File name: New Inquiries.exe

Full analysis: https://app.any.run/tasks/db5a7f7f-7d05-4306-acdf-2bd9d161322d
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: January 05, 2023, 08:11:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: agenttesla
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 14F34CE68A9FA222F4890789E3B52F1A
SHA1: BB12303832E9D7F09929FDCF13D48DC5D33734C6
SHA256: BDA00392E993AEC17335551AA8BBE596BF1AAB747E7B41EBD65D1360EA117458
SSDEEP: 12288:v16q9hx1HsAi3W65CCe3LB47q0nLW2Rfxj0s:B9hx3cW6oCebB47rnC4fxQs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • New Inquiries.exe (PID: 1464)
    • AGENTTESLA detected by memory dumps

      • New Inquiries.exe (PID: 1464)
  • SUSPICIOUS

    • Application launched itself

      • New Inquiries.exe (PID: 1752)
    • Reads settings of System Certificates

      • New Inquiries.exe (PID: 1464)
    • Connects to SMTP port

      • New Inquiries.exe (PID: 1464)
    • Reads browser cookies

      • New Inquiries.exe (PID: 1464)
    • Actions look like stealing of personal data

      • New Inquiries.exe (PID: 1464)
  • INFO

    • Reads the machine GUID from the registry

      • New Inquiries.exe (PID: 1752)
      • New Inquiries.exe (PID: 1464)
    • Reads the computer name

      • New Inquiries.exe (PID: 1752)
      • New Inquiries.exe (PID: 1464)
    • Checks supported languages

      • New Inquiries.exe (PID: 1752)
      • New Inquiries.exe (PID: 1464)
    • The process checks LSA protection

      • New Inquiries.exe (PID: 1752)
      • New Inquiries.exe (PID: 1464)
    • Reads Environment values

      • New Inquiries.exe (PID: 1464)
    • Creates files or folders in the user directory

      • New Inquiries.exe (PID: 1464)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

