":0},{"name":"office_code_page","time":0},{"name":"office_addinloading","time":0},{"name":"office_perfkey","time":0},{"name":"office_macro","time":0},{"name":"changes_trust_center_settings","time":0},{"name":"disables_vba_trust_access","time":0},{"name":"office_macro_autoexecution","time":0},{"name":"office_macro_ioc","time":0},{"name":"office_macro_malicious_prediction","time":0},{"name":"office_macro_suspicious","time":0},{"name":"rtf_aslr_bypass","time":0},{"name":"rtf_anomaly_characterset","time":0},{"name":"rtf_anomaly_version","time":0},{"name":"rtf_embedded_content","time":0},{"name":"rtf_embedded_office_file","time":0},{"name":"rtf_exploit_static","time":0},{"name":"office_security","time":0},{"name":"accesses_office_username","time":0},{"name":"office_anomalous_feature","time":0},{"name":"office_dde_command","time":0},{"name":"packer_armadillo_mutex","time":0},{"name":"packer_armadillo_regkey","time":0},{"name":"persistence_safeboot","time":0},{"name":"persistence_ifeo","time":0},{"name":"persistence_silent_process_exit","time":0},{"name":"persistence_rdp_registry","time":0},{"name":"persistence_rdp_shadowing","time":0},{"name":"persistence_shim_database","time":0},{"name":"powerpool_mutexes","time":0},{"name":"powershell_scriptblock_logging","time":0},{"name":"powershell_command_suspicious","time":0},{"name":"powershell_history_save_mod","time":0},{"name":"powershell_renamed","time":0},{"name":"powershell_reversed","time":0},{"name":"powershell_variable_obfuscation","time":0},{"name":"prevents_safeboot","time":0},{"name":"cmdline_process_discovery","time":0},{"name":"cryptomix_mutexes","time":0},{"name":"dharma_mutexes","time":0},{"name":"ransomware_extensions","time":0.001},{"name":"ransomware_files","time":0.002},{"name":"fonix_mutexes","time":0},{"name":"gandcrab_mutexes","time":0},{"name":"germanwiper_mutexes","time":0},{"name":"medusalocker_mutexes","time":0},{"name":"medusalocker_regkeys","time":0},{"name":"nemty_mutexes","time":0},{"name":"nemty_regkeys","time":0},{"name":"pysa_mutexes","time":0},{"name":"ransomware_radamant","time":0},{"name":"ransomware_recyclebin","time":0},{"name":"revil_mutexes","time":0},{"name":"ransomware_revil_regkey","time":0},{"name":"satan_mutexes","time":0},{"name":"snake_ransom_mutexes","time":0},{"name":"stop_ransom_mutexes","time":0},{"name":"stop_ransomware_cmd","time":0},{"name":"rat_beebus_mutexes","time":0},{"name":"blacknet_mutexes","time":0},{"name":"blackrat_mutexes","time":0},{"name":"crat_mutexes","time":0},{"name":"dcrat_files","time":0},{"name":"dcrat_mutexes","time":0},{"name":"rat_fynloski_mutexes","time":0},{"name":"limerat_mutexes","time":0},{"name":"limerat_regkeys","time":0},{"name":"lodarat_file_behavior","time":0},{"name":"modirat_behavior","time":0},{"name":"njrat_regkeys","time":0},{"name":"obliquerat_files","time":0},{"name":"obliquerat_mutexes","time":0},{"name":"parallax_mutexes","time":0},{"name":"rat_pcclient","time":0},{"name":"rat_plugx_mutexes","time":0},{"name":"rat_poisonivy_mutexes","time":0},{"name":"rat_quasar_mutexes","time":0},{"name":"ratsnif_mutexes","time":0},{"name":"rat_spynet","time":0},{"name":"venomrat_mutexes","time":0},{"name":"warzonerat_files","time":0},{"name":"warzonerat_regkeys","time":0},{"name":"xpertrat_files","time":0},{"name":"xpertrat_mutexes","time":0},{"name":"rat_xtreme_mutexes","time":0},{"name":"reads_password_database","time":0},{"name":"recon_fingerprint","time":0},{"name":"remcos_files","time":0},{"name":"remcos_mutexes","time":0},{"name":"remcos_regkeys","time":0},{"name":"rdptcp_key","time":0},{"name":"uses_rdp_clip","time":0},{"name":"uses_remote_desktop_session","time":0},{"name":"removes_networking_icon","time":0},{"name":"removes_pinned_programs","time":0},{"name":"removes_security_maintenance_icon","time":0},{"name":"removes_startmenu_defaults","time":0},{"name":"removes_username_startmenu","time":0},{"name":"spicyhotpot_behavior","time":0},{"name":"sniffer_winpcap","time":0},{"name":"spreading_autoruninf","time":0},{"name":"stealth_hidden_extension","time":0},{"name":"stealth_hiddenreg","time":0},{"name":"stealth_hide_notifications","time":0},{"name":"stealth_webhistory","time":0},{"name":"sysinternals_psexec","time":0},{"name":"sysinternals_tools","time":0},{"name":"language_check_registry","time":0},{"name":"tampers_etw","time":0},{"name":"lsa_tampering","time":0},{"name":"tampers_powershell_logging","time":0},{"name":"targeted_flame","time":0},{"name":"territorial_disputes_sigs","time":0.001},{"name":"trickbot_mutex","time":0},{"name":"fleercivet_mutex","time":0},{"name":"lokibot_mutexes","time":0},{"name":"ursnif_behavior","time":0},{"name":"uses_adfind","time":0},{"name":"uses_ms_protocol","time":0},{"name":"neshta_mutexes","time":0},{"name":"renamer_mutexes","time":0},{"name":"owa_web_shell_files","time":0},{"name":"web_shell_files","time":0},{"name":"web_shell_processes","time":0},{"name":"dotnet_csc_build","time":0},{"name":"mavinject_lolbin","time":0},{"name":"multiple_explorer_instances","time":0},{"name":"script_tool_executed","time":0},{"name":"suspicious_certutil_use","time":0},{"name":"suspicious_command_tools","time":0},{"name":"suspicious_mpcmdrun_use","time":0},{"name":"suspicious_ping_use","time":0},{"name":"uses_powershell_copyitem","time":0},{"name":"uses_windows_utilities","time":0},{"name":"uses_windows_utilities_appcmd","time":0},{"name":"uses_windows_utilities_csvde_ldifde","time":0},{"name":"uses_windows_utilities_cipher","time":0},{"name":"uses_windows_utilities_clickonce","time":0},{"name":"uses_windows_utilities_curl","time":0},{"name":"uses_windows_utilities_dsquery","time":0},{"name":"uses_windows_utilities_esentutl","time":0},{"name":"uses_windows_utilities_finger","time":0},{"name":"uses_windows_utilities_mode","time":0},{"name":"uses_windows_utilities_ntdsutil","time":0},{"name":"uses_windows_utilities_nltest","time":0},{"name":"uses_windows_utilities_xcopy","time":0},{"name":"wmic_command_suspicious","time":0},{"name":"scrcons_wmi_script_consumer","time":0},{"name":"allaple_mutexes","time":0}],"reporting":[{"name":"BinGraph","time":0},{"name":"MITRE_TTPS","time":0},{"name":"ReportHTML","time":0.056},{"name":"ReportHTMLSummary","time":0.053}]},"target":{"category":"file","file":{"name":"360e6f2288b6c8364159.exe","path":"/opt/CAPEv2/storage/binaries/360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f","guest_paths":"","size":228352,"crc32":"101B020C","md5":"9a5ff998dbf0f6923d0b454d89800fb4","sha1":"4f4fa23e9c503b941a5e91584d6ecc3813962ba1","sha256":"360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f","sha512":"cee9cbb97f8f256a039b009bc3e0c286945d14ce80c51e5f7be51e27ddfbee2864eb7c04c33a52e4cd82767921a073075dffa3ddb4cac5cb769329f1d98b172e","rh_hash":null,"ssdeep":"3072:y7P9YD7qHKLnO89zkxt2WpZirqaN5Eq52qPyFmrvixQhgtVA7fTFAbH+3ljZUaO7:Z7Or8rqc2q0qPyMKCes7fT2bU","type":"PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows","yara":[{"name":"INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore","meta":{"author":"ditekSHen","description":"Detects executables containing SQL queries to confidential data stores. Observed in infostealers"},"strings":["S\u0000E\u0000L\u0000E\u0000C\u0000T\u0000 \u0000"," \u0000F\u0000R\u0000O\u0000M\u0000 \u0000l\u0000o\u0000g\u0000i\u0000n\u0000s\u0000"," \u0000F\u0000R\u0000O\u0000M\u0000 \u0000c\u0000o\u0000o\u0000k\u0000i\u0000e\u0000s\u0000"," \u0000F\u0000R\u0000O\u0000M\u0000 \u0000m\u0000o\u0000z\u0000_\u0000c\u0000o\u0000o\u0000k\u0000i\u0000e\u0000s\u0000","Name","NAME","name","N\u0000a\u0000m\u0000e\u0000","n\u0000a\u0000m\u0000e\u0000","p\u0000a\u0000s\u0000s\u0000w\u0000o\u0000r\u0000d\u0000_\u0000v\u0000a\u0000l\u0000u\u0000e\u0000","e\u0000n\u0000c\u0000r\u0000y\u0000p\u0000t\u0000e\u0000d\u0000_\u0000v\u0000a\u0000l\u0000u\u0000e\u0000"],"addresses":{"select":205130,"table2":203063,"table3":204537,"table4":205226,"column1":227183,"column2":203035,"column3":204447}},{"name":"INDICATOR_Binary_Embedded_Cryptocurrency_Wallet_Browser_Extension_IDs","meta":{"author":"ditekSHen","description":"Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs."},"strings":["i\u0000b\u0000n\u0000e\u0000j\u0000d\u0000f\u0000j\u0000m\u0000m\u0000k\u0000p\u0000c\u0000n\u0000l\u0000p\u0000e\u0000b\u0000k\u0000l\u0000m\u0000n\u0000k\u0000o\u0000e\u0000o\u0000i\u0000h\u0000o\u0000f\u0000e\u0000c\u0000","f\u0000h\u0000b\u0000o\u0000h\u0000i\u0000m\u0000a\u0000e\u0000l\u0000b\u0000o\u0000h\u0000p\u0000j\u0000b\u0000b\u0000l\u0000d\u0000c\u0000n\u0000g\u0000c\u0000n\u0000a\u0000p\u0000n\u0000d\u0000o\u0000d\u0000j\u0000p\u0000","j\u0000b\u0000d\u0000a\u0000o\u0000c\u0000n\u0000e\u0000i\u0000i\u0000i\u0000n\u0000m\u0000j\u0000b\u0000j\u0000l\u0000g\u0000a\u0000l\u0000h\u0000c\u0000e\u0000l\u0000g\u0000b\u0000e\u0000j\u0000m\u0000n\u0000i\u0000d\u0000","a\u0000f\u0000b\u0000c\u0000b\u0000j\u0000p\u0000b\u0000p\u0000f\u0000a\u0000d\u0000l\u0000k\u0000m\u0000h\u0000m\u0000c\u0000l\u0000h\u0000k\u0000e\u0000e\u0000o\u0000d\u0000m\u0000a\u0000m\u0000c\u0000f\u0000l\u0000c\u0000","h\u0000n\u0000f\u0000a\u0000n\u0000k\u0000n\u0000o\u0000c\u0000f\u0000e\u0000o\u0000f\u0000b\u0000d\u0000d\u0000g\u0000c\u0000i\u0000j\u0000n\u0000m\u0000h\u0000n\u0000f\u0000n\u0000k\u0000d\u0000n\u0000a\u0000a\u0000d\u0000","n\u0000k\u0000b\u0000i\u0000h\u0000f\u0000b\u0000e\u0000o\u0000g\u0000a\u0000e\u0000a\u0000o\u0000e\u0000h\u0000l\u0000e\u0000f\u0000n\u0000k\u0000o\u0000d\u0000b\u0000e\u0000f\u0000g\u0000p\u0000g\u0000k\u0000n\u0000n\u0000","b\u0000f\u0000n\u0000a\u0000e\u0000l\u0000m\u0000o\u0000m\u0000e\u0000i\u0000m\u0000h\u0000l\u0000p\u0000m\u0000g\u0000j\u0000n\u0000j\u0000o\u0000p\u0000h\u0000h\u0000p\u0000k\u0000k\u0000o\u0000l\u0000j\u0000p\u0000a\u0000","e\u0000j\u0000b\u0000a\u0000l\u0000b\u0000a\u0000k\u0000o\u0000p\u0000l\u0000c\u0000h\u0000l\u0000g\u0000h\u0000e\u0000c\u0000d\u0000a\u0000l\u0000m\u0000e\u0000e\u0000e\u0000a\u0000j\u0000n\u0000i\u0000m\u0000h\u0000m\u0000","e\u0000g\u0000j\u0000i\u0000d\u0000j\u0000b\u0000p\u0000g\u0000l\u0000i\u0000c\u0000h\u0000d\u0000c\u0000o\u0000n\u0000d\u0000b\u0000c\u0000b\u0000d\u0000n\u0000b\u0000e\u0000e\u0000p\u0000p\u0000g\u0000d\u0000p\u0000h\u0000"],"addresses":{"s1":155578,"s2":155363,"s4":155787,"s5":156006,"s6":155140,"s33":158043,"s44":157838,"s67":156928,"s91":157358}}],"cape_yara":[],"clamav":[],"tlsh":"T1B324C55563F94600F2FF6F79A9B145210A73B897AC36E30E0989549E1FB3B81D821B73","sha3_384":"e4a453c1b4678ad4d9b39dacbb1ccf78bf27919b48798c7231815741c296561507ae5fd62236c3c7f4e187763e06448e","pe":{"guest_signers":{},"digital_signers":[],"imagebase":"0x00400000","entrypoint":"0x00038f5e","ep_bytes":"ff250020400000000000e98f37d7f4e1","peid_signatures":null,"reported_checksum":"0x00000000","actual_checksum":"0x0004498b","osversion":"4.0","pdbpath":"C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb","imports":{"mscoree":{"dll":"mscoree.dll","imports":[{"address":"0x402000","name":"_CorExeMain"}]}},"exported_dll_name":null,"exports":[],"dirents":[{"name":"IMAGE_DIRECTORY_ENTRY_EXPORT","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_IMPORT","virtual_address":"0x00038f09","size":"0x0000004f"},{"name":"IMAGE_DIRECTORY_ENTRY_RESOURCE","virtual_address":"0x0003a000","size":"0x000006ac"},{"name":"IMAGE_DIRECTORY_ENTRY_EXCEPTION","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