Viewing Collection: pestudio_analysis

Simple
Advanced

_id	sha256	analysis_data	timestamp	md5
69e716e159a6632dae07ddfb	e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b…	* LARGE PROPERTY * ~257 KB Preview:{"success":true,"output": Click to fetch this property	2026-04-26 23:28:39
69e917a559a6632dae07de0e		{ "success": true, "output": "\n================================================================================\nPESTUDIO ANALYSIS REPORT\n================================================================================\nFile: /home/apogean/projects/malware/windows/all_runs/360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f.exe\nExit Code: 0\nCommand: /home/apogean/projects/static_decompilation_malware/sdm/bin/python3 /home/apogean/projects/static_decompilation_malware/pestudio-cli-main/pestudio.py -f /home/apogean/projects/malware/windows/all_runs/360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f.exe --header -i --indicators -e -r --relocations -s --strings -u -d\n================================================================================\nIndicators:\n\u001b[1;34m\tNo connection to VirusTotal possible\u001b[0;0m\n\u001b[1;31m\tThe PE file has no digital signature\u001b[0;0m\n\u001b[1;31m\tFile Header: Suspicious value for TimeDateStamp (2088-03-07 00:06:34)\u001b[0;0m\n\u001b[0;32m\tNumber of imports is in a reasonable range (1) \u001b[0;0m\n\u001b[1;31m\tThe binary uses relocations\u001b[0;0m\n\u001b[1;31m\t20 strings are blacklisted\u001b[0;0m\n+---------------------------------------------------------------+------------+\n\| Description \| level(0/0) \|\n+---------------------------------------------------------------+------------+\n\| \u001b[1;31mThe file opts for Data Execution Prevention (DEP)\u001b[0;0m \| 0 \|\n\| \u001b[1;31mThe file opts for Address Space Layout Randomization (ASLR)\u001b[0;0m \| 0 \|\n\| \u001b[1;31mThe file ignores Structured Exception Handling (SEH)\u001b[0;0m \| 0 \|\n\| \u001b[1;31mThe age (2068-05-04 23:34:16) of the debug file is suspicious\u001b[0;0m \| 0 \|\n\| \u001b[1;31mThe file has (0) blacklisted section name(s)\u001b[0;0m \| 0 \|\n\| <class 'str'> \| 0 \|\n+---------------------------------------------------------------+------------+\nFile Header: \u001b[1;31mSuspicious value for TimeDateStamp (2088-03-07 00:06:34)\u001b[0;0m\n\t+----------------------+-----------------------------------+\n\t\| Property \| Value \|\n\t+----------------------+-----------------------------------+\n\t\| Signature \| 50450000 \|\n\t\| Machine \| Intel 386 or later and compatible \|\n\t\| Number of sections \| 3 \|\n\t\| timeDateStamp \| \u001b[1;31m2088-03-07 00:06:34\u001b[0;0m \|\n\t\| pointerToSymbolTable \| 0x0 \|\n\t\| numberOfSymbols \| 0 \|\n\t\| sizeOfOptionalHeader \| 224 \|\n\t\| characteristics \| 0x22 \|\n\t\| Processor 32-bit \| False \|\n\t+----------------------+-----------------------------------+\n\u001b[1;31mSuspicious number of imports (1)\u001b[0;0m\n\u001b[0;32mNone of the imports is blacklisted. \u001b[0;0m\n\u001b[0;32mThe binary has no exports\u001b[0;0m\nRelocations of the binary:\n\t+-----------------+----------+---------+------+\n\t\| Virtual address \| Position \| Type \| Size \|\n\t+-----------------+----------+---------+------+\n\t\| 0x38000 \| 0xf60 \| HIGHLOW \| 32 \|\n\t\| 0x38000 \| 0x0 \| ABS \| 0 \|\n\t+-----------------+----------+---------+------+\nNo blacklisted resources found\nList of all resources: \n\t+---------------+------+----------------------------------+----------+\n\t\| Type \| Name \| MD5 \| Language \|\n\t+---------------+------+----------------------------------+----------+\n\t\| Accelerator \| 0x1 \| 4D3263466F07BEEBE7760E4B406185DC \| neutral \|\n\t\| Accelerator \| 0x2 \| 671411510B63CCB34B60793179ABDF5A \| neutral \|\n\t\| Accelerator \| 0x3 \| 43B9BB3A960FC7307EDC9FA0FCF853B7 \| neutral \|\n\t\| Plug-and-play \| 0x1 \| F9D1BE20B1C4063BF31C7A1022305641 \| neutral \|\n\t\| Executable \| 0x1 \| B7DB84991F23A680DF8E95AF8946F9C9 \| neutral \|\n\t+---------------+------+----------------------------------+----------+\nStrings in the PE file:\nget_CurrentMonitor\n<ShowMessage>b__2\nFK\ty\ndmPositionY\nNewGuid\nCompilationRelaxationsAttribute\nAutofillData\nZ\n!j\npszProperty\nINVALID_HANDLE_VALUE\nGetOS\nset_ClassName\n<GetServiceList>b__1_0\nSTALE_CONNECTION_TIMEOUT\n<GetNetworkAdapters>b__1_0\nFromSeconds\n\n~r\nLUID\n<Security>k__BackingField\ndwPromptFlags\nGetDrives\n<SendBinaryFrameAsync>b__0\nFrameworkDisplayName\nSystem.Security.Principal\nEnqueue\nget_IsCancellationRequested\nSystem.Drawing.Imaging\ndmPanningHeight\nSetQuality\nEnum\nCloseCDTray\nbase64Chunk\n\n-\u000bb\u000b}\u000b\nTrimEnd\nWideCharToMultiByte\n<HandlePacket>b__23\nToByte\nSpecialFolder\nKq\u000b)\n\n,\fr\n YE\t\n,)~\u000b\nNI.\"\n<>9__1_0\nget_SSID\npasswordsDir\nSPIF_SENDWININICHANGE\nToInt64\nConcurrentQueue`1\nDateTime\nsqlite3_finalize\ndmTTOption\nGetCredentialsZipPath\nHasData\nset_RedirectStandardError\n<HandlePacket>b__51_6\ndwThreadId\nSetValueAsync\n<DateCreated>k__BackingField\nToUpper\n<HandlePacket>b__32\nSwapMouseButtons\nget_IsConnected\nBCryptCloseAlgorithmProvider\ndmSize\nNetworkStream\nhWndNewParent\npbOutput\n%rTL\nNameValueCollection\n<ValueType>k__BackingField\nget_Message\nset_MinimizeBox\nget_MainWindowHandle\n,\nr(\n,^rS \n<MemoryUsage>k__BackingField\nremoteInput\nhWnd\np+\n(\nSystem.Diagnostics\nEventHandler\nget_ActiveConnections\n\nF~#\nSPI_SETMOUSEBUTTONSWAP\nsqlite3_step\nChangeDisplaySettings\ndirPath\nProcessInfo\nCryptUnprotectData\nXOR_KEY\npszProviderName\nWin32Exception\nExtractJsonValue\n 8(\"$\nhResInfo\npvReserved\n<SetValueAsync>b__1_2\nPrivilegeCount\nset_GenerateExecutable\n\n&8W\nSetWindowsHookEx\n<SendDesktopFrame>b__0\nindent\n\n.sh\n<HandlePacket>b__30\n-\frl\nget_ASCII\nprofileName\nBSJB\nC~#m\n<URL>k__BackingField\nT@\tL\nmessageLoopThread\n\nrg6\nAE#U\n<<HandlePacket>b__48>d\nJN~\"\nlpType\n%\n}\"\n<>9__51_20\nCreatePackage\ncbNonce\ntotal\npszImplementation\nSystem.Threading\nReadToEnd\nRuntimeFieldHandle\nSTAThreadAttribute\nget_DateCreated\ndwLegacyKeySpec\nOpenNotepadWithText\npbMacContext\nReconnectionLoop\nRemoveFromStartup\nnetworkSemaphore\nmessage\nThreadAccess\nget_Item1\nGetText\n,\nr\n\nget_UnicastAddresses\n&S!&\n\nr!5\nWrJ!\nMouseDown\ncbOutput\nCurrentUser\noperationQueue\nOpenCalculator\nReadAllBytes\n<Error>k__BackingField\nHEALTH_CHECK_INTERVAL\n<HandlePacket>b__35\nCancel\nBitmap\n<Exists>k__BackingField\n\n^r\nSW_SHOW\n\nr&w\nSetException\nget_SocketErrorCode\n\n.sQ\ndmDisplayOrientation\nBypassUACFodHelper\n\n&+R\nGraphics\nChangeWallpaper\noutputRoot\nlpLuid\ndmMediaType\nForceReconnect\nstreamLock\nSystem.Runtime.InteropServices\nRandom\ndestPath\nset_DateLastUsed\nForm\nKEYEVENTF_KEYUP\nExecuteFile\nget_Title\n<LastVisit>k__BackingField\nset_Name\nCreateDirectory\n\n&+$\n\t,>r\n<RunLimitedOperation>b__0\nIsAdmin\n<RecoverPasswordsAsync>b__0_0\n<GetNetworkAdapters>b__1_2\n\u000b)\nD\npCipherText\nClipboardWindow\nget_ErrorNumber\n<>c__DisplayClass51_2\nproc\nget_Error\nDuplicateTokenHandle\nWalletGrabber\nFileInfo\nStartHealthMonitor\n2Client.BrowserHistory+<GetBrowserHistoryAsync>d__1\nfileManager\nReceivePacket\nistepIfAniCur\n<ListDirectory>b__2_1\nEnumerable\ndmSpecVersion\ndmDeviceName\nget_FlatAppearance\nGetNetworkAdapters\n,j~)\nSE_PRIVILEGE_ENABLED\n<DateLastUsed>k__BackingField\n1T_\nlastClipboardText\n<Letter>k__BackingField\n,ar\t \n<HandlePacket>b__51_18\n<<HandlePacket>b__50>d\n<>c__DisplayClass51_0\nNCryptOpenKey\nget_TotalMilliseconds\nop_GreaterThanOrEqual\nconsecutiveErrors\n<HandlePacket>b__51_11\nConnectAsync\nset_Modified\n,Client.NetworkInfo+<GetNetworkInfoAsync>d__0\nhwndCallback\nLocalMachine\nget_StackTrace\nDrawIconEx\nhmod\nset_ValueType\nEndsWith\ntotalCookiesCount\npr\ny\ndmPanningWidth\nGatewayIPAddressInformationCollection\n.s>\n\n\nr9\ncbAuthData\nIsNullOrEmpty\ndmPelsHeight\nGetTotalCookies\n\\rC\nSECURITY_IMPERSONATION\nLoadFrom\nCreateParams\nprG\ncaptureHeight\nVS% \nset_QueuedAt\nmouse_event\n\n,A+\n\f.\np\nchunkIndex\nQueuedOperation\nSocketOptionName\nlpMultiByteStr\nget_IsKey\nBrowserHistory\n%,\fr$\nAssemblyConfigurationAttribute\nRelease\n.~#\n<Name>j__TPar\n\n\u000bsr\nToList\nIsInRole\nUnicastIPAddressInformationCollection\nptScreenPos\nGetLastWin32Error\n\nRMM Client\nSQLITE_DONE\n\fA4\nBufferLength\nStringCollection\nget_CompiledAssembly\n,8(Y\nset_Icon\nCopy\nGetNetworkInfoAsync\nCompileAssemblyFromSource\nImpersonateLoggedOnUser\n-Client.WebcamCapture+<CaptureWebcamAsync>d__0\nget_Attributes\nPostThreadMessage\n\n-3+6\nProcessQueue\n#Blob\nWebcamCapture\n\n-Cr#\n<GetBrowserHistoryAsync>d__1\n<HandlePacket>b__24\n<SendBinaryFrameAsync>b__1\n<>9__51_44\nuploadPath\n<>9__51_45\nget_Data\nadvapi32.dll\n<HandlePacket>b__51_17\nSystem.Core\n\n:p\n\n^~\nsourceHeight\nTryReadWithPython\n<>c__DisplayClass51_16\nlYE\f\n<>9__51_49\nReadOnlyCollectionBase\nuserDataPath\n&^r\nGetHostname\nget_Description\nchunkPath\n\n 0u\nPropertyInfo\nkeylogger\nget_Modified\nmasterKey\ndmDriverVersion\nSND_ASYNC\n M[8#B\n\n.sa\n\n\n+4\t\nset_Description\n\n\u000b+/\npdwFlags\n\n\frD\nUnicastIPAddressInformation\nTextWriter\nget_Bottom\nset_WiFiNetworks\nSuspendThreadNative\nBCryptDecrypt\nGetWindowRect\n\n~W\nGetCurrentProcess\nGetHashCode\n<SSID>k__BackingField\nhookThread\nAdjustTokenPrivileges\ncbData\nTryParse\nkeyloggerActive\n0Client.NetworkOptimized+<HealthMonitorLoop>d__30\n<>9__51_19\nidHook\nManagementBaseObject\nget_Password\n<SendPacketAsync>b__0\n8H9'9.\npszSound\n<GetBrowserHistoryAsync>b__1_1\nctrlKey\nIAsyncStateMachine\nSystem.Collections.Concurrent\nset_Location\nget_DataAvailable\n<GetAutofillDataAsync>b__0\nget_X\nAppendToFile\n<Size>k__BackingField\n<>c__DisplayClass51_18\nP-7N\n.Client.ScriptExecutor+<ExecuteScriptAsync>d__1\nget_ExitCode\nadd_Tick\n\n-\fr\n<X/r\nCaptureScreen\nTryReadAutofillWithPython\npr16\n\n&+h\t\nX\u000b+Z\nExtractCookies\n<>9__1\nisV20\nGCCollectionMode\n<HandlePacket>b__51_0\n\n%r8$\n AsJ\n,\\sn\n\n\toz\naltKey\nSetSocketOption\nset_CreateNoWindow\nset_CurrentMonitor\ndmDisplayFrequency\nMAX_RECONNECT_ATTEMPTS\ncbInput\n&V%)\n<HandlePacket>b__51_5\nset_NoDelay\nGetServices\npPromptStruct\nQ._8\nflags\npPaddingInfo\n 3\nr\nGetChromeV20MasterKey\nCancellationTokenSource\n-\u000brG\nset_FlatStyle\n\n\f(A\nWriteFile\nget_HasErrors\nSWP_NOMOVE\nSelfDelete\nget_Value\nSystem.Collections.Specialized\nMath\nncrypt.dll\nserverPort\nframeData\n<>u__2\nset_Credentials\n\n,.\t(X\nDPAPIDecrypt\nFromImage\nget_LastWriteTime\nset_Height\nDI_NORMAL\n,Fra\nConsole\nServiceController\nMove\nWriteLog\nMIN_ALL_UNDO\ndata\nduration\nGetAddressBytes\nset_StartPosition\nWebClient\nSystem.Net.NetworkInformation\npszAlgId\nencryptedData\nmonitorBounds\nintensity\noperationSemaphore\nset_UsePassive\n\n&+]\t\ntime\nset_Arguments\nget_VolumeLabel\nGetAllNetworkInterfaces\nConcat\nMIN_ALL\n<<SendPacketNonBlocking>b__0>d\nExtractEdgeCookies\nframe\nNetworkCredential\nphAlgorithm\n\tp\tx\t\nset_Width\nwinmm.dll\nciphertext\n /'r\n<>c__DisplayClass51_17\nReturnLength\nReadSQLitePasswords\n<IsDirectory>k__BackingField\nget_TotalSize\npPrompt\n&c%.