File name: MV REK KING_VESSEL DETAILS.pdf.exe

Full analysis: https://app.any.run/tasks/de6fed82-f165-441e-8ee8-a95ccdaad366
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold.

Analysis date: May 20, 2022, 18:53:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: agenttesla
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 0F24A8CEC8CECB9C0B31DDAC24190431
SHA1: 7A79CA4BC4758A6D0827E72E49A2D021D6D172C9
SHA256: BE12FC921CD49C7E886A1F363D49754A99B1558A95A9B77E492B9005933D5EA8
SSDEEP: 12288:AXYTFZH1UEGEgCcjrCpVBC1ZNBzdighg+S:cWJGfZrHZNBzdXhg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 880)
      • cmd.exe (PID: 3096)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3604)
      • schtasks.exe (PID: 3468)
    • Drops an executable file immediately after start

      • cmd.exe (PID: 4040)
    • Steals credentials from Web Browsers

      • vbc.exe (PID: 3344)
      • vbc.exe (PID: 3156)
    • Actions look like stealing of personal data

      • vbc.exe (PID: 3344)
      • vbc.exe (PID: 3156)
    • AGENTTESLA detected by memory dumps

      • vbc.exe (PID: 3344)
      • vbc.exe (PID: 3156)
  • SUSPICIOUS

    • Reads the computer name

      • MV REK KING_VESSEL DETAILS.pdf.exe (PID: 2444)
      • vbc.exe (PID: 3344)
      • rrftttnnn.exe (PID: 2612)
      • vbc.exe (PID: 3156)
    • Checks supported languages

      • vbc.exe (PID: 3344)
      • cmd.exe (PID: 880)
      • MV REK KING_VESSEL DETAILS.pdf.exe (PID: 2444)
      • cmd.exe (PID: 4040)
      • rrftttnnn.exe (PID: 2612)
      • vbc.exe (PID: 3156)
      • cmd.exe (PID: 3096)
      • cmd.exe (PID: 3308)
    • Executes scripts

      • MV REK KING_VESSEL DETAILS.pdf.exe (PID: 2444)
      • rrftttnnn.exe (PID: 2612)
    • Starts CMD.EXE for command execution

      • MV REK KING_VESSEL DETAILS.pdf.exe (PID: 2444)
      • rrftttnnn.exe (PID: 2612)
    • Reads Environment values

      • vbc.exe (PID: 3344)
      • vbc.exe (PID: 3156)
    • Executed via Task Scheduler

      • rrftttnnn.exe (PID: 2612)
    • Creates files in the user directory

      • cmd.exe (PID: 4040)
      • vbc.exe (PID: 3344)
      • vbc.exe (PID: 3156)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 4040)
    • Drops a file with a compile date too recent

      • cmd.exe (PID: 4040)
    • Reads the cookies of Google Chrome

      • vbc.exe (PID: 3344)
    • Reads the cookies of Mozilla Firefox

      • vbc.exe (PID: 3344)
  • INFO

    • Checks supported languages

      • schtasks.exe (PID: 3604)
      • schtasks.exe (PID: 3468)
    • Reads the computer name

      • schtasks.exe (PID: 3604)
      • schtasks.exe (PID: 3468)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

AgentTesla

Process: vbc.exe (PID 3344)
Protocol: smtp
Host: smtp.uk-custom.com
Password: aNQqA@Q7
Port: 587
Strings (771):
Process: vbc.exe (PID 3156)
Protocol: smtp
Host: smtp.uk-custom.com
Password: aNQqA@Q7
Port: 587
Strings (771):
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:09 08:41:23+02:00
PEType: PE32
LinkerVersion: 11
CodeSize: 466944
InitializedDataSize: 50176
UninitializedDataSize: -
EntryPoint: 0x73eae
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.1.167.0
ProductVersionNumber: 2.1.167.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: SecureMix LLC
FileDescription: GlassWire Setup
FileVersion: 2,1,167,0
LegalCopyright: (c) 2019 SecureMix LLC
OriginalFileName: glasswire-setup-2.1.167.exe
ProductName: GlassWire Setup
ProductVersion: 2,1,167,0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 09-May-2022 06:41:23
Detected languages:
  • English - United States
CompanyName: SecureMix LLC
FileDescription: GlassWire Setup
FileVersion: 2,1,167,0
LegalCopyright: (c) 2019 SecureMix LLC
OriginalFilename: glasswire-setup-2.1.167.exe
ProductName: GlassWire Setup
ProductVersion: 2,1,167,0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 09-May-2022 06:41:23
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