_SECURITY","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_BASERELOC","virtual_address":"0x0003c000","size":"0x0000000c"},{"name":"IMAGE_DIRECTORY_ENTRY_DEBUG","virtual_address":"0x00038e6c","size":"0x00000038"},{"name":"IMAGE_DIRECTORY_ENTRY_COPYRIGHT","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_GLOBALPTR","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_TLS","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_IAT","virtual_address":"0x00002000","size":"0x00000008"},{"name":"IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR","virtual_address":"0x00002008","size":"0x00000048"},{"name":"IMAGE_DIRECTORY_ENTRY_RESERVED","virtual_address":"0x00000000","size":"0x00000000"}],"sections":[{"name":".text","raw_address":"0x00000200","virtual_address":"0x00002000","virtual_size":"0x00036fd0","size_of_data":"0x00037000","characteristics":"IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ","characteristics_raw":"0x60000020","entropy":"5.56"},{"name":".rsrc","raw_address":"0x00037200","virtual_address":"0x0003a000","virtual_size":"0x000006ac","size_of_data":"0x00000800","characteristics":"IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ","characteristics_raw":"0x40000040","entropy":"4.51"},{"name":".reloc","raw_address":"0x00037a00","virtual_address":"0x0003c000","virtual_size":"0x0000000c","size_of_data":"0x00000200","characteristics":"IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ","characteristics_raw":"0x42000040","entropy":"0.10"}],"overlay":null,"resources":[{"name":"RT_RCDATA","offset":"0x0003a148","size":"0x0000001e","filetype":null,"language":"LANG_NEUTRAL","sublanguage":"SUBLANG_NEUTRAL","entropy":"2.48"},{"name":"RT_RCDATA","offset":"0x0003a168","size":"0x0000000a","filetype":null,"language":"LANG_NEUTRAL","sublanguage":"SUBLANG_NEUTRAL","entropy":"1.37"},{"name":"RT_RCDATA","offset":"0x0003a174","size":"0x0000004c","filetype":null,"language":"LANG_NEUTRAL","sublanguage":"SUBLANG_NEUTRAL","entropy":"2.88"},{"name":"RT_VERSION","offset":"0x0003a1c0","size":"0x00000300","filetype":null,"language":"LANG_NEUTRAL","sublanguage":"SUBLANG_NEUTRAL","entropy":"3.16"},{"name":"RT_MANIFEST","offset":"0x0003a4c0","size":"0x000001ea","filetype":null,"language":"LANG_NEUTRAL","sublanguage":"SUBLANG_NEUTRAL","entropy":"5.00"}],"versioninfo":[{"name":"Translation","value":"0x0000 0x04b0"},{"name":"Comments","value":"RMM Client"},{"name":"CompanyName","value":""},{"name":"FileDescription","value":"Client"},{"name":"FileVersion","value":"1.0.0.0"},{"name":"InternalName","value":"Client.exe"},{"name":"LegalCopyright","value":""},{"name":"LegalTrademarks","value":""},{"name":"OriginalFilename","value":"Client.exe"},{"name":"ProductName","value":"Client"},{"name":"ProductVersion","value":"1.0.0.0"},{"name":"Assembly Version","value":"1.0.0.0"}],"imphash":"f34d5f2d4577ed6d9ceec516c1f5a744","timestamp":"2088-03-06 18:36:34","icon":null,"icon_hash":null,"icon_fuzzy":null,"icon_dhash":null,"imported_dll_count":1},"data":null,"die":[],"strings":["ppszDataDescr","Version","python3.exe","browser_history","baseNetwork","[ERROR] ReadFile failed with error: {0}","uiParam","Error grabbing all wallets: ","            visit_count = int(row['visit_count']) if row['visit_count'] is not None else 0","<HandlePacket>b__34","progress","DuplicateToken","GetInt64","SND_ASYNC","{\"message\":\"","intensity","keylog_data","UnescapeJson","N=M  ","<>9__51_2","get_Item3","<>c__DisplayClass51_7","get_DisplayName","[CHROME V20] ChaCha20-Poly1305 not available, falling back to AES-GCM","FindWindow","EscapeJson","    if ($count -eq 0) {","[BrowserHistory] Parsing database: ","add_to_startup","    $cmd = $conn.CreateCommand()","lpRect","passwords_recovered","get_DNSServers","[DECRYPT SUCCESS] {0}: {1} chars","[SQLITE] Total valid password entries: {0}","[BrowserHistory] File.Copy failed: ","Quality changed to {0}x{1} in real-time","[AES-GCM ERROR] BCryptOpenAlgorithmProvider failed: 0x{0:X8}","[CHROME V20] Extracting Chrome v20 master key...","Win32Exception","Encoder","[AES-GCM ERROR] Exception: ","INVALID_HANDLE_VALUE","CryptUnprotectData","\",\"displayName\":\"","SetValueAsync","<ReconnectionLoop>d__27","Concat","[[O#[","FileItem","fun_message","ExtractCookies","],\"wifi\":[","    cursor.execute(\"SELECT name FROM sqlite_master WHERE type='table' AND name='autofill'\")","File set to hidden + system attributes (melt enabled)","list_registry","System.Text","ENUM_CURRENT_SETTINGS","ParseValueType","cbData","BraveSoftware","set_DateCreated","dwThreadId","<CaptureWebcamAsync>d__0","DeleteValueAsync","set_Padding","set_BackColor","[DEBUG] Edge: Found {0} profile directories","pDataIn","lpSecurityAttributes","        'System.Data.SQLite.dll'","[BrowserHistory] AppData: ","set_Status","CRYPT_STRING_BASE64","ReadFile","Network","pvParam","SeDebugPrivilege","[LSASS] Token duplicated","stream"," bytes","get_MessageLoop","        $title = if ($reader['title']) { $reader['title'].ToString() } else { '' }","=== RMM Client Starting ===","SocketOptionLevel","CaptureScreen","fun_hide_taskbar","<>c__DisplayClass51_12","Software\\Classes\\ms-settings\\Shell\\Open\\command","<Count>k__BackingField","\\com.liberty.jaxx","get_Out","onKey","pOptionalEntropy","MOUSEEVENTF_MIDDLEDOWN","<HandlePacket>b__27","Windows WiFi","remoteInputEnabled","[BrowserHistory] Stack trace: ","PROCESS_QUERY_LIMITED_INFORMATION","    <security>","Combine","ParseHistoryDatabase","ProcessPendingOperations","get_OperationalStatus","pagefile.sys","[BrowserHistory] PowerShell returned error: ","[BrowserHistory] Error scanning Brave profiles: ","[PASSWORDS SUCCESS] Decrypted password for {0}: {1} chars","<HandlePacket>b__29","ReadAllText","System.Collections","        required_columns = ['url', 'title', 'visit_count', 'last_visit_time']","<>9__51_11","[LSASS] Failed to open process (error: 0x{0:X8}) - need Administrator privileges","[AutofillData] Successfully copied using File.Copy","get_Location","Release","startup_status","[SUCCESS] Credentials uploaded: {0} ({1:N0} bytes)","Too many consecutive errors ({0}), disconnecting...","cbInput","get_Attributes","SPI_SETDESKWALLPAPER","\"data\":","\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\afbcbjpbpfadlkmhmclhkeeodmamcflc","fun_change_wallpaper","browser_history_debug.log","set_DateLastUsed","GetResult","GC_CLEANUP_INTERVAL_SECONDS","set_IsDirectory","[CHROME V20] Using ChaCha20-Poly1305 with hardcoded key","ConnectAsync","set_Location","indentStr","<>9__2_0","hWndChild","    cursor.execute('SELECT name, value, date_created, date_last_used, count FROM autofill ORDER BY date_last_used DESC LIMIT 500')","FileShare","<HandlePacket>b__51_9","set_Path","nCmdShow","<TotalSize>k__BackingField","[ERROR]","<>c__DisplayClass51_18","ReadFirefoxCookies","CreateParams","del \"%~f0\"","PtrToStructure","Reconnected successfully!","Empty packet received","<Password>k__BackingField","Error changing quality: ","<HandlePacket>b__51_1","C:\\Windows\\System32\\fodhelper.exe","Error in Run: ","using System.Net;","$ErrorActionPreference = 'Stop'","<MonitorClipboardAsync>d__15","CryptStringToBinaryA","[{0:yyyy-MM-dd HH:mm:ss}] UAC bypass failed, continuing without elevation","NCRYPT_PAD_PKCS1_FLAG","using System.IO;","SetAttributes","indent","Nifty_Chrome","CompilerParameters","\",\"location\":\"","Sent {0} registry items successfully","rd_mouse_move","[BrowserHistory] Successfully parsed {0} entries using PowerShell","get_Width","<Location>k__BackingField","[LSASS] PROCESS_QUERY_INFORMATION failed (error: 0x{0:X8}), trying PROCESS_QUERY_LIMITED_INFORMATION","GetComputerNameA","<>9__1_0","<<HandlePacket>b__40>d","firefox_cookies_","System.ServiceProcess.dll","set_SendTimeout","fun_close_cd_tray","        Write-Output 'ERROR:Database file not found'","NewGuid","dirPath","IButtonControl","duration","get_StandardError","set_Style","\",\"gateway\":\"","get_IsCancellationRequested","disable_firewall","<HandlePacket>b__51_18","    $cmd.CommandText = 'SELECT name, value, date_created, date_last_used, count FROM autofill ORDER BY date_last_used DESC LIMIT 500'","ScanWallets","REG_BINARY","[LSASS] Exception: ","get_AddressFamily","CodeDomProvider","PasswordEntry","start \"\" \"","<GetServiceList>b__1_0","Firefox: Not installed","[ERROR] No credentials ZIP file to upload","set_Label","[BrowserHistory] Error scanning Edge profiles: ","[AutofillData] Error reading SQLite: ","FileManager","[BrowserHistory] Trying Python method","edge_cookies_","<<HandlePacket>b__42>d","Microsoft.CSharp","startup_list","<X/*r_","lpNumberOfBytesWritten","[BrowserHistory] System.Data.SQLite not available, skipping direct method","set_ActiveConnections","=== Log started at {0:yyyy-MM-dd HH:mm:ss} ===","    print(f'ERROR:{str(e)}')","<URL>k__BackingField","dmDisplayFrequency","BypassUACFodHelper","OrderByDescending","get_Password","get_Count","MAX_RECONNECT_ATTEMPTS","Client","REG_DWORD","Connection lost. Reconnecting in {0}ms (attempt {1})...","!This program cannot be run in DOS mode.","CHACHA20_KEY","ExtractEdgeCookies","computerName","Mozilla","Resize","ARROWDOWN","WPA/WPA2","MOUSEEVENTF_LEFTUP","walletGrabber","get_Now","set_Value","<Name>i__Field","System.Runtime.Versioning","USERPROFILE","ProcessThreadCollection","advfirewall set allprofiles state off","POINT","<Path>j__TPar","set_Success","pszImplementation","        $count = if ($reader['count']) { [int]$reader['count'] } else { 0 }","Uninstall command received","GetKeyName","rd_key_up","ReceivePacket","System.Collections.Concurrent","captureHeight","AsyncCallback","\",\"error\":\"","            } catch { continue }","autofillData",": Extracting cookies...","<Modified>k__BackingField","soundPath"," N&:!