File name: Orden de consulta.msg
Full analysis: https://app.any.run/tasks/c647e225-4123-4bc5-8fa9-008290d8e34f
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: August 12, 2022, 15:01:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
agenttesla
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5: 672B7B6B84B40B4C7947268376C37BA2
SHA1: 78F944E59B2D4A33696EDD77CDB6CFBE174485E4
SHA256: DFD7539032E405AEBDD9791161B49F80445EE5D55C3145D9DE8A0877953EE69A
SSDEEP: 6144:6E6fO8YrVZ8LPGNgnYqqYNgtmUfSiSSE7Sr5PFVELSE:jL8Lgu3iSSD92u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • BCNDHGJK.exe (PID: 652)
      • BCNDHGJK.exe (PID: 3196)
      • BCNDHGJK.exe (PID: 2568)
    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 3096)
    • AGENTTESLA detected by memory dumps

      • cvtres.exe (PID: 3168)
      • cvtres.exe (PID: 3620)
      • cvtres.exe (PID: 3936)
    • Actions looks like stealing of personal data

      • cvtres.exe (PID: 3620)
    • Steals credentials from Web Browsers

      • cvtres.exe (PID: 3620)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 3096)
      • BCNDHGJK.exe (PID: 652)
      • cvtres.exe (PID: 3168)
      • BCNDHGJK.exe (PID: 3196)
      • cvtres.exe (PID: 3620)
      • BCNDHGJK.exe (PID: 2568)
      • cvtres.exe (PID: 3936)
      • Reader_sl.exe (PID: 3756)
      • AdobeARM.exe (PID: 1228)
    • Reads the computer name

      • WinRAR.exe (PID: 3096)
      • cvtres.exe (PID: 3168)
      • BCNDHGJK.exe (PID: 652)
      • BCNDHGJK.exe (PID: 3196)
      • cvtres.exe (PID: 3620)
      • cvtres.exe (PID: 3936)
      • BCNDHGJK.exe (PID: 2568)
      • AdobeARM.exe (PID: 1228)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3096)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3096)
    • Reads Environment values

      • cvtres.exe (PID: 3168)
      • cvtres.exe (PID: 3620)
      • cvtres.exe (PID: 3936)
  • INFO

    • Reads the computer name

      • OUTLOOK.EXE (PID: 2960)
      • AcroRd32.exe (PID: 1116)
      • AcroRd32.exe (PID: 1036)
      • RdrCEF.exe (PID: 4068)
    • Checks supported languages

      • OUTLOOK.EXE (PID: 2960)
      • AcroRd32.exe (PID: 1036)
      • AcroRd32.exe (PID: 1116)
      • RdrCEF.exe (PID: 4068)
      • RdrCEF.exe (PID: 2376)
      • RdrCEF.exe (PID: 544)
      • RdrCEF.exe (PID: 1988)
      • RdrCEF.exe (PID: 3596)
      • RdrCEF.exe (PID: 2588)
      • RdrCEF.exe (PID: 3292)
      • RdrCEF.exe (PID: 2424)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 2960)
      • AcroRd32.exe (PID: 1036)
      • AcroRd32.exe (PID: 1116)
    • Reads Microsoft Office registry keys

      • OUTLOOK.EXE (PID: 2960)
      • AcroRd32.exe (PID: 1116)
    • Reads CPU info

      • AcroRd32.exe (PID: 1116)
    • Application launched itself

      • AcroRd32.exe (PID: 1036)
      • RdrCEF.exe (PID: 4068)
    • Reads settings of System Certificates

      • AcroRd32.exe (PID: 1036)
      • RdrCEF.exe (PID: 4068)
    • Checks Windows Trust Settings