  • .text
    Virtual Address: 0x00002000
    Virtual Size: 0x00071EB4
    Raw Size: 0x00072000
    Characteristics: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Entropy: 6.78118
  • .rsrc
    Virtual Address: 0x00074000
    Virtual Size: 0x0000C0E6
    Raw Size: 0x0000C200
    Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Entropy: 6.94624
  • .reloc
    Virtual Address: 0x00082000
    Virtual Size: 0x0000000C
    Raw Size: 0x00000200
    Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    Entropy: 0.10191

Resources

  • Title: 1
    Entropy: 5.00112
    Size: 490
    Codepage: UNKNOWN
    Language: UNKNOWN
    Type: RT_MANIFEST
  • Title: 2
    Entropy: 5.23333
    Size: 9640
    Codepage: UNKNOWN
    Language: UNKNOWN
    Type: RT_ICON
  • Title: 3
    Entropy: 5.50055
    Size: 4264
    Codepage: UNKNOWN
    Language: UNKNOWN
    Type: RT_ICON
  • Title: 4
    Entropy: 5.4773
    Size: 2440
    Codepage: UNKNOWN
    Language: UNKNOWN
    Type: RT_ICON
  • Title: 5
    Entropy: 5.31551
    Size: 1128
    Codepage: UNKNOWN
    Language: UNKNOWN
    Type: RT_ICON
  • Title: 103
    Entropy: 2.64638
    Size: 76
    Codepage: UNKNOWN
    Language: UNKNOWN
    Type: RT_GROUP_ICON

Imports

mscoree.dll
No data.
Total processes: 47
Monitored processes: 10
Malicious processes: 4
Suspicious processes: 3


Process information

PID: 2444
CMD: "C:\Users\admin\AppData\Local\Temp\MV REK KING_VESSEL DETAILS.pdf.exe"
Path: C:\Users\admin\AppData\Local\Temp\MV REK KING_VESSEL DETAILS.pdf.exe
Parent process: Explorer.EXE
User: admin
Company: SecureMix LLC
Integrity Level: MEDIUM
Description: GlassWire Setup
Version: 2,1,167,0