\n\t\t\t\t\n\nAL\nClose\nhObject\n\n\nsr\nFromBase64String\nUnhookWindowsHookEx\n<Name>i__Field\nIEnumerable`1\nset_Application\npReserved\nget_Output\nset_ActiveConnections\nget_DisplayName\nRSDS\nget_Exists\nget_Item3\n\n&+\u000b~6\n\n-\u000br\nbInheritHandle\nCopyTo\nReadCookies\ndmBitsPerPel\nLockScreen\nSetApartmentState\nstartupManager\n<ListKeysAsync>b__0\n<HandlePacket>b__39\n<>t__builder\nset_Text\n,/(A\n\nr\ny\nfdwSound\nDeleteValue\nprD$\ncchString\nSendPacket\nPOINT\nautofillData\n\n\n\trX.\nUploadToServer\nset_IsRunning\n[G7N\n\nHealthMonitorLoop\nget_IPAddress\n<HandlePacket>b__10\nStringBuilder\npPlainText\nget_Warning\n<CaptureWebcamAsync>b__0_0\n<HandlePacket>b__51_1\n\f,>re\n\nr6.\nsourceWidth\nget_Available\nDeleteObject\ninput\nSetAttributes\n\t-\frZ\f\n,Jr#\n-3\n\t\nget_Current\nset_Count\npDataIn\nGetCursorInfo\ngdi32.dll\n!YoS\nset_DNSServers\nDisconnect\nGetValueKind\nMain\nnVirtKey\nYf +\nSystem.Collections.Generic\nGetRegistryRoot\nform\nProcessModule\nCreate\n.s;\nResourceReader\n1YE\t\nEnableDebugPrivilege\n\n\nr\"1\nlogWriter\nShakeWindowInternal\n\n\n+G\t\nSWP_NOSIZE\ncbAAD\n%\n}\ncustomOutputPath\n<>9__51_9\nGetEdgeMasterKey\nhwndApp\n<>c__DisplayClass51_8\nFileAttributes\nPoint\nset_Pid\nFileItem\ncbKeyObject\nDATA_BLOB\ndwShareMode\n\n(A\nAssemblyCopyrightAttribute\nget_Client\n<>9__51_17\nKBDLLHOOKSTRUCT\nVK_SHIFT\nget_Out\n7-\tY\nxHotspot\nGetProperty\nWriteAllBytes\n\n\n\t(;\n\n\n\t9\n\n&+@\nCancellationToken\nEndInvoke\n\n&8#\f\nNativeWindow\nOpenCDTray\nmodeNum\nCP_UTF8\nAppend\n>W3S\n\nIsDigit\n<Username>k__BackingField\nSelectMode\nCRYPT_STRING_BASE64\n<HandlePacket>b__51_12\n@Mt\"\nset_SSID\nReport\nBrowserDataExtractor\nget_FreeSpace\nScriptExecutor\nSocket\nphProvider\nset_DisplayName\n\n\u000b(Y\nGetProcesses\nset_URL\nlogPath\nUsers\nGetIconInfo\nuMapType\nprK\t\np\toT\nbS \n<Browser>k__BackingField\nICredentials\nIFormatProvider\nreconnectTask\nget_Now\n<Success>k__BackingField\n<ShowMessage>b__0\nhToken\nget_DnsAddresses\n<WiFiNetworks>k__BackingField\n\nr!3\nDestroyHandle\nWZL3\nWriteAllText\nwidth\nget_IsReady\npvParam\nserviceManager\n\n&~W\nIntPtr\nMethodInfo\nset_IsBackground\nset_Style\nResize\n<Status>k__BackingField\nLookupPrivilegeValueW\n<<HandlePacket>b__40>d\n-G<Q\ntryV20\n\n%rH\n<RunLimitedOperation>b__1\nfilename\nDeleteValueAsync\nqueueLock\nhModule\nGetFolderPath\nGetImageEncoders\nget_UTF8\n$a1b2c3d4-e5f6-7890-abcd-ef1234567890\nTuple`6\n\n&8I\n<GetNetworkInfoAsync>b__0_0\nKillProcess\n\n-g+z\nSuspendProcess\n1.0.0.0\nGetComputerNameA\nRestoreScreen\nstateLock\ncbSize\nGetAutofillDataAsync\n\n\nsx\n<>c__DisplayClass22_0\nOpenWebsite\nwMsgFilterMax\nThreadStart\n<>9__41\nSystem.IO.Compression.FileSystem\ncookiesPath\nAESGCMDecrypt\nnCmdShow\n<ListKeysAsync>d__0\nRunLimitedOperation\nGetResponse\nP3S\n\n<>c__DisplayClass2_0\n,6\t(0\n<>c__DisplayClass51_4\nget_Headers\nFlipScreen\nset_ExStyle\nlpOverlapped\n\n&+\t\t\n<HandlePacket>b__38\n<>9__51_8\nnetwork\nWalletPath\n\n\u000bsN\nGetStartupList\n<>c__DisplayClass51_5\n<>9__51_37\n<HandlePacket>b__40\nSystem.ComponentModel\nGetFiles\npDataOut\nset_ForeColor\nIOException\nget_Question\nBlockInputAPI\nGetCurrent\nMAX_CONSECUTIVE_ERRORS\n<ListDirectory>b__2_0\nvalueType\nWait\n\n\fsr\nget_Controls\nbScan\nFileStream\nSendProgress\nGetIP\nEnsureSQLiteDLL\n-!(b\nReleaseHdc\nDrawImage\nVK_MENU\n\nh}x\nlpBuffer\n\nEtP\nStartupManager\nset_Interval\nmonitor\n<>9__1_1\nsoundPath\nSizeofResource\nListDirectory\nDispatchMessage\n,\\sT\n<HandlePacket>b__29\n\tYoS\nX\u000b+K\n\n&r{\nWaitForConnectionAsync\nbufferSize\n<>7__wrap2\nget_Param\nClient\nSleep\n<>9__51_43\nhwnd\n<>9__2_1\nSystem.Collections\ndmReserved2\nFtpWebRequest\nFlatButtonAppearance\nget_MACAddress\n<HandlePacket>b__21\n_bZ `\nhbmMask\ncurrentMonitor\niCol\nNetworkInterface\nFileSystemInfo\n<IPAddress>k__BackingField\nBCryptOpenAlgorithmProvider\nDecryptValue\nMulticastDelegate\nsourcePath\nDockStyle\nloginDataPath\n<>c__DisplayClass51_23\nCompilerResults\nconnected\n\n:T\n<>9__51_15\nTargetFrameworkAttribute\nSystem.Reflection\n1YoS\nSizeOf\n\nri`\n<HL3\n\npbInput\nWM_CLIPBOARDUPDATE\n<DeleteValueAsync>d__2\nAddStartupItem\nget_InnerException\nMemberInfo\nget_GatewayAddresses\nprJ!\n<Path>k__BackingField\nAsyncStateMachineAttribute\nIsNullOrWhiteSpace\n<HandlePacket>b__51_49\n )UU\n\n\t(2\nheight\n-%(Y\nblock\nGetBytes\nOQd!\nget_Path\nset_TextAlign\nSocketError\nGetMonitorCount\nprI6\nprY6\nOpenSubKey\n<>9__51_11\n<SendPacketNonBlocking>b__0\n<>9__51_5\nbutton\n\n F'\n\tr\ny\n<Name>k__BackingField\nGENERIC_READ\n\n\f%o\nWH_KEYBOARD_LL\nCurrentConfig\nGetFTPPasswords\n\fr(0\nReadSQLiteCookies\n\n,\f~W\n<HandlePacket>b__22\nhFile\nMinimizeAllWindows\n.cctor\nExpandEnvironmentVariables\n__StaticArrayInitTypeSize=32\npbBinary\nCreateHandle\nset_AutoFlush\n\n\nr<.\nscreenCapture\nwParam\nimagePath\nvalue\n,3rj\nIPInterfaceProperties\nFileAccess\nToArray\nset_Verb\n\ns<\nWiFiNetwork\nset_Title\nlpWideCharStr\n<SetValueAsync>d__1\nOrderByDescending\npra\nBCryptGenerateSymmetricKey\nMethodBase\nget_AddressFamily\n<HandlePacket>b__34\nHookCallback\n\t 0u\nCompilerError\nFunc`2\nset_UseShellExecute\n@6,(2\ndbPath\n3Client.NetworkOptimized+<SendBinaryFrameAsync>d__24\nxLeft\nLoadResource\nSuspendProcessThreads\nAddClipboardFormatListener\nRuntimeTypeHandle\ncaptureWidth\nWaitForExit\nCreateZipArchive\nDebuggerBrowsableAttribute\nset_Speed\nget_MainModule\nDistinct\nSPIF_UPDATEINIFILE\npszString\njson\nProcessStartInfo\nBCRYPT_AES_ALGORITHM\nKEYEVENTF_EXTENDEDKEY\nop_Subtraction\ncbMultiByte\nset_IsKey\n\n&8V\n\nGetVirtualKey\nICONINFO\nControlCollection\n<GetAutofillDataAsync>d__3\nRT_RCDATA\nCHACHA20_KEY\nGetBrowserPasswords\n<>f__AnonymousType0`2\nsqlite3_column_text\nFClient.NetworkOptimized+<>c__DisplayClass22_0+<<SendPacketAsync>b__0>d\nUnescapeJson\n_-Tr2-\n\n&8M\f\n<>c__DisplayClass24_0\n<<SendBinaryFrameAsync>b__0>d\nset_FormBorderStyle\n<HandlePacket>b__51_7\nedgeUserData\nSafeCopyDatabaseFile\nScreenCapture\nget_Ticks\ntargetHeight\nSystem.ServiceProcess\n\t$\t:\tE\tP\tV\t\npiconinfo\nToString\nisLogging\nget_Line\n\n&8d\u000b\nReadPasswords\n\t,\n\t\nAppendLine\nsqlite3_column_int\nargs\nSPI_SETDESKWALLPAPER\ndelta\nget_White\nshiftKey\nDriveInfo\nIYoS\ncyHeight\nmeltEnabled\nTryReadWithSystemDataSQLite\nGetAwaiter\nTrim\nprJ \nStartsWith\nprocessAccess\n__StaticArrayInitTypeSize=6\ndevMode\nSystem.Linq\n?\\<Q\n\nget_Username\nStringToHGlobalUni\nSendMessage\nClassesRoot\n N&:!{\n;T !\nGetResult\n03rh\n\n\t-\f~W\n<>9__51_4\nuiParam\ndmDriverExtra\nget_Handle\nsqlite3_prepare_v2\nhealthMonitorCts\n<SetValueAsync>b__1_1\nd4@\n\nbase64\nEncoderParameters\n)Client.RegistryEditor+<ListKeysAsync>d__0\nT@\tl\nExtractPasswords\n\|$L3\nfIcon\npr^'\n }&2!z\n\n-T+T\nTask`1\nget_IsDesktopActive\ndmCollate\nWindowsPrincipal\nDecodeBase64\nOPEN_EXISTING\nGetDriveTypeString\n<>c__DisplayClass23_0\n<VisitCount>k__BackingField\nFileManager\nget_ManagedThreadId\n\n-k+r\nPasswordEntry\nGetIPProperties\npath\nEncoding\npbKeyObject\nset_Status\nINITIAL_RECONNECT_DELAY\n\nVs\nWM_QUIT\nO(-$\nIPAddressCollection\nMOUSEEVENTF_RIGHTUP\n\n @B\n Q._!\n<>c__DisplayClass3_0\nvkCode\nEnumDisplaySettings\n<>c__DisplayClass51_10\npbAuthData\n<ReconnectionLoop>d__27\nRECT\nGetResponseStream\n<>9__51_47\nX\u000b+-\n<>9__0_0\nset_VisitCount\n\n.~#\n<ExecuteScriptAsync>d__1\nPlaySoundFile\n\n\n+Z\t\nget_Size\np+ \to\nDMDO_180\nget_AvailableFreeSpace\nProcessThread\nCURSOR_SHOWING\n<HandlePacket>b__51_45\nCloseHandle\nTOKEN_QUERY\nbcrypt.dll\nAutofillEntry\npbData\nMAPVK_VK_TO_VSC\n<>c__DisplayClass50_0\npbSecret\nSQLiteHelper\nhookId\nEncoder\npbIV\nAsyncVoidMethodBuilder\nCreateInstance\n\n-Crq\nhbmColor\nlastNetworkActivity\nHandlePacket\nget_IsActive\nDisableAllPrivileges\nShakeWindow\n<HandlePacket>b__36\nMicrosoft.Win32\n\\.\"+\\\npendingOperations\nhMem\nMouseWheel\nclipboardMonitor\n\u000b+_r'z\n\\X/r\nBCryptDestroyKey\n\n&rK\nAllocHGlobal\nget_MemoryUsage\n8<Q\n\nscanCode\nTranslateMessage\nSystem.IO\nreconnectAttempts\nX\u000b+<\nP<Q\n\n\n\to\nCodePage\nTryReadAutofillWithPowerShell\ngraphics\nTuple\nget_Application\nwS<Q\n\n-\ns_\ncancellationTokenSource\n<Pid>k__BackingField\nInitializeArray\nGetTypeFromHandle\n<GetBrowserHistoryAsync>b__0\nIj\u000b!\nhTemplateFile\nset_TopMost\n\n%r]\nShowTaskbar\nIsVolatile\np\n(A\n\n\u000bow\npEntropy\nEquals\nOpenNotepad\n',\"~\n..8+Tr\n\\( !\n<Modified>k__BackingField\nFunFunctions\nGuidAttribute\n2E69DC77B5DCFCCF57DD14F7E8BC6846C81B48D65C372C8970A25FA856421FE0\nKClient.NetworkOptimized+<>c__DisplayClass24_0+<<SendBinaryFrameAsync>b__0>d\nStreamWriter\ncbSecret\nPtrToStringAnsi\nset_BorderSize\n\n%s\|\n<Type>k__BackingField\nFromMilliseconds\nF!\nY\nSystem.Text\nLClient.NetworkOptimized+<>c__DisplayClass23_0+<<SendPacketNonBlocking>b__0>d\nS.38\nNewState\nDebuggingModes\ndwDesiredAccess\npr\u000b6\nAssemblyDescriptionAttribute\nTryReadWithPowerShell\nlParam\nuCode\n\n\n%o\n6H\n!\nA>#I\nButtonBase\n<>c__DisplayClass51_21\nnByte\n<HandlePacket>b__33\nFILE_ATTRIBUTE_NORMAL\ndrive\nStringSplitOptions\n.Client.AutofillData+<GetAutofillDataAsync>d__3\nset_MemoryUsage\ndmReserved1\nMOUSEEVENTF_MIDDLEDOWN\ncbMacContext\nnNumberOfBytesToRead\nset_AcceptButton\ndmPositionX\nserverIP\n_bZ(H\nSystemParametersInfo\nset_Gateway\nCompilerGeneratedAttribute\nScanWallets\n\nX(H\nIAsyncResult\n<DNSServers>k__BackingField\n<>c__DisplayClass11_0\nRegistry\n\u000b!\u000b'\u000b;\u000b\ndmFormName\n dY` \nSendClipboardData\nGetBrowserWebDataPaths\nget_Item2\nget_URL\nParseWebDataDatabase\n\nX )UU\nImageCodecInfo\n<HandlePacket>b__25\n\n\n\t(\npszKeyName\nKeyDown\nget_Token\nListKeysAsync\nFILE_SHARE_WRITE\nOrderBy\n<>u__1\nGC_CLEANUP_INTERVAL_SECONDS\n<>c__DisplayClass51_22\nSubstring\nCreateSubKey\nWrapCode\nhResData\n\n\t(u\ndmFields\n\tYoL\nPreviousState\ncommand\nset_Data\nSystem.CodeDom.Compiler\nQ\\%\n\nArgumentException\nhWndChild\nnetworkInfo\nGetSubKeyNames\nget_Address\nget_Information\nLowLevelKeyboardProc\n l&!y\nSQLITE_ROW\ndest\n<>c__DisplayClass51_13\n<>c__DisplayClass51_1\n<HandlePacket>b__46\nA1@\tt\nset_SendBufferSize\nCreateFromDirectory\nFILE_SHARE_DELETE\nset_Security\nwMsgFilterMin\nmscorlib\nLowPart\nset_ReceiveBufferSize\n<Adapters>k__BackingField\n\n-\\+c\nSetValue\nRegistryKeyInfo\nNetworkInfoData\nRemoveStartupItem\nSave\nset_SendTimeout\n654C721A221A4CE01BD08488563FF7277E68AF0564487CF36C519B881E39C7E4\nget_Errors\n\n\n(Y\nWaitForPendingFinalizers\nset_IncludeDebugInformation\nvN~\"\n,\\sj\n-\u000br{\ncxWidth\nBitConverter\npasswordRecovery\nFirstOrDefault\n\n\n\t9\f\n<Data>k__BackingField\nPlaySound\nPtrToStructure\nSND_FILENAME\n\n%rX.