{","set_Credentials","PropertyInfo","get_Task","Firefox: Error - ","        if tables:","IPAddressCollection","<HandlePacket>b__51_5","BCryptDecrypt","list_dir","[SQLITE ERROR] sqlite3.dll not found: ","AsyncVoidMethodBuilder",".Client.ScriptExecutor+<ExecuteScriptAsync>d__1","Tuple`3","IsRunningElevated","set_AcceptButton","get_WorkingSet64","get_HasErrors","get_IsReady","mciSendString","Connection timeout","p*r?6","LockResource","[BrowserHistory] Cleaned up temp file","Calling ListKeysAsync for path: ","keyloggerActive","set_Text","ProcessQueue","ChangeDisplaySettings","CURSOR_SHOWING","        date_last_used = row['date_last_used'] if row['date_last_used'] else 0","<HandlePacket>b__51_13","idThread","AssemblyProductAttribute","Executing script (length: {0} chars)","FirstOrDefault","Where","pbKeyObject","empty_","hookThread","wallets_","EnableLUA","[DEBUG] Read {0:N0} bytes from source","loginDataPath","Format","Failed to add to Task Scheduler: ","op_Subtraction","AssemblyCopyrightAttribute","<Start>b__12_1","Building JSON for {0} registry items","fun_block_input","<Error>k__BackingField","CurrentUser","nVirtKey","System.Data.SQLite.SQLiteConnection, System.Data.SQLite","LocalFree","[AES-GCM ERROR] BCryptDecrypt failed: 0x{0:X8} (0xC000000D = STATUS_INVALID_PARAMETER, 0xC0000287 = STATUS_AUTH_TAG_MISMATCH)","GetDirectoryName",": Skipping cookies (file not found)","get_WiFiNetworks","ButtonBase",",^rS ","        ","schtasks.exe","[PASSWORDS ERROR] Exception: ","[DEBUG] ","Password recovery requested","        Join-Path $env:ProgramFiles 'System.Data.SQLite\\System.Data.SQLite.dll',","Sending empty browser history for ","isReconnecting","ReadAllBytes","[CHROME V20] Stage 1 DPAPI failed","reset","Litecoin","DateTime","WriteFile","[DEBUG] Source: ","SizeOf","<Adapters>k__BackingField","System.ComponentModel","sqlite3_step","<Speed>k__BackingField","cancellationToken","Sending autofill_data packet (JSON length: {0})","Error starting clipboard monitor: ","Preparing wallet extraction...","<GetBrowserHistoryAsync>d__1","get_NetworkInterfaceType","Error getting autofill data: ","wlan show profile name=\"","[CAPS]","get_IsDirectory","scanCode","GetStringResource","    </security>","SendClipboardData","set_StartInfo","            print(f'{url}|{title}|{visit_count}|{last_visit}')","System.IO.Compression.FileSystem.dll","    cursor.execute(\"SELECT name FROM sqlite_master WHERE type='table' AND name='urls'\")","chunkPath","fun_swap_mouse","ICONINFO","get_Length","ShowWindow","Code preview (first 200 chars): ","Exodus","firefox","List`1","set_Browser","SetException","pbMacContext","SystemIcons","Network is null, cannot handle packet","mscorlib","get_DriveType","ChaCha20Poly1305","Phantom_Brave","startupManager","[SQLITE ERROR] Unexpected step result: {0}","[{0:yyyy-MM-dd HH:mm:ss}]","SQLite format 3",",\"value\":\"","<HandlePacket>b__28","GetBrowserPasswords","MainLoop exited, connection lost. Will reconnect...","`.rsrc","GatewayIPAddressInformation","ProcessManager","[{0:yyyy-MM-dd HH:mm:ss}] Browser data uploaded successfully!","FromSeconds","masterKey","Registry list packet data: ","add_startup","Activator","\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\egjidjbpglichdcondbcbdnbeeppgdph","lpNumberOfBytesRead","Google Chromekey1","Failed to send error packet: ","sourcePath","CompilerResults","set_Error","ProcessWindowStyle","[CHROME V20] LSASS impersonation failed - cannot decrypt v20 keys","StringSplitOptions","Removed from Task Scheduler","[COOKIES] Summary: {0} succeeded, {1} failed, total={2}","object","<HandlePacket>b__51_11","set_Width","Tuple`6","process_result","<ExecuteScriptAsync>d__1","<VisitCount>k__BackingField",": Failed to copy cookies database","FromMilliseconds","  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">","<HandlePacket>b__51_4","FromBase64String","GetFiles","[SUCCESS] Edge/{0}: Saved {1} cookies to {2}","<GetNetworkInfoAsync>b__0_0","[ERROR] SafeCopyDatabaseFile exception: ","<Size>k__BackingField","dwFlagsAndAttributes","Receive packet failed: ","<ListDirectory>b__2_1","<PrivateImplementationDetails>","CreatePackage","CloseHandle","keylogger","[PASSWORDS] Summary: {0} succeeded, {1} failed, total={2}","Archive created: ","\\Zcash","<IsKey>k__BackingField","networkSemaphore","[CTRL]","[AES-GCM] Starting decryption: key={0}, iv={1}, ciphertext={2}, tag={3}","[AutofillData] File.Copy failed: ","<>4__this","t.>+K","System.Drawing.Imaging","<X/*r","Send binary file failed: ","SWP_NOMOVE","TrimEnd","[DEBUG] {0}: Found {1} profile directories","E@>#F","[CHROME V20] Stage 1: DPAPI with LSASS impersonation...","Equals","get_AvailableFreeSpace","DestroyHandle","ThreadAccess","GetCurrentProcess",",\"size\":{0}","set_Height","file_result","AssemblyTitleAttribute","set_FormBorderStyle","Zcash","NetworkAdapter","get_MainModule","Contains","reconnectAttempts","Microsoft.Win32","ExtractJsonValue","mouse_event","[DECRYPT] Encrypted data: length={0}, prefix='{1}', isCookie={2}","get_X","GetBrowserHistoryAsync returned {0} entries","dmPositionY","ChangeWallpaper","{{\"letter\":\"{0}\",\"type\":\"{1}\",\"total\":{2},\"free\":{3}}}","webdata_{0}.db","<>9__51_3","pReserved","<GetNetworkAdapters>b__1_0","\",\"history\":[","Script execution failed: ","TryReadAutofillWithPython","service_result","dmReserved1","GetKeyState","        exit 1","<ExecuteScriptAsync>b__0","using System.Collections;","[CHROME V20] Stage 2 DPAPI failed or too small (size: {0})","Failed to create assembly","<>c__DisplayClass51_11","change_quality","base64","monitoring",",\"data\":\"","\",\"type\":\"","BindingFlags","MetaMask_Brave","            print('ERROR:Available columns: ' + ', '.join(columns))","get_Left","<SetValueAsync>b__0","DeleteSubKeyTree","        name = name.replace('|', '{PIPE}')","<<SendPacketAsync>b__0>d","[BrowserHistory] Error parsing ","<HandlePacket>b__41","public class","[ERROR] Edge cookies error: ","pEntropy","ContentAlignment","    # First, check if urls table exists","Total: {0} passwords, {1} cookies","SelfDelete","{\"success\":","Browser","[BrowserHistory] Trying PowerShell method","SizeofResource","        cursor.execute(\"SELECT name FROM sqlite_master WHERE type='table'\")","\",\"dns\":\"","wallets","SetParent","Listing registry (normalized): ","Credentials_{0}_{1:yyyyMMdd_HHmmss}.zip","ShakeWindow","Screenshot capture returned null or empty","SystemParametersInfo","edge_cookies_{0}_{1}.db","Removable","Data Source=","desktopActive","ISZ #","Registry","runas","System.Linq","[SQLITE] Cookie row {0}: host={1}, name={2}, blob_size={3}","import sys","[ERROR] CreateFile failed with error: {0}","Translation","Browser Data Extractor (.NET Framework)","        print('ERROR:Database file not found')","Phantom_Chrome","Remote desktop input control enabled","[BrowserHistory] Found {0} potential history paths","        name = row['name'] if row['name'] else ''","_bZ `","{0}: Master key OK ({1} bytes)","get_Id","Cancel","start_keylogger","[CHROME V20] Blob too small for AES-GCM (need {0}, got {1})","    conn = sqlite3.connect(db_path)","<>c__DisplayClass51_5","CompilerError","GetActiveConnections","vkCode","DownloadString","timeoutMs","HasData","[BrowserHistory] Found Opera version: ","FILE_ATTRIBUTE_NORMAL","fun_lock_screen","[DECRYPT SUCCESS] v20 cookie (trimmed): {0} chars","IsInRole","hModule","get_Application","{{\"text\":\"{0}\",\"timestamp\":\"{1:yyyy-MM-dd HH:mm:ss}\"}}","{\"error\":\"Failed to get network info\"}","<>c__DisplayClass51_15","$a1b2c3d4-e5f6-7890-abcd-ef1234567890","MAPVK_VK_TO_VSC","System.IO.Compression","\\Google\\Chrome\\User Data\\Profile 2\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn","phProvider","System.Xml.dll",".cctor","        count = row['count'] if row['count'] else 0","get_Chars","cbSecret","set_SendBufferSize","GetValue","DELETE","[DECRYPT ERROR] DPAPI decryption returned null/empty","FrameworkDisplayName","MIN_ALL_UNDO","CancellationToken","ServiceManager","DecryptWithNCrypt","Mutex","[BrowserHistory] Failed to load System.Data.SQLite from ","Handling packet: ","chunkIndex","get_Modified","FtpWebResponse","OriginalFilename","DeleteObject","GetProcessList","<SendBinaryFrameAsync>d__24","AES_KEY",": Failed to copy database","Default","        print('ERROR:Database file is empty')","add_Click","DriveInfo","ReadSQLitePasswords","OpenSubKey","OperaGX","browser","[CHROME V20] Using AES-GCM with hardcoded key","get_Item2","\"width\":","[DEBUG] Copying WAL file...","hiberfil.sys","get_startup","PAGEDOWN","IntPtr","<>c__DisplayClass51_23","[COOKIES] Decrypting entry {0}: host={1}, name={2}, encrypted_size={3}","{0}_login_{1}_{2}.db","GetBrowserHistoryAsync","<RunLimitedOperation>b__0","  <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\"/>","[AES-GCM] GCM mode set","<>c__DisplayClass2_0",",Client.Program+<>c+<<HandlePacket>b__51_20>d","<>c__DisplayClass51_10","get_Right","WindowsIdentity","[CHROME V20] Unsupported flag: {0} (supported: 1=AES-GCM, 2=ChaCha20, 3=NCrypt)","[AutofillData] Robocopy failed: ","GetServices","Profiles","<RecoverPasswordsAsync>b__0_0","ENTER","\"countryCode\":\"","get_ErrorText","get_InnerException","Action`1","execute_script","===========================================","app_bound_encrypted_key","            title = row['title'] if row['title'] else ''","get_Item5","pbTag","Sleep","[BrowserHistory] PowerShell error: ","System.Drawing","[BrowserHistory] File exists: {0}, Size: {1} bytes, LastWrite: {2}","Profile 2","3Client.PasswordRecovery+<RecoverPasswordsAsync>d__0","start_desktop","MoveMouse","\",\"description\":\"","IndentCode","ImpersonateLsass","sqlite3.dll","{\"progress\":0,\"message\":\"Cannot download system file\"}","network_info","Packet too small: {0} bytes","get_Bounds","ToUpper","<HandlePacket>b__23","        print('ERROR:autofill table does not exist')","[BrowserHistory] Getting history for browser: ","<>9__51_44","BCryptSetProperty","[DECRYPT] Encrypted data is null or too small: {0} bytes","WH_KEYBOARD_LL","ExtractBrowserData","ScriptResult","error","GENERIC_READ","Timer","<HandlePacket>b__51_16",",\"modified\":\"","System.Net","File data cannot be empty","<SetValueAsync>d__1","[DEBUG] Copying SHM file...","lpSystemName","{\"type\":\"","serviceManager","SystemDefault",": Attempting safe copy...","[SQLITE ERROR] Failed to prepare cookies statement, code: {0}","REG_QWORD","hWndInsertAfter","\\Microsoft\\Edge\\User Data\\Default\\Local Extension Settings\\ejbalbakoplchlghecdalmeeeajnimhm","<ShowMessage>b__0","ReleaseHdc","MOUSEEVENTF_MIDDLEUP","<RecoverPasswordsAsync>d__0","SECURITY_IMPERSONATION","[LEFT]","get_Address","python.exe","DWORD","IAsyncStateMachine","get_Ticks","ToArray","[DECRYPT SUCCESS] DPAPI: {0} chars","    $sqlitePaths = @(","<Security>k__BackingField","totalPasswordsCount","{{\"name\":\"{0}\",\"value\":\"{1}\",\"dateCreated\":{2},\"dateLastUsed\":{3},\"count\":{4}}}","get_DnsAddresses","set_Icon","System.Data.SQLite.SQLiteDataReader, System.Data.SQLite","notepad.exe","            }","[ERROR] Fallback copy also failed: ","{\"items\":[","Unknown packet type: ","[CHROME V20] ChaCha20-Poly1305 error: ","VK_MBUTTON","<ListKeysAsync>b__0","get_Description","Error in main loop ({0}/{1}): {2}","System.Reflection","ShowTaskbar","No wallets found on this system.","FALSE","[AES-GCM] Algorithm provider opened","passwordsDir","{\"isInStartup\":","p*rY6","<>c__DisplayClass11_0","profileName","<Browser>k__BackingField","sqlite3_close","VK_MENU","op_Equality","MouseWheel","checkName","cbKeyObject","        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>","\" /R:3 /W:1 /NFL /NDL /NJH /NJS","deviceName","[{0:yyyy-MM-dd HH:mm:ss}] Not running as admin, attempting FodHelper UAC bypass...","stateMachine","<>9__51_0","Key Content","MetaMask_Chrome","[*] Read {0:N0} bytes from ZIP file","get_Errors","\"shiftKey\":true","get_ManagedThreadId",": Error - ","Dogecoin","ReadCookies","SPIF_UPDATEINIFILE","Self-delete initiated","\",\"ip\":\"","RemoteInput","Screenshot requested","flags","ManagementObjectSearcher","Autofill data packet received","ReadToEnd","GetTypeFromHandle","fun_open_website","<>c__DisplayClass51_22","{\"error\":\"","FClient.NetworkOptimized+<>c__DisplayClass22_0+<<SendPacketAsync>b__0>d","Outlook","ProductVersion","<>9__41","MetaMask_Edge","get_IsActive","[SQLITE] Preparing cookies query...","\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn","get_Default","<Username>k__BackingField","tryV20","VK_SHIFT","FileZilla","AsyncTaskMethodBuilder","[SQLITE] Opening cookies database: ","SelectMode","KeyUp","        Write-Output \"$url|$title|$visitCount|$lastVisit\"","Connection appears stale (no activity for {0}ms), forcing reconnection...","        print('ERROR:urls table does not exist in database')","<>c__DisplayClass51_20","hTemplateFile","System.Threading.Tasks","[BrowserHistory] Error scanning Opera: ","[DEBUG] {0}/{1}: Found {2} password entries","        $count++","BrowserDataExtractor","<Data>k__BackingField","<Status>k__BackingField","rd_mouse_wheel","System.Data.SQLite.dll","ManagementObjectEnumerator","Opera GX","[CHROME V20] NCrypt+XOR+AES-GCM successful: {0} bytes","Sending registry_list packet (JSON length: {0})","GetBytes","\",\"speed\":\"","set_MACAddress","\"path\":\"","callback","WM_KEYDOWN","active","using System.Threading;","CreateZipArchive","decryptCallCount","    exit 1","GetCursorInfo","<MACAddress>k__BackingField","__StaticArrayInitTypeSize=32","hbrFlickerFreeDraw","Screenshot failed: screenCapture or network is null","cbOutput","\\Coinbase","get_Value","\\Binance","GetCountry","Stopping clipboard monitor","System.Net.Http.dll","MAX_CONSECUTIVE_ERRORS","pbNonce","Profile 3","System.Net.NetworkInformation","<HandlePacket>b__51_49","basePath","ForceReconnect","places.sqlite","[SQLITE ERROR] Stack: ","EnumDisplaySettings","AssemblyCompanyAttribute","{\"name\":\"","    # Check file size","AdjustTokenPrivileges","GetText","<Title>k__BackingField","<GetNetworkAdapters>b__1_1","dmSize","        value = row['value'] if row['value'] else ''","ProductName","[SQLITE] sqlite3_open result: {0} (0=OK)","DecodeBase64",": Cookies database copied successfully","hFile","    $cmd.CommandText = '","lpUsedDefaultChar","GetChromeV20MasterKey","<>c__DisplayClass51_4","\"ctrlKey\":true","Distinct","</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD","set_Title","_cookies_","WriteAllText","[SHIFT]","calc.exe","pcbResult","8H9'9.","shouldReconnect","[NCRYPT] Opening storage provider...","Remote desktop active at {0} FPS on monitor {1}","take_screenshot","[BrowserHistory] Trying ","set_URL","autofill_{0}.py","SafeCopyDatabaseFile","button","nByte","CP_UTF8","[BrowserHistory] Error scanning Chrome profiles: ","LockScreen","_passwords_","get_MemoryUsage","XorBytes","<>7__wrap1","System.Windows.Forms","sqlite3_finalize","pbOutput","rd_mouse_up","\"height\":","MetaMask_Opera","Abort","[BrowserHistory] File does not exist: ","Local State","Output: ","phAlgorithm","lpDefaultChar","Cannot start clipboard monitor: network not connected","public static void Main","set_Interval","NetworkInfo","CoinbaseWallet_Chrome","Building JSON for {0} history entries","KEYEVENTF_EXTENDEDKEY","get_drives","set_Dock","hwndCallback","LoadFrom","<HandlePacket>b__35","IsDigit","get_IPAddress","Sending empty registry list","<>c__DisplayClass1_0","[{0:yyyy-MM-dd HH:mm:ss}] Browser data upload failed!","pszSound","[SQLITE ERROR] Ensure sqlite3.dll is in the same directory as the executable","VarFileInfo","\\Litecoin","get_FreeSpace","ControlCollection","lpFileName","    $reader = $cmd.ExecuteReader()","dmColor","Replacing literal \\n with actual newlines","(empty)","FindResource","000004b0","BCRYPT_CHAINING_MODE","[{0:HH:mm:ss.fff}] {1}","set_RedirectStandardError","Clear","],\"connections\":[","Firefox: Checking...","hResInfo","import os","ERROR:","Browser_","PasswordRecovery","AwaitUnsafeOnCompleted","set_Letter","<>9__51_47","IOrderedEnumerable`1","get_ReferencedAssemblies","<Application>k__BackingField","IOControlCode","get_MachineName","Graphics","GetFTPPasswords","compressing","    table_exists = cursor.fetchone()","opera","CopyDirectory","[*] Creating credentials archive...","TaskAwaiter","edgeUserData","dmDisplayFlags","[BrowserHistory] Error in Python method: ","GetFileName","DeleteValue","    except sqlite3.OperationalError as e:","cbMultiByte","processManager","remove_startup","[ERROR] Stack: ","    if not table_exists:","        conn.close()","dmDriverExtra","Failed to create archive: ","<LastVisit>k__BackingField","    $conn.Open()","Screenshot captured: {0} bytes, sending...","<HandlePacket>b__51_6","ProcessHandle","<>c__DisplayClass50_0","dmMediaType","<IndentCode>b__0","<Pid>k__BackingField","<HandlePacket>b__51_14","IsNullOrWhiteSpace","Bitmap","185.163.204.93","<HandlePacket>b__51_45","SUSPEND_RESUME","<HandlePacket>b__26","SELECT host_key, name, encrypted_value, path, is_secure, expires_utc FROM cookies","CombinePath","BCryptCloseAlgorithmProvider","Found {0} actual newlines and {1} literal \\n sequences","clipboard_data","Func`2","\",\"status\":\"","GetCredentialsZipPath","<ShowMessage>b__2","set_ValueType","Added to Task Scheduler (runs every 1 minute)","        $visitCount = if ($reader['visit_count']) { [int]$reader['visit_count'] } else { 0 }","WrapNonExceptionThrows","set CDAudio door closed","<HandlePacket>b__51_20","dwExtraInfo","get_DateLastUsed","[BrowserHistory] Not a valid SQLite file (header: ","get_ProcessName","[NCRYPT] Opening key 'Google Chromekey1'...","System.Collections.Generic","hThread","get_TotalSize","System.Management.dll","<Output>k__BackingField","GetLastWin32Error","HighPart","Error in desktop frame capture: ","Getting browser history: ","GetStream","ConcurrentQueue`1","Microsoft.CSharp.dll","winmm.dll","            print('ERROR:Missing columns: ' + ', '.join(missing_columns))","PreviousState","<>c__DisplayClass51_1","<HandlePacket>b__39","empty_wallet_","[{0:yyyy-MM-dd HH:mm:ss}] UAC bypass successful, process will restart elevated","<ShowMessage>b__1","piconinfo","SQLiteHelper",": Local State not found","set_Caption","<HandlePacket>b__51_17","[COOKIES FAIL] Decryption failed for ","EncoderParameter","<>9__51_5","History","j k l m\"n\"o\"p\"q$r$s$t$u&v&w(x(y(z({+|+}-~.","<Path>k__BackingField","ClipboardMonitor","System.Runtime.InteropServices","Point","[AutofillData] Successfully read {0} entries using PowerShell","crypt32.dll","PAGEUP","start_clipboard_monitor","dwPromptFlags","[*] Uploading credentials to server {0}:{1}...","set_Pid","dmDitherType","Software\\Microsoft\\Windows\\CurrentVersion\\Run","modeNum","localStatePath","Connecting to {0}:{1}","ListKeysAsync","fun_spam_disk","(null)","/delete /tn \"","[BrowserHistory] Successfully read {0} entries using System.Data.SQLite","[CHROME V20] Header length: {0}, Flag: {1}","Fatal error: ","LOCALAPPDATA","\",\"isKey\":","LegalCopyright","Unknown","[AES-GCM] Symmetric key generated","RestoreMouseButtons","[AutofillData] Parsing Web Data database: ","pdwFlags","[COOKIES ERROR] Exception: ","[NCRYPT] Decrypting {0} bytes...","dmLogPixels","get_services","CreateDirectory","Profile 1","IAsyncResult","history_{0}.db","Capturing screenshot from monitor {0}","<SetValueAsync>b__1_1","EnableDebugPrivilege","\\Microsoft\\Edge\\User Data\\Default\\Local Extension Settings\\bfnaelmomeimhlpmgjnjophhpkkoljpa","ExtractPasswords","GetFileSystemInfos","dmPelsWidth","[BrowserHistory] Total unique paths: {0}","        for row in rows:","    $count = 0","copying","EndsWith","        # Check if columns exist","AssemblyFileVersionAttribute","except Exception as e:","NewState","walletName","IsWhiteSpace","CreateFromDirectory","ReconnectionLoop","istepIfAniCur","set_QueuedAt","set_MemoryUsage","\\Opera Software\\Opera Stable\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn","    $conn = New-Object System.Data.SQLite.SQLiteConnection('Data Source=''$dbPath'';Read Only=True;')","Process {0} kill result: {1}","dwData","set_Font","{{ Name = {0}, Path = {1} }}","Sending empty autofill data for ","processId","<>c__DisplayClass51_21","yyyy-MM-dd HH:mm","ToInt32","Error sending desktop frame: ","[{0:yyyy-MM-dd HH:mm:ss}] === RMM Client Starting ===","                continue","GetMonitorCount","registry_result","PlaySoundFile","set_ExStyle","GetIconInfo","ThenBy","uCode","ReturnLength","Wallet extraction completed successfully!","DebuggingModes","[{0:yyyy-MM-dd HH:mm:ss}] UAC bypass disabled, browser extraction requires admin privileges",",\"current\":{0},\"total\":{1}","<>9__51_4","[BrowserHistory] Successfully read {0} entries using Python","using System.ComponentModel;","<HandlePacket>b__31","monitor","System.Security.Principal","FreeHGlobal"," r(\"$","Error getting browser history: ","set_Data","{{\"success\":false,\"pid\":{0},\"error\":\"{1}\"}}","[BrowserHistory] Parsing {0} lines from PowerShell output","drives_list","[SQLITE] Opening database: ","closed","RemoveClipboardFormatListener","CheckConnectionHealth","GetHashCode","CRITICAL ERROR in HandlePacket: ","\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn","AsyncStateMachineAttribute","INITIAL_RECONNECT_DELAY","[AutofillData] Attempting to copy database to temp: ","TOKEN_DUPLICATE","completed",": Cookies file not found","get_Browser","Task Scheduler creation failed (exit code: {0})","All User Profile","lastClipboardText","totalChunks","ManagementObjectCollection","MinimizeAllWindows","CreateSubKey","set_Verb","dmPanningWidth","[NCRYPT] Failed to get buffer size: 0x{0:X8}","fun_restore_mouse","Too many consecutive errors, connection appears dead. Will reconnect...","Task`1","{\"ping\":","OpenCDTray","    if file_size == 0:","get_Letter","set_GenerateExecutable","<>c__DisplayClass24_0","ftp://server09.mentality.cloud/public_html/sqlite3.dll","DrawImage","<HandlePacket>b__22","using System.Linq;","get_Security","SPACE","title","get_White","Atomic","[ALT]","get_Exists","{\"isAdmin\":","# Netscape HTTP Cookie File","<>9__51_15","set_AutoFlush","AssemblyTrademarkAttribute","BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO","block","Calling GetAutofillDataAsync for browser: ","Select","Screenshot sent successfully","BCRYPT_AES_ALGORITHM","\",\"history\":[]}","get_Available","ProcessInfo","Code length: {0}, contains newlines: {1}, contains \\n literal: {2}","set_WiFiNetworks","get_Item4","[SQLITE] Query complete. Total rows: {0}","IProgress`1","set_WindowStyle","GetProcessesByName","Phantom_Edge","get_ASCII","Setting registry value: ","Marshal","TranslateMessage","get_QueuedAt","<<HandlePacket>b__48>d","<>9__51_49","CD/DVD","download_file","\",\"autofill\":[","        Write-Output 'ERROR:No rows found'","<WiFiNetworks>k__BackingField","DuplicateTokenHandle","fIcon","set_IsKey","monitorBounds","ExecuteFile","uninstall_client","{\"adapters\":[","FlagsAttribute","{\"success\":false,\"error\":\"","AutofillData","pszProperty",": Skipping passwords (file not found)","\",\"items\":[]}","<>1__state","Remote desktop input control disabled","            } catch {","<HandlePacket>b__51_19","operationSemaphore","[BrowserHistory] Robocopy failed: ","base64Data",".Client.AutofillData+<GetAutofillDataAsync>d__3","set_Exists","[ERROR] Upload failed: ","MOUSEEVENTF_LEFTDOWN","[AutofillData] Error parsing ","    for row in rows:","[BrowserHistory] Checking path: ","<IsDirectory>k__BackingField","get_OSVersion","<HandlePacket>b__51_15","Output folder: ","RecoverPasswordsAsync","dmTTOption","set_Name","no_wallets_found.txt","{\"processes\":[","[SQLITE] Total valid cookie entries: {0}","#Strings","WiFiNetwork",".NETFramework,Version=v4.8","Opera Software","GetDriveTypeString","[LSASS] DuplicateToken failed (error: 0x{0:X8})","Create","\\Programs\\Exodus","MoveNext","MOUSEEVENTF_ABSOLUTE","Sent {0} autofill entries for {1} successfully","ppStmt","get_IsConnected","System32","{0}: {1} (Line {2})","[AES-GCM ERROR] BCryptSetProperty failed: 0x{0:X8}","lpMsg","get_SocketErrorCode","GetIPProperties","[{0:yyyy-MM-dd HH:mm:ss}] FodHelper failed, trying runas...","\",\"items\":[","Script class not found in compiled code","connected","        Write-Output \"$name|$value|$dateCreated|$dateLastUsed|$count\"","\\Microsoft\\Edge\\User Data\\Default\\Local Extension