{"id":942,"date":"2026-01-17T18:34:09","date_gmt":"2026-01-17T18:34:09","guid":{"rendered":"http:\/\/thetrueartist.co.uk\/?p=942"},"modified":"2026-01-22T12:44:11","modified_gmt":"2026-01-22T12:44:11","slug":"arechclient2-sectoprat-hijackloader-analysis-a-steganography-doge-based-rat-infostealer","status":"publish","type":"post","link":"http:\/\/thetrueartist.co.uk\/index.php\/2026\/01\/17\/arechclient2-sectoprat-hijackloader-analysis-a-steganography-doge-based-rat-infostealer\/","title":{"rendered":"Arechclient2 (SectopRAT) \/ Hijackloader Analysis; A Steganography (Doge) Based RAT + Infostealer"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">What is Arechclient2 (SectopRAT)?<\/h2>\n\n\n\n<p>Arechclient2 (SectopRAT) is a RAT and Infostealer<\/p>\n\n\n\n<p>Arechclient2, also known as SectopRAT, is a remote access trojan and infostealer initially observed in 2019. It&#8217;s primarily used as a post-compromise tool and is currently experiencing a significant surge in deployment during 2025 campaigns. The malware is delivered via the HijackLoader steganographic delivery mechanism, which embeds encrypted payloads within PNG image files using IDAT chunk manipulation.<\/p>\n\n\n\n<p>This particular sample represents a sophisticated, multi-component attack leveraging legitimate cloud infrastructure for data exfiltration and cryptocurrency theft operations. As far as I can tell, this is a variant that differs significantly from standard SectopRAT deployments.<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>This is also the first time I&#8217;ve seen steganography used in the wild, and is quite unusual in a malware sample from what I&#8217;ve seen.<\/p>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Standard SectopRAT vs This Variant:<\/strong><\/h2>\n\n\n\n<p><\/p>\n\n\n\n<p><br>The sample represents a variant in the standard SectopRAT deployment, especially in its crypto and infostealing features:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Zero-detection dropper components bypassing traditional AV<\/li>\n\n\n\n<li>Steganographic payload delivery in PNG images (IDAT chunk manipulation)<\/li>\n\n\n\n<li>Multi-component architecture with intentional decoy modules<\/li>\n\n\n\n<li>Process injection into custom-created processes (FluInterface32.exe)<\/li>\n\n\n\n<li>Comprehensive financial data theft targeting 24 cryptocurrency wallets<\/li>\n\n\n\n<li>Calli obfuscator defeating dynamic analysis<\/li>\n<\/ul>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Feature<\/td><td>Standard SectopRAT<\/td><td>This Variant<\/td><\/tr><tr><td><strong>Injection Target<\/strong><\/td><td>MSBuild.exe<\/td><td>Custom FluInterface32.exe<\/td><\/tr><tr><td><strong>C2 Resolution<\/strong><\/td><td>Pastebin dynamic<\/td><td>Hardcoded Russian IP<\/td><\/tr><tr><td><strong>Port Range<\/strong><\/td><td>9000, 15647-15678<\/td><td>15847 (within range)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Surface Level Analysis<\/strong><\/h2>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Sample Identification:<\/strong><\/h2>\n\n\n\n<p><br>Our sample was disguised as XMouseButtonControl (legitimate mouse button remapping software.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"mgscz3146\"><strong>Initial Dropper Metadata:<\/strong><\/h3>\n\n\n\n<p><strong>SHA-256: 7dc2ddaac0f6c54d774f6b336fa15a249fd0d5e74a903e7ada07cc00772c8341<br>File Name: XMouseButtonControlSetup.2.20.5.exe<br>File Type: PE32 executable (GUI) Intel 80386, for MS Windows<br>File Size: 2.80 MB<br>Signed: Yes (REVOKED GlobalSign certificate)<br>First Seen: <\/strong>02\/06\/2025 (2nd of June 2025)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"16c7i5692\"><strong>VirusTotal Detection Rates:<\/strong><\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Component<\/td><td>Detection Rate<\/td><td>Strategy<\/td><\/tr><tr><td>Steganographic PNG (memmmu.png)<\/td><td>0\/97<\/td><td>Clean payload carrier<\/td><\/tr><tr><td>Initial dropper (XMouseButtonSetup)<\/td><td>41\/71<\/td><td>Moderate detection despite signing<\/td><\/tr><tr><td>PowerShell dropper (goto.ps1)<\/td><td>14\/63<\/td><td>Some AV detection<\/td><\/tr><tr><td>E-Consol.exe (orchestrator)<\/td><td>0\/72<\/td><td><strong>Completely clean<\/strong><\/td><\/tr><tr><td>AliyunWrap.dll (crypto library)<\/td><td>39\/72<\/td><td><strong>Heavily flagged<\/strong> &#8211; functional but with unused cloud code<\/td><\/tr><tr><td>FluInterface32.exe (pre-injection)<\/td><td>0\/68<\/td><td>Clean host process<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p id=\"16c7i5692\">As you will see later on, AliyunWrap.dll is heavily detected (39\/72) but serves a dual purpose: it&#8217;s functionally required for crypto operations while also containing unused cloud\/credential code that may misdirect analysis efforts.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Delivery Method:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Embedded in PNG image via steganography (PostImg hosting)<\/li>\n\n\n\n<li>XOR encryption (single-byte key at offset 436)<\/li>\n\n\n\n<li>Packaged as ZIP archive containing full malware suite<\/li>\n\n\n\n<li>Delivered via PowerShell dropper script goto.ps1<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p>Processes Graph:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"2029\" height=\"622\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/image.png\" alt=\"\" class=\"wp-image-949\"\/><\/figure>\n\n\n\n<p>(<a href=\"http:\/\/any.run\" target=\"_blank\" rel=\"noreferrer noopener\">any.run<\/a>)<\/p>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Initial Triage<\/strong><\/h2>\n\n\n\n<p>The infection chain begins with what appears to be legitimate XMouseButtonControl software.<\/p>\n\n\n\n<p>The mouse software appears to be fully working. Upon excecution, the Xmouse installer:<br><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Installs legitimate XMouseButtonControl software to <code>%LOCALAPPDATA%\\XMouseButtonControl\\<\/code><br><\/li>\n\n\n\n<li>Writes a malicious PowerShell script<code>, goto.ps1<\/code> to disk alongside the legitimate installation<\/li>\n<\/ul>\n\n\n\n<p>The initial Xmouse install binary writes goto.ps1 to disk, which contains the actual steganographic payload extraction logic. I downloaded the &#8220;goto.ps1&#8221; from a sandbox and started to statically analyze it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"979\" height=\"382\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/Screenshot-2025-07-17-170614.png\" alt=\"\" class=\"wp-image-953\"\/><\/figure>\n\n\n\n<p>(goto.ps1 SHA-256 hash: 163810b5276c23ddccfdcbcb85ac97c58957b7968aae5312cb06668e68f6ac98)<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>The script downloads a doge png named &#8220;memmmu.png&#8221;:<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1586\" height=\"851\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/Screenshot-2025-07-17-174613.png\" alt=\"\" class=\"wp-image-955\"\/><figcaption class=\"wp-element-caption\">The PNG contains a Doge meme image with the encrypted malware ZIP embedded after the IDAT chunk<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The powershell script then extracts the XOR decryption key from byte 436, before finding the IDAT PNG chunk marker, as the payload starts four bytes after. It extracts and XOR decrypts the payload to reveal a ZIP archive. It defines the target directory, kills e-consol, but only if the system is already infected (only works if already infected &#8211; <code>SilentlyContinue<\/code> suppresses errors on first run). It removes old installation files if they exist and creates a fresh directory. It writes the decrypted ZIP, extracts its contents before deleting the zip. The PS script then hides the directory, creates a startup persistence shortcut and finally executres the malware with a hidden window.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1040\" height=\"811\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/image-1.png\" alt=\"\" class=\"wp-image-956\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>In order to more efficiently fetch the malware without execution I wrote a script to extract it:<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/thetrueartist\/HijackLoader-IDATloaderPayloadExtractor\" data-type=\"link\" data-id=\"https:\/\/github.com\/thetrueartist\/HijackLoader-IDATloaderPayloadExtractor\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/thetrueartist\/HijackLoader-IDATloaderPayloadExtractor<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1146\" height=\"810\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/Screenshot-2025-07-17-201854.png\" alt=\"\" class=\"wp-image-958\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>After using this tool and extracting the ZIP folder we get everything that the malware writes to disk.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1401\" height=\"780\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/image-2.png\" alt=\"\" class=\"wp-image-959\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1393\" height=\"779\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/image-4.png\" alt=\"\" class=\"wp-image-961\"\/><\/figure>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>My first impressions of the files were that &#8220;E-consol.exe&#8221; was potentially the main malware, followed by the &#8220;AliyunWrap.dll&#8221;. Both &#8220;Jeadpietpour.rky&#8221; &#8220;Meck.xkd&#8221; were kept intentionally murky by the malware author, with &#8220;AliyunConfig.ini&#8221; likely being of use, even despite the small file size.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>After submitting some of the files to VirusTotal, it would have you think that all apart from the &#8220;AliyunWrap.dll&#8221; harmless. At this point I was questioning what files were potentially a decoy to waste my time (however this happened to not be the case, as I&#8217;ll explain later).<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>After extracting the files I ended up dynamically analyzing &#8220;E-consol.exe&#8221; after finding lacking leads with basic static analysis. <\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>After letting it run, it writes and creates a process called &#8220;FluInterface32.exe&#8221; 10 seconds after E-consol.exe has been executed. <\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>Based off of the name, I had guessed that it (&#8220;FluInterface32.exe&#8221;) was used for the network functionality, maybe alone, and at this point &#8220;AliyunWrap.dll&#8221; was potentially where the main functionality of the malware was hiding, especially considering the VirusTotal detections for it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"799\" height=\"32\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/image-7.png\" alt=\"\" class=\"wp-image-971\"\/><\/figure>\n\n\n\n<p><br><br>However I continued on with analyzing &#8220;FluInterface32.exe&#8221; to start. After investigating with strings\/FLOSS and quickly checking the malware on VirusTotal, it would have you think that &#8220;FluInterface32.exe&#8221; is clean or is harmless.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"779\" height=\"27\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/image-5.png\" alt=\"\" class=\"wp-image-969\"\/><\/figure>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Network Discovery<br><\/h3>\n\n\n\n<p>I then checked network connections for all of the processes it wrote\/spawned and found (with Process Hacker 2, and Fakenet) that &#8220;FluInterface32.exe&#8221; was attempting to connect to a Russian IP as well as a Binance domain hosted on AWS.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"878\" height=\"637\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/Screenshot-2025-07-19-111559.png\" alt=\"\" class=\"wp-image-978\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"652\" height=\"54\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/image-9.png\" alt=\"\" class=\"wp-image-981\"\/><\/figure>\n\n\n\n<p>And sure enough, the IPs it contacted were in memory:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"875\" height=\"485\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/Screenshot-2025-07-19-110629-1.png\" alt=\"\" class=\"wp-image-985\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"372\" height=\"165\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/image-10.png\" alt=\"\" class=\"wp-image-986\"\/><\/figure>\n\n\n\n<p>I found it unusual that this was the only process it spawned that was making active network connections.<\/p>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Process Injection Confirmation<br><\/h3>\n\n\n\n<p>To check to see if &#8220;FluInterface32.exe&#8221; was being process injected, I used Hollows Hunter to check.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1044\" height=\"598\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/Screenshot-2025-07-22-124837.png\" alt=\"\" class=\"wp-image-988\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>This confirmed that &#8220;FluInterface32.exe&#8221; was process injected, as the binary was native, yet there was .NET code running inside it.<\/p>\n\n\n\n<p><br>After this I was pretty sure &#8220;E-Consol.exe&#8221; was just a dropper.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>I used ExtremeDumper to dump the injected payload from FluInterface32.exe&#8217;s memory to analyze what was actually running.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1913\" height=\"987\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/image-11.png\" alt=\"\" class=\"wp-image-992\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1100\" height=\"632\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/image-12.png\" alt=\"\" class=\"wp-image-993\"\/><\/figure>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture Discovery<br><\/h3>\n\n\n\n<p>Before I analyzed the memory dump, I wanted to investigate the component relationships, and to find out which files were actually required for E-consol.exe to run and function.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>I decided to test component dependencies by selectively removing binaries to see what E-Consol actually requires in order for it to work.<\/p>\n\n\n\n<p>In short;<br><br><strong>Test 1: E-Consol.exe alone<\/strong><\/p>\n\n\n\n<p>Failed immediately, it was missing AliyunWrap.dll. Hard dependency confirmed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1256\" height=\"527\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/preview-1.webp\" alt=\"\" class=\"wp-image-1024\"\/><\/figure>\n\n\n\n<p><strong>Test 2: E-Consol.exe + AliyunWrap.dll + AliyunConfig.ini<\/strong><\/p>\n\n\n\n<p>Started but crashed with 0xc0000142 error. Before crashing, it created an empty Meck.xkd file. This means E-Consol.exe writes to Meck.xkd at runtime rather than reading from it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1395\" height=\"525\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/preview.webp\" alt=\"\" class=\"wp-image-1025\"\/><\/figure>\n\n\n\n<p><strong>Test 3: Added Meck.xkd (83 KB)<\/strong><\/p>\n\n\n\n<p>Still crashed with the same error. Another component is missing.