\nmciSendString\nRegistryKey\n<>9__51_12\nTrimStart\n\nr\"M\nSendPacketAsync\n\|F\n \nlpfn\n\n-\nr\\J\n@61~\nKeyUp\nMapVirtualKey\nCodeDomProvider\ndmColor\n\n-'~W\nWindowsBuiltInRole\n<MACAddress>k__BackingField\nset_TotalSize\nQ.X8\nGetConsoleWindow\n>3S\n\nISZ #\nAES_KEY\n\n E'\nClipboard\nConnect\nN=M \nManagementObjectSearcher\nIButtonControl\nThenBy\n<ActiveConnections>k__BackingField\nSetStateMachine\nList`1\n\n-8r_\nNCryptFreeObject\n\n\t,+rV\nPROCESS_QUERY_LIMITED_INFORMATION\n$\nr~\nset_Value\n9F7A3CA09774D6CDD2B19BC77593698706C324EB8D662D888826F5CC8E293EB5\nshouldReconnect\nWriteLine\nget_QueuedAt\nobject\n\n L'\n\n%r\nset_Letter\np\t(7\n<FreeSpace>k__BackingField\n,Client.Program+<>c+<<HandlePacket>b__51_20>d\n\n\nry\nFILE_SHARE_READ\nTuple`3\nLoadLibrary\n\n-[+k\nFtpWebResponse\nAsyncTaskMethodBuilder`1\nDMDO_DEFAULT\nCSharpCodeProvider\nkeyQueue\n\n&% \ntype\nGetMethod\nReadHistoryFromSQLite\nzSql\n<SetValueAsync>b__0\nContainsText\n5Client.NetworkOptimized+<WaitForConnectionAsync>d__25\nkeybd_event\nGetCountry\nCompilerErrorCollection\n<>c__DisplayClass51_15\nCreateFileW\n3Client.PasswordRecovery+<RecoverPasswordsAsync>d__0\nEnter\n<X/r_\nTOKEN_DUPLICATE\n<SendPacketAsync>d__22\nset_Path\nLockResource\nMoveNext\ntimeoutMs\nget_Pid\nMarshal\nCryptStringToBinaryA\n\nX\u000b+\nToInt32\nadd_Click\nFindWindow\n<>c__DisplayClass51_12\nBCRYPT_CHACHA20_POLY1305_ALGORITHM\nAction`1\nGetPort\n<>c__DisplayClass1_0\n<>9__51_6\n2~#\n\nrv0\nlIt$\nget_IsAlive\n<HandlePacket>b__51_14\nfWinIni\nTake\n<HandlePacket>b__51_47\nT-\tY\nHasCryptoWallets\nServiceManager\nresourceId\nSelect\npcbResult\n\nrNI\nIDisposable\nset_Browser\nMOUSEEVENTF_LEFTUP\ntitle\nT@\t\\\nget_WorkingSet64\nU+#=\nclassName\n\n\f+\n(k\npr?6\n<>c__DisplayClass51_7\nAssemblyTrademarkAttribute\nVkKeyScan\nppStmt\n<TotalSize>k__BackingField\n<Value>k__BackingField\nTryDequeue\nset_IsDirectory\nVK_RBUTTON\n\n\f8Z\nGetProcessById\ndmDisplayFlags\nbrowserHistory\nget_Millisecond\nFileMode\nDouble\nReplace\nOpenThread\nAddToStartup\nWaitForStatus\nWaitAsync\nget_Left\nMOUSEEVENTF_ABSOLUTE\nDllNotFoundException\nprocessManager\nget_IsRunning\n8>#L\nContains\n\n:\|\u000b\nSocketOptionLevel\nWrapNonExceptionThrows\nlpMsg\n\n\n+!\t\nlpDefaultChar\nidThread\nget_Speed\ntargetFPS\ncallback\n,Client.RegistryEditor+<DeleteValueAsync>d__2\nNetworkAdapter\nGetServiceList\nBCRYPT_CHAINING_MODE\nVK_MBUTTON\n=* ;\nsqlite3.dll\n\n\tr\|\nCU@\t\nset_DateCreated\nCRYPTPROTECT_PROMPTSTRUCT\n<HandlePacket>b__51_13\nGetString\nProcessWindowStyle\nTaskAwaiter\nStop\n<>9__51_1\n\n 3'\nAssemblyProductAttribute\n.NET Framework 4.83\nindentStr\nnNumberOfBytesToWrite\ndmICMIntent\ntimer\nencoded\n<Client.Program+<>c__DisplayClass51_19+<<HandlePacket>b__40>d\nGetThreadId\nset_InterpolationMode\nZero\n<HandlePacket>b__31\n#GUID\nCloseMainWindow\nCollect\nset_Success\nget_Connected\ndeviceName\n<HandlePacket>b__51_15\nGetValueNames\n<Output>k__BackingField\nSetHook\nset_GenerateInMemory\n4Client.ClipboardMonitor+<MonitorClipboardAsync>d__15\nfunFunctions\n<IsKey>k__BackingField\nMicrosoft.CSharp\nget_ModuleName\nOperatingSystem\n%r^L\n-,(b\nSystem.Drawing.Drawing2D\nRecoverPasswordsAsync\n\n&8:\u000b\nBindingFlags\n<HandlePacket>b__51_2\nattempt\nIsRunningElevated\nMemoryStream\nset_StartInfo\nlpName\nMouseUp\nPROCESS_QUERY_INFORMATION\nyTop\nset_RedirectStandardOutput\n<>9__51_16\n.ctor\nsqlite3_column_blob\nTextReader\n<Client.Program+<>c__DisplayClass51_20+<<HandlePacket>b__42>d\n\n\t,$r\nlastSuccessfulOperation\nEnvironment\nGetProcessesByName\nMOUSEEVENTF_MIDDLEUP\nStopService\nget_StandardError\n\n-\u000brp\nprogress\n)Client.RegistryEditor+<SetValueAsync>d__1\nset_Size\nbaseNetwork\nset_Label\ncredentialsZipPath\n<Start>b__21_0\nGr%3\nset_ShowInTaskbar\n<<SendPacketAsync>b__0>d\nset_Method\nset_Error\nFormStartPosition\nHistoryEntry\n9.L3\"\ndiFlags\nSetCursorPos\np\to6\nActivator\nget_Y\n\n&+s\t\nDebuggerHiddenAttribute\n\n&(A\nGetHdc\ndmDuplex\nT@\t<\nget_Item4\ncchWideChar\nGetWiFiNetworks\nDeleteSubKeyTree\npacket\nget_Threads\n\n,1r\n-i\ni\nsqlite3_open\nonKey\nO@E#O\npszDescription\nLocalFree\nSocketException\nlpRect\n\n-\t+\t\n<CaptureWebcamAsync>d__0\niamfine\nget_Security\n\n&sr\n25114D00A4033551266955CDD922C5EBB11B1E34BE80825C9553A3F258D5B1CE\n<Description>k__BackingField\n<SendBinaryFrameAsync>d__24\n<>9__51_14\nAsyncCallback\nNetworkInfo\nMonitorClipboardAsync\n<>c__DisplayClass51_19\nWindowsIdentity\nStartService\nget_MachineName\n<HandlePacket>b__51_16\nGetFileSystemInfos\nScriptResult\nOpenProcess\nSystem.IO.Compression\n\n,r(b\nhWndInsertAfter\nget_IsDirectory\n,$rF\n<MonitorClipboardAsync>d__15\n<HandlePacket>b__51_44\n\tr;\t\nE@>#F\n\u000b%ot\n<>c__DisplayClass0_0\nContentAlignment\ncheckName\nDirectoryInfo\nFYoS\n<Gateway>k__BackingField\nrootPath\nget_Item\nGetMessage\n<>c__DisplayClass51_11\nbMt\"\n\n&8w\f\nuiAction\nTimeSpan\nGetKeyState\n\f-2\t\nSystem.Globalization\nij(K\n\n&\tou\n&rZ\f\n<>7__wrap1\nBCRYPT_CHAIN_MODE_GCM\n&+\u000b \nYj +\nset_FreeSpace\npOptionalEntropy\nGetStream\nget_Type\nRegistryValueKind\nGetFileName\nAssemblyTitleAttribute\nget_ServiceName\ncancellationToken\n<<HandlePacket>b__42>d\ndwData\nset_MACAddress\n:rz#\nG6\nA\nclient\ncomputerName\nset_FileName\nReadFile\nGetEnumerator\nwallets\nCopyDirectory\nwalletGrabber\nSplit\nSECURITY_IMPERSONATION_LEVEL\nuser32.dll\n\n\n\tot\nSUSPEND_RESUME\nTimer\nget_Browser\nXorBytes\nSetOut\n\n:q\f\nget_Length\nget_ErrorText\n<>c__DisplayClass51_20\nExitThread\nRemoveClipboardFormatListener\nMutex\nSystem.Runtime.CompilerServices\nExistingTokenHandle\nFreeHGlobal\n<<HandlePacket>b__51_20>d\nisCookie\nExtractBrowserData\nNumberStyles\nset_Font\nget_OSVersion\ncrypt32.dll\nIsWhiteSpace\nyHotspot\nRegistryEditor\nNetworkOptimized\n@x .\n<HandlePacket>b__28\n.\t\t \n\n-@+E\nWndProc\n,\\sy\n<<HandlePacket>b__46>d\nERROR_SUCCESS\n\nr<L\np+4r\nget_FileName\ndmDitherType\nnSize\n<QueuedAt>k__BackingField\nCombinePath\nwOj\"\n@8&8\nGetModuleHandle\npbNonce\n\n-O+\\\n,^~\"\nppszDataDescr\nManagementObjectCollection\nGetPhysicalAddress\nencrypted\nGetValue\nset_Username\n<HandlePacket>b__41\n<HandlePacket>b__51_8\nVK_LBUTTON\nget_Letter\nlpModuleName\nsqlite3_close\n<Path>j__TPar\nszPrompt\n\n,(b\n<>9__51_18\nget_WiFiNetworks\nprpH\nOnClipboardChanged\nInitialize\nGetTotalPasswords\nget_Bounds\nGetConfig\n[[O#[\nWebHeaderCollection\nBoolean\nSendBinaryFrameAsync\nFormat\nIndentCode\nX\n\tj\n,hsX\n\n\nre\n%<Q\n\nProcessPendingOperations\nSystem.Windows.Forms\nop_Equality\nU\"#8\nNCRYPT_PAD_PKCS1_FLAG\nProcessThreadCollection\nAssemblyFileVersionAttribute\n<Count>k__BackingField\n\n:%\f\n\n:,\n\nMOUSEEVENTF_WHEEL\n\n%rF\f\n\nr~#\nGetEnvironmentVariable\n\n\t\nEventArgs\nsqlite3_column_bytes\nGetStringResource\nMOUSEEVENTF_LEFTDOWN\n<startTime>5__2\nSystem.Runtime.Versioning\nReadAllText\npr73\nget_Msg\np\u000bs\|\nFindResource\nget_ProcessName\nstream\nAssemblyCompanyAttribute\nBCryptSetProperty\n\n\u000b(\\\nMOUSEEVENTF_RIGHTDOWN\nManagementObject\n\n\n+5\n<HandlePacket>b__51_20\ntotalPasswordsCount\nGatewayIPAddressInformation\nget_Default\nu;L3\n<>9__51_0\nnetworkInstance\nProgram\nShowWindow\nGetLogPath\nget_Item5\nIOrderedEnumerable`1\nCombine\nCURSORINFO\n\n&+~\t\nComVisibleAttribute\nCompilerParameters\nDecryptWithNCrypt\nTOKEN_ADJUST_PRIVILEGES\nbuffer\n<>9__51_2\n<>4__this\nMAX_RECONNECT_DELAY\nfilePath\n\n,\u000br\nget_Location\n<HandlePacket>b__50\nSendDesktopFrame\nParseHistoryDatabase\n\n%(C\nDrawCursor\nGetWiFiPasswords\n\nrJ!\nget_DateLastUsed\n\nX\f+\nShowMessage\nget_Adapters\nGetMasterKey\n<WaitForConnectionAsync>d__25\nget_Label\nGetType\n<Title>k__BackingField\npr%6\n<HandlePacket>b__51_4\n<HandlePacket>b__26\nDownloadString\n<>9__51_7\n<>9__51_13\n_CorExeMain\nSendBinaryFile\n<Client.Program+<>c__DisplayClass51_23+<<HandlePacket>b__50>d\nZipFile\n,T~&\nv4.0.30319\nGetTempPath\n1.r2\nCaptureWebcamAsync\nCallNextHookEx\nlocalStatePath\n\n\t,(r\nRectangle\nSetResult\nCqX\n\nSemaphoreSlim\nBeginInvoke\nCheckConnectionHealth\nregistryEditor\nX\f+:\n/Client.NetworkOptimized+<ReconnectionLoop>d__27\nget_ReferencedAssemblies\n<Start>b__12_0\nStreamReader\n<Client.Program+<>c__DisplayClass51_21+<<HandlePacket>b__46>d\n<HandlePacket>b__48\n<Location>k__BackingField\nSW_HIDE\nMainLoop\nSQLITE_OK\np\u000b(\\\nRemoteInput\nX-7N\ncount\nget_VisitCount\n\n,%(b\n\n-C+M\nT@\t\f\n\nrhG\nbrowser\n<>9__2_0\n`\t`9\nlpUsedDefaultChar\nset_Output\nwalletName\nToLower\nTaskAwaiter`1\nJoin\nGetUsername\nX\fs<\nisReconnecting\nsysInfo\n<>c__DisplayClass51_3\n<ExecuteScriptAsync>b__0\nHideTaskbar\nLogger\nhMod\n6.\f\t\n\n,:(\nhIcon\n\n&8}\nHighPart\nBase64Decode\nDM_DISPLAYORIENTATION\n,G(Y\n#Strings\nkernel32.dll\nset_Caption\n-3(b\nget_StandardOutput\nsqlite3_column_int64\nactive\nt.>+K\nParseValueType\nExtractFirefoxData\nPasswordRecovery\n/.g8\n\n&+\"\n<Label>k__BackingField\nMoveMouse\nExtractJsonInt\nRuntimeCompatibilityAttribute\n\"\to\f\n<HealthMonitorLoop>d__30\nget_Top\n\n-v8\nSystem.Management\n.NETFramework,Version=v4.8\nwalletPath\nget_Count\nhbrFlickerFreeDraw\nremoteInputEnabled\nget_Right\n<HandlePacket>b__51_43\ndwFlagsAndAttributes\n-\u000br\t\nVK_CONTROL\nKeylogger\n\n.s\np\ns\|\n\n\frE\\\nget_MessageLoop\nIOControl\nbrowserName\nIEnumerator\nset_LastVisit\nget_Gateway\nmscoree.dll\nAddRange\n\n%ot\n\n\f% 0u\nNCryptOpenStorageProvider\nENUM_CURRENT_SETTINGS\nSystem.Net\nset_ReceiveTimeout\n<HandlePacket>b__51_37\nprocessId\nT` '\nExecuteScriptAsync\n\nL\nX\nq\n\nvalue__\nlpSystemName\nbasePath\nresult\nget_Unicode\n+AL\n<>c__DisplayClass11_1\nhealthMonitorTask\nSetWindowPos\nDebuggerBrowsableState\nSrJ!\nParsePacket\nIProgress`1\nset_Password\n\n,A~\nfileData\nAsyncTaskMethodBuilder\nTcpClient\nFunc`1\nCopyWALFiles\nget_Success\nqEH\n$\n%\n}\n\nprocess\n\n&% 0u\nCreateEmptyPackage\n\n&8,\n\n\nr%4\n<HandlePacket>b__51_19\nset_IsDesktopActive\nGetBrowserHistoryPaths\n<Client.Program+<>c__DisplayClass51_22+<<HandlePacket>b__48>d\ndmPelsWidth\n\n&+2\nClipboardMonitor\n<>c__DisplayClass51_6\nset_Adapters\nClient.exe\n.Client.NetworkOptimized+<SendPacketAsync>d__22\n<Password>k__BackingField\n<DeleteValueAsync>b__0\nNCryptDecrypt\n83S\n\nclipboardWindow\nget_AllScreens\n5YoS\nrunning\ndmICMMethod\n<IndentCode>b__0\n\n%r4\f\n\nrJP\nGetDirectoryName\nlpNumberOfBytesRead\n<RecoverPasswordsAsync>d__0\nGetEmailPasswords\ncbTag\nset_UseBinary\n\n^\f\nstateMachine\n\u000br<L\nAwaitUnsafeOnCompleted\nmethod\nGetActiveConnections\nC:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb\n%'ZB\nlpFileName\n\n&~7\nuFlags\nReadFirefoxCookies\n\n\nr1\ncbIV\n\nrNP\nGetExecutingAssembly\nGetBrowserHistoryAsync\n#YoS\nset_Exists\n<ShowMessage>b__1\n\n-\"+'\nClear\nmonitoring\nHWND_TOP\n<DisplayName>k__BackingField\nProcessHandle\n<PrivateImplementationDetails>\nT<Q\n\n<HandlePacket>b__27\nset_Dock\n<>9__51_3\nget_Height\n<HandlePacket>b__42\nlastGCCleanup\nCalculateBackoffDelay\nwindowName\nGetProcessList\nIOControlCode\nKill\nSendPacketNonBlocking\n\u000b#\f1\f6\fP\f\nSystemIcons\nImpersonateLsass\ndmLogPixels\nget_IsCompleted\nop_Explicit\nFromArgb\nGetDirectories\nSystem.Threading.Tasks\n\n&%ou\n\n\n\t-\nbase64Data\nRuntimeHelpers\nget_Item6\nReadAutofillFromSQLite\n%\n}&\nset_MaximizeBox\nY@6\u000b(1\nget_Name\nBlockInput\nkeyCode\nConvert\n\n\f(Y\n{3qX\n\n<>1__state\nget_Status\nFlagsAttribute\nget_IsDisposed\n,\n~!\nM3S\n\n\u000b @B\n\n I'\nDuplicateToken\nFileShare\n<GetNetworkAdapters>b__1_1\ndwExtraInfo\nget_OperationalStatus\nget_Id\n\n,#r\nOpenProcessToken\nEncoderParameter\nset_IPAddress\n\tr6.