File name: Payment Copy_Chase Bank_Pdf.iso

Full analysis: https://app.any.run/tasks/f66ff4ba-a97c-4ab4-bc11-b7030d85c4e1
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: January 05, 2023, 22:38:40
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: agenttesla
Indicators:
MIME: application/x-iso9660-image
File info: UDF filesystem data (version 1.5) 'PAYMENT_COPY_CHASE_BANK_PDF'
MD5: EB4B38831A10894D462D776D659E71B8
SHA1: EE2D7AE75C86659825EE44A90F38735D17C4122A
SHA256: 926A3142270A52F8AFB93490D5DD21F0CA23BC0815EE6630068CF6409D8EE448
SSDEEP: 192:vJZcIZJLj1DESCjSLuZmff5XLO4gZYQHbEvNesGhv:vTLZE5WLuoff5XLOZYCgvNesc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Payment Copy_Chase Bank_Pdf.exe (PID: 2320)
      • Payment Copy_Chase Bank_Pdf.exe (PID: 3572)
      • Payment Copy_Chase Bank_Pdf.exe (PID: 5268)
    • Drops the executable file immediately after the start

      • Payment Copy_Chase Bank_Pdf.exe (PID: 2320)
    • Changes the autorun value in the registry

      • Payment Copy_Chase Bank_Pdf.exe (PID: 2320)
    • AGENTTESLA detected by memory dumps

      • Payment Copy_Chase Bank_Pdf.exe (PID: 5268)
    • Steals credentials from Web Browsers

      • Payment Copy_Chase Bank_Pdf.exe (PID: 5268)
  • SUSPICIOUS

    • Reads settings of System Certificates

      • powershell.exe (PID: 5524)
      • Payment Copy_Chase Bank_Pdf.exe (PID: 5268)
    • Executable content was dropped or overwritten

      • Payment Copy_Chase Bank_Pdf.exe (PID: 2320)
    • Reads the date of Windows installation

      • Payment Copy_Chase Bank_Pdf.exe (PID: 2320)
    • Application launched itself

      • Payment Copy_Chase Bank_Pdf.exe (PID: 2320)
    • Actions look like stealing of personal data

      • Payment Copy_Chase Bank_Pdf.exe (PID: 5268)
  • INFO

    • Reads the computer name

      • Payment Copy_Chase Bank_Pdf.exe (PID: 2320)
      • Payment Copy_Chase Bank_Pdf.exe (PID: 5268)
    • Manual execution by a user

      • Payment Copy_Chase Bank_Pdf.exe (PID: 2320)
    • The process checks LSA protection

      • Explorer.exe (PID: 5144)
      • powershell.exe (PID: 5524)
      • slui.exe (PID: 3500)
      • Payment Copy_Chase Bank_Pdf.exe (PID: 2320)
      • Payment Copy_Chase Bank_Pdf.exe (PID: 5268)
    • Process checks computer location settings

      • Payment Copy_Chase Bank_Pdf.exe (PID: 2320)
    • Reads the software policy settings

      • powershell.exe (PID: 5524)
      • Payment Copy_Chase Bank_Pdf.exe (PID: 5268)
      • slui.exe (PID: 3500)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 5524)
    • Checks supported languages

      • conhost.exe (PID: 2128)
      • Payment Copy_Chase Bank_Pdf.exe (PID: 2320)
      • Payment Copy_Chase Bank_Pdf.exe (PID: 5268)
    • Creates files or folders in the user directory

      • powershell.exe (PID: 5524)
      • Payment Copy_Chase Bank_Pdf.exe (PID: 2320)
    • Checks proxy server information

      • Payment Copy_Chase Bank_Pdf.exe (PID: 2320)
      • Payment Copy_Chase Bank_Pdf.exe (PID: 5268)
      • slui.exe (PID: 3500)
    • Reads the machine GUID from the registry

      • Payment Copy_Chase Bank_Pdf.exe (PID: 2320)
      • Payment Copy_Chase Bank_Pdf.exe (PID: 5268)
    • Reads Environment values

      • Payment Copy_Chase Bank_Pdf.exe (PID: 2320)
      • Payment Copy_Chase Bank_Pdf.exe (PID: 5268)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report

AgentTesla

(PID) Process: (5268) Payment Copy_Chase Bank_Pdf.exe
Protocol: smtp
Host: mail.transgear.in
Username: marketing@transgear.in
Password: M@ssw0rd#621
Strings (670):
No Malware configuration.

TRiD

.atn | Photoshop Action (37.5)
.gmc | Game Music Creator Music (8.4)
.abr | Adobe PhotoShop Brush (7.5)
No data.
All screenshots are available in the full report
Total processes: 123
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph

[Behavior graph (interactive version in the full report); nodes: explorer.exe, payment copy_chase bank_pdf.exe, slui.exe, powershell.exe, conhost.exe, payment copy_chase bank_pdf.exe, #AGENTTESLA payment copy_chase bank_pdf.exe; edge labels: start, drop and start]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2128
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: \??\C:\WINDOWS\system32\conhost.exe
Parent process: powershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\conhost.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2320
CMD: "C:\Users\admin\Desktop\Payment Copy_Chase Bank_Pdf.exe"
Path: C:\Users\admin\Desktop\Payment Copy_Chase Bank_Pdf.exe
Parent process: Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\payment copy_chase bank_pdf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 3500
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\WINDOWS\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 3572
CMD: "C:\Users\admin\Desktop\Payment Copy_Chase Bank_Pdf.exe"
Path: C:\Users\admin\Desktop\Payment Copy_Chase Bank_Pdf.exe
Parent process: Payment Copy_Chase Bank_Pdf.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\payment copy_chase bank_pdf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 5144
CMD: "C:\WINDOWS\Explorer.exe"
Path: C:\WINDOWS\Explorer.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.1023 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\twinapi.dll
PID: 5268
CMD: "C:\Users\admin\Desktop\Payment Copy_Chase Bank_Pdf.exe"
Path: C:\Users\admin\Desktop\Payment Copy_Chase Bank_Pdf.exe
Parent process: Payment Copy_Chase Bank_Pdf.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\payment copy_chase bank_pdf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 5524
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA== (the -ENC argument is Base64 of UTF-16LE text and decodes to "start-sleep -seconds 20")
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: Payment Copy_Chase Bank_Pdf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 10 908
Read events: 10 860
Write events: 48
Delete events: 0

Modification events

(PID) Process: (2320) Payment Copy_Chase Bank_Pdf.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (2320) Payment Copy_Chase Bank_Pdf.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment Copy_Chase Bank_Pdf_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (2320) Payment Copy_Chase Bank_Pdf.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment Copy_Chase Bank_Pdf_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (2320) Payment Copy_Chase Bank_Pdf.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment Copy_Chase Bank_Pdf_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (2320) Payment Copy_Chase Bank_Pdf.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment Copy_Chase Bank_Pdf_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (2320) Payment Copy_Chase Bank_Pdf.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment Copy_Chase Bank_Pdf_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (2320) Payment Copy_Chase Bank_Pdf.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment Copy_Chase Bank_Pdf_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (2320) Payment Copy_Chase Bank_Pdf.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment Copy_Chase Bank_Pdf_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (2320) Payment Copy_Chase Bank_Pdf.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment Copy_Chase Bank_Pdf_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (2320) Payment Copy_Chase Bank_Pdf.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\Payment Copy_Chase Bank_Pdf_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0
Executable files: 2
Suspicious files: 4
Text files: 8
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5524 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary
MD5:
SHA256:
5524 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5:
SHA256:
5524 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_g0bmjbbu.gih.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5524 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | text
MD5: 9E45C239644A8A53705064C1640AD555
SHA256: 0822F5BC3A62EDCF73AAFACD7EF03982381C60487339A77B3F2D70A3FC351D63
2320 | Payment Copy_Chase Bank_Pdf.exe | C:\Users\admin\AppData\Roaming\Owuxopld\Qiafadeyfts.exe | executable
MD5: 0B8BB8ED90799AA967281F96D1B3A75D
SHA256: 5016BA92AFAC1C2B2A2A6B17A09406869BD6F58CFE680F25030AF1A1BA1C29A2
2320 | Payment Copy_Chase Bank_Pdf.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Copy_Chase Bank_Pdf.exe.log | text
MD5: 406A606B8C39A3FC49003E0572A4FC9C
SHA256: 502C23FD77CA17E86BEDAA0EFBDBD8B57B6FE429DC4860CF8193E410D0727C1B
5524 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_phsrt2a3.x24.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 25
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2320 | Payment Copy_Chase Bank_Pdf.exe | GET | 200 | 45.56.99.101:80 | http://savory.com.bd/sav/Ztvfo.png | US | binary | 649 Kb | suspicious
2244 | sihclient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | US | der | 407 b | whitelisted
2956 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | US | der | 419 b | whitelisted
2244 | sihclient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | US | der | 419 b | whitelisted
2032 | svchost.exe | POST | 302 | 96.16.143.41:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | US | | | whitelisted
2032 | svchost.exe | POST | 302 | 96.16.143.41:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | US | | | whitelisted
2032 | svchost.exe | POST | 302 | 96.16.143.41:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | US | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2032 | svchost.exe | 96.16.143.41:80 | | AKAMAI-AS | DE | whitelisted
| | 20.190.159.71:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | suspicious
2704 | svchost.exe | 40.113.110.67:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
996 | svchost.exe | 20.190.159.71:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
996 | svchost.exe | 20.190.159.23:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | suspicious
| | 13.107.21.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1852 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5380 | mousocoreworker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2320 | Payment Copy_Chase Bank_Pdf.exe | 45.56.99.101:80 | savory.com.bd | Linode, LLC | US | suspicious

DNS requests

Domain | IP | Reputation
self.events.data.microsoft.com | 51.132.193.104 | whitelisted
www.bing.com | 13.107.21.200, 204.79.197.200 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
savory.com.bd | 45.56.99.101 | suspicious
slscr.update.microsoft.com | 52.242.101.226 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
api.ipify.org | 64.185.227.156, 173.231.16.76, 104.237.62.212 | shared
fe3cr.delivery.mp.microsoft.com | 52.152.108.96 | whitelisted
nexusrules.officeapps.live.com | 52.109.8.86 | whitelisted

Threats

No threats detected
No debug info