<\/p>\n\n\n\n<p><strong>Test 4: Added Jeadpietpour.rky (2 MB)<\/strong><\/p>\n\n\n\n<p>Finally executed successfully. Jeadpietpour.rky is essential for execution.<\/p>\n\n\n\n<p><strong>Required components:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AliyunWrap.dll &#8211; hard dependency, crashes immediately without it<\/li>\n\n\n\n<li>Jeadpietpour.rky &#8211; required for successful execution, crashes without it<\/li>\n\n\n\n<li>Meck.xkd &#8211; runtime artifact, not an input file<\/li>\n<\/ul>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h4 class=\"wp-block-heading\">Analyzing Jeadpietpour.rky<\/h4>\n\n\n\n<p>I uploaded Jeadpietpour.rky to VirusTotal to get more information about the file.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1223\" height=\"693\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/previe3.webp\" alt=\"\" class=\"wp-image-1028\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>VirusTotal&#8217;s Magika classifier identified it as a PNG file despite the .rky extension. I decided to check the file header to confirm.<\/p>\n\n\n\n<p><strong>Checking the file signature:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"986\" height=\"404\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/preview4.webp\" alt=\"\" class=\"wp-image-1029\"\/><\/figure>\n\n\n\n<p>The file doesn&#8217;t start with PNG magic bytes (<code>89 50 4E 47<\/code>). It starts with <code>77 4D...<\/code> instead. The file is likely encrypted or compressed on disk.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Checking Meck.xkd as well:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"870\" height=\"233\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/preview5.webp\" alt=\"\" class=\"wp-image-1030\"\/><\/figure>\n\n\n\n<p><br><br>Meck.xkd has null-byte patterns suggesting either wide-character encoding or encrypted data. The scattered ASCII strings (<code>LIA<\/code>, <code>MSLG<\/code>, <code>jEF<\/code>) suggest this might be partially decrypted or compressed data.<\/p>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">My Hypothesis<\/h3>\n\n\n\n<p> <br>VirusTotal&#8217;s Magika detected PNG structure because it analyzed the decrypted content, not the encrypted file on disk. Jeadpietpour.rky stores encrypted bytes on disk (<code>77 4D 80 79...<\/code>), which AliyunWrap.dll&#8217;s <code>SendLogToCloud()<\/code> function decrypts at runtime. The decrypted result is a PNG file with the actual payload embedded in IDAT chunks. The .NET assembly is then extracted from the PNG and injected into FluInterface32.exe.<\/p>\n\n\n\n<p>This explains why AliyunWrap.dll is required (provides decryption), why both Jeadpietpour.rky and Meck.xkd are needed (key material and staging data), why AVs can&#8217;t detect the payload (encrypted at rest), and why Meck.xkd is created empty on crash (it&#8217;s written during decryption, not read as input).<br><br>However, this is only a theory, but seems likely.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>The execution flow is (likely):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>E-Consol.exe<br>\u251c\u2500 Reads encrypted Jeadpietpour.rky<br>\u251c\u2500 Calls AliyunWrap.dll::SendLogToCloud() for decryption<br>\u251c\u2500 Writes intermediate data to Meck.xkd<br>\u251c\u2500 Extracts .NET payload from decrypted PNG<br>\u2514\u2500 Injects payload into FluInterface32.exe<\/code><\/pre>\n\n\n\n<p>The architecture seems to separate the encrypted payload (Jeadpietpour.rky) from the decryption logic (AliyunWrap.dll), obscures file purposes with unusual extensions (.rky, .xkd), and creates a clean injection target (FluInterface32.exe) at runtime to avoid detection.<\/p>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Memory Dump Analysis<\/h3>\n\n\n\n<p>After looking into the architecture of the malware, I resumed analyzing the memory dump from FluInterface32.exe.<\/p>\n\n\n\n<p><br>I attempted to use DNSpy to debug the dumped payload (wosoqulwj2u.exe), however there was a lot of obfuscation thanks to the Calli Obfuscator.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1539\" height=\"931\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/Screenshot-2025-10-16-121208-1.png\" alt=\"\" class=\"wp-image-1038\"\/><\/figure>\n\n\n\n<p><br>The <code>calli<\/code> (call indirect) instruction is a signature of the Calli obfuscator. This made it so that instead of normal method calls, all function invocations route through function pointers dynamically resolved at runtime.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>This makes it very hard to analyze, it can be done but diminishing returns kick in hard.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>I ended up pivoting to use FLOSS to extract strings from memory.<\/p>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Dumped Payload strings<\/summary>\n<p>&#8216;(&#8216;\/&#8217;<\/p>\n\n\n\n<p>+&#8217;+?+L+<\/p>\n\n\n\n<p>.O0X0u0E1}1<\/p>\n\n\n\n<p>?D@N@<\/p>\n\n\n\n<p>OAPHP<\/p>\n\n\n\n<p>wosoqulwj2u.exe<\/p>\n\n\n\n<p>wosoqulwj2u<\/p>\n\n\n\n<p>mscorlib<\/p>\n\n\n\n<p>System.Web.Extensions<\/p>\n\n\n\n<p>System.Windows.Forms<\/p>\n\n\n\n<p>System<\/p>\n\n\n\n<p>System.Drawing<\/p>\n\n\n\n<p>System.Core<\/p>\n\n\n\n<p>System.Net.Http<\/p>\n\n\n\n<p>System.Runtime.Serialization<\/p>\n\n\n\n<p>System.Security<\/p>\n\n\n\n<p>System.Xml<\/p>\n\n\n\n<p>System.Management<\/p>\n\n\n\n<p>System.IO.Compression.FileSystem<\/p>\n\n\n\n<p>Microsoft.CSharp<\/p>\n\n\n\n<p>kernel32.dll<\/p>\n\n\n\n<p>advapi32.dll<\/p>\n\n\n\n<p>advapi32<\/p>\n\n\n\n<p>user32.dll<\/p>\n\n\n\n<p>msvcrt.dll<\/p>\n\n\n\n<p>User32.dll<\/p>\n\n\n\n<p>gdi32.dll<\/p>\n\n\n\n<p>rstrtmgr.dll<\/p>\n\n\n\n<p>ntdll.dll<\/p>\n\n\n\n<p>String<\/p>\n\n\n\n<p>Format<\/p>\n\n\n\n<p>IFormatProvider<\/p>\n\n\n\n<p>FileInfo<\/p>\n\n\n\n<p>System.IO<\/p>\n\n\n\n<p>get_Directory<\/p>\n\n\n\n<p>DirectoryInfo<\/p>\n\n\n\n<p>Environment<\/p>\n\n\n\n<p>GetFolderPath<\/p>\n\n\n\n<p>SpecialFolder<\/p>\n\n\n\n<p>Concat<\/p>\n\n\n\n<p>Replace<\/p>\n\n\n\n<p>RuntimeHelpers<\/p>\n\n\n\n<p>System.Runtime.CompilerServices<\/p>\n\n\n\n<p>InitializeArray<\/p>\n\n\n\n<p>Array<\/p>\n\n\n\n<p>RuntimeFieldHandle<\/p>\n\n\n\n<p>Split<\/p>\n\n\n\n<p>Type<\/p>\n\n\n\n<p>GetTypeFromHandle<\/p>\n\n\n\n<p>RuntimeTypeHandle<\/p>\n\n\n\n<p>Marshal<\/p>\n\n\n\n<p>System.Runtime.InteropServices<\/p>\n\n\n\n<p>SizeOf<\/p>\n\n\n\n<p>AllocHGlobal<\/p>\n\n\n\n<p>Copy<\/p>\n\n\n\n<p>IntPtr<\/p>\n\n\n\n<p>op_Inequality<\/p>\n\n\n\n<p>FreeHGlobal<\/p>\n\n\n\n<p>ExpandEnvironmentVariables<\/p>\n\n\n\n<p>Encoding<\/p>\n\n\n\n<p>System.Text<\/p>\n\n\n\n<p>get_UTF8<\/p>\n\n\n\n<p>Convert<\/p>\n\n\n\n<p>FromBase64String<\/p>\n\n\n\n<p>get_NewLine<\/p>\n\n\n\n<p>StringSplitOptions<\/p>\n\n\n\n<p>Contains<\/p>\n\n\n\n<p>IsNullOrEmpty<\/p>\n\n\n\n<p>get_Chars<\/p>\n\n\n\n<p>ToUpper<\/p>\n\n\n\n<p>Remove<\/p>\n\n\n\n<p>Path<\/p>\n\n\n\n<p>Combine<\/p>\n\n\n\n<p>File<\/p>\n\n\n\n<p>Exists<\/p>\n\n\n\n<p>Trim<\/p>\n\n\n\n<p>IsNullOrWhiteSpace<\/p>\n\n\n\n<p>StartsWith<\/p>\n\n\n\n<p>ToInt64<\/p>\n\n\n\n<p>DateTime<\/p>\n\n\n\n<p>get_Now<\/p>\n\n\n\n<p>AddMonths<\/p>\n\n\n\n<p>get_Ticks<\/p>\n\n\n\n<p>ToInt32<\/p>\n\n\n\n<p>Join<\/p>\n\n\n\n<p>GetFiles<\/p>\n\n\n\n<p>SearchOption<\/p>\n\n\n\n<p>GetEncoding<\/p>\n\n\n\n<p>ProtectedData<\/p>\n\n\n\n<p>System.Security.Cryptography<\/p>\n\n\n\n<p>Unprotect<\/p>\n\n\n\n<p>DataProtectionScope<\/p>\n\n\n\n<p>get_ASCII<\/p>\n\n\n\n<p>HashAlgorithm<\/p>\n\n\n\n<p>ComputeHash<\/p>\n\n\n\n<p>CultureInfo<\/p>\n\n\n\n<p>System.Globalization<\/p>\n\n\n\n<p>get_InvariantCulture<\/p>\n\n\n\n<p>get_SystemDirectory<\/p>\n\n\n\n<p>BitConverter<\/p>\n\n\n\n<p>get_Unicode<\/p>\n\n\n\n<p>GetBytes<\/p>\n\n\n\n<p>Buffer<\/p>\n\n\n\n<p>BlockCopy<\/p>\n\n\n\n<p>ToLower<\/p>\n\n\n\n<p>get_BigEndianUnicode<\/p>\n\n\n\n<p>ToString<\/p>\n\n\n\n<p>IndexOf<\/p>\n\n\n\n<p>StringComparison<\/p>\n\n\n\n<p>Substring<\/p>\n\n\n\n<p>TrimStart<\/p>\n\n\n\n<p>Compare<\/p>\n\n\n\n<p>Directory<\/p>\n\n\n\n<p>GetDirectories<\/p>\n\n\n\n<p>get_Length<\/p>\n\n\n\n<p>get_CurrentManagedThreadId<\/p>\n\n\n\n<p>Regex<\/p>\n\n\n\n<p>System.Text.RegularExpressions<\/p>\n\n\n\n<p>Matches<\/p>\n\n\n\n<p>MatchCollection<\/p>\n\n\n\n<p>StringBuilder<\/p>\n\n\n\n<p>AppendLine<\/p>\n\n\n\n<p>ChangeType<\/p>\n\n\n\n<p>Object<\/p>\n\n\n\n<p>GetType<\/p>\n\n\n\n<p>op_Equality<\/p>\n\n\n\n<p>GetLogicalDrives<\/p>\n\n\n\n<p>EnumerateDirectories<\/p>\n\n\n\n<p>IEnumerable`1<\/p>\n\n\n\n<p>System.Collections.Generic<\/p>\n\n\n\n<p>XmlDocument<\/p>\n\n\n\n<p>get_DocumentElement<\/p>\n\n\n\n<p>XmlElement<\/p>\n\n\n\n<p>CreateDirectory<\/p>\n\n\n\n<p>FileSystemInfo<\/p>\n\n\n\n<p>get_CreationTime<\/p>\n\n\n\n<p>op_LessThan<\/p>\n\n\n\n<p>Delete<\/p>\n\n\n\n<p>get_UserDomainName<\/p>\n\n\n\n<p>get_UserName<\/p>\n\n\n\n<p>Assembly<\/p>\n\n\n\n<p>System.Reflection<\/p>\n\n\n\n<p>GetExecutingAssembly<\/p>\n\n\n\n<p>InputLanguage<\/p>\n\n\n\n<p>get_CurrentInputLanguage<\/p>\n\n\n\n<p>get_Culture<\/p>\n\n\n\n<p>Screen<\/p>\n\n\n\n<p>get_PrimaryScreen<\/p>\n\n\n\n<p>get_Bounds<\/p>\n\n\n\n<p>Rectangle<\/p>\n\n\n\n<p>get_Width<\/p>\n\n\n\n<p>get_Height<\/p>\n\n\n\n<p>TimeZoneInfo<\/p>\n\n\n\n<p>get_Local<\/p>\n\n\n\n<p>get_DisplayName<\/p>\n\n\n\n<p>RegistryKey<\/p>\n\n\n\n<p>Microsoft.Win32<\/p>\n\n\n\n<p>OpenSubKey<\/p>\n\n\n\n<p>GetValue<\/p>\n\n\n\n<p>GetDelegateForFunctionPointer<\/p>\n\n\n\n<p>Delegate<\/p>\n\n\n\n<p>XmlNode<\/p>\n\n\n\n<p>SelectSingleNode<\/p>\n\n\n\n<p>Append<\/p>\n\n\n\n<p>ManagementObjectSearcher<\/p>\n\n\n\n<p>ManagementObjectCollection<\/p>\n\n\n\n<p>GetEnumerator<\/p>\n\n\n\n<p>ManagementObjectEnumerator<\/p>\n\n\n\n<p>get_Current<\/p>\n\n\n\n<p>ManagementBaseObject<\/p>\n\n\n\n<p>get_Item<\/p>\n\n\n\n<p>ToUInt32<\/p>\n\n\n\n<p>GetSubKeyNames<\/p>\n\n\n\n<p>FileVersionInfo<\/p>\n\n\n\n<p>System.Diagnostics<\/p>\n\n\n\n<p>GetVersionInfo<\/p>\n\n\n\n<p>get_FileVersion<\/p>\n\n\n\n<p>Process<\/p>\n\n\n\n<p>GetCurrentProcess<\/p>\n\n\n\n<p>get_SessionId<\/p>\n\n\n\n<p>get_InstalledInputLanguages<\/p>\n\n\n\n<p>InputLanguageCollection<\/p>\n\n\n\n<p>ToDouble<\/p>\n\n\n\n<p>Math<\/p>\n\n\n\n<p>Round<\/p>\n\n\n\n<p>get_Is64BitOperatingSystem<\/p>\n\n\n\n<p>ReadAllText<\/p>\n\n\n\n<p>WriteAllText<\/p>\n\n\n\n<p>GetDirectoryName<\/p>\n\n\n\n<p>Int32<\/p>\n\n\n\n<p>Parse<\/p>\n\n\n\n<p>NumberStyles<\/p>\n\n\n\n<p>Char<\/p>\n\n\n\n<p>IsLetter<\/p>\n\n\n\n<p>IsLower<\/p>\n\n\n\n<p>SHA256<\/p>\n\n\n\n<p>Create<\/p>\n\n\n\n<p>OpenRead<\/p>\n\n\n\n<p>FileStream<\/p>\n\n\n\n<p>get_Capacity<\/p>\n\n\n\n<p>GetLastWin32Error<\/p>\n\n\n\n<p>EnsureCapacity<\/p>\n\n\n\n<p>PtrToStringAuto<\/p>\n\n\n\n<p>set_Length<\/p>\n\n\n\n<p>IsWhiteSpace<\/p>\n\n\n\n<p>UInt32<\/p>\n\n\n\n<p>TryParse<\/p>\n\n\n\n<p>Decimal<\/p>\n\n\n\n<p>Enum<\/p>\n\n\n\n<p>CreateInstance<\/p>\n\n\n\n<p>SetValue<\/p>\n\n\n\n<p>ConstructorInfo<\/p>\n\n\n\n<p>Invoke<\/p>\n\n\n\n<p>IsDigit<\/p>\n\n\n\n<p>Double<\/p>\n\n\n\n<p>StringComparer<\/p>\n\n\n\n<p>get_OrdinalIgnoreCase<\/p>\n\n\n\n<p>Attribute<\/p>\n\n\n\n<p>GetCustomAttribute<\/p>\n\n\n\n<p>MemberInfo<\/p>\n\n\n\n<p>DataMemberAttribute<\/p>\n\n\n\n<p>get_Name<\/p>\n\n\n\n<p>FormatterServices<\/p>\n\n\n\n<p>GetUninitializedObject<\/p>\n\n\n\n<p>AppendFormat<\/p>\n\n\n\n<p>get_ProcessName<\/p>\n\n\n\n<p>Byte<\/p>\n\n\n\n<p>Registry<\/p>\n\n\n\n<p>GetProcesses<\/p>\n\n\n\n<p>Kill<\/p>\n\n\n\n<p>Thread<\/p>\n\n\n\n<p>System.Threading<\/p>\n\n\n\n<p>Sleep<\/p>\n\n\n\n<p>Image<\/p>\n\n\n\n<p>FromStream<\/p>\n\n\n\n<p>Stream<\/p>\n\n\n\n<p>Save<\/p>\n\n\n\n<p>Bitmap<\/p>\n\n\n\n<p>GetPixel<\/p>\n\n\n\n<p>Color<\/p>\n\n\n\n<p>ToArgb<\/p>\n\n\n\n<p>get_White<\/p>\n\n\n\n<p>Clone<\/p>\n\n\n\n<p>PixelFormat<\/p>\n\n\n\n<p>System.Drawing.Imaging<\/p>\n\n\n\n<p>GetTempFileName<\/p>\n\n\n\n<p>WebClient<\/p>\n\n\n\n<p>System.Net<\/p>\n\n\n\n<p>DownloadFile<\/p>\n\n\n\n<p>Start<\/p>\n\n\n\n<p>TextBoxBase<\/p>\n\n\n\n<p>Paste<\/p>\n\n\n\n<p>RegistryValueKind<\/p>\n\n\n\n<p>GetProcessesByName<\/p>\n\n\n\n<p>Monitor<\/p>\n\n\n\n<p>Enter<\/p>\n\n\n\n<p>Exit<\/p>\n\n\n\n<p>GetCreationTimeUtc<\/p>\n\n\n\n<p>Guid<\/p>\n\n\n\n<p>NewGuid<\/p>\n\n\n\n<p>DriveInfo<\/p>\n\n\n\n<p>get_IsReady<\/p>\n\n\n\n<p>get_DriveType<\/p>\n\n\n\n<p>DriveType<\/p>\n\n\n\n<p>ReadAllBytes<\/p>\n\n\n\n<p>WriteAllBytes<\/p>\n\n\n\n<p>GetRandomFileName<\/p>\n\n\n\n<p>Insert<\/p>\n\n\n\n<p>Graphics<\/p>\n\n\n\n<p>FromHwnd<\/p>\n\n\n\n<p>get_VolumeLabel<\/p>\n\n\n\n<p>get_AvailableFreeSpace<\/p>\n\n\n\n<p>GetFileName<\/p>\n\n\n\n<p>ReadAllLines<\/p>\n\n\n\n<p>WriteAllLines<\/p>\n\n\n\n<p>Point<\/p>\n\n\n\n<p>get_X<\/p>\n\n\n\n<p>get_Y<\/p>\n\n\n\n<p>set_X<\/p>\n\n\n\n<p>set_Y<\/p>\n\n\n\n<p>op_Explicit<\/p>\n\n\n\n<p>Size<\/p>\n\n\n\n<p>get_Left<\/p>\n\n\n\n<p>get_Top<\/p>\n\n\n\n<p>get_Right<\/p>\n\n\n\n<p>get_Bottom<\/p>\n\n\n\n<p>ProcessStartInfo<\/p>\n\n\n\n<p>set_RedirectStandardError<\/p>\n\n\n\n<p>set_RedirectStandardOutput<\/p>\n\n\n\n<p>set_UseShellExecute<\/p>\n\n\n\n<p>set_CreateNoWindow<\/p>\n\n\n\n<p>set_StartInfo<\/p>\n\n\n\n<p>get_MainWindowTitle<\/p>\n\n\n\n<p>get_Id<\/p>\n\n\n\n<p>get_Size<\/p>\n\n\n\n<p>set_Width<\/p>\n\n\n\n<p>set_Height<\/p>\n\n\n\n<p>get_CurrentThread<\/p>\n\n\n\n<p>set_Priority<\/p>\n\n\n\n<p>ThreadPriority<\/p>\n\n\n\n<p>Socket<\/p>\n\n\n\n<p>System.Net.Sockets<\/p>\n\n\n\n<p>BeginSend<\/p>\n\n\n\n<p>IAsyncResult<\/p>\n\n\n\n<p>SocketFlags<\/p>\n\n\n\n<p>AsyncCallback<\/p>\n\n\n\n<p>Collect<\/p>\n\n\n\n<p>get_PixelFormat<\/p>\n\n\n\n<p>LockBits<\/p>\n\n\n\n<p>BitmapData<\/p>\n\n\n\n<p>ImageLockMode<\/p>\n\n\n\n<p>get_Scan0<\/p>\n\n\n\n<p>Receive<\/p>\n\n\n\n<p>UnlockBits<\/p>\n\n\n\n<p>FromImage<\/p>\n\n\n\n<p>ReleaseHdc<\/p>\n\n\n\n<p>DrawImage<\/p>\n\n\n\n<p>Abort<\/p>\n\n\n\n<p>get_AllScreens<\/p>\n\n\n\n<p>CopyFromScreen<\/p>\n\n\n\n<p>EndSend<\/p>\n\n\n\n<p>Console<\/p>\n\n\n\n<p>WriteLine<\/p>\n\n\n\n<p>Close<\/p>\n\n\n\n<p>get_MainWindowHandle<\/p>\n\n\n\n<p>CloseMainWindow<\/p>\n\n\n\n<p>get_WorkingArea<\/p>\n\n\n\n<p>Shutdown<\/p>\n\n\n\n<p>SocketShutdown<\/p>\n\n\n\n<p>GetProcessById<\/p>\n\n\n\n<p>PerformanceCounter<\/p>\n\n\n\n<p>NextValue<\/p>\n\n\n\n<p>BeginReceive<\/p>\n\n\n\n<p>Poll<\/p>\n\n\n\n<p>SelectMode<\/p>\n\n\n\n<p>get_Available<\/p>\n\n\n\n<p>IPAddress<\/p>\n\n\n\n<p>Connect<\/p>\n\n\n\n<p>EndPoint<\/p>\n\n\n\n<p>set_NoDelay<\/p>\n\n\n\n<p>Send<\/p>\n\n\n\n<p>set_ReceiveTimeout<\/p>\n\n\n\n<p>EndReceive<\/p>\n\n\n\n<p>TrimEnd<\/p>\n\n\n\n<p>get_Stride<\/p>\n\n\n\n<p>ImageFormat<\/p>\n\n\n\n<p>get_Jpeg<\/p>\n\n\n\n<p>op_Addition<\/p>\n\n\n\n<p>ServicePointManager<\/p>\n\n\n\n<p>set_SecurityProtocol<\/p>\n\n\n\n<p>SecurityProtocolType<\/p>\n\n\n\n<p>ToCharArray<\/p>\n\n\n\n<p>Reverse<\/p>\n\n\n\n<p>GetInvalidFileNameChars<\/p>\n\n\n\n<p>WaitForExit<\/p>\n\n\n\n<p>Application<\/p>\n\n\n\n<p>ReadInt32<\/p>\n\n\n\n<p>DownloadString<\/p>\n\n\n\n<p>ZipFile<\/p>\n\n\n\n<p>System.IO.Compression<\/p>\n\n\n\n<p>ExtractToDirectory<\/p>\n\n\n\n<p>DownloadData<\/p>\n\n\n\n<p>SuppressFinalize<\/p>\n\n\n\n<p>get_Threads<\/p>\n\n\n\n<p>ProcessThreadCollection<\/p>\n\n\n\n<p>ProcessThread<\/p>\n\n\n\n<p>ToBoolean<\/p>\n\n\n\n<p>TimeSpan<\/p>\n\n\n\n<p>FromMinutes<\/p>\n\n\n\n<p>get_TotalMilliseconds<\/p>\n\n\n\n<p>Timer<\/p>\n\n\n\n<p>System.Timers<\/p>\n\n\n\n<p>add_Elapsed<\/p>\n\n\n\n<p>ElapsedEventHandler<\/p>\n\n\n\n<p>get_InstalledUICulture<\/p>\n\n\n\n<p>set_RedirectStandardInput<\/p>\n\n\n\n<p>set_StandardOutputEncoding<\/p>\n\n\n\n<p>set_StandardErrorEncoding<\/p>\n\n\n\n<p>GetPathRoot<\/p>\n\n\n\n<p>set_WorkingDirectory<\/p>\n\n\n\n<p>set_Arguments<\/p>\n\n\n\n<p>get_StandardInput<\/p>\n\n\n\n<p>StreamWriter<\/p>\n\n\n\n<p>Clear<\/p>\n\n\n\n<p>get_HasExited<\/p>\n\n\n\n<p>get_StandardOutput<\/p>\n\n\n\n<p>StreamReader<\/p>\n\n\n\n<p>get_StandardError<\/p>\n\n\n\n<p>Stop<\/p>\n\n\n\n<p>TcpClient<\/p>\n\n\n\n<p>get_MainModule<\/p>\n\n\n\n<p>ProcessModule<\/p>\n\n\n\n<p>get_FileName<\/p>\n\n\n\n<p>get_Extension<\/p>\n\n\n\n<p>NetworkInterface<\/p>\n\n\n\n<p>System.Net.NetworkInformation<\/p>\n\n\n\n<p>GetAllNetworkInterfaces<\/p>\n\n\n\n<p>MethodInfo<\/p>\n\n\n\n<p>Load<\/p>\n\n\n\n<p>CSharpArgumentInfo<\/p>\n\n\n\n<p>Microsoft.CSharp.RuntimeBinder<\/p>\n\n\n\n<p>CSharpArgumentInfoFlags<\/p>\n\n\n\n<p>Binder<\/p>\n\n\n\n<p>GetIndex<\/p>\n\n\n\n<p>CallSiteBinder<\/p>\n\n\n\n<p>CSharpBinderFlags<\/p>\n\n\n\n<p>BinaryOperation<\/p>\n\n\n\n<p>ExpressionType<\/p>\n\n\n\n<p>System.Linq.Expressions<\/p>\n\n\n\n<p>UnaryOperation<\/p>\n\n\n\n<p>GetTempPath<\/p>\n\n\n\n<p>Exception<\/p>\n\n\n\n<p>get_HResult<\/p>\n\n\n\n<p>ReAllocHGlobal<\/p>\n\n\n\n<p>ReadIntPtr<\/p>\n\n\n\n<p>UIntPtr<\/p>\n\n\n\n<p>MultipartFormDataContent<\/p>\n\n\n\n<p>HttpContent<\/p>\n\n\n\n<p>get_Headers<\/p>\n\n\n\n<p>HttpContentHeaders<\/p>\n\n\n\n<p>System.Net.Http.Headers<\/p>\n\n\n\n<p>MediaTypeHeaderValue<\/p>\n\n\n\n<p>set_ContentType<\/p>\n\n\n\n<p>HttpClient<\/p>\n\n\n\n<p>PostAsync<\/p>\n\n\n\n<p>Task`1<\/p>\n\n\n\n<p>System.Threading.Tasks<\/p>\n\n\n\n<p>HttpResponseMessage<\/p>\n\n\n\n<p>get_IsSuccessStatusCode<\/p>\n\n\n\n<p>get_Content<\/p>\n\n\n\n<p>ReadAsByteArrayAsync<\/p>\n\n\n\n<p>Task<\/p>\n\n\n\n<p>Wait<\/p>\n\n\n\n<p>ToBase64String<\/p>\n\n\n\n<p>CryptoStream<\/p>\n\n\n\n<p>FlushFinalBlock<\/p>\n\n\n\n<p>RandomNumberGenerator<\/p>\n\n\n\n<p>CopyTo<\/p>\n\n\n\n<p>SocketAsyncEventArgs<\/p>\n\n\n\n<p>get_LastOperation<\/p>\n\n\n\n<p>SocketAsyncOperation<\/p>\n\n\n\n<p>get_ExecutablePath<\/p>\n\n\n\n<p>set_WindowStyle<\/p>\n\n\n\n<p>ProcessWindowStyle<\/p>\n\n\n\n<p>set_FileName<\/p>\n\n\n\n<p>op_Subtraction<\/p>\n\n\n\n<p>op_GreaterThan<\/p>\n\n\n\n<p>get_Connected<\/p>\n\n\n\n<p>InvokeMember<\/p>\n\n\n\n<p>SetBuffer<\/p>\n\n\n\n<p>SendAsync<\/p>\n\n\n\n<p>get_BytesTransferred<\/p>\n\n\n\n<p>ReceiveAsync<\/p>\n\n\n\n<p>get_Buffer<\/p>\n\n\n\n<p>GetDrives<\/p>\n\n\n\n<p>GetFullPath<\/p>\n\n\n\n<p>get_LastWriteTime<\/p>\n\n\n\n<p>MoveTo<\/p>\n\n\n\n<p>get_Png<\/p>\n\n\n\n<p>EndsWith<\/p>\n\n\n\n<p>GetThumbnailImage<\/p>\n\n\n\n<p>GetThumbnailImageAbort<\/p>\n\n\n\n<p>Icon<\/p>\n\n\n\n<p>ExtractAssociatedIcon<\/p>\n\n\n\n<p>ToBitmap<\/p>\n\n\n\n<p>IPGlobalProperties<\/p>\n\n\n\n<p>GetIPGlobalProperties<\/p>\n\n\n\n<p>ToByte<\/p>\n\n\n\n<p>get_Default<\/p>\n\n\n\n<p>Capture<\/p>\n\n\n\n<p>get_Value<\/p>\n\n\n\n<p>IsLetterOrDigit<\/p>\n\n\n\n<p>JavaScriptSerializer<\/p>\n\n\n\n<p>System.Web.Script.Serialization<\/p>\n\n\n\n<p>set_MaxJsonLength<\/p>\n\n\n\n<p>AsyncTaskMethodBuilder<\/p>\n\n\n\n<p>SetException<\/p>\n\n\n\n<p>SetResult<\/p>\n\n\n\n<p>ReadAsStringAsync<\/p>\n\n\n\n<p>get_Client<\/p>\n\n\n\n<p>set_ReceiveBufferSize<\/p>\n\n\n\n<p>set_SendBufferSize<\/p>\n\n\n\n<p>GetHostByName<\/p>\n\n\n\n<p>IPHostEntry<\/p>\n\n\n\n<p>get_AddressList<\/p>\n\n\n\n<p>get_Task<\/p>\n\n\n\n<p>get_SocketError<\/p>\n\n\n\n<p>SocketError<\/p>\n\n\n\n<p>remove_Completed<\/p>\n\n\n\n<p>EventHandler`1<\/p>\n\n\n\n<p>add_Completed<\/p>\n\n\n\n<p>SystemInformation<\/p>\n\n\n\n<p>get_VirtualScreen<\/p>\n\n\n\n<p>Serialize<\/p>\n\n\n\n<p>resource<\/p>\n\n\n\n<p>List`1<\/p>\n\n\n\n<p>.ctor<\/p>\n\n\n\n<p>GetString<\/p>\n\n\n\n<p>EmptyTypes<\/p>\n\n\n\n<p>Func`2<\/p>\n\n\n\n<p>KeyValuePair`2<\/p>\n\n\n\n<p>Enumerable<\/p>\n\n\n\n<p>System.Linq<\/p>\n\n\n\n<p>Select<\/p>\n\n\n\n<p>IList`1<\/p>\n\n\n\n<p>UInt64<\/p>\n\n\n\n<p>Int16<\/p>\n\n\n\n<p>CryptographicException<\/p>\n\n\n\n<p>IDisposable<\/p>\n\n\n\n<p>Dispose<\/p>\n\n\n\n<p>Zero<\/p>\n\n\n\n<p>Single<\/p>\n\n\n\n<p>UInt16<\/p>\n\n\n\n<p>Int64<\/p>\n\n\n\n<p>ParamArrayAttribute<\/p>\n\n\n\n<p>IteratorStateMachineAttribute<\/p>\n\n\n\n<p>Enumerator<\/p>\n\n\n\n<p>MoveNext<\/p>\n\n\n\n<p>get_FullName<\/p>\n\n\n\n<p>Empty<\/p>\n\n\n\n<p>AddRange<\/p>\n\n\n\n<p>XmlTextReader<\/p>\n\n\n\n<p>XmlReader<\/p>\n\n\n\n<p>get_ChildNodes<\/p>\n\n\n\n<p>XmlNodeList<\/p>\n\n\n\n<p>get_ItemOf<\/p>\n\n\n\n<p>IEnumerator<\/p>\n\n\n\n<p>System.Collections<\/p>\n\n\n\n<p>get_InnerText<\/p>\n\n\n\n<p>InvalidOperationException<\/p>\n\n\n\n<p>get_Location<\/p>\n\n\n\n<p>get_EnglishName<\/p>\n\n\n\n<p>ToList<\/p>\n\n\n\n<p>get_Exists<\/p>\n\n\n\n<p>BinaryReader<\/p>\n\n\n\n<p>ReadUInt16<\/p>\n\n\n\n<p>ReadByte<\/p>\n\n\n\n<p>get_Position<\/p>\n\n\n\n<p>ReadInt16<\/p>\n\n\n\n<p>ReadUInt32<\/p>\n\n\n\n<p>Seek<\/p>\n\n\n\n<p>SeekOrigin<\/p>\n\n\n\n<p>Dictionary`2<\/p>\n\n\n\n<p>ContainsKey<\/p>\n\n\n\n<p>Boolean<\/p>\n\n\n\n<p>get_Count<\/p>\n\n\n\n<p>get_Key<\/p>\n\n\n\n<p>set_Item<\/p>\n\n\n\n<p>GetComputerName<\/p>\n\n\n\n<p>LookupAccountName<\/p>\n\n\n\n<p>ConvertSidToStringSid<\/p>\n\n\n\n<p>LocalFree<\/p>\n\n\n\n<p>HMACSHA256<\/p>\n\n\n\n<p>IEnumerator`1<\/p>\n\n\n\n<p>FirstOrDefault<\/p>\n\n\n\n<p>Where<\/p>\n\n\n\n<p>MemoryStream<\/p>\n\n\n\n<p>HashSet`1<\/p>\n\n\n\n<p>LocalMachine<\/p>\n\n\n\n<p>CurrentUser<\/p>\n\n\n\n<p>ToArray<\/p>\n\n\n\n<p>EnumDisplayMonitors<\/p>\n\n\n\n<p>GetMonitorInfo<\/p>\n\n\n\n<p>memcmp<\/p>\n\n\n\n<p>memcpy<\/p>\n\n\n\n<p>SetForegroundWindow<\/p>\n\n\n\n<p>GetForegroundWindow<\/p>\n\n\n\n<p>keybd_event<\/p>\n\n\n\n<p>TextBox<\/p>\n\n\n\n<p>Control<\/p>\n\n\n\n<p>get_Text<\/p>\n\n\n\n<p>Component<\/p>\n\n\n\n<p>System.ComponentModel<\/p>\n\n\n\n<p>ThreadStart<\/p>\n\n\n\n<p>get_Message<\/p>\n\n\n\n<p>GetDeviceCaps<\/p>\n\n\n\n<p>GetHdc<\/p>\n\n\n\n<p>InsertRange<\/p>\n\n\n\n<p>mouse_event<\/p>\n\n\n\n<p>SetCursorPos<\/p>\n\n\n\n<p>SystemParametersInfo<\/p>\n\n\n\n<p>OpenDesktop<\/p>\n\n\n\n<p>CloseDesktop<\/p>\n\n\n\n<p>EnumDesktopWindows<\/p>\n\n\n\n<p>SetWindowPos<\/p>\n\n\n\n<p>IsWindowVisible<\/p>\n\n\n\n<p>SuppressUnmanagedCodeSecurityAttribute<\/p>\n\n\n\n<p>PostMessage<\/p>\n\n\n\n<p>SendMessage<\/p>\n\n\n\n<p>SetThreadDesktop<\/p>\n\n\n\n<p>WindowFromPoint<\/p>\n\n\n\n<p>GetClassName<\/p>\n\n\n\n<p>GetWindowRect<\/p>\n\n\n\n<p>GetParent<\/p>\n\n\n\n<p>GetScrollPos<\/p>\n\n\n\n<p>SetScrollPos<\/p>\n\n\n\n<p>SetActiveWindow<\/p>\n\n\n\n<p>DefWindowProc<\/p>\n\n\n\n<p>CreateProcess<\/p>\n\n\n\n<p>GetThreadDesktop<\/p>\n\n\n\n<p>SetWindowLong<\/p>\n\n\n\n<p>GetWindowLong<\/p>\n\n\n\n<p>GetCurrentThreadId<\/p>\n\n\n\n<p>EnumWindows<\/p>\n\n\n\n<p>PrintWindow<\/p>\n\n\n\n<p>DeleteDC<\/p>\n\n\n\n<p>Last<\/p>\n\n\n\n<p>get_AsyncState<\/p>\n\n\n\n<p>GZipStream<\/p>\n\n\n\n<p>CompressionMode<\/p>\n\n\n\n<p>Write<\/p>\n\n\n\n<p>CreateDesktop<\/p>\n\n\n\n<p>IsWindow<\/p>\n\n\n\n<p>First<\/p>\n\n\n\n<p>FindWindow<\/p>\n\n\n\n<p>ShowWindow<\/p>\n\n\n\n<p>AddressFamily<\/p>\n\n\n\n<p>SocketType<\/p>\n\n\n\n<p>ProtocolType<\/p>\n\n\n\n<p>IPEndPoint<\/p>\n\n\n\n<p>ParameterizedThreadStart<\/p>\n\n\n\n<p>RemoveRange<\/p>\n\n\n\n<p>GetRange<\/p>\n\n\n\n<p>SetLength<\/p>\n\n\n\n<p>ManagementObject<\/p>\n\n\n\n<p>ReadOnlyCollectionBase<\/p>\n\n\n\n<p>Distinct<\/p>\n\n\n\n<p>OpenThread<\/p>\n\n\n\n<p>SuspendThread<\/p>\n\n\n\n<p>ResumeThread<\/p>\n\n\n\n<p>CloseHandle<\/p>\n\n\n\n<p>CopyFile<\/p>\n\n\n\n<p>Tuple`2<\/p>\n\n\n\n<p>DataContractSerializer<\/p>\n\n\n\n<p>XmlObjectSerializer<\/p>\n\n\n\n<p>ReadObject<\/p>\n\n\n\n<p>DeflateStream<\/p>\n\n\n\n<p>CompressionLevel<\/p>\n\n\n\n<p>WriteObject<\/p>\n\n\n\n<p>get_TextInfo<\/p>\n\n\n\n<p>TextInfo<\/p>\n\n\n\n<p>get_OEMCodePage<\/p>\n\n\n\n<p>get_CodePage<\/p>\n\n\n\n<p>get_BaseStream<\/p>\n\n\n\n<p>TextReader<\/p>\n\n\n\n<p>Read<\/p>\n\n\n\n<p>Peek<\/p>\n\n\n\n<p>ApplicationException<\/p>\n\n\n\n<p>ObjectDisposedException<\/p>\n\n\n\n<p>TextWriter<\/p>\n\n\n\n<p>Flush<\/p>\n\n\n\n<p>MD5CryptoServiceProvider<\/p>\n\n\n\n<p>get_OperationalStatus<\/p>\n\n\n\n<p>OperationalStatus<\/p>\n\n\n\n<p>get_Description<\/p>\n\n\n\n<p>GetPhysicalAddress<\/p>\n\n\n\n<p>PhysicalAddress<\/p>\n\n\n\n<p>get_Item1<\/p>\n\n\n\n<p>get_Item2<\/p>\n\n\n\n<p>GetMethod<\/p>\n\n\n\n<p>BindingFlags<\/p>\n\n\n\n<p>MethodBase<\/p>\n\n\n\n<p>Deserialize<\/p>\n\n\n\n<p>CallSite`1<\/p>\n\n\n\n<p>Func`3<\/p>\n\n\n\n<p>CallSite<\/p>\n\n\n\n<p>Target<\/p>\n\n\n\n<p>Func`4<\/p>\n\n\n\n<p>IsWow64Process<\/p>\n\n\n\n<p>MapViewOfFile<\/p>\n\n\n\n<p>CreateFileMappingA<\/p>\n\n\n\n<p>GetFileSizeEx<\/p>\n\n\n\n<p>RmRegisterResources<\/p>\n\n\n\n<p>RmStartSession<\/p>\n\n\n\n<p>RmEndSession<\/p>\n\n\n\n<p>RmGetList<\/p>\n\n\n\n<p>DuplicateHandle<\/p>\n\n\n\n<p>GetCurrentProcessId<\/p>\n\n\n\n<p>TerminateProcess<\/p>\n\n\n\n<p>OpenProcess<\/p>\n\n\n\n<p>GetFinalPathNameByHandleW<\/p>\n\n\n\n<p>UnmapViewOfFile<\/p>\n\n\n\n<p>GetFileType<\/p>\n\n\n\n<p>NtQuerySystemInformation<\/p>\n\n\n\n<p>get_Result<\/p>\n\n\n\n<p>AsyncTaskMethodBuilder`1<\/p>\n\n\n\n<p>AsyncStateMachineAttribute<\/p>\n\n\n\n<p>DebuggerStepThroughAttribute<\/p>\n\n\n\n<p>SymmetricAlgorithm<\/p>\n\n\n\n<p>set_Key<\/p>\n\n\n\n<p>set_IV<\/p>\n\n\n\n<p>get_IV<\/p>\n\n\n\n<p>CreateEncryptor<\/p>\n\n\n\n<p>ICryptoTransform<\/p>\n\n\n\n<p>CryptoStreamMode<\/p>\n\n\n\n<p>CreateDecryptor<\/p>\n\n\n\n<p>Take<\/p>\n\n\n\n<p>Skip<\/p>\n\n\n\n<p>DynamicAttribute<\/p>\n\n\n\n<p>get_DomainName<\/p>\n\n\n\n<p>FileMode<\/p>\n\n\n\n<p>FileAccess<\/p>\n\n\n\n<p>FileShare<\/p>\n\n\n\n<p>Match<\/p>\n\n\n\n<p>Predicate`1<\/p>\n\n\n\n<p>RemoveAll<\/p>\n\n\n\n<p>OpenClipboard<\/p>\n\n\n\n<p>CloseClipboard<\/p>\n\n\n\n<p>SetClipboardData<\/p>\n\n\n\n<p>Count<\/p>\n\n\n\n<p>Nullable`1<\/p>\n\n\n\n<p>GetValueOrDefault<\/p>\n\n\n\n<p>ResourceManager<\/p>\n\n\n\n<p>System.Resources<\/p>\n\n\n\n<p>GetManifestResourceStream<\/p>\n\n\n\n<p>DebuggerHiddenAttribute<\/p>\n\n\n\n<p>EqualityComparer`1<\/p>\n\n\n\n<p>Equals<\/p>\n\n\n\n<p>GetHashCode<\/p>\n\n\n\n<p>DebuggerDisplayAttribute<\/p>\n\n\n\n<p>Account<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>get_URL<\/p>\n\n\n\n<p>set_URL<\/p>\n\n\n\n<p>value<\/p>\n\n\n\n<p>get_Username<\/p>\n\n\n\n<p>set_Username<\/p>\n\n\n\n<p>get_Password<\/p>\n\n\n\n<p>set_Password<\/p>\n\n\n\n<p>Username<\/p>\n\n\n\n<p>Password<\/p>\n\n\n\n<p>DataContractAttribute<\/p>\n\n\n\n<p>Autofill<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>set_Name<\/p>\n\n\n\n<p>set_Value<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Value<\/p>\n\n\n\n<p>ValueType<\/p>\n\n\n\n<p>.cctor<\/p>\n\n\n\n<p>&lt;&gt;9__2_0<\/p>\n\n\n\n<p>&lt;&gt;9__4_0<\/p>\n\n\n\n<p>Browser<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>get_BrowserName<\/p>\n\n\n\n<p>set_BrowserName<\/p>\n\n\n\n<p>get_BrowserProfile<\/p>\n\n\n\n<p>set_BrowserProfile<\/p>\n\n\n\n<p>get_Logins<\/p>\n\n\n\n<p>set_Logins<\/p>\n\n\n\n<p>get_Autofills<\/p>\n\n\n\n<p>set_Autofills<\/p>\n\n\n\n<p>get_CC<\/p>\n\n\n\n<p>set_CC<\/p>\n\n\n\n<p>get_Cookies<\/p>\n\n\n\n<p>set_Cookies<\/p>\n\n\n\n<p>ICollection`1<\/p>\n\n\n\n<p>IsEmpty<\/p>\n\n\n\n<p>BrowserName<\/p>\n\n\n\n<p>BrowserProfile<\/p>\n\n\n\n<p>Logins<\/p>\n\n\n\n<p>Autofills<\/p>\n\n\n\n<p>Cookies<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>get_HolderName<\/p>\n\n\n\n<p>set_HolderName<\/p>\n\n\n\n<p>get_Month<\/p>\n\n\n\n<p>set_Month<\/p>\n\n\n\n<p>get_Year<\/p>\n\n\n\n<p>set_Year<\/p>\n\n\n\n<p>get_Number<\/p>\n\n\n\n<p>set_Number<\/p>\n\n\n\n<p>HolderName<\/p>\n\n\n\n<p>Month<\/p>\n\n\n\n<p>Year<\/p>\n\n\n\n<p>Number<\/p>\n\n\n\n<p>ScannedCookie<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>get_Host<\/p>\n\n\n\n<p>set_Host<\/p>\n\n\n\n<p>get_Http<\/p>\n\n\n\n<p>set_Http<\/p>\n\n\n\n<p>get_Path<\/p>\n\n\n\n<p>set_Path<\/p>\n\n\n\n<p>get_Secure<\/p>\n\n\n\n<p>set_Secure<\/p>\n\n\n\n<p>get_Expires<\/p>\n\n\n\n<p>set_Expires<\/p>\n\n\n\n<p>ToText<\/p>\n\n\n\n<p>Host<\/p>\n\n\n\n<p>Http<\/p>\n\n\n\n<p>Secure<\/p>\n\n\n\n<p>Expires<\/p>\n\n\n\n<p>BrowserVersion<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>get_NameOfBrowser<\/p>\n\n\n\n<p>set_NameOfBrowser<\/p>\n\n\n\n<p>get_Version<\/p>\n\n\n\n<p>set_Version<\/p>\n\n\n\n<p>get_PathOfFile<\/p>\n\n\n\n<p>set_PathOfFile<\/p>\n\n\n\n<p>NameOfBrowser<\/p>\n\n\n\n<p>Version<\/p>\n\n\n\n<p>PathOfFile<\/p>\n\n\n\n<p>Func`1<\/p>\n\n\n\n<p>&lt;&gt;9__0_0<\/p>\n\n\n\n<p>&lt;&gt;9__0_2<\/p>\n\n\n\n<p>&lt;&gt;9__0_4<\/p>\n\n\n\n<p>&lt;&gt;9__0_6<\/p>\n\n\n\n<p>&lt;&gt;9__0_8<\/p>\n\n\n\n<p>Finalize<\/p>\n\n\n\n<p>MulticastDelegate<\/p>\n\n\n\n<p>BeginInvoke<\/p>\n\n\n\n<p>EndInvoke<\/p>\n\n\n\n<p>CompareTo<\/p>\n\n\n\n<p>Resize<\/p>\n\n\n\n<p>ReadMasterOfContext<\/p>\n\n\n\n<p>offset<\/p>\n\n\n\n<p>IEnumerable<\/p>\n\n\n\n<p>System.IDisposable.Dispose<\/p>\n\n\n\n<p>System.Collections.Generic.IEnumerator.get_Current<\/p>\n\n\n\n<p>NotSupportedException<\/p>\n\n\n\n<p>System.Collections.IEnumerator.Reset<\/p>\n\n\n\n<p>Reset<\/p>\n\n\n\n<p>System.Collections.IEnumerator.get_Current<\/p>\n\n\n\n<p>System.Collections.Generic.IEnumerable.GetEnumerator<\/p>\n\n\n\n<p>System.Collections.IEnumerable.GetEnumerator<\/p>\n\n\n\n<p>ScannedFile<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>filename<\/p>\n\n\n\n<p>get_NameOfFile<\/p>\n\n\n\n<p>set_NameOfFile<\/p>\n\n\n\n<p>get_Body<\/p>\n\n\n\n<p>set_Body<\/p>\n\n\n\n<p>get_NameOfApplication<\/p>\n\n\n\n<p>set_NameOfApplication<\/p>\n\n\n\n<p>get_DirOfFile<\/p>\n\n\n\n<p>set_DirOfFile<\/p>\n\n\n\n<p>NameOfFile<\/p>\n\n\n\n<p>Body<\/p>\n\n\n\n<p>NameOfApplication<\/p>\n\n\n\n<p>DirOfFile<\/p>\n\n\n\n<p>get_CurrentEncoding<\/p>\n\n\n\n<p>ReadToEnd<\/p>\n\n\n\n<p>SelectMany<\/p>\n\n\n\n<p>GetProperties<\/p>\n\n\n\n<p>PropertyInfo<\/p>\n\n\n\n<p>get_PropertyType<\/p>\n\n\n\n<p>&lt;&gt;9__4_1<\/p>\n\n\n\n<p>FileScannerArg<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>get_Tag<\/p>\n\n\n\n<p>set_Tag<\/p>\n\n\n\n<p>set_Directory<\/p>\n\n\n\n<p>get_Pattern<\/p>\n\n\n\n<p>set_Pattern<\/p>\n\n\n\n<p>get_Recoursive<\/p>\n\n\n\n<p>set_Recoursive<\/p>\n\n\n\n<p>Pattern<\/p>\n\n\n\n<p>Recoursive<\/p>\n\n\n\n<p>Random<\/p>\n\n\n\n<p>OrderBy<\/p>\n\n\n\n<p>IOrderedEnumerable`1<\/p>\n\n\n\n<p>Next<\/p>\n\n\n\n<p>HardwareType<\/p>\n\n\n\n<p>value__<\/p>\n\n\n\n<p>Processor<\/p>\n\n\n\n<p>EnumMemberAttribute<\/p>\n\n\n\n<p>Graphic<\/p>\n\n\n\n<p>Json<\/p>\n\n\n\n<p>json<\/p>\n\n\n\n<p>set_RecursionLimit<\/p>\n\n\n\n<p>get_JSON<\/p>\n\n\n\n<p>FromJSON<\/p>\n\n\n\n<p>this<\/p>\n\n\n\n<p>ToJSON<\/p>\n\n\n\n<p>JSON<\/p>\n\n\n\n<p>LocalState<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>get_os_crypt<\/p>\n\n\n\n<p>set_os_crypt<\/p>\n\n\n\n<p>os_crypt<\/p>\n\n\n\n<p>OsCrypt<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>get_encrypted_key<\/p>\n\n\n\n<p>set_encrypted_key<\/p>\n\n\n\n<p>encrypted_key<\/p>\n\n\n\n<p>LoadLibrary<\/p>\n\n\n\n<p>FreeLibrary<\/p>\n\n\n\n<p>ReliabilityContractAttribute<\/p>\n\n\n\n<p>System.Runtime.ConstrainedExecution<\/p>\n\n\n\n<p>Consistency<\/p>\n\n\n\n<p>GetProcAddress<\/p>\n\n\n\n<p>ScanDetails<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>get_SecurityUtils<\/p>\n\n\n\n<p>set_SecurityUtils<\/p>\n\n\n\n<p>get_AvailableLanguages<\/p>\n\n\n\n<p>set_AvailableLanguages<\/p>\n\n\n\n<p>get_Softwares<\/p>\n\n\n\n<p>set_Softwares<\/p>\n\n\n\n<p>get_Processes<\/p>\n\n\n\n<p>set_Processes<\/p>\n\n\n\n<p>get_SystemHardwares<\/p>\n\n\n\n<p>set_SystemHardwares<\/p>\n\n\n\n<p>get_Browsers<\/p>\n\n\n\n<p>set_Browsers<\/p>\n\n\n\n<p>get_FtpConnections<\/p>\n\n\n\n<p>set_FtpConnections<\/p>\n\n\n\n<p>get_InstalledBrowsers<\/p>\n\n\n\n<p>set_InstalledBrowsers<\/p>\n\n\n\n<p>get_ScannedFiles<\/p>\n\n\n\n<p>set_ScannedFiles<\/p>\n\n\n\n<p>get_GameLauncherFiles<\/p>\n\n\n\n<p>set_GameLauncherFiles<\/p>\n\n\n\n<p>get_ScannedWallets<\/p>\n\n\n\n<p>set_ScannedWallets<\/p>\n\n\n\n<p>get_NordAccounts<\/p>\n\n\n\n<p>set_NordAccounts<\/p>\n\n\n\n<p>get_Open<\/p>\n\n\n\n<p>set_Open<\/p>\n\n\n\n<p>get_Proton<\/p>\n\n\n\n<p>set_Proton<\/p>\n\n\n\n<p>get_MessageClientFiles<\/p>\n\n\n\n<p>set_MessageClientFiles<\/p>\n\n\n\n<p>get_DicrFiles<\/p>\n\n\n\n<p>set_DicrFiles<\/p>\n\n\n\n<p>SecurityUtils<\/p>\n\n\n\n<p>AvailableLanguages<\/p>\n\n\n\n<p>Softwares<\/p>\n\n\n\n<p>Processes<\/p>\n\n\n\n<p>SystemHardwares<\/p>\n\n\n\n<p>Browsers<\/p>\n\n\n\n<p>FtpConnections<\/p>\n\n\n\n<p>InstalledBrowsers<\/p>\n\n\n\n<p>ScannedFiles<\/p>\n\n\n\n<p>GameLauncherFiles<\/p>\n\n\n\n<p>ScannedWallets<\/p>\n\n\n\n<p>NordAccounts<\/p>\n\n\n\n<p>Open<\/p>\n\n\n\n<p>Proton<\/p>\n\n\n\n<p>MessageClientFiles<\/p>\n\n\n\n<p>DicrFiles<\/p>\n\n\n\n<p>SystemHardware<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>get_Counter<\/p>\n\n\n\n<p>set_Counter<\/p>\n\n\n\n<p>get_HardType<\/p>\n\n\n\n<p>set_HardType<\/p>\n\n\n\n<p>Counter<\/p>\n\n\n\n<p>HardType<\/p>\n\n\n\n<p>ScanningArgs<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>k__BackingField<\/p>\n\n\n\n<p>get_ScanBrowsers<\/p>\n\n\n\n<p>set_ScanBrowsers<\/p>\n\n\n\n<p>get_ScanFiles<\/p>\n\n\n\n<p>set_ScanFiles<\/p>\n\n\n\n<p>get_ScanFTP<\/p>\n\n\n\n<p>set_ScanFTP<\/p>\n\n\n\n<p>get_ScanWallets<\/p>\n\n\n\n<p>set_ScanWallets<\/p>\n\n\n\n<p>get_ScanScreen<\/p>\n\n\n\n<p>set_ScanScreen<\/p>\n\n\n\n<p>get_ScanTelegram<\/p>\n\n\n\n<p>set_ScanTelegram<\/p>\n\n\n\n<p>get_ScanVPN<\/p>\n\n\n\n<p>set_ScanVPN<\/p>\n\n\n\n<p>get_ScanSteam<\/p>\n\n\n\n<p>set_ScanSteam<\/p>\n\n\n\n<p>get_ScanDiscord<\/p>\n\n\n\n<p>set_ScanDiscord<\/p>\n\n\n\n<p>get_ScanFilesPaths<\/p>\n\n\n\n<p>set_ScanFilesPaths<\/p>\n\n\n\n<p>get_ScanChromeBrowsersPaths<\/p>\n\n\n\n<p>set_ScanChromeBrowsersPaths<\/p>\n\n\n\n<p>get_ScanGeckoBrowsersPaths<\/p>\n\n\n\n<p>set_ScanGeckoBrowsersPaths<\/p>\n\n\n\n<p>get_Configs<\/p>\n\n\n\n<p>set_Configs<\/p>\n\n\n\n<p>ScanBrowsers<\/p>\n\n\n\n<p>ScanFiles<\/p>\n\n\n\n<p>ScanFTP<\/p>\n\n\n\n<p>ScanWallets<\/p>\n\n\n\n<p>ScanScreen<\/p>\n\n\n\n<p>ScanTelegram<\/p>\n\n\n\n<p>ScanVPN<\/p>\n\n\n\n<p>ScanSteam<\/p>\n\n\n\n<p>ScanDiscord<\/p>\n\n\n\n<p>ScanFilesPaths<\/p>\n\n\n\n<p>ScanChromeBrowsersPaths<\/p>\n\n\n\n<p>ScanGeckoBrowsersPaths<\/p>\n\n\n\n<p>Configs<\/p>\n\n\n\n<p>ScanResult<\/p>\n\n\n\n<p>get_Hardware<\/p>\n\n\n\n<p>set_Hardware<\/p>\n\n\n\n<p>get_ReleaseID<\/p>\n\n\n\n<p>set_ReleaseID<\/p>\n\n\n\n<p>get_MachineName<\/p>\n\n\n\n<p>set_MachineName<\/p>\n\n\n\n<p>get_OSVersion<\/p>\n\n\n\n<p>set_OSVersion<\/p>\n\n\n\n<p>get_Language<\/p>\n\n\n\n<p>set_Language<\/p>\n\n\n\n<p>get_Resolution<\/p>\n\n\n\n<p>set_Resolution<\/p>\n\n\n\n<p>get_ScanDetails<\/p>\n\n\n\n<p>set_ScanDetails<\/p>\n\n\n\n<p>get_Country<\/p>\n\n\n\n<p>set_Country<\/p>\n\n\n\n<p>get_City<\/p>\n\n\n\n<p>set_City<\/p>\n\n\n\n<p>get_TZ<\/p>\n\n\n\n<p>set_TZ<\/p>\n\n\n\n<p>get_IPv4<\/p>\n\n\n\n<p>set_IPv4<\/p>\n\n\n\n<p>get_Monitor<\/p>\n\n\n\n<p>set_Monitor<\/p>\n\n\n\n<p>get_ZipCode<\/p>\n\n\n\n<p>set_ZipCode<\/p>\n\n\n\n<p>get_FileLocation<\/p>\n\n\n\n<p>set_FileLocation<\/p>\n\n\n\n<p>get_SeenBefore<\/p>\n\n\n\n<p>set_SeenBefore<\/p>\n\n\n\n<p>Hardware<\/p>\n\n\n\n<p>ReleaseID<\/p>\n\n\n\n<p>MachineName<\/p>\n\n\n\n<p>OSVersion<\/p>\n\n\n\n<p>Language<\/p>\n\n\n\n<p>Resolution<\/p>\n\n\n\n<p>Country<\/p>\n\n\n\n<p>City<\/p>\n\n\n\n<p>IPv4<\/p>\n\n\n\n<p>ZipCode<\/p>\n\n\n\n<p>FileLocation<\/p>\n\n\n\n<p>SeenBefore<\/p>\n\n\n\n<p>Cast<\/p>\n\n\n\n<p>&lt;&gt;9__7_0<\/p>\n\n\n\n<p>&lt;&gt;9__8_0<\/p>\n\n\n\n<p>&lt;&gt;9__1_0<\/p>\n\n\n\n<p>Stack`1<\/p>\n\n\n\n<p>ThreadStaticAttribute<\/p>\n\n\n\n<p>FieldInfo<\/p>\n\n\n\n<p>get_IsPrimitive<\/p>\n\n\n\n<p>get_IsEnum<\/p>\n\n\n\n<p>get_IsArray<\/p>\n\n\n\n<p>GetElementType<\/p>\n\n\n\n<p>Push<\/p>\n\n\n\n<p>get_IsGenericType<\/p>\n\n\n\n<p>GetGenericTypeDefinition<\/p>\n\n\n\n<p>GetGenericArguments<\/p>\n\n\n\n<p>GetConstructor<\/p>\n\n\n\n<p>IList<\/p>\n\n\n\n<p>IDictionary<\/p>\n\n\n\n<p>IEqualityComparer`1<\/p>\n\n\n\n<p>IgnoreDataMemberAttribute<\/p>\n\n\n\n<p>IsDefined<\/p>\n\n\n\n<p>TryGetValue<\/p>\n\n\n\n<p>GetFields<\/p>\n\n\n\n<p>get_FieldType<\/p>\n\n\n\n<p>ICollection<\/p>\n\n\n\n<p>get_Keys<\/p>\n\n\n\n<p>get_CanRead<\/p>\n\n\n\n<p>ObsoleteAttribute<\/p>\n\n\n\n<p>EnumDesktopWindowsProc<\/p>\n\n\n\n<p>&lt;&gt;9__22_0<\/p>\n\n\n\n<p>TrimExcess<\/p>\n\n\n\n<p>&lt;&gt;9__34_1<\/p>\n\n\n\n<p>&lt;&gt;9__34_7<\/p>\n\n\n\n<p>&lt;&gt;9__34_2<\/p>\n\n\n\n<p>&lt;&gt;9__34_9<\/p>\n\n\n\n<p>&lt;&gt;9__34_4<\/p>\n\n\n\n<p>&lt;&gt;9__34_11<\/p>\n\n\n\n<p>&lt;&gt;9__34_5<\/p>\n\n\n\n<p>&lt;&gt;9__34_13<\/p>\n\n\n\n<p>&lt;&gt;9__34_6<\/p>\n\n\n\n<p>&lt;&gt;9__34_15<\/p>\n\n\n\n<p>Repeat<\/p>\n\n\n\n<p>&lt;&gt;9__6_0<\/p>\n\n\n\n<p>STAThreadAttribute<\/p>\n\n\n\n<p>SetWindowsHookEx<\/p>\n\n\n\n<p>CallNextHookEx<\/p>\n\n\n\n<p>GetModuleHandle<\/p>\n\n\n\n<p>GetWindowThreadProcessId<\/p>\n\n\n\n<p>GetKeyState<\/p>\n\n\n\n<p>GetKeyboardState<\/p>\n\n\n\n<p>GetKeyboardLayout<\/p>\n\n\n\n<p>ToUnicodeEx<\/p>\n\n\n\n<p>MapVirtualKey<\/p>\n\n\n\n<p>GetWindowText<\/p>\n\n\n\n<p>Keys<\/p>\n\n\n\n<p>&lt;&gt;9__23_0<\/p>\n\n\n\n<p>Mutex<\/p>\n\n\n\n<p>WaitHandle<\/p>\n\n\n\n<p>FlagsAttribute<\/p>\n\n\n\n<p>StealerSettingConfigParce<\/p>\n\n\n\n<p>get_discord<\/p>\n\n\n\n<p>set_discord<\/p>\n\n\n\n<p>get_files<\/p>\n\n\n\n<p>set_files<\/p>\n\n\n\n<p>get_ftp<\/p>\n\n\n\n<p>set_ftp<\/p>\n\n\n\n<p>get_steam<\/p>\n\n\n\n<p>set_steam<\/p>\n\n\n\n<p>get_telegram<\/p>\n\n\n\n<p>set_telegram<\/p>\n\n\n\n<p>get_vpn<\/p>\n\n\n\n<p>set_vpn<\/p>\n\n\n\n<p>get_endbled<\/p>\n\n\n\n<p>set_endbled<\/p>\n\n\n\n<p>get_grabber<\/p>\n\n\n\n<p>set_grabber<\/p>\n\n\n\n<p>discord<\/p>\n\n\n\n<p>files<\/p>\n\n\n\n<p>steam<\/p>\n\n\n\n<p>telegram<\/p>\n\n\n\n<p>endbled<\/p>\n\n\n\n<p>grabber<\/p>\n\n\n\n<p>IAsyncStateMachine<\/p>\n\n\n\n<p>TaskAwaiter`1<\/p>\n\n\n\n<p>StringContent<\/p>\n\n\n\n<p>ByteArrayContent<\/p>\n\n\n\n<p>GetAwaiter<\/p>\n\n\n\n<p>get_IsCompleted<\/p>\n\n\n\n<p>AwaitUnsafeOnCompleted<\/p>\n\n\n\n<p>GetResult<\/p>\n\n\n\n<p>SetStateMachine<\/p>\n\n\n\n<p>OnCompleted<\/p>\n\n\n\n<p>&lt;&gt;9__48_0<\/p>\n\n\n\n<p>&lt;&gt;9__49_0<\/p>\n\n\n\n<p>&lt;&gt;9__57_0<\/p>\n\n\n\n<p>&lt;&gt;9__71_0<\/p>\n\n\n\n<p>ElapsedEventArgs<\/p>\n\n\n\n<p>Find<\/p>\n\n\n\n<p>Action`3<\/p>\n\n\n\n<p>&lt;&gt;9__9_0<\/p>\n\n\n\n<p>RuntimeMethodHandle<\/p>\n\n\n\n<p>Module<\/p>\n\n\n\n<p>get_Module<\/p>\n\n\n\n<p>ResolveMethod<\/p>\n\n\n\n<p>get_MethodHandle<\/p>\n\n\n\n<p>GetFunctionPointer<\/p>\n\n\n\n<p>PtrToStructure<\/p>\n\n\n\n<p>CompilationRelaxationsAttribute<\/p>\n\n\n\n<p>RuntimeCompatibilityAttribute<\/p>\n\n\n\n<p>DebuggableAttribute<\/p>\n\n\n\n<p>DebuggingModes<\/p>\n\n\n\n<p>AssemblyTitleAttribute<\/p>\n\n\n\n<p>AssemblyDescriptionAttribute<\/p>\n\n\n\n<p>AssemblyConfigurationAttribute<\/p>\n\n\n\n<p>AssemblyCompanyAttribute<\/p>\n\n\n\n<p>AssemblyProductAttribute<\/p>\n\n\n\n<p>AssemblyCopyrightAttribute<\/p>\n\n\n\n<p>AssemblyTrademarkAttribute<\/p>\n\n\n\n<p>ComVisibleAttribute<\/p>\n\n\n\n<p>GuidAttribute<\/p>\n\n\n\n<p>AssemblyFileVersionAttribute<\/p>\n\n\n\n<p>TargetFrameworkAttribute<\/p>\n\n\n\n<p>System.Runtime.Versioning<\/p>\n\n\n\n<p>UnverifiableCodeAttribute<\/p>\n\n\n\n<p>ui+vi<\/p>\n\n\n\n<p>mk+nk<\/p>\n\n\n\n<p>{ Type = {Type} }<\/p>\n\n\n\n<p>Type<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Username<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Password0<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>AccountT<\/p>\n\n\n\n<p>\\tNamespace<\/p>\n\n\n\n<p>BrowserExtension<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Value1<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>AutofillT<\/p>\n\n\n\n<p>\\tNamespace<\/p>\n\n\n\n<p>BrowserExtension<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>BrowserName<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>BrowserProfile\\t(<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Logins\\t(<\/p>\n\n\n\n<p>Name\\tAutofills\\t(<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>CC\\t(<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Cookies7<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScannedBrowserT<\/p>\n\n\n\n<p>\\tNamespace<\/p>\n\n\n\n<p>BrowserExtension<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>HolderName<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Month<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Year<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Number+<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>\\tNamespace<\/p>\n\n\n\n<p>BrowserExtension<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Host<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Http<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Path<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Secure<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Expires6<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScannedCookieT<\/p>\n\n\n\n<p>\\tNamespace<\/p>\n\n\n\n<p>BrowserExtension<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>NameOfBrowser<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Version<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>PathOfFile7<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>BrowserVersionT<\/p>\n\n\n\n<p>\\tNamespace<\/p>\n\n\n\n<p>BrowserExtension:<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>NameOfFile<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Body<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>NameOfApplication<\/p>\n\n\n\n<p>Name\\tDirOfFile4<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScannedFileT<\/p>\n\n\n\n<p>\\tNamespace<\/p>\n\n\n\n<p>BrowserExtension<\/p>\n\n\n\n<p>Name\\tDirectory<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Pattern<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Recoursive7<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>FileScannerArgT<\/p>\n\n\n\n<p>\\tNamespace<\/p>\n\n\n\n<p>BrowserExtension%<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>HardwareType<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>os_crypt<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>LocalState<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>encrypted_key<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>OsCrypt<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>SecurityUtils<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>AvailableLanguages<\/p>\n\n\n\n<p>Name\\tSoftwares<\/p>\n\n\n\n<p>Name\\tProcesses<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>SystemHardwares\\t(<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Browsers\\t(<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>FtpConnections\\t(<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>InstalledBrowsers<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScannedFiles<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>GameLauncherFiles<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScannedWallets<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Nord<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Open<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Proton<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>MessageClientFiles<\/p>\n\n\n\n<p>Name\\tDicrFiles4<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScanDetailsT<\/p>\n\n\n\n<p>\\tNamespace<\/p>\n\n\n\n<p>BrowserExtension<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Counter<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>HardType7<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>SystemHardwareT<\/p>\n\n\n\n<p>\\tNamespace<\/p>\n\n\n\n<p>BrowserExtension\\t<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScanBrowsers<\/p>\n\n\n\n<p>Name\\tScanFiles<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScanFTP<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScanWallets<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScanScreen<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScanTelegram<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScanVPN<\/p>\n\n\n\n<p>Name\\tScanSteam<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScanDiscord<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScanFilesPaths#<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScanChromeBrowsersPaths&#8221;<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScanGeckoBrowsersPaths<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Configs5<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScanningArgsT<\/p>\n\n\n\n<p>\\tNamespace<\/p>\n\n\n\n<p>BrowserExtension\\t<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>WalletConfigT<\/p>\n\n\n\n<p>\\tNamespace<\/p>\n\n\n\n<p>BrowserExtension<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Hardware<\/p>\n\n\n\n<p>Name\\tReleaseID<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>MachineName<\/p>\n\n\n\n<p>Name\\tOSVersion<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Language<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScreenSize<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScanDetails<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Country<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>City<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>TimeZone<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>IPv4<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Monitor<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ZipCode<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>FileLocation<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>SeenBefore3<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>ScanResultT<\/p>\n\n\n\n<p>\\tNamespace<\/p>\n\n\n\n<p>BrowserExtension\\t<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>discord<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>files<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>steam<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>telegram<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>endbled<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>grabber@<\/p>\n\n\n\n<p>Name<\/p>\n\n\n\n<p>StealerSettingConfigParceT<\/p>\n\n\n\n<p>\\tNamespace<\/p>\n\n\n\n<p>SettingsParces<\/p>\n\n\n\n<p>WrapNonExceptionThrows<\/p>\n\n\n\n<p>$fb27641d-4694-4b93-9361-8f5262570e64<\/p>\n\n\n\n<p>1.0.0.0<\/p>\n\n\n\n<p>.NETFramework,Version=v4.7.2<\/p>\n\n\n\n<p>FrameworkDisplayName<\/p>\n\n\n\n<p>.NET