AgentTesla

(PID) Process: (1464) New Inquiries.exe
Protocol: smtp
Host: smtp.yandex.com
Username: hisgraceinme@yandex.com
Password: General1248@1
Strings (672):
<br>
<hr>
<b>[
]</b> (
)<br>
False
{BACK}
{ALT+TAB}
{ALT+F4}
{TAB}
{ESC}
{Win}
{CAPSLOCK}
&uarr;
&darr;
&larr;
&rarr;
{DEL}
{END}
{HOME}
{Insert}
{NumLock}
{PageDown}
{PageUp}
{ENTER}
{F1}
{F2}
{F3}
{F4}
{F5}
{F6}
{F7}
{F8}
{F9}
{F10}
{F11}
{F12}
control
{CTRL}
&
&amp;
<
&lt;
>
&gt;
"
&quot;
<hr>Copied Text: <br>
The binary key cannot have an odd number of digits: {0}
:Zone.Identifier
SystemDrive
\
ObjectLength
ChainingModeGCM
AuthTagLength
ChainingMode
KeyDataBlob
AES
Microsoft Primitive Provider
-
Windows RDP
credential
policy
blob
rdg
chrome
{{{0}}}
Length
CopyTo
ComputeHash
sha512
Copy
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
True
20
1
587
smtp.yandex.com
hisgraceinme@yandex.com
General1248@1
appdata
CFWVFH
CFWVFH.exe
/
SC
/log.tmp
KL
<br>[
yyyy-MM-dd HH:mm:ss
]<br>
URL:
Username:
Password:
Application:
PW
CO
text/html
_
yyyy_MM_dd_HH_mm_ss
.html
.jpeg
image/jpg
.zip
application/zip
Time:
MM/dd/yyyy HH:mm:ss
<br>User Name:
<br>Computer Name:
<br>OSFullName:
<br>CPU:
<br>RAM:
IP Address:
New
Recovered!
Time
User Name
OSFullName
CPU:
RAM:
None
win32_processor
processorID
e6ea99ce-3c57-4d57-b2ca-5824b4618fdf
Win32_NetworkAdapterConfiguration
IPEnabled
MacAddress
:
8dfc46f9-4281-41cb-af12-355039ffc8af
WinMgmts:
InstancesOf
Win32_BaseBoard
SerialNumber
bb8cd93b-2aec-4fee-8a96-50225e9c21a8
x2
GET
OK
GetBytes
SELECT * FROM Win32_Processor
Name
MB
Unknown
Wr
W
C
ExtractFile
n
{0}
Key
Mode
IV
Padding
CreateDecryptor
TransformFinalBlock
SEQUENCE {
{0:X2}
INTEGER
OCTETSTRING
OBJECTIDENTIFIER
}
sha256
Cookies
cookies.sqlite
Path=([A-z0-9\/\.\-]+)
profiles.ini
\Default\
Profile
origin_url
username_value
password_value
v10
v11
Opera Stable
\Local State
"encrypted_key":"(.*?)"
\Default\Login Data
\Login Data
logins
\Microsoft\Edge\User Data
Edge Chromium
Major
Minor
2F1A6504-0641-44CF-8BB5-3612D865F2E5
Windows Secure Note
3CCD5499-87A8-4B10-A215-608888DD3B55
Windows Web Password Credential
154E23D0-C644-4E6F-8CE6-5069272F999F
Windows Credential Picker Protector
4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Web Credentials
77BC582B-F0A6-4E15-4E80-61736B6F3B29
Windows Credentials
E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Windows Domain Certificate Credential
3E0E35BE-1B77-43E7-B873-AED901B6275B
Windows Domain Password Credential
3C886FF3-2669-4AA2-A8FB-3F6759A77548
Windows Extended Credential
00000000-0000-0000-0000-000000000000
SchemaId
pResourceElement
pIdentityElement
pPackageSid
pAuthenticatorElement
IE/Edge
UCBrowser\
*
Login Data
journal
UC Browser
wow_logins
\Common Files\Apple\Apple Application Support\plutil.exe
\Apple Computer\Preferences\keychain.plist
\Microsoft\Credentials\
\Microsoft\Protect\
GuidMasterKey
Tencent\QQBrowser\User Data
\Default\EncryptedStorage
\EncryptedStorage
entries
category
Password
str3
str2
blob0
QQ Browser
PopPassword
SmtpPassword
Software\IncrediMail\Identities\
\Accounts_New
EmailAddress
SmtpServer
IncrediMail
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
current
Settings
SavePasswordText
ReturnAddress
Eudora
\falkon\profiles\
startProfile="([A-z0-9\/\.]+)"
\browsedata.db
autofill
Falkon Browser
startProfile=([A-z0-9\/\.]+)
Backend=([A-z0-9\/\.-]+)
\settings.ini
\Claws-mail
\clawsrc
passkey0
master_passphrase_salt=(.+)
master_passphrase_pbkdf2_rounds=(.+)
use_master_passphrase=(.+)
\accountrc
smtp_server
address
account
[
]
\passwordstorerc
{(.*),(.*)}(.*)
ClawsMail
APPDATA
\Flock\Browser\
signons3.txt
---
.
objects
Data
DecryptTripleDes
Flock Browser
ALLUSERSPROFILE
\\
DynDNS\Updater\config.dyndns
username=
=
password=
&H
t6KzXhCh
http://DynDns.com
DynDNS
name
jid
password
Psi/Psi+
Software\OpenVPN-GUI\configs
Software\OpenVPN-GUI\configs\
username
auth-data
entropy
Open VPN
\FileZilla\recentservers.xml
<Server>
<Host>
</Host>
<Port>
</Port>
<User>
</User>
<Pass encoding="base64">
</Pass>
<Pass>
FileZilla
SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
HostName
UserName
PublicKeyFile
PortNumber
22
[PRIVATE KEY LOCATION: "{0}"]
WinSCP
IP=
port=
user=
pass=
FlashFXP
SOFTWARE\FTPWare\COREFTP\Sites
CoreFTP
User
Host
Port
\FTP Navigator\Ftplist.txt
Server
No Password
FTP Navigator
Programfiles(x86)
programfiles
\jDownloader\config\database.script
programfiles(x86)
INSERT INTO CONFIG VALUES('AccountController','
sq
.
t
xt
JDownloader
Software\Paltalk
HKEY_CURRENT_USER\Software\Paltalk\
pwd
Paltalk
\.purple\accounts.xml
<account>
<protocol>
</protocol>
<name>
</name>
<password>
</password>
Pidgin
\SmartFTP\Client 2.0\Favorites\Quick Connect\
\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
<Password>
</Password>
<Name>
</Name>
SmartFTP
\Ipswitch\WS_FTP\Sites\ws_ftp.ini
HOST
UID
PWD
WS_FTP
\cftp\Ftplist.txt
;Server=
;Port=
;Password=
;User=
;Anonymous=
Name=
FTPCommander
\FTPGetter\servers.xml
<server>
<server_ip>
</server_ip>
<server_port>
</server_port>
<server_user_name>
</server_user_name>
<server_user_password>
</server_user_password>
FTPGetter
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC
HKEY_CURRENT_USER\SOFTWARE\Vitalwerks\DUC
USERname
NO-IP
\The Bat!
\Account.CFN
zzz
TheBat
HKEY_CURRENT_USER\Software\RimArts\B2\Settings
DataDir
Folder.lst
\Mailbox.ini
Account
SMTPServer
MailAddress
PassWd
Becky!
\Trillian\users\global\accounts.dat
Accounts
Trillian
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Email
IMAP Password
POP3 Password
HTTP Password
SMTP Password
SMTP Server
Outlook
COMPlus_legacyCorruptedStateExceptionsPolicy
Software\Microsoft\ActiveSync\Partners
syncpassword
mailoutgoing
Windows Mail App
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Executable
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
FoxmailPath
\Storage\
\mail\
\VirtualStore\Program Files\Foxmail\mail\
\VirtualStore\Program Files (x86)\Foxmail\mail\
\Accounts\Account.rec0
\Account.stg
Read
Close
Dispose
POP3Host
SMTPHost
IncomingServer
POP3Password
Foxmail
\Opera Mail\Opera Mail\wand.dat
opera:
Opera Mail
\Pocomail\accounts.ini
POPPass
SMTPPass
SMTP
PocoMail
RealVNC 4.x
SOFTWARE\Wow6432Node\RealVNC\WinVNC4
RealVNC 3.x
SOFTWARE\RealVNC\vncserver
SOFTWARE\RealVNC\WinVNC4
Software\ORL\WinVNC3
TightVNC
Software\TightVNC\Server
PasswordViewOnly
TightVNC ControlPassword
ControlPassword
TigerVNC
Software\TigerVNC\Server
Trim
UltraVNC
ProgramFiles(x86)
\uvnc bvba\UltraVNC\ultravnc.ini
passwd
passwd2
ProgramFiles
\UltraVNC\ultravnc.ini
Substring
eM Client\accounts.dat
eM Client
"Username":"
",
"Secret":"
72905C47-F4FD-4CF7-A489-4E8121A155BD
"ProviderName":"
\Mailbird\Store\Store.db
Server_Host
Username
EncryptedPassword
Mailbird
SenderIdentities
NordVPN
NordVPN directory not found!
NordVpn.exe*
user.config
Load
SelectSingleNode
//setting[@name='Username']/value
InnerText
//setting[@name='Password']/value
\MySQL\Workbench\workbench_user_data.dat


MySQL Workbench
%ProgramW6432%
Private Internet Access\data
\Private Internet Access\data
\account.json
.*"username":"(.*?)"
.*"password":"(.*?)"
Private Internet Access
Software\DownloadManager\Passwords\
EncPassword
Internet Download Manager
discord.com
Discord
Discord Token
hdfzpysvpzimorhk
quick.dat
Sites.dat
\FlashFXP\
yA36zA48dEhfrvghGRg57h5UlDv3
Type
Value
IterationCount
\Psi\profiles
\Psi+\profiles
\accounts.xml
USERPROFILE
\OpenVPN\config\
remote
PWD=
+-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
5A
71
abcçdefgğhıijklmnoöpqrsştuüvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
o6806642kbM7c5
[\w-]{24}\.[\w-]{6}\.[\w-]{27}
mfa\.[\w-]{84}
discordcanary
discordptb
Local Storage\leveldb
*.ldb
*.log
discord
<array>
<dict>
<string>
</string>
<data>
</data>
Safari Browser
-convert xml1 -s -o "
\fixed_keychain.xml"
A
10
B
11
12
D
13
E
14
F
15
ABCDEF
(
EndsWith
)
IndexOf
UNIQUE
table
Opera Browser
Opera Software\Opera Stable
Yandex Browser
Yandex\YandexBrowser\User Data
Iridium Browser
Iridium\User Data
Chromium
Chromium\User Data
7Star
7Star\7Star\User Data
Torch Browser
Torch\User Data
Cool Novo
MapleStudio\ChromePlus\User Data
Kometa
Kometa\User Data
Amigo
Amigo\User Data
Brave
BraveSoftware\Brave-Browser\User Data
CentBrowser
CentBrowser\User Data
Chedot
Chedot\User Data
Orbitum
Orbitum\User Data
Sputnik
Sputnik\Sputnik\User Data
Comodo Dragon
Comodo\Dragon\User Data
Vivaldi
Vivaldi\User Data
Citrio
CatalinaGroup\Citrio\User Data
360 Browser
360Chrome\Chrome\User Data
Uran
uCozMedia\Uran\User Data
Liebao Browser
liebao\User Data
Elements Browser
Elements Browser\User Data
Epic Privacy
Epic Privacy Browser\User Data
Coccoc
CocCoc\Browser\User Data
Sleipnir 6
Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
QIP Surf
QIP Surf\User Data
Coowon
Coowon\Coowon\User Data
Chrome
Google\Chrome\User Data
Firefox
\Mozilla\Firefox\
SeaMonkey
\Mozilla\SeaMonkey\
Thunderbird
\Thunderbird\
BlackHawk
\NETGATE Technologies\BlackHawk\
CyberFox
\8pecxstudios\Cyberfox\
K-Meleon
\K-Meleon\
IceCat
\Mozilla\icecat\
PaleMoon
\Moonchild Productions\Pale Moon\
IceDragon
\Comodo\IceDragon\
WaterFox
\Waterfox\
Postbox
\Postbox\
Flock
00061561
Berkelet DB
00000002
1.85 (Hash, version 2, native byte-order)
Unknow database format
key4.db
metaData
id
item1
item2
nssPrivate
a11
a102
Contains
2a864886f70d0209
2a864886f70d010c050103
key3.db
global-salt
Version
password-check
Replace
logins.json
\"(hostname|encryptedPassword|encryptedUsername)":"(.*?)"
oauth
[^\u0020-\u007F]
signons.sqlite
moz_logins
hostname
encryptedUsername
encryptedPassword
;
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2023-Jan-05 04:48:42
Debug artifacts:
  • rPfX.pdb
Comments: Atomkraftwerk-Simulator
CompanyName: Jdam Software
FileDescription: AKW-Simulator
FileVersion: 1.0.2.0
InternalName: rPfX.exe
LegalCopyright: Copyright © Jdam 2008
LegalTrademarks: Jdam Software
OriginalFilename: rPfX.exe
ProductName: AKW-Simulator
ProductVersion: 1.0.2.0
Assembly Version: 1.0.2.0