      • AcroRd32.exe (PID: 1036)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

AgentTesla

Process: cvtres.exe (PID: 3168)
Strings (789):
20
yyyy-MM-dd HH:mm:ss
yyyy_MM_dd_HH_mm_ss
<br>
<hr>
ObjectLength
ChainingModeGCM
AuthTagLength
ChainingMode
KeyDataBlob
AES
Microsoft Primitive Provider
CONNECTION
KEEP-ALIVE
PROXY-AUTHENTICATE
PROXY-AUTHORIZATION
TE
TRAILER
TRANSFER-ENCODING
UPGRADE
%startupfolder%
\%insfolder%\%insname%
/
\%insfolder%\
Software\Microsoft\Windows\CurrentVersion\Run
%insregname%
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
True
https://api.ipify.org%
GET
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
OK
http://wreIBh.com
\kbk
SELECT * FROM Win32_Processor
Name
MB
Unknown
CO
CO_
-
_
.zip
yyyy-MM-dd hh-mm-ss
Cookie
application/zip
SC
SC_
.jpeg
Screenshot
image/jpeg
/log.tmp
KL
KL_
.html
<html>
</html>
Log
text/html
[
]
Time:
MM/dd/yyyy HH:mm:ss
User Name:
Computer Name:
OSFullName:
CPU:
RAM:
IP Address:
New
Recovered!
User Name
:
OSFullName
uninstall
Software\Microsoft\Windows NT\CurrentVersion\Windows
Load
%ftphost%/
%ftpuser%
%ftppassword%
STOR
Length
Write
Close
GetBytes
Opera Browser
Opera Software\Opera Stable
Yandex Browser
Yandex\YandexBrowser\User Data
Iridium Browser
Iridium\User Data
Chromium
Chromium\User Data
7Star
7Star\7Star\User Data
Torch Browser
Torch\User Data
Cool Novo
MapleStudio\ChromePlus\User Data
Kometa
Kometa\User Data
Amigo
Amigo\User Data
Brave
BraveSoftware\Brave-Browser\User Data
CentBrowser
CentBrowser\User Data
Chedot
Chedot\User Data
Orbitum
Orbitum\User Data
Sputnik
Sputnik\Sputnik\User Data
Comodo Dragon
Comodo\Dragon\User Data
Vivaldi
Vivaldi\User Data
Citrio
CatalinaGroup\Citrio\User Data
360 Browser
360Chrome\Chrome\User Data
Uran
uCozMedia\Uran\User Data
Liebao Browser
liebao\User Data
Elements Browser
Elements Browser\User Data
Epic Privacy
Epic Privacy Browser\User Data
Coccoc
CocCoc\Browser\User Data
Sleipnir 6
Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
QIP Surf
QIP Surf\User Data
Coowon
Coowon\Coowon\User Data
APPDATA
\CoreFTP\sites.idx
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites\
Host
HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSites
Port
User
PW
CoreFTP
webpanel
,
"
smtp
ftp
URL:
Username:
Password:
Application:
URL:
Username:
Password:
Application:
PW_
nilya1957
posta.ni.net.tr
image/jpg
:Zone.Identifier
\tmpG
.tmp
%urlkey%
-f
\Data\Tor\torrc
p=
%PostURL%
127.0.0.1
POST
+
%2B
application/x-www-form-urlencoded
&
&amp;
<
&lt;
>
&gt;
&quot;
Copied Text:
<font color="#00b1ba"><b>[
</b>
<b>]</b> <font color="#000000">(
)</font></font>
False
<font color="#00ba66">{BACK}</font>
</font>
<font color="#00ba66">{ALT+TAB}</font>
<font color="#00ba66">{ALT+F4}</font>
<font color="#00ba66">{TAB}</font>
<font color="#00ba66">{ESC}</font>
<font color="#00ba66">{Win}</font>
<font color="#00ba66">{CAPSLOCK}</font>
<font color="#00ba66">&uarr;</font>
<font color="#00ba66">&darr;</font>
<font color="#00ba66">&larr;</font>
<font color="#00ba66">&rarr;</font>
<font color="#00ba66">{DEL}</font>
<font color="#00ba66">{END}</font>
<font color="#00ba66">{HOME}</font>
<font color="#00ba66">{Insert}</font>
<font color="#00ba66">{NumLock}</font>
<font color="#00ba66">{PageDown}</font>
<font color="#00ba66">{PageUp}</font>
<font color="#00ba66">{ENTER}</font>
<font color="#00ba66">{F1}</font>