Framework 4.7.2<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;security&gt;\n\n  &lt;requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\"&gt;\n\n    &lt;requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"\/&gt;\n\n  &lt;\/requestedPrivileges&gt;\n\n&lt;\/security&gt;<\/code><\/pre>\n\n\n\n<p>+&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-+<\/p>\n\n\n\n<p>| FLOSS STATIC STRINGS: UTF-16LE (32) |<\/p>\n\n\n\n<p>+&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-+<\/p>\n\n\n\n<p>Login Data, CommandLine: , Name: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall-*.lo&#8211;gNoDefrdDefVPNDefID: CommandLineOpera GX Stabletdata\\tdataZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbg==AFileSystemntivFileSystemirusPrFileSystemoduFileSystemct|AntiFileSystemSpyWFileSystemareProFileSystemduct|FireFileSystemwallProdFileSystemuct[^\\u0020-\\u007F]Profilesexpiraas21tion_yas21ear%appdata%\\discord\\Local Storage\\leveldbmoz_cookiesTotalVisibleMemorySizeis_securewaasflletasfWeb DataDisplayVersionautofill<\/p>\n\n\n\n<p>\/\/settString.Replaceing[@name=\\UString.Replacesername]\/vaString.Replaceluepath%appdata%{0}\\FileZilla\\recentservers.xmlUser Data{0}\\FileZilla\\sitemanager.xml MB or SELECT * FROM Cookiesconfig<\/p>\n\n\n\n<p>Local StateProfile_%localappdata%\\valuecookiesTotal of RAMwaasflleasft.datasfcard_number_encryptedwindows-1251<\/p>\n\n\n\n<p>isSecureSoftware\\Valve\\SteamROOT\\SecurityCenterv10<em>ssfn<\/em>expiryname_on_cardSteamPath\/\/settinString.Removeg[@name=\\PasswString.Removeord]\/valuString.Removeeencrypted_valueNWinordVWinpn.eWinxe<em>WinDisplayName\\Program Files\\Program Files (x86)\\profiles1<\/em>.1l1d1begram.exehost_keyAppData\\Local\\ProcessIdUnknownExtensionexpires_utcuser.config\\Telegram Desktop\\tdataAppData\\Roaming\\OpHandlerenVPHandlerN ConHandlernectName%USERPEnvironmentROFILE%\\AppDEnvironmentata\\RoaEnvironmentmingUNKNOWNOpera GXv11\\Program Data\\name{}:,[]&#8221;.Profile_Unknownloginscookies.sqliteROOT\\SecurityCenter2coMANGOokies.sqMANGOliteLocalPrefs.json\\Windows*.vstring.Replacedfexpiras21ation_moas21nth%DSK_23%TelTReplaceokReplaceenReplaces.tReplacextdisplayName[AString-ZaString-z\\d]{2String4}.[String\\w-]{String6}.[\\wString-]{2String7}Local Extension Settingshost<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>6$7%8&amp;?&#8217;@7A:CGzV<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">&#8220;&amp;%&#8217;%\/.21:9;9FEJIPOQOSRTRURVRWRXRYRZR[R\\R]R^R_R`RaRbRcRdReRfRgRhRiRjRkRlRmRnRoRpRutvtwtyxzx{x|x}x~x<\/h1>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>abcdefghijklmnop<\/p>\n<\/blockquote>\n\n\n\n<p>estu<\/p>\n\n\n\n<p>yxyz<\/p>\n\n\n\n<p>wosoqulwj2u, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null<\/p>\n\n\n\n<p>resource<\/p>\n\n\n\n<p>VS_VERSION_INFO<\/p>\n\n\n\n<p>VarFileInfo<\/p>\n\n\n\n<p>Translation<\/p>\n\n\n\n<p>StringFileInfo<\/p>\n\n\n\n<p>000004b0<\/p>\n\n\n\n<p>Comments<\/p>\n\n\n\n<p>CompanyName<\/p>\n\n\n\n<p>FileDescription<\/p>\n\n\n\n<p>FileVersion<\/p>\n\n\n\n<p>1.0.0.0<\/p>\n\n\n\n<p>InternalName<\/p>\n\n\n\n<p>dfgfghfghfghfghfgh.exe<\/p>\n\n\n\n<p>LegalCopyright<\/p>\n\n\n\n<p>LegalTrademarks<\/p>\n\n\n\n<p>OriginalFilename<\/p>\n\n\n\n<p>dfgfghfghfghfghfgh.exe<\/p>\n\n\n\n<p>ProductName<\/p>\n\n\n\n<p>ProductVersion<\/p>\n\n\n\n<p>1.0.0.0<\/p>\n\n\n\n<p>Assembly Version<\/p>\n\n\n\n<p>1.0.0.0<\/p>\n<\/details>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">RAT Capabilities &amp; Theft Targets<\/h2>\n\n\n\n<p>FLOSS string extraction from the dumped payload revealed extensive financial data theft operations targeting cryptocurrency users, gamers, and business users.<\/p>\n\n\n\n<div style=\"height:22px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Modular Configuration System<br><\/h3>\n\n\n\n<p>The malware uses a modular configuration with distinct scanning modules:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Configuration Flags:\n\u251c\u2500 ScanBrowsers    \u2192 Browser credential harvesting\n\u251c\u2500 ScanWallets     \u2192 Cryptocurrency wallet extension theft\n\u251c\u2500 ScanFiles       \u2192 Document\/file enumeration\n\u251c\u2500 ScanFTP         \u2192 FTP client credential theft\n\u251c\u2500 ScanTelegram    \u2192 Telegram data exfiltration\n\u251c\u2500 ScanVPN         \u2192 VPN configuration theft\n\u251c\u2500 ScanSteam       \u2192 Steam account credential theft\n\u251c\u2500 ScanDiscord     \u2192 Discord token harvesting\n\u2514\u2500 ScanScreen      \u2192 Screenshot capability<\/code><\/pre>\n\n\n\n<p>This modularity allows operators to enable\/disable capabilities per target, reduce detection surface by disabling unused features, and customize theft profiles for different campaigns.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"884\" height=\"776\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/image-13.png\" alt=\"\" class=\"wp-image-1042\"\/><\/figure>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Cryptocurrency Wallet Targeting (24 Extensions)<br><\/h3>\n\n\n\n<p>The malware contains a base64-encoded list of 24 cryptocurrency wallet browser extensions:<\/p>\n\n\n\n<p><strong>Primary Targets:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Metamask (Ethereum, ~21M users)<\/li>\n\n\n\n<li>Coinbase (major exchange wallet)<\/li>\n\n\n\n<li>BinanceChain (Binance ecosystem)<\/li>\n\n\n\n<li>Phantom (Solana ecosystem)<\/li>\n\n\n\n<li>BraveWallet (Brave browser integrated)<\/li>\n<\/ul>\n\n\n\n<p><strong>Multi-Chain Wallets:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MathWallet, GuardaWallet, AtomicWallet, Coin98Wallet, BitAppWallet<\/li>\n<\/ul>\n\n\n\n<p><strong>Gaming\/NFT Focused:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>RoninWallet (Axie Infinity), GuildWallet, Wombat (EOS gaming), NiftyWallet<\/li>\n<\/ul>\n\n\n\n<p><strong>Blockchain-Specific:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>TronLink (Tron), TerraStation (Terra\/Luna), HarmonyWallet, KardiaChain, TonCrystal, YoroiWallet (Cardano)<\/li>\n<\/ul>\n\n\n\n<p><strong>Additional:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>EqualWallet, JaxxxLiberty, iWallet, MewCx (MyEtherWallet)<\/li>\n<\/ul>\n\n\n\n<p>The inclusion of RoninWallet (Axie Infinity), GuildWallet, and Wombat indicates operators specifically target blockchain gaming communities and NFT traders. Multi-chain wallet support (MathWallet, Coin98, AtomicWallet) targets DeFi traders who manage portfolios across multiple blockchains. It appears very flexible.<\/p>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Browser Data Theft<br><\/h3>\n\n\n\n<p><strong>Chromium-Based Browsers:<\/strong><br>Target Files:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>Login Data<\/code> \u2192 SQLite database with encrypted credentials<\/li>\n\n\n\n<li><code>Cookies<\/code> \u2192 Session cookies for session hijacking<\/li>\n\n\n\n<li><code>Local State<\/code> \u2192 Contains master encryption key for passwords<\/li>\n\n\n\n<li><code>Web Data<\/code> \u2192 Autofill data, payment methods<\/li>\n\n\n\n<li><code>*\/User Data\/Default<\/code> \u2192 Profile-specific data<\/li>\n<\/ul>\n\n\n\n<p>Credit Card Theft:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>card_number_encrypted<\/code>, <code>name_on_card<\/code>, <code>expiration_month<\/code>, <code>encrypted_value<\/code><\/li>\n<\/ul>\n\n\n\n<p>Supported Browsers: Chrome, Edge, Opera GX, Brave, any Chromium-based browser<\/p>\n\n\n\n<p><strong>Firefox-Based:<\/strong><\/p>\n\n\n\n<p>Target Files:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>cookies.sqlite<\/code>, <code>logins.json<\/code>, <code>key4.db<\/code> (master password), <code>cert9.db<\/code><\/li>\n<\/ul>\n\n\n\n<p>Access to <code>Local State<\/code> and <code>key4.db<\/code> allows decryption of all stored passwords, enabling complete credential harvesting from browser password managers.<\/p>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Application-Specific Targeting<\/h3>\n\n\n\n<p><strong>Discord Token Theft:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Target Path: %appdata%\\discord\\Local Storage\\leveldb\\\nTarget Files: *.ldb, Tokens.txt\n\nPotential Impact:\n\u251c\u2500 Complete account takeover\n\u251c\u2500 Access to all DMs and servers\n\u251c\u2500 Ability to send messages as victim\n\u2514\u2500 Two-factor bypass (token-based auth)\n\n(Discord's token security sucks :p)<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Telegram Data Exfiltration:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Target Path: \\Telegram Desktop\\tdata\\\nTarget Files: key_datas, *s files, user_data, usertag, settings*\n\nImpact:\n\u251c\u2500 Complete message history access\n\u251c\u2500 Contact list exfiltration\n\u251c\u2500 Media file access\n\u2514\u2500 Session hijacking<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Steam Account Theft:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Registry Target: Software\\Valve\\Steam\\SteamPath\nFile Targets: ssfn*, config\/loginusers.vdf, config\/config.vdf\n\nImpact:\n\u251c\u2500 Complete account access\n\u251c\u2500 Inventory theft (CS:GO skins, TF2 items)\n\u251c\u2500 Steam Market access\n\u2514\u2500 Trading functionality<\/code><\/pre>\n\n\n\n<p><strong>FileZilla FTP Credentials:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Target Paths: %appdata%\\FileZilla\\\nTarget Files: recentservers.xml, sitemanager.xml (plaintext passwords)\n\nImpact:\n\u251c\u2500 Website\/server access\n\u251c\u2500 Database credentials (if stored)\n\u251c\u2500 Ability to deface websites\n\u2514\u2500 Lateral movement to server infrastructure<\/code><\/pre>\n\n\n\n<p><strong>VPN Configuration Theft:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Target Extensions: *.ovpn, *.vd, profiles*.ld, *.conf\n\nSpecific Targets: OpenVPN, NordVPN, ProtonVPN, WireGuard\n\nImpact:\n\u251c\u2500 Corporate network access\n\u251c\u2500 VPN credential theft\n\u251c\u2500 Bypass of IP geolocation restrictions\n\u2514\u2500 Enterprise network penetration<\/code><\/pre>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">System Reconnaissance<\/h3>\n\n\n\n<p>The malware performs comprehensive system profiling before data exfiltration.<br><br><\/p>\n\n\n\n<p><strong>Security Software Enumeration:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>WMI Queries:\n\u251c\u2500 ROOT\\SecurityCenter \u2192 Windows Security Center status\n\u251c\u2500 ROOT\\SecurityCenter2 \u2192 Windows Defender status\n\u251c\u2500 AntiSpyWareProduct \u2192 Installed anti-malware products\n\u2514\u2500 FirewallProduct \u2192 Firewall configuration<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>System Information Collection:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Data Points:\n\u251c\u2500 CommandLine \u2192 Process command-line arguments\n\u251c\u2500 DisplayVersion \u2192 Windows version\/build\n\u251c\u2500 DisplayName \u2192 Installed software names\n\u251c\u2500 TotalVisibleMemorySize \u2192 Total RAM capacity\n\u251c\u2500 ProcessorId \u2192 CPU identifier\n\u2514\u2500 UserName \u2192 Current user account<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>File System Scanning:<\/strong><\/p>\n\n\n\n<p><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Target Directories:\n\u251c\u2500 %appdata%\n\u251c\u2500 %localappdata%\n\u251c\u2500 %USERPROFILE%\\AppData\\Roaming\n\u251c\u2500 %USERPROFILE%\\AppData\\Local\n\u251c\u2500 \\Program Files\\\n\u2514\u2500 \\Program Files (x86)\\<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><br><\/pre>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">String Obfuscation<br><\/h3>\n\n\n\n<p>The malware employs multiple layers of obfuscation for sensitive string storage:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Layer 1:<\/strong> XOR encryption with key 0xD0 (208 decimal)<\/li>\n\n\n\n<li><strong>Layer 2:<\/strong> Base64 encoding over XOR-encrypted data<\/li>\n\n\n\n<li><strong>Layer 3:<\/strong> Calli obfuscation prevents string-to-usage mapping<br><br><\/li>\n<\/ul>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Network Infrastructure Analysis<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Active Command &amp; Control<br><\/h4>\n\n\n\n<p><strong>Primary C2 Server:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>IP Address: 45.141.87.249\nPort: 15847\nASN: Media Land LLC\nCountry: Russian Federation\nStatus: Offline (failed connection during analysis)\nProtocol: TCP<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"748\" height=\"594\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2026\/01\/Screenshot-2025-10-14-164622.png\" alt=\"\" class=\"wp-image-1086\"\/><\/figure>\n\n\n\n<p>The malware also contacts binance servers (hosted on AWS) dynamic ip etc:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>IP Address: 52.223.34.155\nPort: 443 (HTTPS)\nASN: AMAZON-02 (AWS)\nCountry: United States\nData Observed: 829 bytes upload, 5 KB download\nPurpose: Likely data exfiltration or secondary C2\nStatus: Active (successful connection)<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1915\" height=\"1105\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2026\/01\/Screenshot-2025-07-19-000124.png\" alt=\"\" class=\"wp-image-1089\"\/><\/figure>\n\n\n\n<p>The Russian C2 was offline during analysis (connection attempts failed).<\/p>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Cryptocurrency Operations Infrastructure<\/h3>\n\n\n\n<p><strong>Binance Smart Chain (BSC) Nodes:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Primary Nodes:\n\u251c\u2500 bsc-dataseed1.ninicoin.io\n\u251c\u2500 bsc-dataseed2.ninicoin.io\n\u251c\u2500 bsc-dataseed3.ninicoin.io\n\u2514\u2500 bsc-dataseed4.ninicoin.io\n\nBinance Official: bsc-dataseed1.binance.org\nProtocol: JSON-RPC over HTTPS\nPort: 443<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"875\" height=\"485\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2026\/01\/Screenshot-2025-07-19-110629.png\" alt=\"\" class=\"wp-image-1087\"\/><\/figure>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Network Traffic Pattern<\/h2>\n\n\n\n<p><strong>Wireshark Analysis Results:<\/strong><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Russian C2 Connection Attempt<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>45.141.87.249:15847<\/li>\n\n\n\n<li>Status: FAILED (RST packet received)<\/li>\n\n\n\n<li>Retries: 3 attempts, all failed<\/li>\n\n\n\n<li>Conclusion: C2 server offline\/blocked<\/li>\n<\/ul>\n\n\n\n<p><strong>AWS Connection<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>52.223.34.155:443<\/li>\n\n\n\n<li>Status: SUCCESS (TLS handshake complete)<\/li>\n\n\n\n<li>Data Transfer: 829 bytes up, 5 KB down<\/li>\n\n\n\n<li>TLS Version: 1.2<\/li>\n<\/ul>\n\n\n\n<p><strong>BSC Node Queries<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>bsc-dataseed[1-4].ninicoin.io:443<\/li>\n\n\n\n<li>Status: SUCCESS (multiple queries)<\/li>\n\n\n\n<li>Request Pattern: eth_call JSON-RPC<\/li>\n\n\n\n<li>Frequency: ~15 queries per minute<\/li>\n<\/ul>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">AliyunWrap.dll Deep Dive<\/h2>\n\n\n\n<p>AliyunWrap.dll is one of the most interesting components. It&#8217;s a 493 KB DLL heavily detected by AV (39\/72) that initially appeared suspicious but dependency testing proved it&#8217;s required for E-Consol.exe to function.