PID: 3344
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Parent process: MV REK KING_VESSEL DETAILS.pdf.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual Basic Command Line Compiler
Exit code: 4294967295
Version: 12.0.51209.34209
AgentTesla
(PID) Process(3344) vbc.exe
Protocolsmtp
Hostsmtp.uk-custom.com
PasswordaNQqA@Q7
Port587
Strings (771)
:
<font color="#00b1ba"><b>[
</b>
<b>]</b> <font color="#000000">(
MM/dd/yyyy HH:mm:ss
)</font></font>
False
<font color="#00ba66">{BACK}</font>
</font>
<font color="#00ba66">{ALT+TAB}</font>
<font color="#00ba66">{ALT+F4}</font>
<font color="#00ba66">{TAB}</font>
<font color="#00ba66">{ESC}</font>
<font color="#00ba66">{Win}</font>
<font color="#00ba66">{CAPSLOCK}</font>
<font color="#00ba66">&uarr;</font>
<font color="#00ba66">&darr;</font>
<font color="#00ba66">&larr;</font>
<font color="#00ba66">&rarr;</font>
<font color="#00ba66">{DEL}</font>
<font color="#00ba66">{END}</font>
<font color="#00ba66">{HOME}</font>
<font color="#00ba66">{Insert}</font>
<font color="#00ba66">{NumLock}</font>
<font color="#00ba66">{PageDown}</font>
<font color="#00ba66">{PageUp}</font>
<font color="#00ba66">{ENTER}</font>
<font color="#00ba66">{F1}</font>
<font color="#00ba66">{F2}</font>
<font color="#00ba66">{F3}</font>
<font color="#00ba66">{F4}</font>
<font color="#00ba66">{F5}</font>
<font color="#00ba66">{F6}</font>
<font color="#00ba66">{F7}</font>
<font color="#00ba66">{F8}</font>
<font color="#00ba66">{F9}</font>
<font color="#00ba66">{F10}</font>
<font color="#00ba66">{F11}</font>
<font color="#00ba66">{F12}</font>
control
<font color="#00ba66">{CTRL}</font>
&
&amp;
<
&lt;
>
&gt;
"
&quot;
Copied Text:
The binary key cannot have an odd number of digits: {0}
Index must be from {0} to {1}.
:Zone.Identifier
SystemDrive
\
WScript.Shell
RegRead
ObjectLength
ChainingModeGCM
AuthTagLength
ChainingMode
KeyDataBlob
AES
Microsoft Primitive Provider
CONNECTION
KEEP-ALIVE
PROXY-AUTHENTICATE
PROXY-AUTHORIZATION
TE
TRAILER
TRANSFER-ENCODING
UPGRADE
g
401
502
500
-
Windows RDP
credential
policy
blob
rdg
chrome
{{{0}}}
Length
CopyTo
ComputeHash
sha512
Copy
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
20
yyyy-MM-dd HH:mm:ss
yyyy_MM_dd_HH_mm_ss
<br>
<hr>
https://api.ipify.org%
%startupfolder%
\%insfolder%\%insname%
/
http://jVCULg.com
\XSy
\%insfolder%\
Software\Microsoft\Windows\CurrentVersion\Run
%insregname%
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
SC
SC_
_
.jpeg
yyyy-MM-dd hh-mm-ss
Screenshot
image/jpeg
/log.tmp
KL
KL_
.html
<html>
</html>
Log
text/html
[
]
,
URL:
Username:
Password:
Application:
PW
PW_
CO
CO_
.zip
Cookie
application/zip
%urlkey%
-f
\Data\Tor\torrc
p=
%PostURL%
127.0.0.1
POST
+
%2B
application/x-www-form-urlencoded
aNQqA@Q7
smtp.uk-custom.com
image/jpg
%ftphost%/
%ftpuser%
%ftppassword%
STOR
Write
Close
Add
chat_id
caption
/sendDocument
document
---------------------------
x
--
multipart/form-data; boundary=
Content-Disposition: form-data; name="{0}" {1}
Content-Disposition: form-data; name="{0}"; filename="{1}" Content-Type: {2}
--
Time:
User Name:
Computer Name:
OSFullName:
CPU:
RAM:
IP Address:
New
Recovered!
User Name
OSFullName
None
win32_processor
processorID
4e90e72a-3358-442a-b1a5-6cb21421b49f
Win32_NetworkAdapterConfiguration
IPEnabled
MacAddress
:
b26f4e3e-4308-4fd6-b63d-1c58e0e6726e
WinMgmts:
InstancesOf
Win32_BaseBoard
SerialNumber
2edc6594-a6ee-4e08-94f6-33a992a856db
x2
Tor
AUTHENTICATE "%torpass%"
SIGNAL NEWNYM
250
tor
StartInfo
FileName
\Tor\tor.exe
Arguments
UseShellExecute
RedirectStandardOutput
CreateNoWindow
Start
StandardOutput
ReadLine
Contains
Bootstrapped 100%
EndOfStream
Id