<font color="#00ba66">{F2}</font>
<font color="#00ba66">{F3}</font>
<font color="#00ba66">{F4}</font>
<font color="#00ba66">{F5}</font>
<font color="#00ba66">{F6}</font>
<font color="#00ba66">{F7}</font>
<font color="#00ba66">{F8}</font>
<font color="#00ba66">{F9}</font>
<font color="#00ba66">{F10}</font>
<font color="#00ba66">{F11}</font>
<font color="#00ba66">{F12}</font>
control
<font color="#00ba66">{CTRL}</font>
Windows RDP
credential
policy
blob
rdg
chrome
{{{0}}}
CopyTo
ComputeHash
sha512
Copy
SystemDrive
\
WScript.Shell
RegRead
g
401
502
500
Add
chat_id
caption
/sendDocument
document
---------------------------
x
--
multipart/form-data; boundary=
Content-Disposition: form-data; name="{0}" {1}
Content-Disposition: form-data; name="{0}"; filename="{1}" Content-Type: {2}
--
Cookies
Opera
Chrome
\Google\Chrome\User Data
\360Chrome\Chrome\User Data
Yandex
SRWare Iron
Brave Browser
\Iridium\User Data
CoolNovo
Epic Privacy Browser
CocCoc
QQ Browser
Tencent\QQBrowser\User Data
UC Browser
UCBrowser\
uCozMedia
cookies.sqlite
Firefox
\Mozilla\Firefox\
IceCat
\Mozilla\icecat\
PaleMoon
\Moonchild Productions\Pale Moon\
SeaMonkey
\Mozilla\SeaMonkey\
Flock
\Flock\Browser\
K-Meleon
\K-Meleon\
Postbox
\Postbox\
Thunderbird
\Thunderbird\
IceDragon
\Comodo\IceDragon\
WaterFox
\Waterfox\
BlackHawk
\NETGATE Technologies\BlackHawk\
CyberFox
\8pecxstudios\Cyberfox\
Path=([A-z0-9\/\.\-]+)
profiles.ini
\Default\
Profile
origin_url
username_value
password_value
v10
v11
Opera Stable
\Local State
"encrypted_key":"(.*?)"
\Default\Login Data
\Login Data
\Google\Chrome\User Data\
logins
Major
Minor
2F1A6504-0641-44CF-8BB5-3612D865F2E5
Windows Secure Note
3CCD5499-87A8-4B10-A215-608888DD3B55
Windows Web Password Credential
154E23D0-C644-4E6F-8CE6-5069272F999F
Windows Credential Picker Protector
4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Web Credentials
77BC582B-F0A6-4E15-4E80-61736B6F3B29
Windows Credentials
E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Windows Domain Certificate Credential
3E0E35BE-1B77-43E7-B873-AED901B6275B
Windows Domain Password Credential
3C886FF3-2669-4AA2-A8FB-3F6759A77548
Windows Extended Credential
00000000-0000-0000-0000-000000000000
SchemaId
pResourceElement
pIdentityElement
pPackageSid
pAuthenticatorElement
IE/Edge
Type
Value
\Common Files\Apple\Apple Application Support\plutil.exe
\Apple Computer\Preferences\keychain.plist
*
Login Data
journal
wow_logins
\Microsoft\Edge\User Data
Edge Chromium
\Microsoft\Credentials\
\Microsoft\Protect\
GuidMasterKey
\Default\EncryptedStorage
\EncryptedStorage
entries
category
Password
str3
str2
blob0
PopPassword
SmtpPassword
Software\IncrediMail\Identities\
\Accounts_New
EmailAddress
SmtpServer
incredimail
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
current
Settings
SavePasswordText
ReturnAddress
Eudora
\falkon\profiles\
startProfile="([A-z0-9\/\.]+)"
\browsedata.db
autofill
Falkon Browser
startProfile=([A-z0-9\/\.]+)
Backend=([A-z0-9\/\.-]+)
\settings.ini
\Claws-mail
\clawsrc
passkey0
master_passphrase_salt=(.+)
master_passphrase_pbkdf2_rounds=(.+)
use_master_passphrase=(.+)
\accountrc
smtp_server
address
account
\passwordstorerc
{(.*),(.*)}(.*)
ClawsMail
TransformFinalBlock
Substring
IterationCount
signons3.txt
---
.
objects
Data
DecryptTripleDes
Flock Browser
ALLUSERSPROFILE
\\
DynDNS\Updater\config.dyndns