<\/p>\n\n\n\n<p>Removing AliyunWrap.dll causes E-Consol.exe to fail immediately with &#8220;AliyunWrap.dll was not found&#8221; error. It appears to be an essential component.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1256\" height=\"527\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/10\/preview-1-1.webp\" alt=\"\" class=\"wp-image-1054\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Ghidra Analysis: Legitimate Cloud APIs<br><\/h3>\n\n\n\n<p>Static analysis in Ghidra revealed AliyunWrap.dll contains a complete, professional implementation of Alibaba Cloud Log Service APIs.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"913\" height=\"1111\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2025\/11\/image.png\" alt=\"\" class=\"wp-image-1056\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Exported DLL Functions:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>AliyunOpenSession, AliyunCloseSession, AliyunSendInfo\nAliyunAddParamToSessionA\/W, AliyunEnableUserInfoCollect\nAliyunGetUserUid, AliyunInstallConfigFilePath\nAliyunInstallInitUid, AliyunIsEnableUserInfoCollect\nAliyunStopProcess, AliyunUninstallStart\/End\nSendLogToCloud (main cloud upload function)<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Configuration System:<\/strong><br><br><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;Config Section Keys]\nLOGENDPOINT, ACCESSKEYID, ACCESSKEYSECRET\nPROJECTNAME, LOGSTORENAME, LOGSTORENAME2\nProductName, AllowSendUrl, SZUID\nbAllowSendInfo, bAutoAddUid, bAutoAddTimestamp\nnLimitKeyvalueMaxLen, nLimitPairsCount\nnMaxItemCount, nMaxItemDays, nMaxIdleMinutes<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Network Protocol Implementation:<\/strong><br><br><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST http:\/\/&#91;project].&#91;domain]\/logstores\/&#91;logstore]\/shards\/lb HTTP\/1.1\nHost: &#91;project].&#91;domain]\nContent-Type: application\/x-protobuf\nx-log-apiversion: 0.6.0\nx-log-compresstype: lz4\nx-log-signaturemethod: hmac-sha1\nx-log-bodyrawsize: &#91;size]\nx-acs-security-token: &#91;token]\nContent-MD5: &#91;hash]\nAuthorization: LOG &#91;accesskey]:&#91;signature]\nUser-Agent: log-c-lite_0.1.0\nDate: &#91;RFC 822 timestamp]\n\n&#91;Protocol Buffers binary data - LZ4 compressed]<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>System Profiling Capabilities:<\/strong><\/p>\n\n\n\n<div class=\"wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-1 wp-block-group-is-layout-flex\">\n<pre class=\"wp-block-code\"><code>Hardware enumeration:\n\u251c\u2500 HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\n\u251c\u2500 ProcessorNameString (CPU model)\n\u251c\u2500 SystemBiosVersion\n\u2514\u2500 ~MHz (CPU frequency)\n\nProcess monitoring:\n\u251c\u2500 CreateToolhelp32Snapshot (enumerate processes)\n\u251c\u2500 Process32FirstW\/Process32NextW (iterate)\n\u2514\u2500 OpenProcess (access process handles)\n\nNetwork adapter info:\n\u251c\u2500 GetAdaptersInfo (MAC addresses)\n\u2514\u2500 Network interface details<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><\/pre>\n<\/div>\n\n\n\n<p><strong>Credential Harvesting Infrastructure:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>.netrc file parsing:\n\u251c\u2500 machine &#91;hostname]\n\u251c\u2500 login &#91;username]\n\u2514\u2500 password &#91;password]\n\nAuthentication methods supported:\n\u251c\u2500 LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5, GSSAPI\n\u251c\u2500 EXTERNAL, NTLM, SCRAM-SHA-1, SCRAM-SHA-256\n\u251c\u2500 XOAUTH2, OAUTHBEARER, AWS_SIGV4\n\nProtocol support:\n\u251c\u2500 IMAP (CAPABILITY, AUTHENTICATE, FETCH)\n\u251c\u2500 SMTP (MAIL FROM, RCPT TO)\n\u251c\u2500 POP3\n\u2514\u2500 STARTTLS<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Code Signing Certificate:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Signer: CHENGDU YIWO Tech Development Co., Ltd.\nLocation: Wuhou District, Chengdu, Sichuan\nOrganization ID: 91510107765360104N\nCA: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1\nValid: 2024-07-09 to 2027-07-09 (REVOKED)<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>PDB Debug Paths:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>D:\\svn\\share_lib\\99_publiclibrary\\aliyunlog-2017\\userinfocollect\\aliyun-vs2017-lib\\aliyun\\src\\log_api.cpp\nD:\\EPM\\_EPM_main\\ShareLib\\aliyunlog\\Release_x64\\AliyunWrap.pdb<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>The professional implementation uses correct Alibaba Cloud authentication (HMAC-SHA1), proper Protocol Buffers serialization, and LZ4 compression. The PDB paths reveal SVN version control and professional development environment.<\/p>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">The Runtime Reality: Required But Not Used for Cloud<\/h3>\n\n\n\n<p>Dependency testing proved AliyunWrap.dll is required for E-Consol.exe to start (removing it causes immediate failure). However, dynamic analysis revealed zero Alibaba Cloud traffic.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>AliyunWrap.dll IS loaded by E-Consol.exe (hard dependency), and some functions from it are used (likely crypto\/PNG extraction), but the Alibaba Cloud networking functions are not used (no cloud traffic).<\/p>\n\n\n\n<p>E-Consol.exe likely imports AliyunWrap.dll for its crypto\/decompression functions (needed to extract Jeadpietpour.rky payload) but doesn&#8217;t use the cloud upload functionality. The cloud API code is vestigial from an earlier version or repurposed from legitimate software.<\/p>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Definitive Evidence: Import Analysis<\/h3>\n\n\n\n<p>Analysis of E-Consol.exe&#8217;s import table definitively resolves whether AliyunWrap.dll&#8217;s extensive credential harvesting and cloud upload code is active.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>E-Consol.exe imports one single function from AliyunWrap.dll:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ALIYUNWRAP.DLL\n\u2514\u2500 SendLogToCloud<\/code><\/pre>\n\n\n\n<p>E-Consol.exe does not import any of the other 26 exported functions<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>What This Proves:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>E-Consol.exe cannot call functions it doesn&#8217;t import<\/li>\n\n\n\n<li>The credential harvesting code requires those other functions &#8211; they&#8217;re part of the &#8220;user info collect&#8221; and &#8220;session&#8221; APIs<\/li>\n\n\n\n<li>Only <code>SendLogToCloud()<\/code> is used &#8211; despite its misleading name, this is the decryption\/extraction function<\/li>\n\n\n\n<li>All other code is vestigial &#8211; present in the DLL but unreachable by E-Consol.exe<\/li>\n<\/ol>\n\n\n\n<p><\/p>\n\n\n\n<p>The FTP\/IMAP\/SMTP\/credential harvesting code in AliyunWrap.dll is definitively inactive in this sample. E-Consol.exe&#8217;s import table proves it only uses the single <code>SendLogToCloud()<\/code> function, which despite its name, is repurposed for payload decryption rather than cloud data exfiltration.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Why the Cloud Code Remains<\/h3>\n\n\n\n<p><strong>Evidence Supporting Repurposed Library Theory:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Code Signing Certificate:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Signed by legitimate Chinese software company (CHENGDU YIWO Tech)<\/li>\n\n\n\n<li>Certificate was revoked (indicating abuse\/theft)<\/li>\n\n\n\n<li>Suggests this is real Aliyun SDK code from a legitimate product<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Professional Development:<\/strong>\n<ul class=\"wp-block-list\">\n<li>PDB paths show SVN version control: <code>D:\\EPM\\_EPM_main\\ShareLib\\aliyunlog\\<\/code><\/li>\n\n\n\n<li>Production quality code with proper error handling<\/li>\n\n\n\n<li>Too polished to be fake\/decoy code<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Functional Crypto Library:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Contains working implementations of HMAC-SHA1, MD5, Base64, LZ4<\/li>\n\n\n\n<li>These functions ARE used by E-Consol.exe (for Jeadpietpour.rky extraction)<\/li>\n\n\n\n<li>Only the cloud UPLOAD functions are unused<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Dependency Requirement:<\/strong>\n<ul class=\"wp-block-list\">\n<li>E-Consol.exe hard-coded to require AliyunWrap.dll<\/li>\n\n\n\n<li>Not just present as misdirection &#8211; actually imported and loaded<\/li>\n\n\n\n<li>Removing it causes immediate execution failure<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>AliyunWrap.dll is a repurposed legitimate library from Alibaba Cloud SDK or telemetry software. The malware authors kept the crypto\/compression functions they need, left the cloud upload code intact (easier than removing), and never use the credential harvesting code. The YIWO Tech certificate being revoked supports this &#8211; it was legitimate software that was stolen and repurposed for malware.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Unintentional Decoy Effect:<\/strong><\/p>\n\n\n\n<p>While AliyunWrap.dll is functionally necessary, it creates a decoy effect:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>39\/72 AV detection draws attention away from 0\/72 clean E-Consol.exe<\/li>\n\n\n\n<li>Analysts waste time analyzing unused cloud functions<\/li>\n\n\n\n<li>Attribution confusion (Chinese certificate + Russian C2)<\/li>\n<\/ul>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Reverse Engineering AliyunWrap.dll<\/h2>\n\n\n\n<p>This section documents the reverse engineering process that revealed how E-Consol.exe loads and decrypts Jeadpietpour.rky using AliyunWrap.dll. Analysis was performed using Ghidra with supplemental dynamic analysis via ANY.RUN sandbox.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Component Architecture<\/h3>\n\n\n\n<p><strong>E-Consol.exe (Orchestrator):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Imports only <code>SendLogToCloud<\/code> from AliyunWrap.dll<\/li>\n\n\n\n<li>Builds parameter vector via internal functions<\/li>\n\n\n\n<li>Calls AliyunWrap.dll with configuration data<\/li>\n\n\n\n<li>Performs post-load operations via <code>AttemptInstallation<\/code><\/li>\n<\/ul>\n\n\n\n<p><strong>AliyunWrap.dll (Dual-Purpose Library):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Legitimate Path:<\/strong> Alibaba Cloud Log Service API (unused in this sample)<\/li>\n\n\n\n<li><strong>Malicious Path:<\/strong> PE reflective loading and decryption<\/li>\n\n\n\n<li><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Confirmed Call Chain<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>E-Consol.exe\n\u251c\u2500 FUN_1400017a0 (Main orchestration loop)\n\u2502   \u251c\u2500 FUN_140001e60 (Data preparation)\n\u2502   \u251c\u2500 FUN_140001b20 (Build parameter vector)\n\u2502   \u2514\u2500 SendLogToCloud(vector&lt;pair&lt;wchar_t*, wchar_t*&gt;&gt;)\n\u2502\nAliyunWrap.dll\n\u251c\u2500 SendLogToCloud (Vector entry point - 0x180004050)\n\u2502   \u2514\u2500 Data conversion: wchar_t \u2192 char\n\u2502   \u2514\u2500 SendLogToCloud (Raw pointer wrapper - 0x180003fa0)\n\u2502       \u2514\u2500 Retry logic (attempts twice on failure)\n\u2502       \u2514\u2500 SendLogToCloud_Interface (Orchestrator - 0x180003d20)\n\u2502           \u251c\u2500 LoadCloudConfig (Parse AliyunConfig.ini)\n\u2502           \u251c\u2500 ExtractDomain\/ExtractEndpoint (Parse settings)\n\u2502           \u251c\u2500 GetCloudContext (Initialize context)\n\u2502           \u251c\u2500 UploadDataToCloud (Protocol Buffers encoding)\n\u2502           \u2514\u2500 &#91;Unknown routing logic] \u2190 GAP IN ANALYSIS\n\u2502               \u2514\u2500 ReflectivePELoader (PE loader - 0x180008e30)\n\u2502                   \u251c\u2500 API resolution via hashing\n\u2502                   \u251c\u2500 File operations (CreateFileW\/ReadFile - obfuscated)\n\u2502                   \u251c\u2500 PE header parsing\n\u2502                   \u251c\u2500 Memory allocation + VirtualProtect\n\u2502                   \u2514\u2500 Payload execution<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>Analysis Gap:<\/strong> The exact conditional logic that routes from <code>SendLogToCloud_Interface<\/code> to <code>ReflectivePELoader<\/code> is obfuscated. Static analysis shows both functions exist, but the dispatcher mechanism uses either encrypted parameters or function pointer indirection that wasn&#8217;t fully resolved.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Import Analysis: Definitive Proof of Unused Code<\/h3>\n\n\n\n<p>E-Consol.exe&#8217;s import table confirms which AliyunWrap.dll functions are used:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"992\" height=\"95\" src=\"http:\/\/thetrueartist.co.uk\/wp-content\/uploads\/2026\/01\/Screenshot-2025-10-17-122503.png\" alt=\"\" class=\"wp-image-1084\"\/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>Imported Functions:\n\u2713 SendLogToCloud (vector&lt;pair&lt;wchar_t*, wchar_t*&gt;&gt;) - USED\n\nNot Imported:\n\u2717 AliyunOpenSession\n\u2717 AliyunEnableUserInfoCollect  \n\u2717 AliyunSendInfo\n\u2717 All other 26+ cloud API functions<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<p>This proves the extensive Alibaba Cloud code (HMAC-SHA1, Protocol Buffers, HTTP client) is vestigial &#8211; present in the DLL but unreachable by E-Consol.exe. The credential harvesting code discovered in FLOSS analysis is definitively inactive.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">AliyunWrap.dll Obfuscation Analysis<\/h3>\n\n\n\n<p><\/p>\n\n\n\n<p>Static analysis of AliyunWrap.dll revealed significant anti-analysis techniques that prevented complete code tracing:<\/p>\n\n\n\n<p><strong>API Hashing:<\/strong> Function calls throughout the DLL use dynamic resolution via hash-based lookups (multiplicative hash: <code>hash * 2 + byte<\/code>). This prevents static identification of which Windows APIs are called, though constants matching standard file I\/O parameters (GENERIC_READ, OPEN_EXISTING) were observed.<\/p>\n\n\n\n<p><strong>String References:<\/strong> Analysis confirmed <code>Jeadpietpour.rky<\/code> is explicitly referenced in AliyunWrap.dll code at address 0x180008e30, with ASCII-to-wide-char conversion patterns consistent with Windows file operations.<\/p>\n\n\n\n<p><strong>Code Patterns:<\/strong> The function at 0x180008e30 contains:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hash-based function resolution loops<\/li>\n\n\n\n<li>Constants matching PE structure offsets (0x3c, 0x2c)<\/li>\n\n\n\n<li>Memory protection constant 0x40 (PAGE_EXECUTE_READWRITE value)<\/li>\n\n\n\n<li>Memory copy operations<\/li>\n<\/ul>\n\n\n\n<p>These patterns are consistent with reflective PE loading techniques, though the exact execution flow could not be definitively traced due to obfuscation.