Settings\\egjidjbpglichdcondbcbdnbeeppgdph","walletPath","System.Drawing.Drawing2D","System.Management","<HandlePacket>b__32","get_DataAvailable","GetPort","get_LastWriteTime","[CHROME V20] Found app_bound_encrypted_key (base64 length: {0})","Socket","dwLegacyKeySpec","RuntimeHelpers",".NET Framework 4.83","altKey","SND_FILENAME","<ActiveConnections>k__BackingField",".text","NativeWindow","<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">","diFlags","get_FileName","    $reader.Close()","set_SSID","HKEY_CURRENT_USER","EnsureSQLiteDLL","get_UnicastAddresses","<RunLimitedOperation>b__1","set_RedirectStandardOutput","WebClient","Binance","dwInfoVersion","Error killing process {0}: {1}","ClassesRoot","MouseDown","Main method not found in Script class","    conn.row_factory = sqlite3.Row","OpenNotepad","http://","KClient.NetworkOptimized+<>c__DisplayClass24_0+<<SendBinaryFrameAsync>b__0>d","Creating ZIP archive...","get_Status","lastGCCleanup","bScan","STATIC","bInheritHandle","-Client.WebcamCapture+<CaptureWebcamAsync>d__0","{\"success\":false,\"error\":\"Cannot download system file: ","buffer","<HandlePacket>b__51_43","@.reloc","MOUSEEVENTF_RIGHTDOWN","GetAwaiter","[CHROME V20] APPB key extracted, size: {0} bytes","registry_list","X )UU","SendBinaryFrameAsync","Failed to set file attributes: ","__StaticArrayInitTypeSize=6","Connection closed","DockStyle","Received null packet from network","System.CodeDom.Compiler","Environment","ncrypt.dll","System.Drawing.dll","<Start>b__12_0","Unknown error","Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles","cchWideChar","System.dll","    # Try to query the urls table","get_Question","[SQLITE ERROR] Cookies exception: ","cbTag","DirectoryInfo","{{\"status\":\"{0}\",\"message\":\"{1}\",\"progress\":{2}","get_Item6","cbNonce","\\Bitcoin","<>9__1_1","network","[LSASS] OpenProcessToken failed (error: 0x{0:X8})","        if missing_columns:","Logger","FileVersion","using System.Threading.Tasks;","get_Name","Base64Decode","VS_VERSION_INFO","hwndApp","MulticastDelegate","<>9__0_0","AsyncTaskMethodBuilder`1","            url = url.replace('|', '{PIPE}')","BCryptGenerateSymmetricKey","Invalid PID for kill_process","captureWidth","Users","dmICMIntent","Edge: Extracting cookies...","SendBinaryFrame","ReadAutofillFromSQLite","<>9__51_1","ERROR_SUCCESS","nNumberOfBytesToWrite","<>9__51_8","fileManager","[BrowserHistory] Getting paths for browser: ","System.Web.dll","<HandlePacket>b__10","Filename cannot be empty","get_Item1","BCryptOpenAlgorithmProvider","check_startup","Execute script packet received","    sys.exit(1)","System.Windows.Forms.dll","pcbBinary","Error receiving packet: ","dmPelsHeight","<>c__DisplayClass22_0","Error in queued operation: ","CopyFromScreen","serverPort","WriteLog","CodePage","    if not cursor.fetchone():","Error during uninstall: ","Phantom_Chrome_Profile1","execute_file","Login Data","[LSASS] Impersonation successful","sqlite3_column_int64","GetBrowserHistoryPaths","[BrowserHistory] Robocopy succeeded but file not found at expected location","set_FreeSpace","MOUSEEVENTF_WHEEL","consecutiveErrors","<startTime>5__2","185.163.204.93|8080|false|false|false","CURSORINFO","NumberStyles","healthMonitorCts","SetApartmentState","System.IO.Compression.dll","Failed to remove from Task Scheduler: ","[BrowserHistory] Found Firefox profile: ","GetOS","<>c__DisplayClass51_17","networkInfo","<<SendPacketNonBlocking>b__0>d","set_DNSServers","Clipboard monitor stopped","BinanceChain_Chrome","GetAllNetworkInterfaces"," stderr: ","get_ModuleName","get_CurrentMonitor","Kill process packet data: ","fun_shake_windows","ProcessStartInfo","SQLITE_DONE","-ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command \"","<HandlePacket>b__38","GetType","System.Data.dll","<Module>","GetLogPath","ParsePacket","[SQLITE] Database closed","GetThreadId","SendProgress","[ERROR] Failed to connect to server {0}:{1}","Error grabbing wallet: ","GetServiceList","get_TotalSeconds","dwCreationDisposition","MemoryStream","pPaddingInfo","SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time DESC LIMIT 1000","get_Handle","            print('ERROR:No rows found in urls table')","set_MaximizeBox","<>9__2_1","[SQLITE] sqlite3_open result: {0} (0=OK), handle: {1}","RT_RCDATA","powershell.exe","HasCryptoWallets","[NCRYPT] Failed to open provider: 0x{0:X8}","rd_key_down","Shell_TrayWnd"," Q._!","[AutofillData] Found {0} potential Web Data paths","ReadSQLiteCookies","set_ClassName","DebuggerHiddenAttribute","[AutofillData] Error in GetAutofillDataAsync: ","dmDisplayFixedOutput","GetConfig","\\.\"+\\","encryptedData","isLogging","get_processes","Disconnect","ServiceInfo","GetSubPath","Connect","\"monitor\":","credentialsZipPath","set_MinimizeBox","{0}: {1} passwords, {2} cookies","set CDAudio door open","<HandlePacket>b__30","system volume information","WindowsUpdate","<>f__AnonymousType0`2",";Read Only=True;","pszProviderName","127.0.0.1","DMDO_DEFAULT","ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/","client","<SSID>k__BackingField","NetworkCredential","registryEditor","WM_QUIT","fileData","GetEdgeMasterKey","BrowserData_","      <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">","BCRYPT_CHAIN_MODE_GCM","      </requestedPrivileges>","IsAdmin"," dY` ","ctrlKey","<>c__DisplayClass51_13","System.Net.Sockets","GetProperty","get_DateCreated","IPInterfaceProperties","Enqueue",": Not installed","GetFolderPath","Initialize","get_Label","CompanyName","[BrowserHistory] Successfully copied database using robocopy (exit code: {0})","queueLock","Trezor","processes_list","passwordRecovery","WrapCode","update_client","SendPacketAsync","fBlockIt","get_Y","Email","<DisplayName>k__BackingField","set_GenerateInMemory","GatewayIPAddressInformationCollection","lpWideCharStr","{\"ssid\":\"","Packet too large: {0} bytes (max: 50MB)","pzTail","get_MainWindowHandle","op_GreaterThanOrEqual","\",\"files\":[","FlatButtonAppearance"," (empty or error)","set_Method","SocketOptionName","Received null or invalid packet","CreateInstance","set_Arguments","/create /tn \"","            url = row['url'] if row['url'] else ''","cookies.sqlite"," Mbps","(Default)","fWinIni","set_Output","keybd_event","Starting clipboard monitor","    if not os.path.exists(db_path):","get_Bottom","FILE_SHARE_READ","get_Threads","isV20","Getting autofill data: ","http://ip-api.com/json/?fields=countryCode",",\"size\":",": Scanning profile: ","StartsWith","set_registry_value","bufferSize","p*r16","set_StartPosition","[AES-GCM ERROR] BCryptGenerateSymmetricKey failed: 0x{0:X8}","[LSASS] Process handle opened successfully","set_TotalSize","FILE_SHARE_WRITE","CSharpCodeProvider","Building JSON for {0} autofill entries","lsass","value","CloseMainWindow","GetResponse","ExecuteScriptAsync","System.Diagnostics","Script executed successfully. Output length: {0}","YandexBrowser","Profile","stop_clipboard_monitor","logWriter","GetProcesses","dmPositionX","suspend_process","timeout /t 2 /nobreak >nul","starting","<DateLastUsed>k__BackingField","VkKeyScan","get_URL","Execution error: ","dmCollate","<>u__1","FromArgb","imagePath","get_CompiledAssembly","Script code is empty after extraction","GetMessage","@echo off","CompileAssemblyFromSource","Switching to monitor {0}","lpModuleName","wallet_progress","<>c__DisplayClass51_0","OpenProcessToken","StreamReader","BrowserHistory","SELECT origin_url, username_value, password_value FROM logins","stop_keylogger","BufferLength","    $conn.Close()","[COOKIES SUCCESS] Decrypted cookie for {0}/{1}: {2} chars","processAccess","<HandlePacket>b__50"," browser completely and try again","LowLevelKeyboardProc","pPrompt","[AutofillData] Copy operation failed: ","admin_syn","serverIP","        }","operationQueue","set_CurrentMonitor","userDataPath","set_LastVisit","ThreadStart","DATA_BLOB","MOUSEEVENTF_RIGHTUP","width","yHotspot","GetTotalPasswords","BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_VERSION","GetExecutingAssembly","autofill_debug.log","LocalMachine","xLeft","GetWindowRect","set_Password","OpenWebsite","\\Dash","funFunctions","<Client.Program+<>c__DisplayClass51_19+<<HandlePacket>b__40>d","rd_mouse_down","[AutofillData] Error in PowerShell method: ","get_Username","get_MACAddress","        if len(rows) == 0:","cbMacContext","<>9__51_43","Update: Restarting client...","<>c__DisplayClass51_16","get_ValueType","[CHROME V20] Invalid APPB prefix (got: ","<HealthMonitorLoop>d__30","System.Data.SQLite.SQLiteCommand, System.Data.SQLite","dbPath","encrypted","<ValueType>k__BackingField","<SendPacketAsync>b__0","Sending browser_history packet (JSON length: {0})","                break","<SendDesktopFrame>b__0","scan_wallets","OperatingSystem","NameValueCollection","Ethereum","aborted","Edge: User Data not found","<HandlePacket>b__25","GetRegistryRoot","pbInput","ARROWUP","Error taking screenshot: ","<DNSServers>k__BackingField","get_Gateway","MathWallet_Chrome","WebcamCapture","SuspendThreadNative","NCryptDecrypt","Mozilla/5.0","try {","        $lastVisit = if ($reader['last_visit_time']) { [long]$reader['last_visit_time'] } else { 0 }","ERROR",": Edge cookies handled separately","set_IPAddress","[RIGHT]","[SQLITE] Cookies query complete. Total rows: {0}","LastIndexOf","9F7A3CA09774D6CDD2B19BC77593698706C324EB8D662D888826F5CC8E293EB5","Segoe UI","get_IsDesktopActive","stop_desktop","[BrowserHistory] Successfully copied database using File.Copy","[BrowserHistory] No entries extracted from ","attempt","startup_result","using Microsoft.Win32;","IEnumerator","[CHROME V20] Exception: ","file_download_progress","AddToStartup","TryDequeue","[AutofillData] Successfully copied using robocopy","get_GatewayAddresses","using System.ServiceProcess;","<>c__DisplayClass0_0","ptScreenPos","hookId","lpBuffer","[BrowserHistory] Error in PowerShell method: ","[AutofillData] Extracted {0} autofill entries from {1}","AssemblyDescriptionAttribute","pDataOut","<HandlePacket>b__51_37","GetDrives","STRING","ServiceController","SuspendProcessThreads","get_UserName","get_ExitCode","hWndNewParent","[DEBUG] Edge/{0}: Found {1} raw cookie entries","[DEBUG] WAL copy failed (not critical): ","filename","IDisposable","ContainsText","ListKeysAsync returned {0} keys","method","lpMultiByteStr","get_IsRunning","[DECRYPT] Using DPAPI fallback (no v10/v11/v20 prefix)","[LSASS] lsass.exe process not found","[NCRYPT] Failed to decrypt: 0x{0:X8}","OctoRAT_Client_Mutex_{B4E5F6A7-8C9D-0E1F-2A3B-4C5D6E7F8A9B}","outputRoot","[AES-GCM SUCCESS] Decrypted {0} bytes","hCursor","C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb","HKEY_CURRENT_CONFIG","Network info requested","[BrowserHistory] {0} output length: {1}","        value = value.replace('|', '{PIPE}')","fdwSound","Report","get_Path","uiAction","ToInt64","get_TotalMilliseconds","[BrowserHistory] Attempting to copy database to temp: ","WaitForExit","Console","9.L3\"","NCryptFreeObject","Log file: ","uFlags","get_network_info","running","RunLimitedOperation","WalletPath","TOKEN_QUERY","{\"progress\":50,\"message\":\"Sending file (","GetAddressBytes","set_UseBinary","\\Monero","HWND_TOP","CompilationRelaxationsAttribute","nNumberOfBytesToRead","get_Token","3Client.NetworkOptimized+<SendBinaryFrameAsync>d__24","GetModuleHandle","<>c__DisplayClass51_9","get_Line","<<SendBinaryFrameAsync>b__0>d","DebuggerBrowsableAttribute","stateLock","{\"passwords\":[],\"error\":\"Password