AvoidDiskWrites 1 Log notice stdout DormantCanceledByStartup 1 ControlPort 9051 CookieAuthentication 1 runasdaemon 1 ExtORPort auto hashedcontrolpassword %hash% DataDirectory %tordir%\Data\Tor GeoIPFile %tordir%\Data\Tor\geoip GeoIPv6File %tordir%\Data\Tor\geoip6
\tor.zip
%tordir%
%hash%
%torpass%
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
https://www.theonionrouter.com/dist.torproject.org/torbrowser/
<a.+?href\s*=\s*(["'])(?<href>.+?)\1[^>]*>
href
Replace
TrimStart
.
TrimEnd
tor-win32-
GetBytes
TransformBlock
TransformFinalBlock
Hash
16:
GET
OK
\tmpG
.tmp
SELECT * FROM Win32_Processor
Name
MB
Unknown
Wr
W
C
ExtractFile
n
http://127.0.0.1:
HTTP/1.1
Hostname
Port
200 Connection established Proxy-Agent: HToS5x
Connect
Host
PathAndQuery
Fragment
Host:
{0}
Key
Mode
IV
Padding
CreateDecryptor
SEQUENCE {
{0:X2}
INTEGER
OCTETSTRING
OBJECTIDENTIFIER
}
sha256
Cookies
Opera
Opera Software\Opera Stable
Comodo Dragon
Comodo\Dragon\User Data
Chrome
\Google\Chrome\User Data
360 Browser
\360Chrome\Chrome\User Data
Yandex
Yandex\YandexBrowser\User Data
SRWare Iron
Chromium\User Data
Torch Browser
Torch\User Data
Brave Browser
BraveSoftware\Brave-Browser\User Data
Iridium Browser
\Iridium\User Data
CoolNovo
MapleStudio\ChromePlus\User Data
7Star
7Star\7Star\User Data
Epic Privacy Browser
Epic Privacy Browser\User Data
Amigo
Amigo\User Data
CentBrowser
CentBrowser\User Data
CocCoc
CocCoc\Browser\User Data
Chedot
Chedot\User Data
Elements Browser
Elements Browser\User Data
Kometa
Kometa\User Data
Sleipnir 6
Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
Citrio
CatalinaGroup\Citrio\User Data
Coowon
Coowon\Coowon\User Data
Liebao Browser
liebao\User Data
QIP Surf
QIP Surf\User Data
QQ Browser
Tencent\QQBrowser\User Data
UC Browser
UCBrowser\
Orbitum
Orbitum\User Data
Sputnik
Sputnik\Sputnik\User Data
uCozMedia
uCozMedia\Uran\User Data
Vivaldi
Vivaldi\User Data
cookies.sqlite
Firefox
APPDATA
\Mozilla\Firefox\
IceCat
\Mozilla\icecat\
PaleMoon
\Moonchild Productions\Pale Moon\
SeaMonkey
\Mozilla\SeaMonkey\
Flock
\Flock\Browser\
K-Meleon
\K-Meleon\
Postbox
\Postbox\
Thunderbird
\Thunderbird\
IceDragon
\Comodo\IceDragon\
WaterFox
\Waterfox\
BlackHawk
\NETGATE Technologies\BlackHawk\
CyberFox
\8pecxstudios\Cyberfox\
Path=([A-z0-9\/\.\-]+)
profiles.ini
\Default\
Profile
origin_url
username_value
password_value
v10
v11
Opera Stable
\Local State
"encrypted_key":"(.*?)"
\Default\Login Data
\Login Data
Opera Browser
Yandex Browser
Iridium\User Data
Chromium
Cool Novo
Brave
360Chrome\Chrome\User Data
Uran
Epic Privacy
Coccoc
\Google\Chrome\User Data\
logins
Major
Minor
2F1A6504-0641-44CF-8BB5-3612D865F2E5
Windows Secure Note
3CCD5499-87A8-4B10-A215-608888DD3B55
Windows Web Password Credential
154E23D0-C644-4E6F-8CE6-5069272F999F
Windows Credential Picker Protector
4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Web Credentials
77BC582B-F0A6-4E15-4E80-61736B6F3B29
Windows Credentials
E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Windows Domain Certificate Credential
3E0E35BE-1B77-43E7-B873-AED901B6275B
Windows Domain Password Credential
3C886FF3-2669-4AA2-A8FB-3F6759A77548
Windows Extended Credential
00000000-0000-0000-0000-000000000000
SchemaId
pResourceElement
pIdentityElement
pPackageSid
pAuthenticatorElement
IE/Edge
\Common Files\Apple\Apple Application Support\plutil.exe
\Apple Computer\Preferences\keychain.plist
*
Login Data
journal
wow_logins
\Microsoft\Edge\User Data
Edge Chromium
\Microsoft\Credentials\
\Microsoft\Protect\
GuidMasterKey
\Default\EncryptedStorage
\EncryptedStorage
entries
category
Password
str3
str2
blob0
PopPassword
SmtpPassword
Software\IncrediMail\Identities\
\Accounts_New
EmailAddress
SmtpServer
incredimail
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
current
Settings
SavePasswordText