\ndecryptCallCount\n<GetNetworkInfoAsync>d__0\n<Start>b__12_1\nEqualityComparer`1\nstatus\nSystem.Drawing\nget_ValueType\n\n\nr^\n<Module>\nhThread\nBCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_VERSION\nGetKeyName\ntargetWidth\nSendClientInfo\nset_WindowStyle\n<Application>k__BackingField\nSystem.Net.Sockets\n\n,,\t\ndmYResolution\n<>c__DisplayClass51_9\nRevertToSelf\n,>~'\nlpNumberOfBytesWritten\ndwCreationDisposition\nPoll\nProcessManager\nDEVMODE\n<>c__DisplayClass51_14\nDispose\n<>9__1_2\npcbBinary\nManagementObjectEnumerator\nSendBinaryFrame\nop_Inequality\nRestoreMouseButtons\nget_DNSServers\n:3#A\np\n(k\nget_UserName\nWhere\n<HandlePacket>b__51_9\npbTag\nBCRYPT_AUTHENTICATED_CIPHER_MODE_INFO\nStringWriter\n r(\"$\nget_DriveType\nhCursor\nset_BackColor\n<Path>i__Field\nToUInt32\nServiceControllerStatus\nDebuggableAttribute\ndwInfoVersion\nServiceInfo\nfBlockIt\nCopyFromScreen\nget_LastVisit\n@p -\nWM_KEYDOWN\ndesktopActive\n\n%rr.\n<Speed>k__BackingField\nget_NetworkInterfaceType\npdwSkip\nlpSecurityAttributes\npzTail\nset_Padding\nAppendAllText\nget_Task\n$\nrE\nget_TotalSeconds\nTOKEN_PRIVILEGES\n<GetProcessList>b__0_0\nline\nset_Type\nAbort\nSetParent\n\u000br+\n\nget_Width\nLastIndexOf\n<>c__DisplayClass42_0\nStartReconnectionThread\nget_Chars\n<HandlePacket>b__51_3\nphKey\nEscapeJson\n;W3S\n\nGetSubPath\ndmDisplayFixedOutput\nWM_COMMAND\n\nv~\n\n\u001b[0;32mNo insults found in the file\u001b[0;0m\n\u001b[0;32mNo keyboard keys are used in the file\u001b[0;0m\n\u001b[1;31mThe following 20 out of 2074 strings are blacklisted:\u001b[0;0m\n\t+----------------------+-----------------+\n\t\| String \| Group \|\n\t+----------------------+-----------------+\n\t\| time \| Utilities \|\n\t\| IsAdmin \| Further strings \|\n\t\| get_MachineName \| Further strings \|\n\t\| DisableAllPrivileges \| Further strings \|\n\t\| GetProcessesByName \| Further strings \|\n\t\| GetResponse \| Further strings \|\n\t\| Clipboard \| Further strings \|\n\t\| Socket \| Further strings \|\n\t\| Console \| Further strings \|\n\t\| attempt \| Further strings \|\n\t\| browser \| Further strings \|\n\t\| TcpClient \| Further strings \|\n\t\| CreateSubKey \| Further strings \|\n\t\| GetProcesses \| Further strings \|\n\t\| MemoryStream \| Further strings \|\n\t\| Keylogger \| Further strings \|\n\t\| Users \| Further strings \|\n\t\| SetHook \| Further strings \|\n\t\| CaptureScreen \| Further strings \|\n\t\| SE_PRIVILEGE_ENABLED \| Further strings \|\n\t+----------------------+-----------------+\n\u001b[0;32mNo packer signature was found in the PE file\u001b[0;0m\nNo URL found in the file's strings\n\n", "exit_code": 0, "output_file": "/home/apogean/projects/static_decompilation_malware/pe_studio_analysis.txt" }	2026-04-23 00:40:01	9a5ff998dbf0f6923d0b454d89800fb4
69e9bb8c59a6632dae07de20	360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e…	{ "success": true, "output": "\n================================================================================\nPESTUDIO ANALYSIS REPORT\n================================================================================\nFile: /home/apogean/projects/malware/windows/all_runs/now_you_see_me_again.exe\nExit Code: 0\nCommand: /home/apogean/projects/static_decompilation_malware/sdm/bin/python3 /home/apogean/projects/static_decompilation_malware/pestudio-cli-main/pestudio.py -f /home/apogean/projects/malware/windows/all_runs/now_you_see_me_again.exe --header -i --indicators -e -r --relocations -s --strings -u -d\n================================================================================\nIndicators:\n\u001b[1;34m\tNo connection to VirusTotal possible\u001b[0;0m\n\u001b[1;31m\tThe PE file has no digital signature\u001b[0;0m\n\u001b[1;31m\tFile Header: Suspicious value for TimeDateStamp (2088-03-07 00:06:34)\u001b[0;0m\n\u001b[0;32m\tNumber of imports is in a reasonable range (1) \u001b[0;0m\n\u001b[1;31m\tThe binary uses relocations\u001b[0;0m\n\u001b[1;31m\t20 strings are blacklisted\u001b[0;0m\n+---------------------------------------------------------------+------------+\n\| Description \| level(0/0) \|\n+---------------------------------------------------------------+------------+\n\| \u001b[1;31mThe file opts for Data Execution Prevention (DEP)\u001b[0;0m \| 0 \|\n\| \u001b[1;31mThe file opts for Address Space Layout Randomization (ASLR)\u001b[0;0m \| 0 \|\n\| \u001b[1;31mThe file ignores Structured Exception Handling (SEH)\u001b[0;0m \| 0 \|\n\| \u001b[1;31mThe age (2068-05-04 23:34:16) of the debug file is suspicious\u001b[0;0m \| 0 \|\n\| \u001b[1;31mThe file has (0) blacklisted section name(s)\u001b[0;0m \| 0 \|\n\| <class 'str'> \| 0 \|\n+---------------------------------------------------------------+------------+\nFile Header: \u001b[1;31mSuspicious value for TimeDateStamp (2088-03-07 00:06:34)\u001b[0;0m\n\t+----------------------+-----------------------------------+\n\t\| Property \| Value \|\n\t+----------------------+-----------------------------------+\n\t\| Signature \| 50450000 \|\n\t\| Machine \| Intel 386 or later and compatible \|\n\t\| Number of sections \| 3 \|\n\t\| timeDateStamp \| \u001b[1;31m2088-03-07 00:06:34\u001b[0;0m \|\n\t\| pointerToSymbolTable \| 0x0 \|\n\t\| numberOfSymbols \| 0 \|\n\t\| sizeOfOptionalHeader \| 224 \|\n\t\| characteristics \| 0x22 \|\n\t\| Processor 32-bit \| False \|\n\t+----------------------+-----------------------------------+\n\u001b[1;31mSuspicious number of imports (1)\u001b[0;0m\n\u001b[0;32mNone of the imports is blacklisted. \u001b[0;0m\n\u001b[0;32mThe binary has no exports\u001b[0;0m\nRelocations of the binary:\n\t+-----------------+----------+---------+------+\n\t\| Virtual address \| Position \| Type \| Size \|\n\t+-----------------+----------+---------+------+\n\t\| 0x38000 \| 0xf60 \| HIGHLOW \| 32 \|\n\t\| 0x38000 \| 0x0 \| ABS \| 0 \|\n\t+-----------------+----------+---------+------+\nNo blacklisted resources found\nList of all resources: \n\t+---------------+------+----------------------------------+----------+\n\t\| Type \| Name \| MD5 \| Language \|\n\t+---------------+------+----------------------------------+----------+\n\t\| Accelerator \| 0x1 \| 4D3263466F07BEEBE7760E4B406185DC \| neutral \|\n\t\| Accelerator \| 0x2 \| 671411510B63CCB34B60793179ABDF5A \| neutral \|\n\t\| Accelerator \| 0x3 \| 43B9BB3A960FC7307EDC9FA0FCF853B7 \| neutral \|\n\t\| Plug-and-play \| 0x1 \| F9D1BE20B1C4063BF31C7A1022305641 \| neutral \|\n\t\| Executable \| 0x1 \| B7DB84991F23A680DF8E95AF8946F9C9 \| neutral \|\n\t+---------------+------+----------------------------------+----------+\nStrings in the PE file:\nCloseCDTray\n<IsKey>k__BackingField\nget_Handle\n<FreeSpace>k__BackingField\n<HandlePacket>b__51_2\nGetTempPath\npszString\n\nF~#\n.s;\n\nrJP\nRestoreScreen\nTuple\nnetworkSemaphore\nX\fs<\nset_CreateNoWindow\njson\nGCCollectionMode\n<MonitorClipboardAsync>d__15\npr73\nset_FlatStyle\n<startTime>5__2\nget_X\n_bZ(H\nget_IsCancellationRequested\n\n%r4\f\nRegistryKeyInfo\n-,(b\nGetProcessList\nIEnumerator\n\t,>r\nFileStream\nServiceController\nEscapeJson\nget_WorkingSet64\nIsRunningElevated\nSE_PRIVILEGE_ENABLED\nset_StartPosition\nget_Output\nFreeHGlobal\nStartHealthMonitor\nLoadResource\nget_UserName\nCompilerErrorCollection\n r(\"$\nGetSubKeyNames\npOptionalEntropy\nget_Msg\n\\rC\nScanWallets\nget_Ticks\ncaptureWidth\n5YoS\nuserDataPath\nReadCookies\n<>c__DisplayClass51_20\nyHotspot\npszAlgId\nFileAccess\nDeleteSubKeyTree\nSuspendProcess\nQ._8\n,j~)\nGetAutofillDataAsync\n<>c__DisplayClass51_4\nprogress\nsqlite3_column_blob\n<<SendPacketNonBlocking>b__0>d\nGetComputerNameA\n<HandlePacket>b__51_13\nget_Pid\n,8(Y\nClassesRoot\n\nX )UU\nRuntimeHelpers\nA>#I\n<SetValueAsync>d__1\n,\nr(\nset_RedirectStandardOutput\nget_MainWindowHandle\n.Client.AutofillData+<GetAutofillDataAsync>d__3\nClipboardWindow\nIsNullOrWhiteSpace\n<>c__DisplayClass51_9\nget_MachineName\nHistoryEntry\nget_Connected\n<<SendPacketAsync>b__0>d\nimagePath\nDockStyle\n<IsDirectory>k__BackingField\nvkCode\nTcpClient\nset_StartInfo\ntotalPasswordsCount\ncxWidth\nSystem.ComponentModel\n\u000br+\n\nSystem.Core\nTryDequeue\n#GUID\n\n&8}\nFrameworkDisplayName\nlpFileName\ndmMediaType\nGetCurrentProcess\n\n-Crq\n\n-O+\\\nFunc`1\nNCRYPT_PAD_PKCS1_FLAG\nIsInRole\n#YoS\nEncoder\nImpersonateLsass\nGatewayIPAddressInformation\nCP_UTF8\nhIcon\nnCmdShow\nhToken\nIsAdmin\n<SetValueAsync>b__1_2\n<HandlePacket>b__24\nP-7N\nset_Modified\n<Client.Program+<>c__DisplayClass51_21+<<HandlePacket>b__46>d\niamfine\nNetworkInfoData\nSystem.Runtime.CompilerServices\nEquals\n<DeleteValueAsync>d__2\nNetworkInterface\nFromImage\nshouldReconnect\ndelta\n\n&8M\f\n<>c__DisplayClass51_3\nfunFunctions\nget_Security\nSave\n\n.sa\nGENERIC_READ\n4Client.ClipboardMonitor+<MonitorClipboardAsync>d__15\nMOUSEEVENTF_RIGHTUP\n<>c__DisplayClass51_18\nGetMasterKey\nManagementObject\ntotal\nget_Errors\n<<HandlePacket>b__50>d\n<HandlePacket>b__40\nset_FormBorderStyle\nhWnd\n\n\f+\n(k\nNI.\"\nThreadAccess\n;T !\nlpType\n<HandlePacket>b__38\n<Speed>k__BackingField\nframe\nCreateFromDirectory\nlParam\nCreateDirectory\nRSDS\n<HandlePacket>b__51_17\n<<HandlePacket>b__40>d\nCancellationToken\nVK_SHIFT\ndmPelsWidth\nConnect\nConvert\n<>c__DisplayClass51_2\nget_Modified\nToUpper\n<WaitForConnectionAsync>d__25\ndmFormName\nWindowsPrincipal\nset_Username\nWndProc\nPlaySound\np\u000b(\\\nget_Title\nSetOut\nCreatePackage\n\n&+]\t\n\n,:(\nidThread\nTrim\n`\t`9\nBCRYPT_CHAIN_MODE_GCM\nBCryptDecrypt\nGetBrowserHistoryPaths\n\nrNP\nKeyUp\n<ExecuteScriptAsync>b__0\nXOR_KEY\nArgumentException\nWaitForExit\nSQLITE_OK\nlastClipboardText\nLocalMachine\nget_IsActive\nAdjustTokenPrivileges\n\n%rX.\n<GetAutofillDataAsync>b__0\nmscoree.dll\nsqlite3_column_int64\n6.\f\t\nParseValueType\n\nX\f+\n dY` \ndesktopActive\nset_URL\nRuntimeTypeHandle\naltKey\nget_ErrorText\n\nr!5\n M[8#B\nset_FileName\nSTAThreadAttribute\n<>c__DisplayClass51_22\npbMacContext\nconsecutiveErrors\nsqlite3.dll\nGetTypeFromHandle\nSetValue\n%rTL\n\"\to\f\nSuspendProcessThreads\nIYoS\nGetCurrent\nset_DateCreated\n2Client.BrowserHistory+<GetBrowserHistoryAsync>d__1\n.s>\nmonitorBounds\npbAuthData\ndmCollate\nGetProcesses\nGetBytes\nOpenWebsite\nprocessManager\nGetProcessById\nCRYPT_STRING_BASE64\nSetQuality\nuMapType\n\nr\"M\n<Path>j__TPar\nHookCallback\n&S!&\n\n\u000b(Y\nIEnumerable`1\ndmPanningHeight\nProgram\nSendClipboardData\nGetEmailPasswords\nMicrosoft.Win32\nCompilerParameters\nGetResponse\nVK_RBUTTON\nMethodInfo\nwalletGrabber\nContainsText\nget_Name\nset_GenerateExecutable\n\n,A+\nlIt$\nuFlags\ndmPositionY\nindentStr\n\nr&w\nBCRYPT_AUTHENTICATED_CIPHER_MODE_INFO_VERSION\n\n-\\+c\nAE#U\nCRYPTPROTECT_PROMPTSTRUCT\nconnected\nfileManager\nFileItem\nRECT\nTrimEnd\n\n,\f~W\nFILE_SHARE_READ\nSPI_SETDESKWALLPAPER\ngdi32.dll\nGetPort\nExtractJsonValue\nReadOnlyCollectionBase\nget_DNSServers\nCloseHandle\nSystem.Collections.Specialized\nSetCursorPos\n,3rj\nEqualityComparer`1\n\n 0u\nGetPhysicalAddress\n<>c__DisplayClass22_0\nIPAddressCollection\n,\\sy\nHEALTH_CHECK_INTERVAL\nget_Data\n,hsX\nNCryptDecrypt\n[G7N\n\nget_Item5\n\n\nre\n<<HandlePacket>b__46>d\n<ListKeysAsync>b__0\n\n%r]\n<HandlePacket>b__51_4\nFormStartPosition\nStreamWriter\nset_LastVisit\nReadSQLitePasswords\n\nr~#\n<DisplayName>k__BackingField\nTextWriter\n1.r2\nCloseMainWindow\nRecoverPasswordsAsync\n<HandlePacket>b__51_11\nVS% \n%\n}\"\n\nr%4\n&c%.\nList`1\n\n F'\nDebuggerBrowsableAttribute\nIndentCode\nset_Title\n<Exists>k__BackingField\nN=M \n\fA4\nhThread\n\u000b+_r'z\n<RunLimitedOperation>b__1\nReadAllText\n\n\nr\"1\nsqlite3_open\npr\ny\nisLogging\nget_Bottom\nWiFiNetwork\n-\u000br{\n<HandlePacket>b__51_19\n<>f__AnonymousType0`2\nGetHdc\nGetCountry\n-3\n\t\n\nr6.