username=
=
password=
&H
t6KzXhCh
http://DynDns.com
DynDNS
\Psi\profiles
\Psi+\profiles
\accounts.xml
name
jid
password
Psi/Psi+
Software\OpenVPN-GUI\configs
Software\OpenVPN-GUI\configs\
username
auth-data
entropy
Open VPN
USERPROFILE
\OpenVPN\config\
remote
\FileZilla\recentservers.xml
<Server>
<Host>
</Host>
:
<Port>
</Port>
<User>
</User>
<Pass encoding="base64">
</Pass>
<Pass>
FileZilla
SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
HostName
UserName
PublicKeyFile
PortNumber
22
[PRIVATE KEY LOCATION: "{0}"]
WinSCP
Username
All Users
\FlashFXP\3quick.dat
IP=
port=
user=
pass=
created=
FlashFXP
\FTP Navigator\Ftplist.txt
Server
No Password
FTP Navigator
Programfiles(x86)
programfiles
\jDownloader\config\database.script
programfiles(x86)
INSERT INTO CONFIG VALUES('AccountController','
sq
.
t
xt
JDownloader
Software\Paltalk
HKEY_CURRENT_USER\Software\Paltalk\
pwd
Paltalk
\.purple\accounts.xml
<account>
<protocol>
</protocol>
<name>
</name>
<password>
</password>
Pidgin
\SmartFTP\Client 2.0\Favorites\Quick Connect\
\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
<Password>
</Password>
<Name>
</Name>
SmartFTP
appdata
\Ipswitch\WS_FTP\Sites\ws_ftp.ini
HOST
UID
PWD
WS_FTP
PWD=
Key
Mode
IV
Padding
CreateDecryptor
\cftp\Ftplist.txt
;Server=
;Port=
;Password=
;User=
;Anonymous=
Name=
FTPCommander
\FTPGetter\servers.xml
<server>
<server_ip>
</server_ip>
<server_port>
</server_port>
<server_user_name>
</server_user_name>
<server_user_password>
</server_user_password>
FTPGetter
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC
HKEY_CURRENT_USER\SOFTWARE\Vitalwerks\DUC
USERname
NO-IP
+-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
\The Bat!
\Account.CFN
zzz
TheBat
HKEY_CURRENT_USER\Software\RimArts\B2\Settings
DataDir
Folder.lst
\Mailbox.ini
Account
SMTPServer
MailAddress
PassWd
Becky!
\Trillian\users\global\accounts.dat
Accounts
Trillian
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Email
IMAP Password
POP3 Password
HTTP Password
SMTP Password
SMTP Server
Outlook
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Executable
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
FoxmailPath
\Storage\
\mail\
\VirtualStore\Program Files\Foxmail\mail\
\VirtualStore\Program Files (x86)\Foxmail\mail\
\Accounts\Account.rec0
\Account.stg
Read
Dispose
POP3Host
SMTPHost
IncomingServer
POP3Password
Foxmail
5A
71
\Opera Mail\Opera Mail\wand.dat
opera:
Opera Mail
abcçdefgğhıijklmnoöpqrsştuüvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
\Pocomail\accounts.ini
POPPass
SMTPPass
SMTP
PocoMail
RealVNC 4.x
SOFTWARE\Wow6432Node\RealVNC\WinVNC4
RealVNC 3.x
SOFTWARE\RealVNC\vncserver
SOFTWARE\RealVNC\WinVNC4
Software\ORL\WinVNC3
TightVNC
Software\TightVNC\Server
PasswordViewOnly
TightVNC ControlPassword
ControlPassword
TigerVNC
Software\TigerVNC\Server
Trim
UltraVNC
ProgramFiles(x86)
\uvnc bvba\UltraVNC\ultravnc.ini
passwd
passwd2
ProgramFiles
\UltraVNC\ultravnc.ini
\eM Client
.dll
eM Client\accounts.dat
eM Client
AccountConfiguration
72905C47-F4FD-4CF7-A489-4E8121A155BD
host
o6806642kbM7c5
\Mailbird\Store\Store.db
Server_Host
EncryptedPassword
Mailbird
SenderIdentities
NordVPN
NordVPN directory not found!
NordVpn.exe*
user.config
SelectSingleNode
//setting[@name='Username']/value
InnerText
//setting[@name='Password']/value
\MySQL\Workbench\workbench_user_data.dat