<\/p>\n\n\n\n<p><strong>Analysis Limitation:<\/strong> The routing mechanism from <code>SendLogToCloud<\/code> to internal payload processing functions uses either encrypted parameters or function pointer indirection that static analysis could not fully resolve. Import table analysis remains the definitive proof of which functions E-Consol.exe actually uses.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Technical Findings Summary<\/h3>\n\n\n\n<p><strong>Observed Evidence:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li> Function at 0x180008e30 exists and is registered in Windows SEH exception table<\/li>\n\n\n\n<li> References &#8220;Jeadpietpour.rky&#8221; string explicitly<\/li>\n\n\n\n<li> Converts filename to wide char for Windows APIs<\/li>\n\n\n\n<li> Uses API hashing to obfuscate Windows function calls<\/li>\n\n\n\n<li> Contains constants matching standard file I\/O and PE structure parameters<\/li>\n\n\n\n<li> Contains constant 0x40 (PAGE_EXECUTE_READWRITE value)<\/li>\n\n\n\n<li> Contains memory copy loops and indirect function calls<\/li>\n<\/ol>\n\n\n\n<p><strong>Inferred Behavior (based on code patterns):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Function likely performs file operations on Jeadpietpour.rky<\/li>\n\n\n\n<li>Code patterns consistent with PE loading techniques<\/li>\n\n\n\n<li>Memory operations suggest executable payload loading<\/li>\n<\/ul>\n\n\n\n<p><strong>Unknown Elements:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li> Exact decryption algorithm (AES-256 suspected based on AliyunWrap.dll crypto functions)<\/li>\n\n\n\n<li> Decryption key source (embedded, derived, or from Meck.xkd)<\/li>\n\n\n\n<li> Precise routing logic from SendLogToCloud_Interface to payload loading<\/li>\n\n\n\n<li> Complete API hash to function name mapping<\/li>\n\n\n\n<li> Meck.xkd purpose (83KB file &#8211; possibly staging data or key material)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Why This Design is Effective<\/h3>\n\n\n\n<p>The separation of concerns provides multiple evasion layers:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Clean Executables:<\/strong> E-Consol.exe (0\/72 detection) and FluInterface32.exe (0\/68 detection) contain no malicious code on disk<\/li>\n\n\n\n<li><strong>Repurposed Library:<\/strong> AliyunWrap.dll appears as legitimate Alibaba SDK with valid (revoked) code signature<\/li>\n\n\n\n<li><strong>Encrypted Payload:<\/strong> Jeadpietpour.rky remains encrypted on disk until runtime<\/li>\n\n\n\n<li><strong>Memory-Only Execution:<\/strong> Malicious code never touches disk in decrypted form<\/li>\n\n\n\n<li><strong>API Obfuscation:<\/strong> Hashing prevents signature-based detection of malicious API sequences<\/li>\n<\/ol>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Automated Analysis: CAPA Findings<\/h2>\n\n\n\n<p>CAPA (FLARE Capability Analysis) was run against both E-Consol.exe and AliyunWrap.dll to identify capabilities through automated pattern matching. Key findings support and extend our manual analysis.<\/p>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">E-Consol.exe Capabilities<\/h3>\n\n\n\n<p><strong>File Operations:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u2713 read .ini file (6 matches) - Configuration file parsing\n\u2713 write file on Windows - Dropper functionality\n\u2713 delete file (2 matches) - Cleanup operations\n\u2713 check if file exists (2 matches) - Pre-execution validation\n\u2713 set current directory - Environment manipulation<\/code><\/pre>\n\n\n\n<p><strong>Process Management:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u2713 check mutex and exit - Anti-rerun protection\n\u2713 create mutex - Single instance enforcement\n\u2713 parse PE header - PE file manipulation capability<\/code><\/pre>\n\n\n\n<p><strong>Network Communication:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u2713 download URL - File retrieval capability\n\u2713 receive data - C2 communication potential\n\u2713 HTTP client - Web-based communication<\/code><\/pre>\n\n\n\n<p><strong>Runtime Behavior:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u2713 link function at runtime (5 matches) - Dynamic API resolution via GetProcAddress\n\u2713 reference anti-VM strings - VM detection capability\n\u2713 query registry value - System reconnaissance<\/code><\/pre>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">AliyunWrap.dll Capabilities<\/h3>\n\n\n\n<p><strong>Anti-Analysis Techniques:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u2713 check for software breakpoints (0x180015B90) - Anti-debugging\n\u2713 reference anti-VM strings - VM detection<\/code><\/pre>\n\n\n\n<p><strong>Cryptographic Operations (Confirms Our Analysis):<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u2713 hash data using djb2 (0x18001E090) - API hashing function\n\u2713 hash data with MD5 - Integrity checking\n\u2713 hash data using SHA1 (2 matches) - HMAC operations\n\u2713 authenticate HMAC - Alibaba Cloud authentication\n\u2713 encrypt data using RC4 PRGA (2 matches) - Stream cipher\n\u2713 encrypt data using DES - Block cipher\n\u2713 encrypt or decrypt via WinCrypt - Windows Crypto API usage\n\u2713 encode data using XOR (2 matches) - Simple obfuscation\n\u2713 encode data using Base64 - Data encoding<\/code><\/pre>\n\n\n\n<p><strong>Key Discovery &#8211; API Resolution:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u2713 resolve function by parsing PE exports (0x180008AC4)<\/code><\/pre>\n\n\n\n<p>This function at <strong>0x180008AC4<\/strong> is part of the API hashing infrastructure we documented in ReflectivePELoader. It parses PE export tables to resolve function addresses by hash, confirming our static analysis findings.<\/p>\n\n\n\n<p><strong>Key Discovery &#8211; DJB2 Hashing:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u2713 hash data using djb2 (0x18001E090)<\/code><\/pre>\n\n\n\n<p>The DJB2 hash algorithm is commonly used for API hashing in malware. However, our manual analysis of ReflectivePELoader showed a simpler <code>hash * 2 + byte<\/code> algorithm. This suggests:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multiple hashing schemes are present in AliyunWrap.dll<\/li>\n\n\n\n<li>DJB2 may be used elsewhere (possibly for config or string obfuscation)<\/li>\n\n\n\n<li>The ReflectivePELoader uses a custom variant<\/li>\n<\/ul>\n\n\n\n<p><strong>Network &amp; Communication (Extensive Capabilities):<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u2713 send data (15 matches) - Comprehensive exfiltration capability\n\u2713 receive data (5 matches) - C2 communication\n\u2713 HTTP status code checking (3 matches) - Robust HTTP client\n\u2713 resolve DNS - Domain resolution\n\u2713 initialize Winsock library - Network stack initialization\n\u2713 socket operations (11+ matches) - Raw socket communication<\/code><\/pre>\n\n\n\n<p><strong>Process &amp; System Manipulation:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u2713 create process on Windows (2 matches) - Process spawning capability\n\u2713 enumerate processes (2 matches) - System reconnaissance\n\u2713 terminate process (2 matches) - Process control\n\u2713 enumerate process modules - Advanced process inspection\n\u2713 create thread (2 matches) - Multi-threading support<\/code><\/pre>\n\n\n\n<p><strong>File System Operations:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u2713 read file on Windows (4 matches) - File I\/O confirmed\n\u2713 write file on Windows (2 matches) - File creation\n\u2713 read .ini file (4 matches) - Configuration parsing\n\u2713 copy file (2 matches) - File duplication\n\u2713 move file - File relocation\n\u2713 delete file - File cleanup<\/code><\/pre>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Analysis Correlations<\/h3>\n\n\n\n<p><strong>Confirmed from Manual Analysis:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>API Hashing:<\/strong> CAPA identified djb2 hashing (0x18001E090) and PE export parsing (0x180008AC4), validating our observation of API obfuscation in ReflectivePELoader<\/li>\n\n\n\n<li><strong>Cryptographic Capabilities:<\/strong> Multiple encryption schemes (RC4, DES, HMAC-SHA1) confirm AliyunWrap.dll&#8217;s crypto functionality for Jeadpietpour.rky decryption<\/li>\n\n\n\n<li><strong>File Operations:<\/strong> Read\/write capabilities support our conclusion that the DLL performs file I\/O despite not seeing direct CreateFileW in decompiled code<\/li>\n\n\n\n<li><strong>Anti-Analysis:<\/strong> Software breakpoint detection and anti-VM strings confirm sophisticated evasion techniques<\/li>\n<\/ol>\n\n\n\n<p><strong>New Discoveries:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Process Enumeration:<\/strong> Two separate implementations suggest capability to identify security products or sandboxes<\/li>\n\n\n\n<li><strong>Thread Creation:<\/strong> Multi-threading support may indicate asynchronous operations or persistence mechanisms<\/li>\n\n\n\n<li><strong>Named Pipes:<\/strong> Read pipe capability (0x180040160) suggests potential for inter-process communication or cmd.exe output capture<\/li>\n\n\n\n<li><strong>Luhn Algorithm:<\/strong> Payment card validation (0x180033B40) indicates potential credit card theft functionality beyond our initial analysis<\/li>\n<\/ol>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">CAPA Limitations<\/h3>\n\n\n\n<p>CAPA identifies capabilities but cannot determine:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Whether capabilities are actually used (many may be vestigial from legitimate Alibaba SDK)<\/li>\n\n\n\n<li>The routing logic between components<\/li>\n\n\n\n<li>Encrypted strings or obfuscated parameters<\/li>\n\n\n\n<li>Runtime behavior under specific conditions<\/li>\n<\/ul>\n\n\n\n<p>Our manual analysis provides context for which CAPA-detected capabilities are actively exploited versus dormant code.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>This Arechclient2\/SectopRAT variant demonstrates advanced adversary tradecraft through component separation and multi-layer evasion.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Component Strategy<\/h3>\n\n\n\n<p>AliyunWrap.dll serves a dual purpose: it&#8217;s both functionally necessary and analytically misleading.<\/p>\n\n\n\n<p><strong>Functional Necessity:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Dependency testing proved E-Consol.exe crashes without AliyunWrap.dll<\/li>\n\n\n\n<li>Contains crypto\/decompression functions (CAPA identified DES, RC4, SHA1, HMAC implementations)<\/li>\n\n\n\n<li>Likely provides Windows CryptoAPI wrapper functions for decrypting Jeadpietpour.rky<\/li>\n<\/ul>\n\n\n\n<p><strong>Analytical Misdirection:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Contains extensive Alibaba Cloud API code that never executes<\/li>\n\n\n\n<li>Contains FTP\/IMAP\/SMTP credential harvesting code that&#8217;s definitively unused (import analysis proves this)<\/li>\n\n\n\n<li>PDB paths suggest legitimate software origin, not purpose-built malware<\/li>\n\n\n\n<li>Heavy AV detection (39\/72) draws attention while clean components (0\/72) execute<\/li>\n<\/ul>\n\n\n\n<p>The most likely explanation: AliyunWrap.dll is repurposed from legitimate Alibaba Cloud SDK or telemetry software. The malware authors kept the crypto\/compression functions they need, left the cloud upload code intact (easier than removing), and never use the credential harvesting code. The YIWO Tech certificate being revoked supports this.<\/p>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Evasion Through Separation<\/h3>\n\n\n\n<p>The multi-layer evasion strategy operates across the entire attack lifecycle:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Delivery Phase:<\/strong> Clean PNG (0\/97) bypasses email\/web filters via steganography<\/li>\n\n\n\n<li><strong>Installation Phase:<\/strong> Clean executables (0\/72) bypass AV signature scans<\/li>\n\n\n\n<li><strong>Execution Phase:<\/strong> Process injection hides malicious code in memory-only execution<\/li>\n\n\n\n<li><strong>Analysis Phase:<\/strong> Calli obfuscation defeats debuggers and decompilers<\/li>\n\n\n\n<li><strong>Network Phase:<\/strong> Legitimate infrastructure (BSC, AWS) appears as normal traffic<\/li>\n<\/ol>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Financial Targeting<\/h3>\n\n\n\n<p>The comprehensive cryptocurrency targeting (24 wallet extensions) combined with gaming (Steam), messaging (Discord\/Telegram), and business (FTP) credentials reveals operators specifically hunting high-value targets:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Blockchain Gamers:<\/strong> RoninWallet (Axie Infinity) targets play-to-earn users<\/li>\n\n\n\n<li><strong>DeFi Traders:<\/strong> Multi-chain wallets target users with diversified portfolios<\/li>\n\n\n\n<li><strong>NFT Collectors:<\/strong> Wallets like MewCx and NiftyWallet target NFT traders<\/li>\n\n\n\n<li><strong>Enterprise Users:<\/strong> FTP and VPN theft enables lateral movement<\/li>\n<\/ul>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Evolution from Standard SectopRAT<\/h3>\n\n\n\n<p>This variant represents significant evolution from standard SectopRAT deployments:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Evolution Point<\/th><th>Standard SectopRAT<\/th><th>This Variant<\/th><\/tr><\/thead><tbody><tr><td>Delivery<\/td><td>Direct download<\/td><td>HijackLoader steganography<\/td><\/tr><tr><td>Injection<\/td><td>MSBuild.exe (LOLBin)<\/td><td>Custom FluInterface32.exe<\/td><\/tr><tr><td>Obfuscation<\/td><td>Basic ConfuserEx<\/td><td>Strategic clean\/obfuscated separation<\/td><\/tr><tr><td>C2<\/td><td>Dynamic (Pastebin)<\/td><td>Hardcoded Russian + AWS backup<\/td><\/tr><tr><td>Targeting<\/td><td>~10 wallets<\/td><td>24 wallets + comprehensive apps<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The shift to steganographic delivery, combined with custom injection targets and intentional decoy modules, shows commodity malware adopting APT-level techniques.<\/p>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">What Was Definitively Proven<\/h3>\n\n\n\n<p><strong>Confirmed findings:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li> Steganographic delivery via PNG (IDAT chunk + XOR decryption)<\/li>\n\n\n\n<li> Multi-component architecture with clean droppers (0\/72 detection)<\/li>\n\n\n\n<li> Component dependencies: E-Consol.exe requires AliyunWrap.dll and Jeadpietpour.rky<\/li>\n\n\n\n<li> Process injection into FluInterface32.exe (confirmed via Hollows Hunter)<\/li>\n\n\n\n<li> Comprehensive RAT\/infostealer capabilities from memory dump (24 crypto wallets, Discord, Telegram, Steam, FTP, VPN)<\/li>\n\n\n\n<li> C2 infrastructure: Russian C2, AWS backup, BSC blockchain queries<\/li>\n\n\n\n<li> AliyunWrap.dll credential harvesting is DEFINITIVELY INACTIVE (import analysis proves this)<\/li>\n\n\n\n<li> Calli obfuscation prevents debugging<\/li>\n<\/ul>\n\n\n\n<p><strong>Unknown or speculative:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exact decryption mechanism in AliyunWrap.dll (likely AES-256)<\/li>\n\n\n\n<li>Meck.xkd purpose (83KB file &#8211; possibly key file or config)<\/li>\n\n\n\n<li>Jeadpietpour.rky internal structure (PNG container with encrypted payload)<\/li>\n\n\n\n<li>Injection technique details (exact API calls unknown)<\/li>\n\n\n\n<li>Full C2 protocol (server was offline during analysis)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Static Analysis: CAPA Capability Detection<\/h2>\n\n\n\n<p>CAPA analysis confirms the capabilities observed during reverse engineering and reveals additional functionality in both components.