\ndmReserved1\nuser32.dll\nset_VisitCount\n<>9__1_2\n\n\frD\npszProperty\nbasePath\nset_UseShellExecute\nServiceInfo\n= ;\nGetCredentialsZipPath\nWaitForPendingFinalizers\nWrJ!\nstatus\nSystem.ServiceProcess\nprocess\nWebcamCapture\nhTemplateFile\nlpfn\ndmICMIntent\nget_IsConnected\n<SendPacketNonBlocking>b__0\n<HandlePacket>b__51_15\n/Client.NetworkOptimized+<ReconnectionLoop>d__27\nP<Q\n9.L3\"\nExpandEnvironmentVariables\nIAsyncStateMachine\nGetIPProperties\nAddClipboardFormatListener\nSPIF_UPDATEINIFILE\nGetTotalPasswords\nset_Password\n\n,r(b\n<Data>k__BackingField\nTaskAwaiter\n\n&~W\nSendClientInfo\n<HandlePacket>b__33\nConnectAsync\nManagementObjectEnumerator\n8<Q\n\nget_Username\nStringSplitOptions\nSystem.Linq\nprI6\nset_IsDirectory\n\n\n\t9\nBCRYPT_CHACHA20_POLY1305_ALGORITHM\n.\t\t \n<HandlePacket>b__35\n<>u__2\n25114D00A4033551266955CDD922C5EBB11B1E34BE80825C9553A3F258D5B1CE\n<HandlePacket>b__51_6\n\n-\u000br\nSystem.Threading\n\n.sQ\nhookId\ncomputerName\nbase64Data\n\n\nr1\nGetOS\nprY6\nget_SocketErrorCode\nSetAttributes\n$\nr~\n%\n}\nwalletName\ncbInput\n,)~\u000b\nSocket\nget_Task\n<MemoryUsage>k__BackingField\nClipboard\n<<HandlePacket>b__51_20>d\nhwnd\nSrJ!\npbOutput\nget_TotalMilliseconds\nset_IsBackground\nDeleteObject\nprD$\n<GetNetworkAdapters>b__1_0\noperationSemaphore\nMoveMouse\n\n\n%o\n<>9__51_37\nSQLITE_ROW\n\n:\|\u000b\nGetNetworkAdapters\nDebuggerBrowsableState\n83S\n\nEncoderParameters\n\n(A\n\nrv0\n1YE\t\nMOUSEEVENTF_WHEEL\nNetworkCredential\nManagementObjectSearcher\n\n-\u000bb\u000b}\u000b\nWriteLine\n,ar\t \n<URL>k__BackingField\nGetBrowserWebDataPaths\nget_AllScreens\ngraphics\nAddToStartup\n\fr(0\nWriteAllText\nSemaphoreSlim\n<MACAddress>k__BackingField\n,\n~!\nlpDefaultChar\nxLeft\nset_BorderSize\nsoundPath\n\n%r\nget_Letter\nget_MACAddress\nset_AutoFlush\n,\\sj\nWriteFile\nMOUSEEVENTF_LEFTDOWN\n\n\u000bsN\nTOKEN_PRIVILEGES\n<Adapters>k__BackingField\ndmLogPixels\nBSJB\nBlockInput\nProcessModule\nConcat\nvalue\nsqlite3_finalize\nOQd!\npendingOperations\n\n-\fr\n\n\n\t(\nv4.0.30319\nSystem.Windows.Forms\nlogWriter\nNetworkStream\nGuidAttribute\nTryReadAutofillWithPowerShell\nset_Path\nGetWindowRect\n\u000br<L\nGetUsername\nSocketException\nCreateFileW\nprocessAccess\nGetType\n,/(A\nKill\nTrimStart\nRuntimeFieldHandle\nGetVirtualKey\n\n @B\nIsWhiteSpace\nPoint\nGetMethod\n\n\f(Y\nGetAllNetworkInterfaces\n<>9__51_15\nSendMessage\n,>~'\nCodeDomProvider\nRemoveFromStartup\n\n%r8$\nX\u000b+<\nWait\nActivator\n<>9__51_49\nSQLITE_DONE\nmscorlib\nShakeWindow\n<GetNetworkInfoAsync>d__0\nCURSOR_SHOWING\nEndInvoke\ndmPositionX\nget_Param\nBCryptOpenAlgorithmProvider\nhbmColor\nkeybd_event\nCheckConnectionHealth\npr%6\nControlCollection\nPROCESS_QUERY_LIMITED_INFORMATION\nGetImageEncoders\nset_NoDelay\n<>c__DisplayClass51_7\nyTop\n\n-T+T\nset_Status\nget_Height\nGetAwaiter\n<SendBinaryFrameAsync>b__0\nJN~\"\nAES_KEY\nGetConfig\ndiFlags\nTaskAwaiter`1\nMIN_ALL_UNDO\nZero\np\to6\n@8&8\nCombine\nClose\n<>9__51_7\n\n^\f\nClear\nGetFileName\nFormat\nGetDirectoryName\n\n\nr<.\n\tr;\t\n\u000b!\u000b'\u000b;\u000b\nAssemblyFileVersionAttribute\nset_Count\n<>9__1_1\n,T~&\nwOj\"\nCompilerError\npr\u000b6\nWH_KEYBOARD_LL\n<Application>k__BackingField\nset_Caption\n\|$L3\nget_FreeSpace\n<Client.Program+<>c__DisplayClass51_22+<<HandlePacket>b__48>d\n<Name>k__BackingField\nLockScreen\nStopService\n2~#\nwParam\nT@\tl\nset_Success\nstream\n<Letter>k__BackingField\nParsePacket\nCalculateBackoffDelay\nEncoderParameter\n<HandlePacket>b__32\n<HandlePacket>b__48\nMemberInfo\nVkKeyScan\nset_CurrentMonitor\n,Client.NetworkInfo+<GetNetworkInfoAsync>d__0\npbBinary\nSpecialFolder\nCancel\nset_UseBinary\n.ctor\nBypassUACFodHelper\nhMem\n-3(b\nget_ReferencedAssemblies\n\\X/r\npDataOut\nAESGCMDecrypt\nnetworkInfo\n5Client.NetworkOptimized+<WaitForConnectionAsync>d__25\nDispose\ncustomOutputPath\nMove\nbInheritHandle\nReadFile\n<Name>j__TPar\nSelfDelete\n\n\u000bow\n,Client.RegistryEditor+<DeleteValueAsync>d__2\n\n~W\nget_Y\nnSize\nhbmMask\nEnvironment\nAssemblyCompanyAttribute\n<>9__1_0\n<SendPacketAsync>d__22\nMOUSEEVENTF_ABSOLUTE\n6H\n!\nbuffer\nget_Password\nHandlePacket\nmasterKey\ncbKeyObject\nprG\nUnescapeJson\n\n&+@\nStartsWith\n YE\t\nAssemblyTrademarkAttribute\nobject\nForceReconnect\ntitle\nExtractPasswords\nMOUSEEVENTF_MIDDLEUP\nGetMessage\nctrlKey\nCancellationTokenSource\n<TotalSize>k__BackingField\nget_Available\ndwLegacyKeySpec\nCreateZipArchive\n<SendPacketAsync>b__0\nBrowserDataExtractor\nPostThreadMessage\nget_Value\nGraphics\n\nAL\n%r^L\np+\n(\np+ \to\nget_Label\nget_AddressFamily\nDirectoryInfo\n)Client.RegistryEditor+<SetValueAsync>d__1\ncchWideChar\n<ListDirectory>b__2_0\nM3S\n\nproc\nWindowsBuiltInRole\nregistryEditor\nFileAttributes\nreconnectAttempts\n\n-Cr#\nScriptResult\n<>c__DisplayClass51_11\nget_ASCII\n\n\t,$r\nset_DisplayName\nAsyncVoidMethodBuilder\nExtractEdgeCookies\nhModule\ntimer\nProcessInfo\nDMDO_DEFAULT\ndwFlagsAndAttributes\ncommand\nT@\t<\n<>u__1\nStringToHGlobalUni\nget_Attributes\npbIV\nGetLastWin32Error\n\\( !\n[[O#[\nFileInfo\nT` '\n@p -\nrunning\nset_WiFiNetworks\n-%(Y\nget_ValueType\nMemoryStream\n<DateLastUsed>k__BackingField\nRuntimeCompatibilityAttribute\n\n-\t+\t\nDllNotFoundException\nget_Address\n\u000b)\nD\nResourceReader\nset_DNSServers\nServiceControllerStatus\n<HandlePacket>b__25\ntype\n\n&+$\n<DeleteValueAsync>b__0\nset_MACAddress\n__StaticArrayInitTypeSize=6\nset_ReceiveBufferSize\nCreate\nCURSORINFO\nDebuggerHiddenAttribute\n<>c__DisplayClass51_19\nmessageLoopThread\nbMt\"\n\n\n+5\n<>9__0_0\nGetCursorInfo\nUnhookWindowsHookEx\nMOUSEEVENTF_LEFTUP\n\n^~\nPlaySoundFile\n\t$\t:\tE\tP\tV\t\n\n&sr\n3Client.PasswordRecovery+<RecoverPasswordsAsync>d__0\nSystem.Drawing\n8H9'9.\nBindingFlags\n Q._!\nReconnectionLoop\n<GetNetworkAdapters>b__1_1\n<DateCreated>k__BackingField\nBCryptGenerateSymmetricKey\nGetAddressBytes\nhmod\nnByte\n<>c__DisplayClass1_0\nwS<Q\n\nget_ManagedThreadId\nKEYEVENTF_KEYUP\nop_Equality\nWM_COMMAND\n<Path>k__BackingField\nSetSocketOption\nGetText\nSystem.Threading.Tasks\n<ValueType>k__BackingField\nprJ \nProcessThreadCollection\nget_IsDirectory\nSystem.CodeDom.Compiler\n\ns<\n<Location>k__BackingField\nShakeWindowInternal\n#Strings\nE@>#F\npCipherText\n\n-8r_\n\tYoL\n..8+Tr\n\n\n\t(;\nstartupManager\nTextReader\nSleep\ndmDisplayFlags\ndevMode\nset_Type\nBufferLength\nGetValue\n }&2!z\n_-Tr2-\nscanCode\nLookupPrivilegeValueW\nWalletPath\nGetMonitorCount\n\n%ot\n<CaptureWebcamAsync>d__0\n<Client.Program+<>c__DisplayClass51_20+<<HandlePacket>b__42>d\nactive\n<HL3\n\nIOException\nGetValueKind\np\n(A\n\n\frE\\\nWM_QUIT\n1YoS\nContentAlignment\n<SetValueAsync>b__0\nFileMode\nEncoding\nRemoteInput\nRevertToSelf\n{3qX\n\nuiAction\n\n\nsr\nWaitForConnectionAsync\nDateTime\nReturnLength\nBCRYPT_CHAINING_MODE\nbrowser\nReport\n\n&+\"\nSystem.Collections\nhbrFlickerFreeDraw\ndwInfoVersion\nReadFirefoxCookies\nLockResource\nQ\\%\n\n<IPAddress>k__BackingField\nJoin\nget_Location\ndestPath\nIOControl\n9F7A3CA09774D6CDD2B19BC77593698706C324EB8D662D888826F5CC8E293EB5\nMAX_RECONNECT_DELAY\nGetResponseStream\np+4r\nY@6\u000b(1\n 3\nr\nSetResult\nget_Item3\n-\u000br\t\n<HandlePacket>b__23\nExtractFirefoxData\n<HandlePacket>b__51_12\n\u000b @B\nIProgress`1\nfilePath\nAssemblyConfigurationAttribute\n<>7__wrap1\nAssemblyCopyrightAttribute\nRegistryKey\nset_Error\nppStmt\nlYE\f\nNetworkAdapter\nF!\nY\nget_VolumeLabel\ncheckName\nBoolean\nset_TextAlign\n\nRMM Client\nGetWiFiNetworks\n<>c__DisplayClass23_0\nSECURITY_IMPERSONATION\nBeginInvoke\nget_LastVisit\n\n,\u000br\nReadAllBytes\nTargetFrameworkAttribute\n\n\t\n\u000b#\f1\f6\fP\f\nbrowserName\n!YoS\nkernel32.dll\nSetStateMachine\nLClient.NetworkOptimized+<>c__DisplayClass23_0+<<SendPacketNonBlocking>b__0>d\nRandom\nuploadPath\n\n:T\nget_DateLastUsed\nToByte\n\n,.\t(X\n<Title>k__BackingField\n<>9__41\n l&!y\nHideTaskbar\nSubstring\nwalletPath\nop_GreaterThanOrEqual\nget_OSVersion\npcbBinary\n<GetProcessList>b__0_0\nset_Arguments\n<>9__51_18\nlpRect\nFlipScreen\n@Mt\"\nget_DateCreated\nDeleteValue\nlocalStatePath\ndwShareMode\nset_Size\nget_DriveType\nStartService\nStringBuilder\nbS \nfileData\nAssemblyDescriptionAttribute\nAbort\nPasswordEntry\nAwaitUnsafeOnCompleted\n\nEtP\nloginDataPath\nautofillData\nLowPart\nset_FreeSpace\n\n&+\t\t\n\nrg6\nget_CompiledAssembly\nSendProgress\npDataIn\nfBlockIt\nset_Padding\nCompileAssemblyFromSource\nBrowserHistory\nwallets\n<>c__DisplayClass51_16\nDM_DISPLAYORIENTATION\nAsyncStateMachineAttribute\n<Start>b__12_1\nExtractCookies\n\n-C+M\ndmFields\nMouseWheel\nSystem.Collections.Concurrent\n_CorExeMain\n<VisitCount>k__BackingField\n<HandlePacket>b__51_16\nNativeWindow\n<SetValueAsync>b__1_1\nFILE_SHARE_DELETE\nCryptUnprotectData\nset_DateLastUsed\nclipboardMonitor\n<>c__DisplayClass51_12\nmonitoring\n\n\f% 0u\n.cctor\nset_Interval\ncrypt32.dll\n<>9__51_6\n<HandlePacket>b__51_49\n\n\n(Y\nMutex\nCallNextHookEx\nGetEnumerator\nDispatchMessage\n<>9__51_12\n<>c__DisplayClass51_23\nWriteLog\nForm\nGetFTPPasswords\nnetwork\npszDescription\n<>c__DisplayClass0_0\n\n:,\n\nget_TotalSeconds\n\n.s\nscreenCapture\n-\frl\n<HealthMonitorLoop>d__30\n3Client.NetworkOptimized+<SendBinaryFrameAsync>d__24\nSendPacketNonBlocking\n\n\t-\f~W\nRegistry\npszSound\n:3#A\nOpenCalculator\n\n&(A\nDEVMODE\n<>c__DisplayClass51_15\nTryReadWithPowerShell\nDuplicateTokenHandle\nget_UTF8\nsqlite3_column_text\n1T_\n<QueuedAt>k__BackingField\nisV20\nFlatButtonAppearance\nget_Line\nStringWriter\nAutofillData\nget_DisplayName\nStringCollection\nGetResult\n<Password>k__BackingField\n\n\n+4\t\ndata\nIDisposable\n\nrJ!