MySQL Workbench
%ProgramW6432%
Private Internet Access\data
\Private Internet Access\data
\account.json
.*"username":"(.*?)"
.*"password":"(.*?)"
Private Internet Access
<array>
<dict>
<string>
</string>
<data>
</data>
Safari Browser
-convert xml1 -s -o "
\fixed_keychain.xml"
A
10
B
11
C
12
D
13
E
14
F
15
ABCDEF
(
EndsWith
)
IndexOf
UNIQUE
table
Software\DownloadManager\Passwords\
EncPassword
Internet Download Manager
{0}
http://127.0.0.1:
HTTP/1.1
Hostname
200 Connection established Proxy-Agent: HToS5x
Connect
PathAndQuery
Fragment
Host:
Wr
W
ExtractFile
n
Tor
AUTHENTICATE "%torpass%"
SIGNAL NEWNYM
250
tor
StartInfo
FileName
\Tor\tor.exe
Arguments
UseShellExecute
RedirectStandardOutput
CreateNoWindow
Start
StandardOutput
ReadLine
Contains
Bootstrapped 100%
EndOfStream
Id
AvoidDiskWrites 1 Log notice stdout DormantCanceledByStartup 1 ControlPort 9051 CookieAuthentication 1 runasdaemon 1 ExtORPort auto hashedcontrolpassword %hash% DataDirectory %tordir%\Data\Tor GeoIPFile %tordir%\Data\Tor\geoip GeoIPv6File %tordir%\Data\Tor\geoip6
\tor.zip
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
%tordir%
%hash%
%torpass%
https://www.theonionrouter.com/dist.torproject.org/torbrowser/
<a.+?href\s*=\s*(["'])(?<href>.+?)\1[^>]*>
href
Replace
TrimStart
TrimEnd
tor-win32-
TransformBlock
Hash
16:
None
win32_processor
processorID
429628c9-af07-4369-a3d9-05084eca6f83
Win32_NetworkAdapterConfiguration
IPEnabled
MacAddress
e46c3618-dbd5-4696-b828-8dc826eaecc4
WinMgmts:
InstancesOf
Win32_BaseBoard
SerialNumber
b7239939-3317-46dd-bf42-0727acf1a4f8
x2
00061561
Berkelet DB
00000002
1.85 (Hash, version 2, native byte-order)
Unknow database format
SEQUENCE {
{0:X2}
INTEGER
OCTETSTRING
OBJECTIDENTIFIER
}
sha256
key4.db
metaData
id
item1
item2
nssPrivate
a11
a102
2a864886f70d0209
2a864886f70d010c050103
key3.db
global-salt
Version
password-check
logins.json
\"(hostname|encryptedPassword|encryptedUsername)":"(.*?)"
[^\u0020-\u007F]
signons.sqlite
moz_logins
hostname
encryptedUsername
encryptedPassword
Version=4.0.0.0
version=2.0.0.0
mscorlib
System
MailClient.Protocols.Smtp.SmtpAccountConfiguration
MailClient.Accounts.TlsType
MailClient.Accounts.CredentialsModelTypes
MailClient.Accounts.Mail.MailAccountConfiguration
MailClient.Accounts.ArchivingScope
MailClient.Mail.MailAddress
;
info
AccountConfiguration+accountName
AccountConfiguration+username
AccountConfiguration+password
providerName
Port587
Passwordnilya1957
Hostposta.ni.net.tr
Protocolsmtp
profiles.ini
\Default\
Profile
origin_url
username_value
password_value
v10
v11
Opera Stable
\Local State
"encrypted_key":"(.*?)"
\Default\Login Data
\Login Data
\Google\Chrome\User Data\
logins
Major
Minor
2F1A6504-0641-44CF-8BB5-3612D865F2E5
Windows Secure Note
3CCD5499-87A8-4B10-A215-608888DD3B55
Windows Web Password Credential
154E23D0-C644-4E6F-8CE6-5069272F999F
Windows Credential Picker Protector
4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Web Credentials
77BC582B-F0A6-4E15-4E80-61736B6F3B29
Windows Credentials
E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Windows Domain Certificate Credential
3E0E35BE-1B77-43E7-B873-AED901B6275B
Windows Domain Password Credential
3C886FF3-2669-4AA2-A8FB-3F6759A77548
Windows Extended Credential
00000000-0000-0000-0000-000000000000
SchemaId
pResourceElement
pIdentityElement
pPackageSid
pAuthenticatorElement
IE/Edge
Type
Value
\Common Files\Apple\Apple Application Support\plutil.exe
\Apple Computer\Preferences\keychain.plist
*
Login Data
journal
wow_logins
\Microsoft\Edge\User Data
Edge Chromium
\Microsoft\Credentials\
\Microsoft\Protect\
GuidMasterKey
\Default\EncryptedStorage
\EncryptedStorage
entries
category
Password
str3
str2
blob0
PopPassword
SmtpPassword
Software\IncrediMail\Identities\
\Accounts_New
EmailAddress
SmtpServer
incredimail
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
current
Settings
SavePasswordText