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">E-Consol.exe Capabilities<\/h3>\n\n\n\n<p><strong>Core Functionality:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>parse PE header                    \u2192 Confirms PE manipulation capability\ncreate mutex                       \u2192 Single-instance enforcement\ncheck mutex and exit              \u2192 Prevents multiple executions<\/code><\/pre>\n\n\n\n<p><strong>File System Operations:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>read .ini file (6 matches)        \u2192 Configuration file processing\ncheck if file exists (2 matches)   \u2192 File verification\ndelete file (2 matches)           \u2192 Cleanup operations\nwrite file on Windows             \u2192 Component deployment\nset current directory             \u2192 Working directory manipulation<\/code><\/pre>\n\n\n\n<p><strong>Network Operations:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>download URL                      \u2192 File download capability\nreceive data                      \u2192 C2 communication\nget MAC address on Windows        \u2192 System fingerprinting<\/code><\/pre>\n\n\n\n<p><strong>Anti-Analysis:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>reference anti-VM strings         \u2192 VM detection capability\nlink function at runtime (5 matches) \u2192 Dynamic API resolution<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">AliyunWrap.dll Capabilities<\/h3>\n\n\n\n<p><strong>Command &amp; Control:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>send data (15 matches)            \u2192 Extensive C2 communication\nreceive data (5 matches)          \u2192 Command reception\ncheck HTTP status code (3 matches) \u2192 HTTP-based C2 validation\nresolve DNS                       \u2192 Domain resolution\nget socket information (11 matches) \u2192 Network operations\ninitialize Winsock library        \u2192 Windows sockets initialization<\/code><\/pre>\n\n\n\n<p><strong>Cryptography &amp; Encoding:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>hash data using MD5               \u2192 Data integrity\/identification\nhash data using SHA1 (2 matches)  \u2192 Cryptographic hashing\nhash data using djb2              \u2192 Fast hashing (likely for API hashing)\nauthenticate HMAC                 \u2192 Message authentication (Alibaba Cloud)\nencrypt data using RC4 (2 matches) \u2192 Stream cipher encryption\nencrypt data using DES            \u2192 Block cipher encryption\nencode data using XOR (2 matches) \u2192 Simple obfuscation\nencode data using Base64          \u2192 Data encoding<\/code><\/pre>\n\n\n\n<p><strong>Process &amp; System Interaction:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>create process on Windows (2 matches) \u2192 Process spawning (FluInterface32.exe)\nenumerate processes (2 matches)   \u2192 System reconnaissance\nenumerate process modules         \u2192 Module enumeration\nterminate process (2 matches)     \u2192 Process control\nread pipe                         \u2192 Inter-process communication\ncreate thread (2 matches)         \u2192 Threading capability<\/code><\/pre>\n\n\n\n<p><strong>Anti-Analysis &amp; Evasion:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>check for software breakpoints    \u2192 Anti-debugging\nreference anti-VM strings         \u2192 VM detection\nresolve function by parsing PE exports \u2192 Dynamic API resolution (confirms our findings)<\/code><\/pre>\n\n\n\n<p><strong>Data Theft Infrastructure:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>get MAC address on Windows        \u2192 Network fingerprinting\nget local IPv4 addresses (11 matches) \u2192 Network enumeration\nquery environment variable (2 matches) \u2192 System information gathering\nget session user name             \u2192 User identification\nget user security identifier      \u2192 SID enumeration<\/code><\/pre>\n\n\n\n<p><strong>File Operations:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>read file on Windows (4 matches)  \u2192 File reading (Jeadpietpour.rky)\nwrite file on Windows (2 matches) \u2192 File writing\ncopy file (2 matches)             \u2192 File copying\nmove file                         \u2192 File relocation\ndelete file                       \u2192 Cleanup operations\ncheck if file exists (2 matches)  \u2192 File verification\nread .ini file (4 matches)        \u2192 Configuration parsing<\/code><\/pre>\n\n\n\n<p><strong>Notable Technical Details:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>linked against libcurl            \u2192 Uses libcurl for HTTP operations\nvalidate payment card number using luhn \u2192 Credit card validation capability\ngenerate random numbers via WinAPI \u2192 PRNG for cryptographic operations<\/code><\/pre>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Key Observations<\/h3>\n\n\n\n<p><strong>1. Dual-Purpose Design:<\/strong> AliyunWrap.dll contains both legitimate Alibaba Cloud functionality (HMAC, HTTP, Base64) and malicious capabilities (process enumeration, anti-debugging, PE parsing for injection).<\/p>\n\n\n\n<p><strong>2. Comprehensive Crypto Suite:<\/strong> The presence of MD5, SHA1, HMAC, RC4, DES, and XOR indicates multi-layered encryption and authentication &#8211; explaining why static analysis of Jeadpietpour.rky reveals only high entropy.<\/p>\n\n\n\n<p><strong>3. API Hashing Confirmed:<\/strong> CAPA detected &#8220;resolve function by parsing PE exports&#8221; and &#8220;hash data using djb2&#8221; &#8211; confirming the API hashing obfuscation observed in ReflectivePELoader.<\/p>\n\n\n\n<p><strong>4. Anti-Analysis Focus:<\/strong> Both components implement anti-debugging and anti-VM checks, combined with dynamic API resolution &#8211; sophisticated evasion for commodity malware.<\/p>\n\n\n\n<p><strong>5. Network Infrastructure:<\/strong> 15 send data functions and 5 receive data functions in AliyunWrap.dll confirm extensive C2 capabilities beyond just the Alibaba Cloud upload functionality.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">CAPA Static Analysis<\/h2>\n\n\n\n<p>CAPA revealed capabilities supporting our reverse engineering findings:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">E-Consol.exe Capabilities<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Parse PE header<\/strong> (0x14001085C)<\/li>\n\n\n\n<li><strong>Read .ini files<\/strong> (6 matches)<\/li>\n\n\n\n<li><strong>Create mutex<\/strong> (0x1400031A0)<\/li>\n\n\n\n<li><strong>Download URL<\/strong>, <strong>Receive C2 data<\/strong><\/li>\n\n\n\n<li><strong>Anti-VM strings<\/strong> reference<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">AliyunWrap.dll Capabilities<\/h3>\n\n\n\n<p><strong>Cryptographic Operations:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DES encryption (0x180059500), RC4 PRGA (2 matches)<\/li>\n\n\n\n<li>MD5 (0x180013D80), SHA1 (2 matches), HMAC (0x18005C1B0)<\/li>\n\n\n\n<li>Base64\/XOR encoding<\/li>\n<\/ul>\n\n\n\n<p><strong>PE Manipulation:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Resolve function by parsing PE exports<\/strong> (0x180008AC4) \u2192 Confirms API hashing in ReflectivePELoader<\/li>\n\n\n\n<li>Create process (2 matches) \u2192 Confirms FluInterface32.exe spawning<\/li>\n<\/ul>\n\n\n\n<p><strong>Network:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Send data (15 matches), receive data (5 matches)<\/li>\n\n\n\n<li>HTTP status checks (3 matches), libcurl linked<\/li>\n<\/ul>\n\n\n\n<p><strong>Anti-Analysis:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Software breakpoint detection (0x180015B90)<\/li>\n\n\n\n<li>Anti-VM strings<\/li>\n<\/ul>\n\n\n\n<p><strong>Key Validation:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>PE export parsing (0x180008AC4) validates our API hashing analysis<\/li>\n\n\n\n<li>Crypto suite (RC4, DES, SHA1, HMAC) supports Jeadpietpour.rky decryption theory<\/li>\n\n\n\n<li>Process creation confirms FluInterface32.exe spawning capability<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<div style=\"height:63px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise (IOCs)<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">File Hashes (SHA-256)<\/h3>\n\n\n\n<p><strong>Initial Delivery:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>7dc2ddaac0f6c54d774f6b336fa15a249fd0d5e74a903e7ada07cc00772c8341\n\u2514\u2500 XMouseButtonControlSetup.2.20.5.exe (2.80 MB, 41\/71 detection)\n\n163810b5276c23ddccfdcbcb85ac97c58957b7968aae5312cb06668e68f6ac98\n\u2514\u2500 goto.ps1 (PowerShell dropper, 14\/63 detection)<\/code><\/pre>\n\n\n\n<p><strong>Core Components:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>0285dd7f0017a6b8d6dad24b1b876970dc9766db49811647f3d5a68fbfa2143a\n\u2514\u2500 E-Consol.exe (178 KB, 0\/72 detection)\n\n57ec97f531753ff2c825eabb56134754d0a7c1edb606d278ccbcb8506b5a5a6c\n\u2514\u2500 FluInterface32.exe (67 KB, 0\/68 detection)\n\n6cc3640cd7e5b027f39ef83fe23bd25ef01addc144fca7bdd0f0c8c763349e85\n\u2514\u2500 AliyunWrap.dll (493 KB, 39\/72 detection)\n\n&#91;Unknown]\n\u2514\u2500 wos....exe (dumped RAT payload)\n\nd6b40125f781c1d44c4e3b497e0705012c7ed9cb253c18e390dd48aaf6dcae89\n\u2514\u2500 Jeadpietpour.rky (1.69 MB, encrypted modules)\n\n41e50d05d58f48d5b473b2118fe03d438a662c76873c8d367dbe4dd653a0ee47\n\u2514\u2500 Meck.xkd (83 KB, secondary encrypted component)\n\nb3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209\n\u2514\u2500 AliyunConfig.ini (2 bytes, configuration file)<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Network Indicators<\/h3>\n\n\n\n<p><strong>Command &amp; Control:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>45.141.87.249:15847\/tcp     - Primary Russian C2 (offline during analysis)\n52.223.34.155:443\/tcp       - AWS Binance IP (likely)<\/code><\/pre>\n\n\n\n<p><strong>Cryptocurrency Infrastructure:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bsc-dataseed1.ninicoin.io:443\nbsc-dataseed2.ninicoin.io:443\nbsc-dataseed3.ninicoin.io:443\nbsc-dataseed4.ninicoin.io:443\nbsc-dataseed1.binance.org:443<\/code><\/pre>\n\n\n\n<p><strong>Steganographic Payload:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>https:\/\/i.postimg.cc\/L41T7Xgc\/memmmu.png (0\/97 detection)<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">File System Indicators<\/h3>\n\n\n\n<p><strong>Installation Paths:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>%APPDATA%\\Roaming\\GoToxW\\\n%PROGRAMDATA%\\Checksystemjxg\\\n%LOCALAPPDATA%\\XMouseButtonControl\\\n%USERPROFILE%\\FluInterface32.exe<\/code><\/pre>\n\n\n\n<p><strong>Persistence:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>%STARTUP%\\GoTo.lnk (shortcut to E-Consol.exe)<\/code><\/pre>\n\n\n\n<p><strong>Targeted Data Locations:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Browser Data:\n\u251c\u2500 %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\\n\u251c\u2500 %LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\\n\u251c\u2500 %APPDATA%\\Opera Software\\Opera GX Stable\\\n\u2514\u2500 %APPDATA%\\Mozilla\\Firefox\\Profiles\\\n\nApplication Data:\n\u251c\u2500 %APPDATA%\\discord\\Local Storage\\leveldb\\\n\u251c\u2500 %APPDATA%\\Telegram Desktop\\tdata\\\n\u251c\u2500 %APPDATA%\\FileZilla\\\n\u2514\u2500 Registry: Software\\Valve\\Steam\\<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Registry Indicators<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>HKLM\\Software\\Microsoft\\Tracing\\FluInterface32_RASAPI32\nHKLM\\Software\\Microsoft\\Tracing\\FluInterface32_RASMANCS\nSoftware\\Valve\\Steam\\SteamPath\nROOT\\SecurityCenter\nROOT\\SecurityCenter2<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Behavioral Indicators<\/h3>\n\n\n\n<p><strong>Process Artifacts:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Parent-Child Relationships:\n\u251c\u2500 E-Consol.exe \u2192 powershell.exe (with -ExecutionPolicy Bypass)\n\u251c\u2500 powershell.exe \u2192 goto.ps1\n\u251c\u2500 E-Consol.exe \u2192 FluInterface32.exe\n\u2514\u2500 E-Consol.exe \u2192 attrib.exe +h &#91;path]<\/code><\/pre>\n\n\n\n<p><strong>Network Behavior:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u251c\u2500 Failed connections to 45.141.87.249:15847\n\u251c\u2500 Successful HTTPS to 52.223.34.155:443\n\u251c\u2500 Multiple eth_call JSON-RPC requests to BSC nodes\n\u2514\u2500 Connection attempts from FluInterface32.exe (unexpected process)<\/code><\/pre>\n\n\n\n<p><strong>Memory Indicators:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Process Injection Signs:\n\u251c\u2500 FluInterface32.exe with .NET modules loaded (originally native PE)\n\u251c\u2500 Undetermined image sizes in memory\n\u251c\u2500 RWX (Read-Write-Execute) memory regions\n\u2514\u2500 Unsigned code executing in signed process space<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is Arechclient2 (SectopRAT)? Arechclient2 (SectopRAT) is a RAT and Infostealer Arechclient2, also known as SectopRAT, is a remote access trojan and infostealer initially observed in 2019. It&#8217;s primarily used as a post-compromise tool and is currently experiencing a significant surge in deployment during 2025 campaigns. The malware is delivered via the HijackLoader steganographic delivery [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1098,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,22,21,6],"tags":[9,11,8,20,15],"class_list":["post-942","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware","category-infostealer","category-rat","category-reverse-engineering","tag-cybersecurity","tag-infostealer","tag-malware","tag-rat","tag-stealer"],"_links":{"self":[{"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/942","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=942"}],"version-history":[{"count":144,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/942\/revisions"}],"predecessor-version":[{"id":1125,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/942\/revisions\/1125"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/media\/1098"}],"wp:attachment":[{"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=942"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=942"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/thetrueartist.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=942"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}