\n\n,#r\n<HandlePacket>b__21\nget_CurrentMonitor\nFClient.NetworkOptimized+<>c__DisplayClass22_0+<<SendPacketAsync>b__0>d\nAsyncCallback\nlpOverlapped\nencrypted\nheight\nThenBy\nget_InnerException\ntargetHeight\nget_Bounds\nSelect\nDecodeBase64\ndmDisplayFixedOutput\npPaddingInfo\nget_Error\n\nri`\nIsVolatile\nNumberStyles\n1.0.0.0\nC~#m\nERROR_SUCCESS\ndmDisplayOrientation\n<RecoverPasswordsAsync>b__0_0\nmouse_event\nstateMachine\nEnumDisplaySettings\ndmBitsPerPel\nbScan\nExecuteFile\n\n-3+6\nTuple`3\nAssemblyProductAttribute\nget_ProcessName\nhMod\nhWndNewParent\n<>c__DisplayClass51_21\ncbOutput\nToList\nLocalFree\nINITIAL_RECONNECT_DELAY\n<>9__2_1\nGetDriveTypeString\nncrypt.dll\nsourceHeight\nWM_CLIPBOARDUPDATE\nIPInterfaceProperties\nDisconnect\nBlockInputAPI\nlpNumberOfBytesRead\nWrapCode\nGetNetworkInfoAsync\nduration\n<>c__DisplayClass42_0\nreconnectTask\nset_SSID\nRemoveStartupItem\nRegistryEditor\nget_MainModule\n 8(\"$\nset_ForeColor\nhealthMonitorCts\nUnicastIPAddressInformation\ndmDitherType\nWriteAllBytes\nget_Warning\ndeviceName\nset_SendBufferSize\npbKeyObject\nwMsgFilterMax\nProcessQueue\nGetServices\nget_Item6\nget_Threads\nset_ValueType\nhealthMonitorTask\nSystem.Net.NetworkInformation\nTOKEN_ADJUST_PRIVILEGES\n<HandlePacket>b__27\n<>c__DisplayClass24_0\nWaitAsync\nParseHistoryDatabase\nA1@\tt\n<ShowMessage>b__1\nop_Inequality\nlpModuleName\n<>9__51_13\nget_Adapters\n2E69DC77B5DCFCCF57DD14F7E8BC6846C81B48D65C372C8970A25FA856421FE0\nGr%3\nGetActiveConnections\nget_Success\nkeyQueue\nSetWindowsHookEx\nButtonBase\ncbAuthData\n,G(Y\n AsJ\npath\ndest\nToArray\n<>9__2_0\n<>c__DisplayClass51_10\ntargetWidth\n\nVs\nrootPath\npr16\nget_IsReady\nOrderBy\n8>#L\nMAX_CONSECUTIVE_ERRORS\n<>c__DisplayClass50_0\nget_MemoryUsage\n<GetBrowserHistoryAsync>b__1_1\npra\n\n L'\nEnter\nget_Current\n<HandlePacket>b__46\npPlainText\nclient\n,Jr#\nset_Security\nENUM_CURRENT_SETTINGS\n\n-v8\nlpSecurityAttributes\n<>c__DisplayClass51_17\nget_IsDesktopActive\nblock\n<GetNetworkAdapters>b__1_2\nnetworkInstance\nScriptExecutor\n<Output>k__BackingField\n@6,(2\nprpH\nget_DataAvailable\nSND_FILENAME\nSafeCopyDatabaseFile\nidHook\nSWP_NOSIZE\nGetProcessesByName\n<HandlePacket>b__50\nConcurrentQueue`1\ndwCreationDisposition\n\nX(H\nDuplicateToken\nflags\nReplace\nEnumerable\nWM_KEYDOWN\nszPrompt\n\n%s\|\nGetWiFiPasswords\nKClient.NetworkOptimized+<>c__DisplayClass24_0+<<SendBinaryFrameAsync>b__0>d\nSendDesktopFrame\nset_MinimizeBox\nfdwSound\nEnsureSQLiteDLL\nSendBinaryFrame\nSystem.Drawing.Drawing2D\n\n&8d\u000b\nget_LastWriteTime\nExtractJsonInt\nOrderByDescending\nT@\t\f\ntotalCookiesCount\n<X/r_\n<HandlePacket>b__51_9\nSystemParametersInfo\nlpMsg\n<HandlePacket>b__36\nTOKEN_QUERY\n\nrhG\nToInt32\nset_Description\nFindResource\n\n&8,\n\nToLower\nbufferSize\nGetRegistryRoot\nCreateInstance\nBCRYPT_AES_ALGORITHM\nCurrentConfig\n<>t__builder\n\t\t\t\t\nset_Exists\ncallback\ncbTag\nset_Font\n,\\sn\n<RecoverPasswordsAsync>d__0\nNewState\nhFile\n<>9__51_2\nNCryptOpenStorageProvider\nCSharpCodeProvider\nget_Chars\nset_TotalSize\nAction`1\npbTag\n>3S\n\nGetFileSystemInfos\n\n&8w\f\nUploadToServer\nciphertext\n<<SendBinaryFrameAsync>b__0>d\nPtrToStringAnsi\nset_MaximizeBox\n\n&rK\nAllocHGlobal\nSetValueAsync\nRelease\nFileShare\n\n-\u000brp\nWebHeaderCollection\nsqlite3_prepare_v2\nT<Q\n\nget_Size\n<CaptureWebcamAsync>b__0_0\nlpMultiByteStr\n<>c__DisplayClass51_0\nfIcon\n<Error>k__BackingField\nEnableDebugPrivilege\nset_Credentials\nDMDO_180\nMouseUp\nInitialize\ncbSecret\n\f.\np\nToUInt32\n\\.\"+\\\nDebuggingModes\nattempt\n\f-2\t\nSocketOptionLevel\nCodePage\nSystem.IO.Compression\nget_StandardError\n-Client.WebcamCapture+<CaptureWebcamAsync>d__0\n<Count>k__BackingField\nGetIP\np\t(7\nisReconnecting\nCreateSubKey\nTuple`6\nphProvider\nProcessManager\ntargetFPS\ninput\n\n&8V\n\nX\u000b+K\nget_IsKey\ndmReserved2\nset_ActiveConnections\nFYoS\n<Module>\nRestoreMouseButtons\n\n&% 0u\nCHACHA20_KEY\n<IndentCode>b__0\nFindWindow\nset_IsKey\nOnClipboardChanged\nP3S\n\nxHotspot\nResize\nTake\nMonitorClipboardAsync\nSendPacket\nwinmm.dll\nget_DnsAddresses\nget_SSID\n+AL\nParseWebDataDatabase\nset_Verb\nCopy\n<>9__51_8\nShowWindow\nCqX\n\nAppendToFile\nset_InterpolationMode\nGetStringResource\nSetApartmentState\n<GetAutofillDataAsync>d__3\npasswordRecovery\n<>9__51_20\n<Value>k__BackingField\nGetDirectories\nMath\nGetProperty\n<HandlePacket>b__42\n,^rS \n<GetBrowserHistoryAsync>d__1\nget_URL\n<<HandlePacket>b__48>d\nOpenThread\nWin32Exception\n\n,,\t\nget_Left\n\n\n\tot\nprofileName\nset_IsRunning\nistepIfAniCur\nCompilationRelaxationsAttribute\nencryptedData\ndmColor\n@61~\nSystem.Security.Principal\n\n-\nr\\J\n<Label>k__BackingField\n<Pid>k__BackingField\nset_IncludeDebugInformation\nget_ModuleName\n<>c__DisplayClass51_14\nFtpWebRequest\ntimeoutMs\nphKey\nTOKEN_DUPLICATE\npvParam\nDPAPIDecrypt\n#Blob\n,\nr\n\n\n\f8Z\nProcessHandle\ndmDriverVersion\ntime\n\n\u000bsr\nkeylogger\nset_ReceiveTimeout\nadd_Tick\n,^~\"\nstreamLock\npzTail\nFILE_SHARE_WRITE\n<>9__51_0\n\n,1r\n.~#\n<>9__51_3\nGetModuleHandle\nserverIP\nSWP_NOMOVE\nsysInfo\npr^'\n\n\f%o\n__StaticArrayInitTypeSize=32\n<>9__51_11\n\n\n+G\t\nDestroyHandle\n<Security>k__BackingField\nSystem.Globalization\nSetParent\n<Client.Program+<>c__DisplayClass51_19+<<HandlePacket>b__40>d\n\f,>re\n&V%)\nSystem.Text\n<HandlePacket>b__41\nget_Id\nDisableAllPrivileges\n\n\t(2\n\n~r\np\toT\ncookiesPath\nIsDigit\nSendBinaryFile\ndmDriverExtra\nPrivilegeCount\n<>c__DisplayClass51_6\nremoteInput\nGetStream\nBCryptSetProperty\nPtrToStructure\nServiceManager\nonKey\ndmTTOption\n\n%rH\nhObject\nset_QueuedAt\ncaptureHeight\nEnum\ndwDesiredAccess\ndecryptCallCount\nlastGCCleanup\np\ns\|\nIOControlCode\ncancellationToken\n<>9__1\nManagementObjectCollection\npdwSkip\nX\u000b+-\npbData\nGatewayIPAddressInformationCollection\n<>c__DisplayClass3_0\nSystem.Runtime.InteropServices\nSwapMouseButtons\n%,\fr$\n\u000b%ot\nScreenCapture\nWaitForStatus\nGetBrowserHistoryAsync\n\nr!3\ndwData\nppszDataDescr\nComVisibleAttribute\nDeleteValueAsync\n\n\n\to\nClipboardMonitor\nCaptureWebcamAsync\np\u000bs\|\ndmPelsHeight\nget_AvailableFreeSpace\nphAlgorithm\npr?6\n<Type>k__BackingField\nSelectMode\nmciSendString\nRegistryValueKind\n<>1__state\nlpSystemName\n$\nrE\nget_Width\n<Start>b__12_0\n\n-[+k\nop_Subtraction\nset_MemoryUsage\nlastSuccessfulOperation\n<>4__this\ncchString\nAppendAllText\nWhere\nRunLimitedOperation\nset_Location\nhResData\n&^r\ndmDeviceName\nOpenNotepadWithText\nT@\tL\nTimer\noutputRoot\nQueuedOperation\n\n,(b\nPreviousState\nPROCESS_QUERY_INFORMATION\n<DNSServers>k__BackingField\n<>9__51_1\nsqlite3_column_bytes\nsqlite3_step\n\tr6.\nT@\t\\\nGetHostname\nRT_RCDATA\nzSql\nDecryptWithNCrypt\nhResInfo\nMain\nExtractBrowserData\nIAsyncResult\nresourceId\n.NET Framework 4.83\n\n,A~\n-i\ni\nMoveNext\ndmSize\nset_ShowInTaskbar\nGetKeyState\nget_Message\nSendBinaryFrameAsync\nFromSeconds\ncbMacContext\nget_Question\nlpWideCharStr\nSystem.Runtime.Versioning\n,$rF\n\|F\n \npszImplementation\n<HandlePacket>b__51_14\nDI_NORMAL\n,Fra\n<Username>k__BackingField\nvalue__\nlogPath\nWindowsIdentity\n<ListKeysAsync>d__0\n\tp\tx\t\nget_Information\nSPIF_SENDWININICHANGE\nKBDLLHOOKSTRUCT\nAppend\nwidth\nprJ!\nget_TotalSize\nS.38\nset_Data\nSizeofResource\nset_TopMost\n\n.~#\n<HandlePacket>b__51_20\nset_IsDesktopActive\nHWND_TOP\ncbIV\ncbNonce\n\n\u000b+/\nget_White\nEventArgs\n03rh\n%\n}\n\nget_Now\n<RunLimitedOperation>b__0\nget_HasErrors\n.Client.ScriptExecutor+<ExecuteScriptAsync>d__1\nFromArgb\nframeData\n>W3S\n\nSECURITY_IMPERSONATION_LEVEL\nDrawCursor\nIj\u000b!\nVK_MENU\nindent\nVK_LBUTTON\nSocketError\nget_Right\npdwFlags\nTimeSpan\nget_FlatAppearance\n\n%rF\f\nnVirtKey\n<>c__DisplayClass51_8\ncyHeight\n\nh}x\nReceivePacket\n<HandlePacket>b__34\nFileManager\n\nr<L\nlpName\n\n&+s\t\nget_Item\nget_ErrorNumber\n\n-'~W\nptScreenPos\n?\\<Q\n\n\t,\n\t\n<>9__51_17\nget_OperationalStatus\nShowMessage\nOpenProcess\n<SendDesktopFrame>b__0\n\nr\ny\nO@E#O\nset_SendTimeout\nQ.X8\n<LastVisit>k__BackingField\n<>c__DisplayClass11_0\nMicrosoft.CSharp\nget_Exists\n\n,\fr\nuCode\n\n\toz\ndmPanningWidth\niCol\nWideCharToMultiByte\nset_Letter\nProcessStartInfo\nGetServiceList\nsourcePath\nOpenSubKey\nReadHistoryFromSQLite\nvalueType\nZipFile\n654C721A221A4CE01BD08488563FF7277E68AF0564487CF36C519B881E39C7E4\n<>9__51_4\nMinimizeAllWindows\nset_Width\n<>9__51_5\n\n\nr^\nset_Label\n\n\t,(r\n<HandlePacket>b__51_8\nSPI_SETMOUSEBUTTONSWAP\nDriveInfo\nserviceManager\nGetBrowserPasswords\nMouseDown\nCurrentUser\nU\"#8\nCU@\t\nget_Gateway\nget_ExitCode\nremoteInputEnabled\n<>c__DisplayClass51_1\ndmSpecVersion\nSetHook\nAsyncTaskMethodBuilder`1\n.Client.NetworkOptimized+<SendPacketAsync>d__22\n\n&8:\u000b\n<Success>k__BackingField\nset_Application\n<Path>i__Field\n\n&+\u000b~6\nvN~\"\ncount\n<GetBrowserHistoryAsync>b__0\n<>c__DisplayClass51_5\n<HandlePacket>b__26\n<Start>b__21_0\npacket\nGetEdgeMasterKey\nbase64\nget_Application\nlpNumberOfBytesWritten\nDrawIconEx\ncbAAD\nKeylogger\nline\n\nv~\nLUID\nImageCodecInfo\n\n\nr9\nEventHandler\nMIN_ALL\nprK\t\n<HandlePacket>b__31\nset_WindowStyle\nlpBuffer\nFK\ty\nMapVirtualKey\nKeyDown\nget_Token\nEnqueue\nBCryptCloseAlgorithmProvider\nget_UnicastAddresses\nGC_CLEANUP_INTERVAL_SECONDS\nCopyDirectory\nget_NetworkInterfaceType\nset_IPAddress\nGetChromeV20MasterKey\nSystem.IO.Compression.FileSystem\nget_Browser\nGetStartupList\nHasCryptoWallets\nSuspendThreadNative\n\nX\u000b+\n\n,%(b\nserverPort\nDistinct\nget_Item2\nset_Browser\n-G<Q\nSocketOptionName\npszKeyName\nFromBase64String\n-!(b\npPromptStruct\nij(K\nTryReadAutofillWithPython\nCollect\nedgeUserData\nGetThreadId\nqueueLock\n\n&+2\n<>9__51_16\nMarshal\nYf +\nset_RedirectStandardError\nAssemblyTitleAttribute\nGetValueNames\nDecryptValue\nu;L3\nSystem.Collections.Generic\nsourceWidth\nIButtonControl\nCopyWALFiles\n\n:q\f\nGetHashCode\n<HandlePacket>b__51_7\nDownloadString\nFileSystemInfo\nt.>+K\nChangeDisplaySettings\nToString\n\n&8#\f\nget_Unicode\nMOUSEEVENTF_RIGHTDOWN\ndwExtraInfo\n<HandlePacket>b__51_47\nSystem.Management\nNetworkInfo\n\n E'\n<SSID>k__BackingField\nTryReadWithSystemDataSQLite\nget_VisitCount\nFunFunctions\nget_Headers\nmethod\nset_Adapters\nset_Output\n\n\n\t9\f\nwindowName\nGetEnvironmentVariable\ndmDisplayFrequency\n<WiFiNetworks>k__BackingField\nLastIndexOf\n\nrNI\nISZ #\nLogger\nSystem.IO\nget_MessageLoop\nDouble\n<ReconnectionLoop>d__27\nStartReconnectionThread\nget_Status\nchunkPath\nGetDrives\nReadAutofillFromSQLite\nset_GenerateInMemory\nAddRange\n<Status>k__BackingField\nget_IsRunning\n<GetNetworkInfoAsync>b__0_0\nContains\nConsole\nPOINT\ncbSize\nset_Text\n<HandlePacket>b__51_5\nWalletGrabber\n\n&% \nGetConsoleWindow\nget_StackTrace\nNCryptOpenKey\nMAX_RECONNECT_ATTEMPTS\n\t-\frZ\f\ndmYResolution\nTask`1\nSystem.Net.Sockets\n<>c__DisplayClass2_0\n\n&8W\n<SendBinaryFrameAsync>d__24\nlpUsedDefaultChar\nNewGuid\nShowTaskbar\nset_UsePassive\nwMsgFilterMin\npbNonce\nCopyFromScreen\nSetWindowPos\nNCryptFreeObject\nDrawImage\n<ListDirectory>b__2_1\nkeyloggerActive\nMethodBase\nget_ServiceName\n_bZ `\n\n%rr.\nProcessPendingOperations\nCompilerResults\nset_Value\nKq\u000b)\noperationQueue\nbutton\n\n&+R\nHighPart\nImpersonateLoggedOnUser\nget_Controls\n<Client.Program+<>c__DisplayClass51_23+<<HandlePacket>b__50>d\nset_Icon\nbrowserHistory\n\n\n\t-\nhwndCallback\n<HandlePacket>b__51_44\nadd_Click\npcbResult\nfWinIni\nGetIconInfo\n<PrivateImplementationDetails>\nInitializeArray\n\n:p\n;W3S\n\n\n-k+r\n<Modified>k__BackingField\n<>9__51_47\nIFormatProvider\nHasData\nCompilerGeneratedAttribute\nFromMilliseconds\nStop\n\n:%\f\nLoadFrom\nhWndInsertAfter\nchunkIndex\nSystem.Drawing.Imaging\nOpenNotepad\nReadToEnd\nPasswordRecovery\n\n^r\nTryReadWithPython\n\n 3'\nFunc`2\nYj +\nSND_ASYNC\nget_WiFiNetworks\n%\n}&\nset_Dock\nToInt64\n<HandlePacket>b__51_18\nX\n\tj\n,\\sT\ntryV20\nSUSPEND_RESUME\nICONINFO\nnNumberOfBytesToWrite\nget_Top\nAsyncTaskMethodBuilder\n<>c__DisplayClass51_13\nset_Style\n,6\t(0\n\n&%ou\nget_GatewayAddresses\n\n\t,+rV\nClient\nGetSubPath\np\n(k\ndirPath\nadvapi32.dll\nFirstOrDefault\n\n-@+E\nKEYEVENTF_EXTENDEDKEY\nEndsWith\n )UU\n%<Q\n\n7-\tY\n<ExecuteScriptAsync>d__1\nmeltEnabled\nclassName\nget_Count\n\n&r{\nExecuteScriptAsync\nset_BackColor\nMulticastDelegate\nGetFiles\nOPEN_EXISTING\nReadPasswords\n\n-\"+'\ndmICMMethod\nChangeWallpaper\ncancellationTokenSource\nReadSQLiteCookies\nmessage\nsqlite3_close\nget_Item4\n<ActiveConnections>k__BackingField\n\n\tr\|\nbaseNetwork\npvReserved\nhWndChild\nStartupManager\nX\f+:\nget_Speed\n$a1b2c3d4-e5f6-7890-abcd-ef1234567890\nset_ClassName\nget_Millisecond\n\n-g+z\n@x .