ReturnAddress
Eudora
\falkon\profiles\
startProfile="([A-z0-9\/\.]+)"
\browsedata.db
autofill
Falkon Browser
startProfile=([A-z0-9\/\.]+)
Backend=([A-z0-9\/\.-]+)
\settings.ini
\Claws-mail
\clawsrc
passkey0
master_passphrase_salt=(.+)
master_passphrase_pbkdf2_rounds=(.+)
use_master_passphrase=(.+)
\accountrc
smtp_server
address
account
\passwordstorerc
{(.*),(.*)}(.*)
ClawsMail
signons3.txt
---
.
objects
Data
DecryptTripleDes
Flock Browser
ALLUSERSPROFILE
\\
DynDNS\Updater\config.dyndns
username=
=
password=
&H
t6KzXhCh
http://DynDns.com
DynDNS
name
jid
password
Psi/Psi+
Software\OpenVPN-GUI\configs
Software\OpenVPN-GUI\configs\
username
auth-data
entropy
Open VPN
\FileZilla\recentservers.xml
<Server>
<Host>
</Host>
<Port>
</Port>
<User>
</User>
<Pass encoding="base64">
</Pass>
<Pass>
FileZilla
SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
HostName
UserName
PublicKeyFile
PortNumber
22
[PRIVATE KEY LOCATION: "{0}"]
WinSCP
IP=
port=
user=
pass=
FlashFXP
SOFTWARE\FTPWare\COREFTP\Sites
CoreFTP
User
\FTP Navigator\Ftplist.txt
Server
No Password
FTP Navigator
Programfiles(x86)
programfiles
\jDownloader\config\database.script
programfiles(x86)
INSERT INTO CONFIG VALUES('AccountController','
sq
t
xt
JDownloader
Software\Paltalk
HKEY_CURRENT_USER\Software\Paltalk\
pwd
Paltalk
\.purple\accounts.xml
<account>
<protocol>
</protocol>
<name>
</name>
<password>
</password>
Pidgin
\SmartFTP\Client 2.0\Favorites\Quick Connect\
\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
<Password>
</Password>
<Name>
</Name>
SmartFTP
appdata
\Ipswitch\WS_FTP\Sites\ws_ftp.ini
HOST
UID
PWD
WS_FTP
\cftp\Ftplist.txt
;Server=
;Port=
;Password=
;User=
;Anonymous=
Name=
FTPCommander
\FTPGetter\servers.xml
<server>
<server_ip>
</server_ip>
<server_port>
</server_port>
<server_user_name>
</server_user_name>
<server_user_password>
</server_user_password>
FTPGetter
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC
HKEY_CURRENT_USER\SOFTWARE\Vitalwerks\DUC
USERname
NO-IP
\The Bat!
\Account.CFN
zzz
TheBat
HKEY_CURRENT_USER\Software\RimArts\B2\Settings
DataDir
Folder.lst
\Mailbox.ini
Account
SMTPServer
MailAddress
PassWd
Becky!
\Trillian\users\global\accounts.dat
Accounts
Trillian
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Email
IMAP Password
POP3 Password
HTTP Password
SMTP Password
SMTP Server
Outlook
COMPlus_legacyCorruptedStateExceptionsPolicy
1
Software\Microsoft\ActiveSync\Partners
syncpassword
mailoutgoing
Windows Mail App
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Executable
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
FoxmailPath
\Storage\
\mail\
\VirtualStore\Program Files\Foxmail\mail\
\VirtualStore\Program Files (x86)\Foxmail\mail\
\Accounts\Account.rec0
\Account.stg
Read
Dispose
POP3Host
SMTPHost
IncomingServer
POP3Password
Foxmail
\Opera Mail\Opera Mail\wand.dat
opera:
Opera Mail
\Pocomail\accounts.ini
POPPass
SMTPPass
SMTP
PocoMail
RealVNC 4.x
SOFTWARE\Wow6432Node\RealVNC\WinVNC4
RealVNC 3.x
SOFTWARE\RealVNC\vncserver
SOFTWARE\RealVNC\WinVNC4
Software\ORL\WinVNC3
TightVNC
Software\TightVNC\Server
PasswordViewOnly
TightVNC ControlPassword
ControlPassword
TigerVNC
Software\TigerVNC\Server
Trim
UltraVNC
ProgramFiles(x86)
\uvnc bvba\UltraVNC\ultravnc.ini
passwd
passwd2
ProgramFiles
\UltraVNC\ultravnc.ini
Substring
eM Client\accounts.dat
eM Client
"Username":"
",
"Secret":"
72905C47-F4FD-4CF7-A489-4E8121A155BD
"ProviderName":"
\Mailbird\Store\Store.db
Server_Host
Username
EncryptedPassword
Mailbird
SenderIdentities
NordVPN
NordVPN directory not found!
NordVpn.exe*
user.config
Load
SelectSingleNode
//setting[@name='Username']/value
InnerText
//setting[@name='Password']/value
\MySQL\Workbench\workbench_user_data.dat