recovery not yet implemented\"}","get_IsAlive","RegistryKey","Firefox: {0} cookies","get_Data","{\"success\":false,\"error\":\"Script code is empty\"}","remoteInput","SetValue","WriteAllBytes","OPEN_EXISTING","get_FlatAppearance","SocketException","    Write-Output ('ERROR:' + $_.Exception.Message)","set_IsDesktopActive","set_InterpolationMode","<HandlePacket>b__51_2","HKEY_LOCAL_MACHINE","upload_file","<>9__51_37","set_ForeColor","TaskAwaiter`1","Not connected","netsh","MouseUp","MemberInfo","<Client.Program+<>c__DisplayClass51_21+<<HandlePacket>b__46>d","[DEL]","SetStateMachine","ARROWLEFT","\\Exodus","[CHROME V20] Final AES-GCM decryption failed after NCrypt+XOR","pbBinary","<Value>k__BackingField","ToList","result","EqualityComparer`1","<HandlePacket>b__51_12","FileAccess","WindowsPrincipal","pdwSkip","dmPanningHeight","<>9__51_20",",\"data\":","op_Inequality"," not available: ","pbAuthData",".Client.NetworkOptimized+<SendPacketAsync>d__22","Yandex","[SQLITE ERROR] Failed to prepare statement, code: {0}","GetTempPath","{{\"success\":false,\"pid\":{0},\"error\":\"Failed to kill process\"}}","hResData","using System.Text;","[BrowserHistory] Error with System.Data.SQLite method: ","<>9__51_17","IsVolatile","SendPacket","cxWidth","            try {","ICredentials","\"altKey\":true","get_ErrorNumber","<HandlePacket>b__24","add_Tick","User-Agent","[BrowserHistory] Copy operation failed: ","[SQLITE ERROR] Failed to open cookies database, code: {0}","client_debug.log","FileSystemInfo","FromImage","<>9__51_7","{0} {1}","[ENTER]","[SQLITE ERROR] Exception: ","\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\fhbohimaelbohpjbbldcngcnapndodjp","Error showing message: ","HookCallback","windowName","<>9__51_19","dmDuplex","AppendLine","healthMonitorTask","Connection error detected in main loop, disconnecting to reconnect...","grab_wallets","GetIP","RuntimeTypeHandle","targetHeight","py.exe","stop_service","set_Description","SetOut","szPrompt","get_Current","HistoryEntry"," M[8#B","get_Param","CopyTo","SPIF_SENDWININICHANGE","        $name = if ($reader['name']) { $reader['name'].ToString() } else { '' }","public class Script","StreamWriter","[BrowserHistory] ","<Start>b__21_0","Random","clipboardWindow","{PIPE}","GetEnvironmentVariable","                Add-Type -Path $path -ErrorAction Stop","Encrypted in Registry","REG_SZ","Error listing registry: ","DEVMODE","CaptureWebcamAsync","LClient.NetworkOptimized+<>c__DisplayClass23_0+<<SendPacketNonBlocking>b__0>d","using System.Collections.Generic;","Software\\Classes\\ms-settings","ExtractJsonInt","#GUID","IsNullOrEmpty","Extraction complete!","TryReadWithSystemDataSQLite","<HandlePacket>b__51_47","BitConverter","[BrowserHistory] Parsing {0} lines from {1} output","services_list","<>u__2",": Login Data not found at ","v4.0.30319","MIN_ALL","set_IncludeDebugInformation","set_Count","RegistryValueKind","sourceWidth","WaitForPendingFinalizers","GetAutofillDataAsync returned {0} entries","sqlite3_prepare_v2","ScreenCapture","<>7__wrap2","set_Application","CompilerErrorCollection","get_Headers","[BrowserHistory] PowerShell output length: {0}","<>9__51_18","RevertToSelf","<HandlePacket>b__51_44","delta","<Gateway>k__BackingField","iamfine","[SQLITE ERROR] Failed to open database, code: {0}","{0}_cookies_{1}_{2}.db","ReadPasswords"," 8(\"$","Func`1","logPath","fun_flip_screen","uploadPath","<MemoryUsage>k__BackingField","using System.Windows.Forms;","        $value = if ($reader['value']) { $reader['value'].ToString() } else { '' }","op_Explicit","\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\jbdaocneiiinmjbjlgalhcelgbejmnid","System.Configuration.dll","PrivilegeCount","25114D00A4033551266955CDD922C5EBB11B1E34BE80825C9553A3F258D5B1CE","CommandText","SendMessage","<Client.Program+<>c__DisplayClass51_22+<<HandlePacket>b__48>d","[PASSWORDS] Processing {0} raw password entries","StringToHGlobalUni","WM_CLIPBOARDUPDATE","CreateHandle","set_UseShellExecute","<DeleteValueAsync>d__2","[DOWN]","set_ReceiveBufferSize","HKCU Run","\" /sc minute /mo 1 /f","[BrowserHistory] Created Python script: ","SQLITE_OK","dmDeviceName","wMsgFilterMin","WaitAsync","CreateCommand","[BACKSPACE]","<>c__DisplayClass11_1","Connection health check failed, disconnecting to reconnect...","Ledger Live","Client.exe","WideCharToMultiByte","KEYEVENTF_KEYUP","CreateEmptyPackage","    $loaded = $false","Brave","MethodInfo","[CHROME V20] Stage 2 OK, size: {0} bytes","{\"success\":true,\"output\":\"","System.IO.Compression.FileSystem","Cookies","RMM Client","BACKSPACE","4Client.ClipboardMonitor+<MonitorClipboardAsync>d__15","Connected successfully","set_Adapters","[BrowserHistory] Robocopy failed with exit code: {0}","VK_CONTROL","Clipboard","WriteLine","ArgumentException","ParseWebDataDatabase","HandlePacket","5Client.NetworkOptimized+<WaitForConnectionAsync>d__25","get_Millisecond","set_NoDelay","command","static void Main","[BrowserHistory] Found Chrome profile: ","<>9__51_14","networkInstance","SetHook","{\"path\":\"","[ESC]","DllNotFoundException","  </trustInfo>","Close","SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System","browserName","totalCookiesCount","<GetNetworkAdapters>b__1_2","[DEBUG] {0}/{1}: Found {2} cookie entries","autofill_data","Browser history packet data: ","{\"progress\":100,\"message\":\"Download complete!\"}","CloseCDTray","[{0}]","DM_DISPLAYORIENTATION","[AutofillData] File does not exist: ","Encrypted Database","QWORD","<HandlePacket>b__51_0","SetWindowsHookEx","BeginInvoke","cbAuthData","<Name>j__TPar","    while ($reader.Read()) {","<>9__51_16","ToLower","[DEBUG] {0}/{1}: Cookies size: {2:N0} bytes","logs.txt","LoadResource","gdi32.dll","[BrowserHistory] Error reading SQLite: ","Web Data","VK_LBUTTON","<>c__DisplayClass51_8","GetConsoleWindow","{\"success\":false,\"error\":\"File not found or cannot be read\"}","Network became null in MainLoop","GetString","PtrToStringAnsi","get_Top","            conn.close()","script_result","System.Core","[SQLITE] Row {0}: url={1}, user={2}, blob_size={3}","LegalTrademarks","ShowMessage","set_Size","idHook","[DECRYPT] AES-GCM decrypted: {0} bytes","SELECT host, name, value, path, isSecure, expiry FROM moz_cookies","Copying ","System Message","SQLITE_ROW","    if (-not $loaded) {","ProcessModule","DisableAllPrivileges","chrome","<>c__DisplayClass51_3","WebHeaderCollection","EncoderParameters","get_Adapters","RemoveFromStartup"," l&*!y","using System.Diagnostics;","<FreeSpace>k__BackingField","=== Log ended at {0:yyyy-MM-dd HH:mm:ss} ===","brave","RestoreScreen","RegistryKeyInfo","MainLoop","\\X/*r","Packet data length: {0}","RemoveStartupItem","[NCRYPT] Exception: ","} catch {","base64Chunk","        $dateCreated = if ($reader['date_created']) { [long]$reader['date_created'] } else { 0 }","set_UsePassive","ToByte","TcpClient","[AutofillData] Total autofill entries: {0}","StartReconnectionThread","CreateFileW",")Client.RegistryEditor+<SetValueAsync>d__1","Black900","dmICMMethod","keyCode","sqlite3_temp.dll","[BrowserHistory] Found Opera profile: ","timer","phKey"," error: ","<SendPacketNonBlocking>b__0","<WaitForConnectionAsync>d__25","[CHROME V20] AES-GCM fallback successful: {0} bytes","CallNextHookEx","lParam","get_ActiveConnections","set_Gateway","pszKeyName","GetWiFiNetworks","SendBinaryFile","TronLink_Chrome","    try:","[DECRYPT ERROR] AES-GCM decryption returned null/empty","Program","<HandlePacket>b__51_8","get_Msg","kernel32.dll","GetDirectories","GetStartupList","\\Trezor","[BrowserHistory] Error in GetBrowserHistoryAsync: ","Sent {0} history entries for {1} successfully","STALE_CONNECTION_TIMEOUT","GetPhysicalAddress","[BrowserHistory] Found Edge profile: ","netstat","<Path>i__Field","set_BorderSize","[DEBUG] {0}/{1}: Login Data size: {2:N0} bytes","ERROR: Administrator privileges required!","SetCursorPos","TargetFrameworkAttribute","[BrowserHistory] Robocopy exit code: {0}","Enter","ToUInt32","\\Ethereum","            sys.exit(1)","frame","Passwords","    print('ERROR:Traceback: ' + traceback.format_exc())","ImpersonateLoggedOnUser","                $loaded = $true","LoadLibrary","Keylogger",": Failed to get master key","Connection health check failed - connection appears dead","dmDriverVersion","ExistingTokenHandle","#Blob","GCCollectionMode","\\Google\\Chrome\\User Data\\Profile 1\\Local Extension Settings\\bfnaelmomeimhlpmgjnjophhpkkoljpa","[CHROME V20] Blob too small for ChaCha20 (need {0}, got {1})","        # List available tables for debugging","MetaMask_Chrome_Profile2","Boolean","false","EventArgs","keyQueue","IFormatProvider","<Exists>k__BackingField","RuntimeFieldHandle","DrawCursor","Removed from startup","<HandlePacket>b__33","EndInvoke","TryReadAutofillWithPowerShell","[BrowserHistory] Reading SQLite from: ","rd_enable_input","PROCESS_QUERY_INFORMATION","lpOverlapped","get_Message","/Client.NetworkOptimized+<ReconnectionLoop>d__27","UploadToServer","\\Google\\Chrome\\User Data\\Profile 1\\Local Extension Settings\\nkbihfbeogaeaoehlefnkodbefgpgknn","get_IsDisposed","HealthMonitorLoop","Error getting network info: ","NCryptOpenStorageProvider","GetEmailPasswords","[BrowserHistory] Robocopy output: ","SWP_NOSIZE","get_SSID","set_IsBackground","[{0:yyyy-MM-dd HH:mm:ss}] Uploading browser data to {1}:{2}...","upload_result","dmBitsPerPel","sqlite3_column_blob","<Client.Program+<>c__DisplayClass51_23+<<HandlePacket>b__50>d","get_Item","{{\"pid\":{0},\"name\":\"{1}\",\"memory\":{2}}}","using System.Text.RegularExpressions;","nSize","dir_list","        tables = cursor.fetchall()","Error setting registry value: ","set_Type","<>c__DisplayClass51_6","MapVirtualKey","sqlite3_column_bytes","[AES-GCM] Calling BCryptDecrypt...","[SQLITE] sqlite3_prepare_v2 result: {0}","AddClipboardFormatListener","Append","[CHROME V20] LSASS impersonation failed for NCrypt","TOKEN_PRIVILEGES","<>9__51_13","SE_PRIVILEGE_ENABLED","<SendBinaryFrameAsync>b__1","fun_minimize_all","IOControl","        Join-Path $env:ProgramFiles(x86) 'System.Data.SQLite\\System.Data.SQLite.dll',","get_IsKey","\",\"mac\":\"","[DECRYPT] AES-GCM: IV={0}, ciphertext={1}, tag={2}, masterKey={3}","NetworkOptimized","        missing_columns = [col for col in required_columns if col not in columns]","            last_visit = int(row['last_visit_time']) if row['last_visit_time'] is not None else 0","DIGIT","get_VisitCount","[BrowserHistory] PowerShell exit code: {0}","GetHdc","Google","6!9#>,DqG","set_Modified","StringBuilder","get_Size","QueuedOperation","KeyDown","Encoding","cyHeight","[ERROR] Edge/","Compilation errors:","OrderBy","KBDLLHOOKSTRUCT","        cursor.execute(\"PRAGMA table_info(urls)\")","[CHROME V20] Blob too small for NCrypt (need {0}, got {1})","{\"key\":\"","Opera Stable","APPDATA","<QueuedAt>k__BackingField","LookupPrivilegeValueW","{{\"success\":true,\"pid\":{0}}}","p*rI6","System.IO","get_VolumeLabel","get_browser_history","Microsoft Software Key Storage Provider","<ListKeysAsync>d__0","<Label>k__BackingField","sqlite3_open","GetCurrent","C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\sqlite3.dll","SendClientInfo","IEnumerable`1","[CHROME V20] AES-GCM decryption of master key