ReturnAddress
Eudora
\falkon\profiles\
startProfile="([A-z0-9\/\.]+)"
\browsedata.db
autofill
Falkon Browser
startProfile=([A-z0-9\/\.]+)
Backend=([A-z0-9\/\.-]+)
\settings.ini
\Claws-mail
\clawsrc
passkey0
master_passphrase_salt=(.+)
master_passphrase_pbkdf2_rounds=(.+)
use_master_passphrase=(.+)
\accountrc
smtp_server
address
account
\passwordstorerc
{(.*),(.*)}(.*)
ClawsMail
TransformFinalBlock
Substring
IterationCount
signons3.txt
---
.
objects
Data
DecryptTripleDes
Flock Browser
ALLUSERSPROFILE
\\
DynDNS\Updater\config.dyndns
username=
=
password=
&H
t6KzXhCh
http://DynDns.com
DynDNS
\Psi\profiles
\Psi+\profiles
\accounts.xml
name
jid
password
Psi/Psi+
Software\OpenVPN-GUI\configs
Software\OpenVPN-GUI\configs\
username
auth-data
entropy
Open VPN
USERPROFILE
\OpenVPN\config\
remote
\FileZilla\recentservers.xml
<Server>
<Host>
</Host>
:
<Port>
</Port>
<User>
</User>
<Pass encoding="base64">
</Pass>
<Pass>
FileZilla
SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
HostName
UserName
PublicKeyFile
PortNumber
22
[PRIVATE KEY LOCATION: "{0}"]
WinSCP
Username
All Users
\FlashFXP\3quick.dat
IP=
port=
user=
pass=
created=
FlashFXP
\FTP Navigator\Ftplist.txt
Server
No Password
FTP Navigator
Programfiles(x86)
programfiles
\jDownloader\config\database.script
programfiles(x86)
INSERT INTO CONFIG VALUES('AccountController','
sq
.
t
xt
JDownloader
Software\Paltalk
HKEY_CURRENT_USER\Software\Paltalk\
pwd
Paltalk
\.purple\accounts.xml
<account>
<protocol>
</protocol>
<name>
</name>
<password>
</password>
Pidgin
\SmartFTP\Client 2.0\Favorites\Quick Connect\
\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
<Password>
</Password>
<Name>
</Name>
SmartFTP
appdata
\Ipswitch\WS_FTP\Sites\ws_ftp.ini
HOST
UID
PWD
WS_FTP
PWD=
Key
Mode
IV
Padding
CreateDecryptor
\cftp\Ftplist.txt
;Server=
;Port=
;Password=
;User=
;Anonymous=
Name=
FTPCommander
\FTPGetter\servers.xml
<server>
<server_ip>
</server_ip>
<server_port>
</server_port>
<server_user_name>
</server_user_name>
<server_user_password>
</server_user_password>
FTPGetter
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC
HKEY_CURRENT_USER\SOFTWARE\Vitalwerks\DUC
USERname
NO-IP
+-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
\The Bat!
\Account.CFN
zzz
TheBat
HKEY_CURRENT_USER\Software\RimArts\B2\Settings
DataDir
Folder.lst
\Mailbox.ini
Account
SMTPServer
MailAddress
PassWd
Becky!
\Trillian\users\global\accounts.dat
Accounts
Trillian
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Email
IMAP Password
POP3 Password
HTTP Password
SMTP Password
SMTP Server
Outlook
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Executable
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
FoxmailPath
\Storage\
\mail\
\VirtualStore\Program Files\Foxmail\mail\
\VirtualStore\Program Files (x86)\Foxmail\mail\
\Accounts\Account.rec0
\Account.stg
Read
Dispose
POP3Host
SMTPHost
IncomingServer
POP3Password
Foxmail
5A
71
\Opera Mail\Opera Mail\wand.dat
opera:
Opera Mail
abcçdefgğhıijklmnoöpqrsştuüvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
\Pocomail\accounts.ini
POPPass
SMTPPass
SMTP
PocoMail
RealVNC 4.x
SOFTWARE\Wow6432Node\RealVNC\WinVNC4
RealVNC 3.x
SOFTWARE\RealVNC\vncserver
SOFTWARE\RealVNC\WinVNC4
Software\ORL\WinVNC3
TightVNC
Software\TightVNC\Server
PasswordViewOnly
TightVNC ControlPassword
ControlPassword
TigerVNC
Software\TigerVNC\Server
Trim
UltraVNC
ProgramFiles(x86)
\uvnc bvba\UltraVNC\ultravnc.ini
passwd
passwd2
ProgramFiles
\UltraVNC\ultravnc.ini
\eM Client
.dll
eM Client\accounts.dat
eM Client
AccountConfiguration
72905C47-F4FD-4CF7-A489-4E8121A155BD
host
o6806642kbM7c5
\Mailbird\Store\Store.db
Server_Host
EncryptedPassword
Mailbird
SenderIdentities
NordVPN
NordVPN directory not found!
NordVpn.exe*
user.config
SelectSingleNode
//setting[@name='Username']/value
InnerText
//setting[@name='Password']/value
\MySQL\Workbench\workbench_user_data.dat