\ndwThreadId\npbInput\nVK_MBUTTON\n<HandlePacket>b__51_45\nGetString\n\n\u000b(\\\nBitmap\n<GetServiceList>b__1_0\nOpenCDTray\nBase64Decode\nbase64Chunk\n-\u000brG\nReleaseHdc\ncurrentMonitor\nPoll\nX-7N\ndwPromptFlags\n\n\t(u\nset_AcceptButton\nOpenProcessToken\n<HandlePacket>b__51_1\nKillProcess\nfilename\n\n\fsr\n\n\n+Z\t\nDebuggableAttribute\n\n&+h\t\nget_Length\n<Browser>k__BackingField\nSystem.Reflection\nSystemIcons\nFlagsAttribute\nget_Client\nSystem.Net\nget_StandardOutput\nop_Explicit\nBCryptDestroyKey\nSizeOf\n<>9__51_44\nget_QueuedAt\nmonitor\nd4@\n\n<>9__51_19\ncbData\n<Gateway>k__BackingField\nisCookie\n<<HandlePacket>b__42>d\nClient.exe\nU+#=\nWebClient\nHealthMonitorLoop\nCreateParams\n/.g8\nget_Out\n<>9__51_45\nTranslateMessage\nget_Default\n<HandlePacket>b__28\n\n%(C\nhwndApp\nO(-$\n<HandlePacket>b__22\n /'r\nlpLuid\npszProviderName\n\n\nsx\n<>9__51_9\nListDirectory\n<HandlePacket>b__51_3\nnNumberOfBytesToRead\nset_Pid\nLowLevelKeyboardProc\nget_FileName\nget_Path\nXorBytes\n&rZ\f\nFILE_ATTRIBUTE_NORMAL\nget_IsAlive\nIsNullOrEmpty\nget_Type\nRemoveClipboardFormatListener\nlastNetworkActivity\nUsers\nAddStartupItem\n<ShowMessage>b__0\n<HandlePacket>b__39\n<>c__DisplayClass11_1\n<HandlePacket>b__51_37\nZ\n!j\ndbPath\nTryParse\n',\"~\n\n.sh\n%'ZB\nFtpWebResponse\nThreadStart\nC:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb\nGetLogPath\n:rz#\nSQLiteHelper\nargs\ndrive\nset_Name\n\n I'\npiconinfo\nSTALE_CONNECTION_TIMEOUT\n\t 0u\nGetExecutingAssembly\nAppendLine\nT-\tY\nSetException\nBitConverter\n<Description>k__BackingField\nGetFolderPath\n\nL\nX\nq\n\nINVALID_HANDLE_VALUE\npEntropy\nSendPacketAsync\nbcrypt.dll\nListKeysAsync\nhCursor\nICredentials\nresult\nget_Item1\nSystem.Diagnostics\nWZL3\n<>9__51_43\n.NETFramework,Version=v4.8\n\n\nry\nform\n<Name>i__Field\nget_IsDisposed\nset_ExStyle\nget_IsCompleted\n\n\n+!\t\ncbMultiByte\nManagementBaseObject\n<>9__51_14\npasswordsDir\ncredentialsZipPath\nmodeNum\nPropertyInfo\n<>7__wrap2\nMOUSEEVENTF_MIDDLEDOWN\n)Client.RegistryEditor+<ListKeysAsync>d__0\nset_Method\nAutofillEntry\n N&:!{\n\n&8I\n\n&~7\nSW_SHOW\n<HandlePacket>b__29\nCryptStringToBinaryA\n\n&\tou\nclipboardWindow\n\tr\ny\n,Client.Program+<>c+<<HandlePacket>b__51_20>d\nprocessId\nVK_CONTROL\nCaptureScreen\nProcessWindowStyle\nRectangle\nhookThread\nG6\nA\nintensity\n<X/*r\nNetworkOptimized\nset_Height\nstateLock\nsqlite3_column_int\n\n&+~\t\nGetKeyName\nCombinePath\npReserved\nSW_HIDE\nkeyCode\nget_Description\n\n\f(A\nX\u000b+Z\nGetTotalCookies\nCopyTo\n\tYoS\nIOrderedEnumerable`1\nExistingTokenHandle\nencoded\nStreamReader\n0Client.NetworkOptimized+<HealthMonitorLoop>d__30\nget_ActiveConnections\npbSecret\n<SendBinaryFrameAsync>b__1\n\n\n\trX.\nSplit\n<HandlePacket>b__10\nUnicastIPAddressInformationCollection\n<Size>k__BackingField\nProcessThread\nWrapNonExceptionThrows\nset_Gateway\n<HandlePacket>b__51_0\nCreateEmptyPackage\nCreateHandle\n<ShowMessage>b__2\nget_IPAddress\nOperatingSystem\ndmDuplex\nMAPVK_VK_TO_VSC\nset_Speed\nIntPtr\nDATA_BLOB\n<HandlePacket>b__51_43\nshiftKey\nBCRYPT_AUTHENTICATED_CIPHER_MODE_INFO\nNameValueCollection\nuiParam\nExitThread\n&+\u000b \n-\ns_\nLoadLibrary\npPrompt\n<HandlePacket>b__30\nqEH\n$\nMainLoop\n\n\u001b[0;32mNo insults found in the file\u001b[0;0m\n\u001b[0;32mNo keyboard keys are used in the file\u001b[0;0m\n\u001b[1;31mThe following 20 out of 2074 strings are blacklisted:\u001b[0;0m\n\t+----------------------+-----------------+\n\t\| String \| Group \|\n\t+----------------------+-----------------+\n\t\| time \| Utilities \|\n\t\| IsAdmin \| Further strings \|\n\t\| get_MachineName \| Further strings \|\n\t\| DisableAllPrivileges \| Further strings \|\n\t\| GetProcessesByName \| Further strings \|\n\t\| GetResponse \| Further strings \|\n\t\| Clipboard \| Further strings \|\n\t\| Socket \| Further strings \|\n\t\| Console \| Further strings \|\n\t\| attempt \| Further strings \|\n\t\| browser \| Further strings \|\n\t\| TcpClient \| Further strings \|\n\t\| CreateSubKey \| Further strings \|\n\t\| GetProcesses \| Further strings \|\n\t\| MemoryStream \| Further strings \|\n\t\| Keylogger \| Further strings \|\n\t\| Users \| Further strings \|\n\t\| SetHook \| Further strings \|\n\t\| CaptureScreen \| Further strings \|\n\t\| SE_PRIVILEGE_ENABLED \| Further strings \|\n\t+----------------------+-----------------+\n\u001b[0;32mNo packer signature was found in the PE file\u001b[0;0m\nNo URL found in the file's strings\n\n", "exit_code": 0, "output_file": "/home/apogean/projects/static_decompilation_malware/pe_studio_analysis.txt" }	2026-04-29 20:28:48
69edc37d59a6632dae07de32	2aa5ce3561dc657a157460383c7c9b8db54ac8a6969627009…	* LARGE PROPERTY * ~1.60 MB Preview:{"success":true,"output": Click to fetch this property	2026-05-15 14:31:05
69edf0a359a6632dae07de44	02aa8cabeea2a0120a31adbf0886f821d10953fc6d4d9cd19…	{ "success": true, "output": "\n================================================================================\nPESTUDIO ANALYSIS REPORT\n================================================================================\nFile: /home/apogean/projects/malware/windows/all_runs/secondary_sample_try\nExit Code: 0\nCommand: /home/apogean/projects/static_decompilation_malware/sdm/bin/python3 /home/apogean/projects/static_decompilation_malware/pestudio-cli-main/pestudio.py -f /home/apogean/projects/malware/windows/all_runs/secondary_sample_try --header -i --indicators -e -r --relocations -s --strings -u -d\n================================================================================\nIndicators:\n\u001b[1;34m\tNo connection to VirusTotal possible\u001b[0;0m\n\u001b[1;31m\tThe PE file has no digital signature\u001b[0;0m\n\u001b[0;32m\tNumber of imports is in a reasonable range (1) \u001b[0;0m\n\u001b[1;31m\tThe binary uses relocations\u001b[0;0m\n\u001b[1;31m\t15 strings are blacklisted\u001b[0;0m\n+-------------------------------------------------------------+------------+\n\| Description \| level(0/0) \|\n+-------------------------------------------------------------+------------+\n\| \u001b[1;31mThe file opts for Data Execution Prevention (DEP)\u001b[0;0m \| 0 \|\n\| \u001b[1;31mThe file opts for Address Space Layout Randomization (ASLR)\u001b[0;0m \| 0 \|\n\| \u001b[1;31mThe file ignores Structured Exception Handling (SEH)\u001b[0;0m \| 0 \|\n\| \u001b[1;31mThe file has (0) blacklisted section name(s)\u001b[0;0m \| 0 \|\n\| <class 'str'> \| 0 \|\n+-------------------------------------------------------------+------------+\nFile Header:\n\t+----------------------+-----------------------------------+\n\t\| Property \| Value \|\n\t+----------------------+-----------------------------------+\n\t\| Signature \| 50450000 \|\n\t\| Machine \| Intel 386 or later and compatible \|\n\t\| Number of sections \| 3 \|\n\t\| timeDateStamp \| 2023-10-17 03:10:53 \|\n\t\| pointerToSymbolTable \| 0x0 \|\n\t\| numberOfSymbols \| 0 \|\n\t\| sizeOfOptionalHeader \| 224 \|\n\t\| characteristics \| 0x102 \|\n\t\| Processor 32-bit \| False \|\n\t+----------------------+-----------------------------------+\n\u001b[1;31mSuspicious number of imports (1)\u001b[0;0m\n\u001b[0;32mNone of the imports is blacklisted. \u001b[0;0m\n\u001b[0;32mThe binary has no exports\u001b[0;0m\nRelocations of the binary:\n\t+-----------------+----------+---------+------+\n\t\| Virtual address \| Position \| Type \| Size \|\n\t+-----------------+----------+---------+------+\n\t\| 0xc000 \| 0x730 \| HIGHLOW \| 32 \|\n\t\| 0xc000 \| 0x0 \| ABS \| 0 \|\n\t+-----------------+----------+---------+------+\nNo blacklisted resources found\nList of all resources: \n\t+---------------+------+----------------------------------+----------+\n\t\| Type \| Name \| MD5 \| Language \|\n\t+---------------+------+----------------------------------+----------+\n\t\| Icon \| 0x1 \| 9A8BD0CE3E119ABB5224E5F7B8558653 \| neutral \|\n\t\| Version \| 0x1 \| 4DB98A031BE83A48996CB84E9D5CBA92 \| neutral \|\n\t\| Plug-and-play \| 0x1 \| 17176A536FBE476351D1ABCAB42654D6 \| neutral \|\n\t\| Executable \| 0x1 \| F3D7095DE1636559AA56AD81B25BBFF9 \| neutral \|\n\t+---------------+------+----------------------------------+----------+\nStrings in the PE file:\nGetTypeFromHandle\nAddressFamily\nY\u000b8r\n\nr\"$\nset_AsFloat\nGetUtf8Bytes\nWriteSingle\nHwid\n\n.s\nUTF8Encoding\nSetAsUInt64\nSubstring\nWindowsPrincipal\nget_Buffer\n\nrJ\"\nset_Arguments\nCryptographicException\nset_IsConnected\nGetType\nGetValue\nBSJB\n\n\u000b8+\nSystem.Security.Principal\nVrt%\n<TcpClient>k__BackingField\nToInt64\nNetworkCredential\n\"5-d\nCipherMode\nfileName\n\nj(t\niVal\nT}P:\nGetCurrentProcess\nget_UTF8\nset_ErrorDialog\nset_Credentials\nToInt16\nset_Padding\n<SslClient>k__BackingField\nNativeMethods\nContains\nFailFast\norNT\nStreamWriter\nApplication\nRuntimeTypeHandle\nSplit\nHashAlgorithm\nRemoteCertificateValidationCallback\nMsgPackArray\nSystem.Threading\nProcessCritical\nIDisposable\nJ;g0\nPaddingMode\nIsInRole\nX509Certificate2\nutf8Encode\n%r(!\n%r@!\nget_Connected\nDateTime\nToUInt32\nCheckHostName\nrYdaY\nGetPathRoot\nGetBytes\nSha256\nisDebuggerPresent\nICredentials\ntext\nConvert\nThread\nget_AsFloat\nReplace\nWirteArray\nSystem.Runtime.InteropServices\nSystem.IO\nClient.Algorithm\nSystem.Management\nWriteBinary\nget_IsConnected\nhWnd\nWriteNull\nToUpperInvariant\n\nrF\"\nget_Interval\nSystem.IO.Compression\nGetTempPath\n87639126EA77B358F26532367DBA67C5310EF50A8D9888ED070CD40E1F605A8F\nInitializeArray\nget_FileName\n>9(\|c1\n=\fxw\n\trN%\nFileInfo\n#Strings\nSelectMode\n<Module>\n\n\n(U\nIdSender\nDetectSandboxie\nbVal\nMessagePackLib.MessagePack\nInitializeClient\nSystem.Windows.Forms\nRtlSetProcessIsCritical\nget_SslClient\nKeepAlivePacket\n\nIHDR\n%r2&\nAreEqual\nProcessModule\nDelete\nCreateEncryptor\nset_Interval\nWriteLine\nToList\nClose\nES_DISPLAY_REQUIRED\nClient.Helper\nStringBuilder\nSetAsSingle\nRegistryKey\nEXECUTION_STATE\n\nV(\nToSingle\nSendInfo\nGetCurrent\nSwapDouble\nget_IV\nchildren\nutf8Bytes\nget_ValueType\nTargetFrameworkAttribute\nset_Ping\nPNG\n\nFileStream\nget_Count\nIsValidDomainName\nDebuggableAttribute\nReadServertData\nReadAllBytes\nReadByte\nArgumentException\n%rv$\nJoin\nSymmetricAlgorithm\nWriteByte\n\nn(t\nGetAsBytes\nCallSite`1\nCreateInstance\nConcat\nSetValue\nset_BlockSize\nset_ReceiveBufferSize\nUnknown\nMicrosoft.Win32\nDebuggingModes\nFlushFinalBlock\nset_AsString\nFileShare\nAuthKeyLength\n2~.\nAssemblyConfigurationAttribute\n joN\n\nioE\n\n\n(8\nget_KeepAlive\nSystem.Collections.IEnumerator.MoveNext\nCSharpArgumentInfo\nExpandEnvironmentVariables\ngj(t\nBitConverter\nget_CurrentDomain\nSystem.Runtime.Versioning\n<SendSync>k__BackingField\nSystem.Collections.Generic\nset_Offset\nInvokeMember\nrefAsArray\nToBoolean\nToString\nWZ8XZ\nstrVal\nReadString\n%r:$\n\trh\"\nGetImageDecoders\nSetRegistry\nIEnumerable`1\nAssemblyCompanyAttribute\nSwapBytes\nCSharpArgumentInfoFlags\nAssemblyProductAttribute\nSslPolicyErrors\nValidateServerCertificate\nToBase64String\nCompilerGeneratedAttribute\nRegistryKeyPermissionCheck\nWriteFloat\nAppDomain\nDefaultMemberAttribute\nSetAsBytes\nRSACryptoServiceProvider\nRemove\nget_MachineName\ndata\nDeleteSubKey\n<HeaderSize>k__BackingField\nDownloadString\nchain\nSystem.Drawing.Imaging\nDetectManufacturer\n<ActivatePong>k__BackingField\nset_Mode\nposition\n<Buffer>k__BackingField\nAesCryptoServiceProvider\nSystemEvents\nCompilationRelaxationsAttribute\nget_Name\ninnerValue\n<Ping>k__BackingField\nO`\u000bl\nMicrosoft.VisualBasic.Devices\nAssemblyTrademarkAttribute\nClient.Connection\nCreateDecryptor\ncount\nCreateMutex\nIsXP\nSystem.Collections.IEnumerator.get_Current\nset_KeepAlive\nInstallFile\n.ctor\nAnti_Analysis\npr.