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 128

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 3
TimeDateStamp: 2023-Jan-05 04:48:42
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 8192 | 649836 | 650240 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.57037
.rsrc | 663552 | 8292 | 8704 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.49502
.reloc | 679936 | 12 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0815394

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 7.51791 | 3698 | UNKNOWN | UNKNOWN | RT_ICON
32512 | 1.51664 | 20 | UNKNOWN | UNKNOWN | RT_GROUP_ICON
1 (#2) | 3.39975 | 896 | UNKNOWN | UNKNOWN | RT_VERSION
1 (#3) | 4.99419 | 3365 | UNKNOWN | UNKNOWN | RT_MANIFEST

Imports

mscoree.dll
No data.
All screenshots are available in the full report
Total processes: 30
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> new inquiries.exe (no specs) -> new inquiries.exe (#AGENTTESLA)

Process information

PID: 1464
CMD: "C:\Users\admin\AppData\Local\Temp\New Inquiries.exe"
Path: C:\Users\admin\AppData\Local\Temp\New Inquiries.exe
Parent process: New Inquiries.exe
User: admin
Company: Jdam Software
Integrity Level: MEDIUM
Description: AKW-Simulator
Exit code: 0
Version: 1.0.2.0
Modules (Images):
  • c:\users\admin\appdata\local\temp\new inquiries.exe
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\mscoree.dll
PID: 1752
CMD: "C:\Users\admin\AppData\Local\Temp\New Inquiries.exe"
Path: C:\Users\admin\AppData\Local\Temp\New Inquiries.exe
Parent process: Explorer.EXE
User: admin
Company: Jdam Software
Integrity Level: MEDIUM
Description: AKW-Simulator
Exit code: 0
Version: 1.0.2.0
Modules (Images):
  • c:\users\admin\appdata\local\temp\new inquiries.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\user32.dll
  • c:\windows\syswow64\mscoree.dll
Total events: 1 938
Read events: 1 928
Write events: 10
Delete events: 0

Modification events

(PID) Process: (1464) New Inquiries.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 4

Dropped files

PID | Process | Filename | Type
1464 | New Inquiries.exe | C:\Users\admin\AppData\Roaming\legxlwjp.fvb\Firefox\Profiles\nltxvmn2.default\cookies.sqlite | sqlite
  MD5: FF3819BA79CA33058AB110FEC5CD0955
  SHA256: C5140A31EA483E1E6AFE2A2750B853FA46FA3C5B0A04C973094E23E6C8AD533E
1464 | New Inquiries.exe | C:\Users\admin\AppData\Roaming\legxlwjp.fvb\Chrome\Default\Cookies | sqlite
  MD5: 387B1D63B45DA12EE4D0C68A9E777271
  SHA256: 40BD4B959B25DBF4D65864B92F548C5373C12FC7EF99FE70A9BE479A90FBF0D2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 2

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1464 | New Inquiries.exe | 77.88.21.158:587 | smtp.yandex.com | YANDEX LLC | RU | whitelisted

DNS requests

Domain | IP | Reputation
smtp.yandex.com | 77.88.21.158 | malicious

Threats

PID | Process | Class | Message
1464 | New Inquiries.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
1464 | New Inquiries.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
No debug info