MySQL Workbench
%ProgramW6432%
Private Internet Access\data
\Private Internet Access\data
\account.json
.*"username":"(.*?)"
.*"password":"(.*?)"
Private Internet Access
<array>
<dict>
<string>
</string>
<data>
</data>
Safari Browser
-convert xml1 -s -o "
\fixed_keychain.xml"
A
10
B
11
C
12
D
13
E
14
F
15
ABCDEF
(
EndsWith
)
IndexOf
UNIQUE
table
Software\DownloadManager\Passwords\
EncPassword
Internet Download Manager
{0}
http://127.0.0.1:
HTTP/1.1
Hostname
200 Connection established Proxy-Agent: HToS5x
Connect
PathAndQuery
Fragment
Host:
Wr
W
ExtractFile
n
Tor
AUTHENTICATE "%torpass%"
SIGNAL NEWNYM
250
tor
StartInfo
FileName
\Tor\tor.exe
Arguments
UseShellExecute
RedirectStandardOutput
CreateNoWindow
Start
StandardOutput
ReadLine
Contains
Bootstrapped 100%
EndOfStream
Id
AvoidDiskWrites 1 Log notice stdout DormantCanceledByStartup 1 ControlPort 9051 CookieAuthentication 1 runasdaemon 1 ExtORPort auto hashedcontrolpassword %hash% DataDirectory %tordir%\Data\Tor GeoIPFile %tordir%\Data\Tor\geoip GeoIPv6File %tordir%\Data\Tor\geoip6
\tor.zip
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
%tordir%
%hash%
%torpass%
https://www.theonionrouter.com/dist.torproject.org/torbrowser/
<a.+?href\s*=\s*(["'])(?<href>.+?)\1[^>]*>
href
Replace
TrimStart
TrimEnd
tor-win32-
TransformBlock
Hash
16:
None
win32_processor
processorID
429628c9-af07-4369-a3d9-05084eca6f83
Win32_NetworkAdapterConfiguration
IPEnabled
MacAddress
e46c3618-dbd5-4696-b828-8dc826eaecc4
WinMgmts:
InstancesOf
Win32_BaseBoard
SerialNumber
b7239939-3317-46dd-bf42-0727acf1a4f8
x2
00061561
Berkelet DB
00000002
1.85 (Hash, version 2, native byte-order)
Unknow database format
SEQUENCE {
{0:X2}
INTEGER
OCTETSTRING
OBJECTIDENTIFIER
}
sha256
key4.db
metaData
id
item1
item2
nssPrivate
a11
a102
2a864886f70d0209
2a864886f70d010c050103
key3.db
global-salt
Version
password-check
logins.json
\"(hostname|encryptedPassword|encryptedUsername)":"(.*?)"
[^\u0020-\u007F]
signons.sqlite
moz_logins
hostname
encryptedUsername
encryptedPassword
Version=4.0.0.0
version=2.0.0.0
mscorlib
System
MailClient.Protocols.Smtp.SmtpAccountConfiguration
MailClient.Accounts.TlsType
MailClient.Accounts.CredentialsModelTypes
MailClient.Accounts.Mail.MailAccountConfiguration
MailClient.Accounts.ArchivingScope
MailClient.Mail.MailAddress
;
info
AccountConfiguration+accountName
AccountConfiguration+username
AccountConfiguration+password
providerName
Port587
Passwordnilya1957
Hostposta.ni.net.tr
Protocolsmtp
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
All screenshots are available in the full report
Total processes
60
Monitored processes
20
Malicious processes
8
Suspicious processes
0