failed","SECURITY_IMPERSONATION_LEVEL","GetResponseStream","Connection","className","get_Speed","Connection failed, retrying in 5 seconds...","Assembly Version","[CHROME V20] Stage 2: User DPAPI...","StartupManager","System.Collections.Specialized","<GetNetworkInfoAsync>d__0","set_Security","ExitThread","User Data","rd_disable_input","get_Warning","<SendPacketAsync>d__22","\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\ibnejdfjmmkpcnlpebklmnkoeoihofec","using System.Management;","{{\"url\":\"{0}\",\"title\":\"{1}\",\"visitCount\":{2},\"lastVisit\":{3}}}","WM_COMMAND","[AutofillData] Error in Python method: ","        rows = cursor.fetchall()","\",\"isDir\":","set_TopMost","Replace","CancellationTokenSource","[DEBUG] {0}/{1}: Saved {2} passwords","get_Information","TryReadWithPython","TimeSpan","FileDescription","Warning: Could not create log file: ","get_Output","cchString","[CHROME V20] ChaCha20-Poly1305 decryption successful: {0} bytes","set_ReceiveTimeout","dmReserved2","SPI_SETMOUSEBUTTONSWAP","[ERROR] File is locked by another process (browser still running?)","FILE_SHARE_DELETE","hIcon","devMode","FunFunctions","ClipboardWindow","\"type\":\"","CurrentConfig","hbmMask","kill_process","GetAutofillDataAsync","rootPath","SocketError","get_Unicode","ReadOnlyCollectionBase","[CHROME V20] Using NCrypt with XOR","Opera GX Stable","FormStartPosition","set_Username","dmSpecVersion"," cookies: ","Opera Developer","browserHistory","HideTaskbar","set_ShowInTaskbar","AllWallets.zip","[BrowserHistory] PowerShell failed - exit code: {0}","<Letter>k__BackingField","graphics","resourceId","PostThreadMessage","sqlite3_column_text","DebuggableAttribute","<DateCreated>k__BackingField","StopService","StringCollection","[DEBUG] {0}/{1}: Login Data exists: {2}","class ","Opera Next","UnhookWindowsHookEx","<<HandlePacket>b__46>d","set_Speed",".ctor","\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Local Extension Settings\\bfnaelmomeimhlpmgjnjophhpkkoljpa","[DECRYPT ERROR] v10/v11/v20 data too small: {0} bytes (need 31+)","SELECT * FROM Win32_OperatingSystem","GetUsername","ARROWRIGHT","get_Connected","            title = title.replace('|', '{PIPE}')","2Client.BrowserHistory+<GetBrowserHistoryAsync>d__1","ping_result","ExpandEnvironmentVariables","get_Error","ZipFile","[CHROME V20] Master key extracted successfully: {0} bytes","WaitForStatus","LISTENING","pbData","&% 0u","SuspendProcess","File sent: {0} ({1} bytes)","[BrowserHistory] Found Brave profile: ","        'C:\\Windows\\System32\\System.Data.SQLite.dll'","using System;","[LSASS] ImpersonateLoggedOnUser failed (error: 0x{0:X8})","messageLoopThread","StringFileInfo","WaitForConnectionAsync","set_FlatStyle","fun_open_notepad","SetResult","<Description>k__BackingField","DrawIconEx","Edge: {0} cookies extracted","TrustWallet_Chrome","KillProcess","[SUCCESS] {0}/{1}: Saved {2} cookies",": Checking...","AutofillEntry","TrimStart","wParam","Substring","ServiceControllerStatus","Enumerable","<Client.Program+<>c__DisplayClass51_20+<<HandlePacket>b__42>d","    db_path = r'","<GetProcessList>b__0_0","VK_RBUTTON","dmFields","FtpWebRequest","Bitcoin","Sent network info: {0} adapters, {1} WiFi networks","using System.Net.Http;","value__","OnClipboardChanged","UnicastIPAddressInformation","    import traceback","TrustWallet_Edge","input","AESGCMDecrypt","user32.dll","WindowsBuiltInRole"," }&2!z","dmFormName","OpenThread","    cursor = conn.cursor()","<SetValueAsync>b__1_2","_-Tr2-","streamLock","MAX_RECONNECT_DELAY","Error sending client info: ","Brave-Browser","        columns = [row[1] for row in cursor.fetchall()]","pszAlgId","[LSASS] Found lsass.exe PID: {0}","\"name\":\"","[BrowserHistory] LocalAppData: ","<GetBrowserHistoryAsync>b__1_1","MonitorClipboardAsync","Opera","[AutofillData] Getting autofill data for browser: ","<>c__DisplayClass3_0","    $dbPath = r'","GetMethod",": Extracting cookies from ","\\Electrum","[SQLITE] Preparing query...","<CaptureWebcamAsync>b__0_0","ExtractFirefoxData","NetworkStream","\",\"valueType\":\"","drive","sqlite3_column_int","[BrowserHistory] Failed to delete temp file: ","GetHostname","Comments","GetImageEncoders","_bZ(H","GetSubKeyNames","    )","System.Threading","<>c__DisplayClass23_0","PlaySound","[SQLITE] Statement finalized","upload_file_chunk","get_UTF8","AddStartupItem","_CorExeMain","get_Controls","targetFPS","get_autofill_data","recentservers.xml","hbmColor","System.Data.SQLite","            # Escape pipe characters in URL/title","hObject","dwDesiredAccess","meltEnabled","TextReader","ManagementObject","{\"progress\":20,\"message\":\"Reading file from disk...\",\"filename\":\"","\\Atomic","ciphertext","0Client.NetworkOptimized+<HealthMonitorLoop>d__30","<HandlePacket>b__51_3","Tuple","screenCapture","[SOLUTION] Close ","<Success>k__BackingField","recover_passwords","grab_single_wallet","<HandlePacket>b__48","[PASSWORDS] Decrypting entry {0}: url={1}, user={2}, encrypted_size={3}","<HandlePacket>b__36","\",\"password\":\"","frameData","MetaMask_Chrome_Profile1","valueType","    file_size = os.path.getsize(db_path)","get_IsCompleted","[BrowserHistory] Error scanning Firefox: ","[LOG ERROR] ","    # Check if autofill table exists","STAThreadAttribute","open_webpage","fun_open_calculator","set_FileName","[BrowserHistory] File header: ","Electrum","        print(f'ERROR:Query error: {str(e)}')","{\"browser\":\"","<Type>k__BackingField","Caption","lpLuid","Monero","SetQuality","Right-click and 'Run as Administrator'","get_Success","[BrowserHistory] All methods failed to read SQLite database","using System.Reflection;","explorer.exe","<<HandlePacket>b__50>d","NetworkInterface","    except Exception as e:","[CHROME V20] No app_bound_encrypted_key found in Local State","import sqlite3","[PASSWORDS FAIL] Decryption failed for ","Split","[BrowserHistory] No valid entries parsed from output","ESCAPE","CopyWALFiles","pPromptStruct","Coinbase","BINARY","    {","FlipScreen","        $url = if ($reader['url']) { $reader['url'].ToString() } else { '' }","SendPacketNonBlocking","GetEnumerator","height","        Write-Output 'ERROR:SQLite library not found'",",Client.NetworkInfo+<GetNetworkInfoAsync>d__0","DispatchMessage","ListDirectory","Error stopping clipboard monitor: ","restart_{0}.bat","[BrowserHistory] Successfully parsed {0} entries from {1} lines using {2}","FileInfo","BlockInput","wMsgFilterMax","AssemblyConfigurationAttribute","[BrowserHistory] System.Data.SQLite already loaded in AppDomain","System.Globalization","Error executing script: ","GetNetworkAdapters","sourceHeight","RuntimeCompatibilityAttribute","HKEY_USERS","dmYResolution","Error during update: ","DecryptValue","GuidAttribute","        date_created = row['date_created'] if row['date_created'] else 0","get_Title","set_DisplayName","fun_unblock_input","ScriptExecutor","get_Client","        print(f'{name}|{value}|{date_created}|{date_last_used}|{count}')","ChainingModeGCM","get_StandardOutput","ChainingMode","status","{\"drives\":[","<HandlePacket>b__40","<GetAutofillDataAsync>b__0","@6,(2","GetValueNames","pszString","<IPAddress>k__BackingField","InitializeArray","StartService","lpName","bcrypt.dll","SemaphoreSlim","\" /tr \"","System.Core.dll","DMDO_180","OpenNotepadWithText","2E69DC77B5DCFCCF57DD14F7E8BC6846C81B48D65C372C8970A25FA856421FE0","set_VisitCount","        print(f'ERROR:SQL error: {str(e)}')","        'C:\\Windows\\System32\\System.Data.SQLite.dll',","Stack trace: ","\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\bfnaelmomeimhlpmgjnjophhpkkoljpa","[BrowserHistory] Successfully extracted {0} entries from {1}","<>9__1_2","<GetAutofillDataAsync>d__3","GetNetworkInfoAsync","Convert","lpType","\\Ledger Live","fun_open_cd_tray","<HandlePacket>b__51_7","filePath","start_service","<GetBrowserHistoryAsync>b__0","[TAB]","CompilerGeneratedAttribute","<>9__1",",Client.RegistryEditor+<DeleteValueAsync>d__2","<>9__51_6","get_Type","HEALTH_CHECK_INTERVAL","[AutofillData] Processing: ","FileStream","Double","ShakeWindowInternal","[CHROME V20] Stage 1 OK, size: {0} bytes","swapfile.sys","currentMonitor","count","Connection lost detected, disconnecting to reconnect...","Microsoft","pbSecret","Config File","Error in async operation: ","cbSize","lastSuccessfulOperation","customOutputPath","            print('ERROR:Available tables: ' + table_names)","cookiesPath","654C721A221A4CE01BD08488563FF7277E68AF0564487CF36C519B881E39C7E4","    conn.close()","Killing process PID: {0}","fun_restore_screen",")...\"}","<<HandlePacket>b__51_20>d","wallets_found","reconnectTask","SendDesktopFrame","TextWriter","        cursor.execute('SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time DESC LIMIT 1000')","[DEBUG] Trying fallback File.Copy...","<SendBinaryFrameAsync>b__0","destPath","pszDescription","screenshot.png","Jaxx Liberty","ProcessThread","O@E#O","<>9__51_9","\"isLastChunk\":true","[ERROR] ","fun_show_taskbar","        $dateLastUsed = if ($reader['date_last_used']) { [long]$reader['date_last_used'] } else { 0 }","sysInfo","Connected to {0}:{1}","\",\"path\":\"","total","Script","[BrowserHistory] {0} failed - exit code: {1}, output: {2}","ImageCodecInfo","using ","+_r'z","GetInt32","SwapMouseButtons","advapi32.dll","ESTABLISHED","    }","cbAAD","<>9__51_45","clipboardMonitor","<>c__DisplayClass51_2","NetworkInfoData","[COOKIES] Processing {0} raw cookie entries","user32.dll,LockWorkStation","SetSocketOption","wlan show profiles","[{0:yyyy-MM-dd HH:mm:ss}] Error uploading browser data: {1}","Error: ","<HandlePacket>b__46","DPAPIDecrypt","hToken","p*r%6","[BrowserHistory] Total entries extracted: {0}","GetWiFiPasswords","WndProc","<HandlePacket>b__42","WalletGrabber","GetMasterKey","[BrowserHistory] {0} exit code: {1}","System.Runtime.CompilerServices","IOException","UnicastIPAddressInformationCollection","get_Pid","[DECRYPT ERROR] All decryption methods failed","[DEBUG] Edge/","[DEBUG] Fallback copy succeeded","GetBrowserWebDataPaths","        if (Test-Path $path) {","firefox_cookies.db","1.0.0.0","HKLM Run",".update","[CHROME V20] NCrypt decryption failed","<>c__DisplayClass51_14","keylogger_started","fun_play_sound","    # Try to load System.Data.SQLite if available","Dispose","    # Query autofill data","[BrowserHistory] Successfully read {0} entries using PowerShell","DI_NORMAL","using System.Runtime.InteropServices;","SW_SHOW","Calling GetBrowserHistoryAsync for browser: ","history_{0}.py",": Reading SQLite database...","shiftKey","encoded","disable_uac","<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>","dwShareMode","<Name>k__BackingField","get_StackTrace","Rectangle","AddRange","GetProcessById","pendingOperations","GetVirtualKey","<>c__DisplayClass51_19","Collect","{\"success\":false,\"error\":\"Invalid PID\"}","Update command received","[BrowserHistory] All copy methods failed, will try to read directly (may fail if browser is open)","        print('ERROR:Database file not found: ' + db_path)","using System.Net.NetworkInformation;","targetWidth","[DEBUG] {0}/{1}: Cookies exists: {2}","[LSASS] Process token opened","[AutofillData] All copy methods failed, using original path","dmDisplayOrientation","[BrowserHistory] Skipping empty path","ResourceReader","set_TextAlign","get_ServiceName","    if (-not (Test-Path $dbPath)) {","AppendAllText","ComVisibleAttribute","{{\"hostname\":\"{0}\",\"username\":\"{1}\",\"os\":\"{2}\",\"country\":\"{3}\",\"monitors\":{4},\"wallets\":{5}}}","\",\"autofill\":[]}","<>t__builder","ReadHistoryFromSQLite","[BrowserHistory] Loaded System.Data.SQLite from: ","[BrowserHistory] System.Data.SQLite types not found","Connection error detected, disconnecting to reconnect...","set_IsRunning","\",\"security\":\"","pPlainText","lastNetworkActivity","GetValueKind","StringWriter","ManagementBaseObject","ExecuteReader","wallet_grab_","HKEY_CLASSES_ROOT","uMapType","BlockInputAPI",", trying robocopy","TOKEN_ADJUST_PRIVILEGES","        sys.exit(1)","SetWindowPos","NCryptOpenKey","TryParse","mscoree.dll","[AutofillData] Not a valid SQLite file","xHotspot","Local Disk","[AutofillData] Successfully read {0} entries using Python","Unexpected error: ","<HandlePacket>b__21","EventHandler","SW_HIDE","BCryptDestroyKey","    foreach ($path in $sqlitePaths) {","            table_names = ', '.join([t[0] for t in tables])","<DeleteValueAsync>b__0","XOR_KEY","using System.Security;",")Client.RegistryEditor+<ListKeysAsync>d__0","RegistryEditor","AppendToFile","pvReserved",",\"services\":[","CRYPTPROTECT_PROMPTSTRUCT","LowPart","chunk","<>9__51_12","BCRYPT_CHACHA20_POLY1305_ALGORITHM","FileMode","get_AllScreens","\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\hnfanknocfeofbddgcijnmhnfnkdnaad","AllocHGlobal","CalculateBackoffDelay","RAM Disk","get_LastVisit","{\"wallets\":[","    rows = cursor.fetchall()","InternalName","FileAttributes","Firefox","encrypted_key","DelegateExecute","pCipherText","packet","get_Height","    public static void Main()","MethodBase","isCookie","set_CreateNoWindow","StartHealthMonitor","TryReadWithPowerShell","SpecialFolder","[NCRYPT] Failed to open key: 0x{0:X8}","message","ToString","..8+Tr","\" key=clear","[DEBUG] Written to destination: ","rundll32.exe","System.ServiceProcess","<>c__DisplayClass42_0","Chrome","<ListDirectory>b__2_0","\\Dogecoin","DebuggerBrowsableState","GetTotalCookies","Connection failed: ","Clipboard monitor started successfully","OpenProcess","process","https://","[NCRYPT] Decryption successful: {0} bytes","OpenCalculator","robocopy.exe","cancellationTokenSource"],"virustotal":{"error":true,"msg":"Unable to complete connection to VirusTotal. Status code: 429"},"selfextract":{"de4dot":{"extracted_files":[{"name":"ccf59548ea17a15240cadc6ca7eaa20e6bee4a80582e10d0f1d302d4085a792f","path":"/opt/CAPEv2/storage/analyses/26/selfextracted/ccf59548ea17a15240cadc6ca7eaa20e6bee4a80582e10d0f1d302d4085a792f","guest_paths":["360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f"],"size":226816,"crc32":"B7ABD954","md5":"0f05769a9b6911a01ab7c2ce51f6833f","sha1":"bef11e6cf37451b7126cf8fe42d0df9beff04ad5","sha256":"ccf59548ea17a15240cadc6ca7eaa20e6bee4a80582e10d0f1d302d4085a792f","sha512":"1f77ad4d6cddee11717b5fb06eac5300044f64e0cc458517a2d6c21568e2ed7fa5beb5ac3c6432b0d02cf22e9662c500db2f69d8d386dd1bd3b96949b8c8ae8a","rh_hash":null,"ssdeep":"3072:U5PVz+7qzN2azaUB9dP9ZkTym7Y9ePcq+kmZXxQPeO4ifTFAbHd7ljZUaOxApPMp:0IcqTyMcePcqJmZXCP4ifT2b","type":"PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows","yara":[{"name":"INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore","meta":{"author":"ditekSHen","description":"Detects executables containing SQL queries to confidential data stores. Observed in infostealers"},"strings":["S\u0000E\u0000L\u0000E\u0000C\u0000T\u0000 \u0000"," \u0000F\u0000R\u0000O\u0000M\u0000 \u0000l\u0000o\u0000g\u0000i\u0000n\u0000s\u0000"," \u0000F\u0000R\u0000O\u0000M\u0000 \u0000c\u0000o\u0000o\u0000k\u0000i\u0000e\u0000s\u0000"," \u0000F\u0000R\u0000O\u0000M\u0000 \u0000m\u0000o\u0000z\u0000_\u0000c\u0000o\u0000o\u0000k\u0000i\u0000e\u0000s\u0000","Name","NAME","name","N\u0000a\u0000m\u0000e\u0000","n\u0000a\u0000m\u0000e\u0000","p\u0000a\u0000s\u0000s\u0000w\u0000o\u0000r\u0000d\u0000_\u0000v\u0000a\u0000l\u0000u\u0000e\u0000","e\u0000n\u0000c\u0000r\u0000y\u0000p\u0000t\u0000e\u0000d\u0000_\u0000v\u0000a\u0000l\u0000u\u0000e\u0000"],"addresses":{"select":203818,"table2":201751,"table3":203225,"table4":203914,"column1":225647,"column2":201723,"column3":203135}},{"name":"INDICATOR_Binary_Embedded_Cryptocurrency_Wallet_Browser_Extension_IDs","meta":{"author":"ditekSHen","description":"Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs."},"strings":["i\u0000b\u0000n\u0000e\u0000j\u0000d\u0000f\u0000j\u0000m\u0000m\u0000k\u0000p\u0000c\u0000n\u0000l\u0000p\u0000e\u0000b\u0000k\u0000l\u0000m\u0000n\u0000k\u0000o\u0000e\u0000o\u0000i\u0000h\u0000o\u0000f\u0000e\u0000c\u0000","f\u0000h\u0000b\u0000o\u0000h\u0000i\u0000m\u0000a\u0000e\u0000l\u0000b\u0000o\u0000h\u0000p\u0000j\u0000b\u0000b\u0000l\u0000d\u0000c\u0000n\u0000g\u0000c\u0000n\u0000a\u0000p\u0000n\u0000d\u0000o\u0000d\u0000j\u0000p\u0000","j\u0000b\u0000d\u0000a\u0000o\u0000c\u0000n\u0000e\u0000i\u0000i\u0000i\u0000n\u0000m\u0000j\u0000b\u0000j\u0000l\u0000g\u0000a\u0000l\u0000h\u0000c\u0000e\u0000l\u0000g\u0000b\u0000e\u0000j\u0000m\u0000n\u0000i\u0000d\u0000","a\u0000f\u0000b\u0000c\u0000b\u0000j\u0000p\u0000b\u0000p\u0000f\u0000a\u0000d\u0000l\u0000k\u0000m\u0000h\u0000m\u0000c\u0000l\u0000h\u0000k\u0000e\u0000e\u0000o\u0000d\u0000m\u0000a\u0000m\u0000c\u0000f\u0000l\u0000c\u0000","h\u0000n\u0000f\u0000a\u0000n\u0000k\u0000n\u0000o\u0000c\u0000f\u0000e\u0000o\u0000f\u0000b\u0000d\u0000d\u0000g\u0000c\u0000i\u0000j\u0000n\u0000m\u0000h\u0000n\u0000f\u0000n\u0000k\u0000d\u0000n\u0000a\u0000a\u0000d\u0000","n\u0000k\u0000b\u0000i\u0000h\u0000f\u0000b\u0000e\u0000o\u0000g\u0000a\u0000e\u0000a\u0000o\u0000e\u0000h\u0000l\u0000e\u0000f\u0000n\u0000k\u0000o\u0000d\u0000b\u0000e\u0000f\u0000g\u0000p\u0000g\u0000k\u0000n\u0000n\u0000","b\u0000f\u0000n\u0000a\u0000e\u0000l\u0000m\u0000o\u0000m\u0000e\u0000i\u0000m\u0000h\u0000l\u0000p\u0000m\u0000g\u0000j\u0000n\u0000j\u0000o\u0000p\u0000h\u0000h\u0000p\u0000k\u0000k\u0000o\u0000l\u0000j\u0000p\u0000a\u0000","e\u0000j\u0000b\u0000a\u0000l\u0000b\u0000a\u0000k\u0000o\u0000p\u0000l\u0000c\u0000h\u0000l\u0000g\u0000h\u0000e\u0000c\u0000d\u0000a\u0000l\u0000m\u0000e\u0000e\u0000e\u0000a\u0000j\u0000n\u0000i\u0000m\u0000h\u0000m\u0000","e\u0000g\u0000j\u0000i\u0000d\u0000j\u0000b\u0000p\u0000g\u0000l\u0000i\u0000c\u0000h\u0000d\u0000c\u0000o\u0000n\u0000d\u0000b\u0000c\u0000b\u0000d\u0000n\u0000b\u0000e\u0000e\u0000p\u0000p\u0000g\u0000d\u0000p\u0000h\u0000"],"addresses":{"s1":154266,"s2":154051,"s4":154475,"s5":154694,"s6":153828,"s33":156731,"s44":156526,"s67":155616,"s91":156046}}],"cape_yara":[],"clamav":[],"tlsh":"T17824D49563F94600F5FF6F79A9B142210A73B857AC36D30E0989548E0FB3B81D922B73","sha3_384":"eb5fb032e0f2bd0e517aa825093f024ce0091e9432dbcf9b81c7427996af0c57ba29d6f2ab268242ffa6136575386704","die":[],"data":null}],"extracted_files_time":0.858941848971881,"password":""}},"cape_type_code":0,"cape_type":""}},"CAPE":{"payloads":[],"configs":[]},"info":{"version":"2.4-CAPE","started":"2025-12-07 09:50:28","ended":"2025-12-07 09:50:45","duration":17,"id":26,"category":"file","custom":"","machine":{"id":26,"status":"stopping","name":"ubuntu22","label":"ubuntu22","platform":"linux","manager":"KVM","started_on":"2025-12-07 09:50:28","shutdown_on":"2025-12-07 09:50:38"},"package":"exe","timeout":false,"tlp":null,"parent_sample":null,"options":{},"source_url":null,"route":"false","user_id":0,"CAPE_current_commit":"9cf8bf5a0ee601c0afc7068413c59a1049674c64"},"behavior":{"processes":[]},"debug":{"log":"2025-12-07 09:50:37,001 [root] DEBUG: Starting analyzer from: /l82_nda2\n2025-12-07 09:50:37,001 [root] DEBUG: Storing results at: /tmp/XABTxZOGG\n2025-12-07 09:50:37,002 [root] ERROR: Traceback (most recent call last):\n  File \"/l82_nda2/lib/core/packages.py\", line 39, in choose_package_class\n    module = __import__(full_name, globals(), locals(), [\"*\"])\nModuleNotFoundError: No module named 'modules.packages.exe'\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File \"/l82_nda2/analyzer.py\", line 453, in <module>\n    success = analyzer.run()\n  File \"/l82_nda2/analyzer.py\", line 244, in run\n    package_class = choose_package_class(self.config.file_type, self.config.file_name, **kwargs)\n  File \"/l82_nda2/lib/core/packages.py\", line 41, in choose_package_class\n    raise Exception(f'Unable to import package \"{name}\": it does not exist')\nException: Unable to import package \"exe\": it does not exist\nTraceback (most recent call last):\n  File \"/l82_nda2/lib/core/packages.py\", line 39, in choose_package_class\n    module = __import__(full_name, globals(), locals(), [\"*\"])\nModuleNotFoundError: No module named 'modules.packages.exe'\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File \"/l82_nda2/analyzer.py\", line 453, in <module>\n    success = analyzer.run()\n  File \"/l82_nda2/analyzer.py\", line 244, in run\n    package_class = choose_package_class(self.config.file_type, self.config.file_name, **kwargs)\n  File \"/l82_nda2/lib/core/packages.py\", line 41, in choose_package_class\n    raise Exception(f'Unable to import package \"{name}\": it does not exist')\nException: Unable to import package \"exe\": it does not exist\n","errors":[]},"memory":{"memory_path":"/opt/CAPEv2/storage/analyses/26/memory.dmp","memory_strings_path":"/opt/CAPEv2/storage/analyses/26/memory.dmp.strings"},"network":{"pcap_sha256":"2d7f3afc91361e0b9d0176e4debe70c09e4b4e953cfd078c76b4491e75a08145","hosts":[],"domains":[],"tcp":[],"udp":[{"src":"192.168.122.133","sport":5353,"dst":"224.0.0.251","dport":5353,"offset":234,"time":0.5013740062713623}],"icmp":[],"http":[],"dns":[],"smtp":[],"irc":[],"dead_hosts":[]},"sysmon":null,"url_analysis":{},"usage":{},"tracee":"eJwljcEKwkAMRH9lyUnBg2dv1ZMXBe1NRJYk4MLaLUkqlLL/braeZnjMYxb4sEWKFuEQFlDGSZLNL/7yYOrs8dwFGKWgCfO6GRN57h2TqynrSokVvcCmO977W3fqz9fLNkgpFprNqlBdwXfKJDw0p9ZGdFaMOf+/6g9hFS71","procmemory":[],"signatures":[{"name":"static_pe_pdbpath","description":"The PE file contains a suspicious PDB path","categories":["static"],"severity":2,"weight":1,"confidence":80,"references":["https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"],"data":[{"anomaly":"the pdb path contains a reference to a development path or term that may suggest a non-enterprise environment development/compilation"},{"pdbpath":"C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb"}],"new_data":[],"alert":false,"families":[]},{"name":"binary_yara","description":"Binary file triggered multiple YARA rules","categories":["static"],"severity":3,"weight":1,"confidence":80,"references":[],"data":[{"Binary triggered YARA rule":"INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore"},{"Binary triggered YARA rule":"INDICATOR_Binary_Embedded_Cryptocurrency_Wallet_Browser_Extension_IDs"}],"new_data":[],"alert":false,"families":[]},{"name":"pe_compile_timestomping","description":"Binary compilation timestomping detected","categories":["generic"],"severity":3,"weight":1,"confidence":100,"references":[],"data":[{"anomaly":"Compilation timestamp is in the future"}],"new_data":[],"alert":false,"families":[]}],"malscore":2,"ttps":[{"signature":"pe_compile_timestomping","ttps":["T1070.006","T1070"],"mbcs":["OB0006","F0005","F0005.004"]},{"signature":"static_pe_pdbpath","ttps":["T1071"],"mbcs":["OC0006","C0002"]}],"malstatus":"Clean","shots":[],"local_conf":{"enabled":true,"screenshots":false,"apicalls":false}}]