MySQL Workbench
%ProgramW6432%
Private Internet Access\data
\Private Internet Access\data
\account.json
.*"username":"(.*?)"
.*"password":"(.*?)"
Private Internet Access
Software\DownloadManager\Passwords\
EncPassword
Internet Download Manager
hdfzpysvpzimorhk
quick.dat
Sites.dat
\FlashFXP\
yA36zA48dEhfrvghGRg57h5UlDv3
Type
Value
IterationCount
\Psi\profiles
\Psi+\profiles
\accounts.xml
USERPROFILE
\OpenVPN\config\
remote
PWD=
+-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
5A
71
abcçdefgğhıijklmnoöpqrsştuüvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
o6806642kbM7c5
<array>
<dict>
<string>
</string>
<data>
</data>
Safari Browser
-convert xml1 -s -o "
\fixed_keychain.xml"
A
10
B
11
12
D
13
E
14
F
15
ABCDEF
(
EndsWith
)
IndexOf
UNIQUE
table
00061561
Berkelet DB
00000002
1.85 (Hash, version 2, native byte-order)
Unknow database format
key4.db
metaData
id
item1
item2
nssPrivate
a11
a102
2a864886f70d0209
2a864886f70d010c050103
key3.db
global-salt
Version
password-check
logins.json
\"(hostname|encryptedPassword|encryptedUsername)":"(.*?)"
[^\u0020-\u007F]
signons.sqlite
moz_logins
hostname
encryptedUsername
encryptedPassword
;
PID: 880
CMD: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\admin\AppData\Roaming\rrftttnnn\rrftttnnn.exe'" /f
Path: C:\Windows\system32\cmd.exe
Parent process: MV REK KING_VESSEL DETAILS.pdf.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3604
CMD: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\admin\AppData\Roaming\rrftttnnn\rrftttnnn.exe'" /f
Path: C:\Windows\system32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 4040
CMD: "cmd.exe" /C copy "C:\Users\admin\AppData\Local\Temp\MV REK KING_VESSEL DETAILS.pdf.exe" "C:\Users\admin\AppData\Roaming\rrftttnnn\rrftttnnn.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: MV REK KING_VESSEL DETAILS.pdf.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2612
CMD: C:\Users\admin\AppData\Roaming\rrftttnnn\rrftttnnn.exe
Path: C:\Users\admin\AppData\Roaming\rrftttnnn\rrftttnnn.exe
Parent process: taskeng.exe
User: admin
Company: SecureMix LLC
Integrity Level: MEDIUM
Description: GlassWire Setup
Version: 2,1,167,0