$\nUriHostNameType\nEnter\n\nl#\nImageCodecInfo\nToUInt16\nSetThreadExecutionState\nCallSite\nKill\nsender\n\n&8R\nGetHash\nunpack_msgpack\nManagementObjectCollection\nItem\nMutexControl\nVerifyHash\nSystem.Text\n\n\n8&\nset_SendBufferSize\nGenerateIV\npr\"!\nGetAsUInt64\nMicrosoft.CSharp\nv4.0.30319\nGetActiveWindowTitle\nset_IV\n\nr~#\nHosts\nGetFileNameWithoutExtension\nMicrosoft.CSharp.RuntimeBinder\nProcessWindowStyle\nTimer\nSetAsNull\nSystem.Diagnostics\nClientOnExit\n<>p__0\nCallSiteBinder\ncu\f~\nServersignature\nError\nSystem.Security.Authentication\nWaitHandle\nget_Ping\n_authKey\nInitializeSettings\nClientSocket\nGetModuleHandle\nBlockCopy\n1DB2A1F9902B35F8F880EF1692CE9947A193D5A698D8F568BDA721658ED4C58B\nMsgPackType\nAssembly\n\trT#\nSetAsBoolean\nWrite\nSetAsInteger\nIsSmallDisk\nReadTools\nManagementObjectEnumerator\nBeginRead\nIEnumerator\nadd_SessionEnding\n\ngj(t\njY(\nset_UseShellExecute\nFileMode\n_CorExeMain\nStringSplitOptions\n\nr`#\n#Blob\n#GUID\n1.0.0.0\nHwidGen\nRegistryValueKind\n.NET Framework 4 Client Profile\t\nuser32.dll\nDeleteSubKeyTree\nClient.Install\nProtocolType\nAuthenticateAsClient\nMsgPack\n\u000bF \|\nlistObj\nMD5CryptoServiceProvider\nget_OSVersion\nget_UserName\n\nj(\n).NETFramework,Version=v4.0,Profile=Client\nlpModuleName\nGZipStream\n\n\f8D\nmasterKey\np\t@x\nset_CreateNoWindow\nset_TcpClient\nDecodeFromFile\nAntivirus\nPacks\nEncode2Stream\nMsgPackEnum\nInvoke\nmsgpackObj\n\nr\f$\nGetAsString\nEquals\nWriteBoolean\nstrFlag\nCSharpBinderFlags\nname\nES_CONTINUOUS\nNormalStartup\n__StaticArrayInitTypeSize=6\nSystem.Collections.IEnumerator.Reset\nSslProtocols\nManagementObjectSearcher\nIEnumerable\nget_MainModule\n\nrj$\nAnti\n<>o__2\nWriteTools\nSetName\nop_Equality\nAction`10\nGetFileName\nProgram\nParameterizedThreadStart\nX509CertificateCollection\nToUInt64\nFromBase64String\nget_ExecutablePath\nWindowsIdentity\nset_Buffer\nIsNullOrEmpty\nIvLength\nAes256\nSystem.Collections.IEnumerable.GetEnumerator\nWrapNonExceptionThrows\nStrings\nWriteUInt64\nget_ProcessorCount\n\nNIDATx\nmscorlib\nAppend\nBytesTools\nvalue__\nget_PublicKey\nset_SslClient\nget_Is64BitOperatingSystem\nDecodeFromStream\nFileSystemInfo\nMonitor\n<KeepAlive>k__BackingField\nCollect\n\n\n~%\nToLower\nList`1\nAssemblyCopyrightAttribute\nIEND\nInstallFolder\nInnerAdd\nDeleteValue\nRuntimeFieldHandle\nGetAsInteger\nSaveBytesToFile\nComVisibleAttribute\nMicrosoft.VisualBasic\nClear\nAsyncCallback\nset_KeySize\nDecompress\nCombine\nSystem.Security.Cryptography.X509Certificates\nToBinary\nSHA256Managed\n_key\nLoadFileAsBytes\nToUpper\n/\frM \nWriteInteger\nget_Handle\nget_Key\nPorts\nH\u000b/g\nSessionEndingEventArgs\n\tAd\nFindObject\nSystem.Net\n\nn~\nSystem.Security.Cryptography\nSwapInt16\nIsAdmin\nSystem.Core\nowner\nTextWriter\nset_Position\nget_ActivatePong\nSystem.Collections.IEnumerator.Current\n%rD$\nSystem.Net.Security\nget_Length\nget_SendSync\nEndRead\n+%\|9(\nSystem.Net.Sockets\n\trT\"\nDecrypt\nset_WindowStyle\nAssemblyTitleAttribute\nImageFormat\nOpenSubKey\nSalt\nindex\nComputerInfo\ncertificate\nntdll.dll\nrawBytes\nToDouble\nSystemEvents_SessionEnding\nPreventSleep\n\n2~.\n\n\n\tr\nformat\n~Q:y\n\nr`$\ntks{\nSetAsString\nkernel32.dll\nToUniversalTime\n[eV&\nset_AsInteger\n9'IJ`\nGetAsFloat\nRunAntiAnalysis\nAsymmetricAlgorithm\nLoad\nSwapInt64\n\n\u000b8[\nhProcess\nWriteMap\nset_FileName\nAssemblyFileVersionAttribute\nget_Guid\nSessionEndingEventHandler\nEnvironment\n<Interval>k__BackingField\nSwapInt32\nget_TotalSize\nvalue\nget_ASCII\nEnterDebugMode\nArgumentNullException\nD;'>\nget_SystemDirectory\nGroup\nSocketType\nInnerAddMapChild\nParse\nget_AsArray\nget_AsString\nBytesAsString\nGetProcesses\nRuntimeHelpers\nInnerAddArrayChild\nget_Message\nset_ActivatePong\nTarget\n.8u$\nX509Certificate\nSystem.Collections\nop_Inequality\nfVal\npath\nX509Chain\nChar\n&rf%\nReconnect\nGoogle Keep\n.cctor\nEncrypt\n<Offset>k__BackingField\nGetForegroundWindow\ninput\nIndexOf\nUl\nDecodeFromBytes\nmscoree.dll\nIPAddress\nES_SYSTEM_REQUIRED\nIntPtr\nPoll\nActivator\nPastebin\nHmacSha256Length\nSetAsFloat\nGetTempFileName\n2~\u000b\nGetHostAddresses\nget_FullName\nComputeHash\nGetString\nprT$\nSystem.Reflection\nsslPolicyErrors\nAssemblyDescriptionAttribute\nDelay\n__StaticArrayInitTypeSize=32\n%rT$\n<IsConnected>k__BackingField\nReceived\nparent\nGetWindowText\nget_TcpClient\nGoogle Keep.exe\nFlush\nset_Key\nSystem.Runtime.CompilerServices\nDriveInfo\nBytesAsHexString\nget_RemoteEndPoint\nWriteString\nHWID\nCryptoStream\nCompress\nTrim\nMessagePackLib.<PrivateImplementationDetails>\nSystem.Drawing\nvalueType\nget_AsInteger\nstrToHash\nFrameworkDisplayName\nMapNameToOID\nget_LastWriteTime\nRandom\nStrReverse\nCreateSubKey\n\nr\"!\nget_HeaderSize\nClient.Handle_Packet\nCloseMutex\naes256\nlowerName\nIAsyncResult\n\n*^(\nTimerCallback\nCryptoStreamMode\nCompressionMode\nSslStream\nMain\nget_Offset\nWebClient\nSend\nToArray\nset_HeaderSize\nDetectDebugger\nExists\nManagementBaseObject\nget_FormatID\ni @B\nBDOS\nCurrentUser\nCheckRemoteDebuggerPresent\nSystem.Linq\nGetEncoder\nget_Item\nWindowsBuiltInRole\nCreate\nCryptoConfig\nFileAccess\nget_OSFullName\nRuntimeCompatibilityAttribute\nbytes\nICryptoTransform\nProcessStartInfo\nRfc2898DeriveBytes\nesFlags\nEncode2Bytes\nHMACSHA256\nForcePathObject\nToInt32\nMemoryStream\nNetworkStream\nDispose\nConnect\ncurrentApp\n\n\u001b[0;32mNo insults found in the file\u001b[0;0m\n\u001b[0;32mNo keyboard keys are used in the file\u001b[0;0m\n\u001b[1;31mThe following 15 out of 624 strings are blacklisted:\u001b[0;0m\n\t+--------------------------+-----------------+\n\t\| String \| Group \|\n\t+--------------------------+-----------------+\n\t\| Application \| File extensions \|\n\t\| text \| File extensions \|\n\t\| IsAdmin \| Further strings \|\n\t\| get_MachineName \| Further strings \|\n\t\| CreateDecryptor \| Further strings \|\n\t\| MD5CryptoServiceProvider \| Further strings \|\n\t\| PaddingMode \| Further strings \|\n\t\| ComputeHash \| Further strings \|\n\t\| CreateSubKey \| Further strings \|\n\t\| Monitor \| Further strings \|\n\t\| GetProcesses \| Further strings \|\n\t\| MemoryStream \| Further strings \|\n\t\| GZipStream \| Further strings \|\n\t\| Delete \| Further strings \|\n\t\| CipherMode \| Further strings \|\n\t+--------------------------+-----------------+\n\u001b[0;32mNo packer signature was found in the PE file\u001b[0;0m\nNo URL found in the file's strings\n\n", "exit_code": 0, "output_file": "/home/apogean/projects/static_decompilation_malware/pe_studio_analysis.txt" }	2026-04-29 18:18:24
69edf34859a6632dae07de56	6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc7…	* LARGE PROPERTY * ~380 KB Preview:{"success":true,"output": Click to fetch this property	2026-04-27 00:04:56
69f0fb6c59a6632dae07de66	c5ae6f6ec23fd8d5ba1343e49bf805bbc016545715a413227…	* LARGE PROPERTY * ~1.58 MB Preview:{"success":true,"output": Click to fetch this property	2026-04-28 23:54:44
69f1fc2159a6632dae07de7c	778c2e260d8d3982c7b93c1ecc8201fb16bd62f085004c288…	{ "success": false, "output": "\n================================================================================\nPESTUDIO ANALYSIS REPORT\n================================================================================\nFile: /home/apogean/projects/malware/windows/all_runs/custom_edid.bin\nExit Code: 1\nCommand: /home/apogean/projects/static_decompilation_malware/sdm/bin/python3 /home/apogean/projects/static_decompilation_malware/pestudio-cli-main/pestudio.py -f /home/apogean/projects/malware/windows/all_runs/custom_edid.bin --header -i --indicators -e -r --relocations -s --strings -u -d\n================================================================================\nIndicators:\n\u001b[1;31mThe file is not a PE file\u001b[0;0m\n\nTraceback (most recent call last):\n File \"/home/apogean/projects/static_decompilation_malware/pestudio-cli-main/pestudio.py\", line 513, in <module>\n checkFile(args)\n ~~~~~~~~~^^^^^^\n File \"/home/apogean/projects/static_decompilation_malware/pestudio-cli-main/pestudio.py\", line 406, in checkFile\n peAnalyzer.printHeaderInformation()\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^\n File \"/home/apogean/projects/static_decompilation_malware/pestudio-cli-main/PeAnalyzer.py\", line 1210, in printHeaderInformation\n table.add_row([\"Signature\", \"\".join([\"{0:02x}\".format(x) for x in self.peFile.header.signature])])\n ^^^^^^^^^^^^^^^^^^\nAttributeError: 'NoneType' object has no attribute 'header'\n", "exit_code": 1, "output_file": "/home/apogean/projects/static_decompilation_malware/pe_studio_analysis.txt" }	2026-04-29 18:10:01
6a049826204ca8b07f91707a	0d6e72e20edd52cf3f8cb41446a5eff46c59fb2b79700fb79…	{ "success": false, "output": "\n================================================================================\nPESTUDIO ANALYSIS REPORT\n================================================================================\nFile: /home/apogean/projects/malware/windows/all_runs/Server_Encrypted.ps1.bin\nExit Code: 1\nCommand: /home/apogean/projects/static_decompilation_malware/sdm/bin/python3 /home/apogean/projects/static_decompilation_malware/pestudio-cli-main/pestudio.py -f /home/apogean/projects/malware/windows/all_runs/Server_Encrypted.ps1.bin --header -i --indicators -e -r --relocations -s --strings -u -d\n================================================================================\nIndicators:\n\u001b[1;31mThe file is not a PE file\u001b[0;0m\n\nTraceback (most recent call last):\n File \"/home/apogean/projects/static_decompilation_malware/pestudio-cli-main/pestudio.py\", line 513, in <module>\n checkFile(args)\n ~~~~~~~~~^^^^^^\n File \"/home/apogean/projects/static_decompilation_malware/pestudio-cli-main/pestudio.py\", line 406, in checkFile\n peAnalyzer.printHeaderInformation()\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^\n File \"/home/apogean/projects/static_decompilation_malware/pestudio-cli-main/PeAnalyzer.py\", line 1210, in printHeaderInformation\n table.add_row([\"Signature\", \"\".join([\"{0:02x}\".format(x) for x in self.peFile.header.signature])])\n ^^^^^^^^^^^^^^^^^^\nAttributeError: 'NoneType' object has no attribute 'header'\n", "exit_code": 1, "output_file": "/home/apogean/projects/static_decompilation_malware/pe_studio_analysis.txt" }	2026-05-13 20:56:30
6a070f71204ca8b07f91707d	f450cef035a0355bdc9c5da156a92a83ea1ca3787cf8ccc6a…	* LARGE PROPERTY * ~2.02 MB Preview:{"success":false,"output" Click to fetch this property	2026-05-15 17:50:01

Rename Collection

Tools

Export Standard

Export --jsonArray

Import --mongoexport json

Collection Stats

Documents	14
Total doc size	3.02 MB
Average doc size	221.03 KB
Pre-allocated size	1.23 MB
Indexes	1
Total index size	36 KB
Padding factor
Extents

Indexes

Name	Columns	Size	Attributes	Actions
_id_	_id ASC	36 KB		DEL