PID: 3156
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Parent process: rrftttnnn.exe
Indicators: AgentTesla
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual Basic Command Line Compiler
Version: 12.0.51209.34209

AgentTesla configuration extracted from process 3156 (vbc.exe):
Protocol: smtp
Host: smtp.uk-custom.com
Password: aNQqA@Q7
Port: 587
Strings (771): same list as extracted from PID 3344 above (verbatim duplicate omitted)
PID: 3096
CMD: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\admin\AppData\Roaming\rrftttnnn\rrftttnnn.exe'" /f
Path: C:\Windows\system32\cmd.exe
Parent process: rrftttnnn.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3468
CMD: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\admin\AppData\Roaming\rrftttnnn\rrftttnnn.exe'" /f
Path: C:\Windows\system32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3308
CMD: "cmd.exe" /C copy "C:\Users\admin\AppData\Roaming\rrftttnnn\rrftttnnn.exe" "C:\Users\admin\AppData\Roaming\rrftttnnn\rrftttnnn.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: rrftttnnn.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 2 171
Read events: 2 171
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 4

Dropped files

PID | Process | Filename | Type
4040 | cmd.exe | C:\Users\admin\AppData\Roaming\rrftttnnn\rrftttnnn.exe | executable
  MD5: 0F24A8CEC8CECB9C0B31DDAC24190431
  SHA256: BE12FC921CD49C7E886A1F363D49754A99B1558A95A9B77E492B9005933D5EA8
3156 | vbc.exe | C:\Users\admin\AppData\Roaming\ez3dlvj3.pww\Chrome\Default\Cookies | sqlite
  MD5: B8E63E7225C9F4E0A81371F29D6456D8
  SHA256: 35A6919CE60EA8E0A44934F8B267BDE2C5A063C2E32F22D34724F168C43150C8
3156 | vbc.exe | C:\Users\admin\AppData\Roaming\ez3dlvj3.pww\Firefox\Profiles\qldyz51w.default\cookies.sqlite | sqlite
  MD5: 23D08A78BC908C0B29E9800D3D5614E7
  SHA256: F6BD7DF5DFAE9FD88811A807DBA14085E00C1B5A6D7CC3D06CC68F6015363D59
3344 | vbc.exe | C:\Users\admin\AppData\Roaming\moegucl5.net\Firefox\Profiles\qldyz51w.default\cookies.sqlite | sqlite
  MD5: 23D08A78BC908C0B29E9800D3D5614E7
  SHA256: F6BD7DF5DFAE9FD88811A807DBA14085E00C1B5A6D7CC3D06CC68F6015363D59
3344 | vbc.exe | C:\Users\admin\AppData\Roaming\moegucl5.net\Chrome\Default\Cookies | sqlite
  MD5: B8E63E7225C9F4E0A81371F29D6456D8
  SHA256: 35A6919CE60EA8E0A44934F8B267BDE2C5A063C2E32F22D34724F168C43150C8
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3344 | vbc.exe | 208.91.198.46:587 | smtp.uk-custom.com | PDR | US | malicious
3156 | vbc.exe | 208.91.198.46:587 | smtp.uk-custom.com | PDR | US | malicious

DNS requests

Domain: smtp.uk-custom.com
IP:
  • 208.91.198.46
  • 162.222.225.16
  • 162.222.225.29
  • 208.91.198.38
Reputation: malicious

Threats

PID | Process | Class | Message
3344 | vbc.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
3344 | vbc.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
3156 | vbc.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
3156 | vbc.exe | Generic Protocol Command Decode | SURICATA Applayer Detect protocol only one direction
No debug info