Behavior graph

Edges: start; drop and start; drop and start; drop and start
Nodes: outlook.exe; winrar.exe; bcndhgjk.exe (no specs); #AGENTTESLA cvtres.exe (no specs); bcndhgjk.exe (no specs); #AGENTTESLA cvtres.exe; bcndhgjk.exe (no specs); #AGENTTESLA cvtres.exe (no specs); acrord32.exe; acrord32.exe (no specs); rdrcef.exe; rdrcef.exe (no specs); rdrcef.exe (no specs); rdrcef.exe (no specs); rdrcef.exe (no specs); rdrcef.exe (no specs); rdrcef.exe (no specs); rdrcef.exe (no specs); adobearm.exe (no specs); reader_sl.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
2960
CMD:
"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\admin\AppData\Local\Temp\Orden de consulta.msg"
Path:
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Parent process:
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
PID:
3096
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\WHXRK3RY\BCNDHGJK.Z"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
OUTLOOK.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
PID:
652
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3096.16325\BCNDHGJK.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa3096.16325\BCNDHGJK.exe
Parent process:
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
BCNDHGJK
Exit code:
0
Version:
1.0.0.0
PID:
3168
CMD:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process:
BCNDHGJK.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Version:
12.00.51209.34209 built by: FX452RTMGDR
AgentTesla
(PID) Process(3168) cvtres.exe
Strings (789)
20
yyyy-MM-dd HH:mm:ss
yyyy_MM_dd_HH_mm_ss
<br>
<hr>
ObjectLength
ChainingModeGCM
AuthTagLength
ChainingMode
KeyDataBlob
AES
Microsoft Primitive Provider
CONNECTION
KEEP-ALIVE
PROXY-AUTHENTICATE
PROXY-AUTHORIZATION
TE
TRAILER
TRANSFER-ENCODING
UPGRADE
%startupfolder%
\%insfolder%\%insname%
/
\%insfolder%\
Software\Microsoft\Windows\CurrentVersion\Run
%insregname%
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
True
https://api.ipify.org%
GET
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
OK
http://wreIBh.com
\kbk
SELECT * FROM Win32_Processor
Name
MB
Unknown
CO
CO_
-
_
.zip
yyyy-MM-dd hh-mm-ss
Cookie
application/zip
SC
SC_
.jpeg
Screenshot
image/jpeg
/log.tmp
KL
KL_
.html
<html>
</html>
Log
text/html
[
]
Time:
MM/dd/yyyy HH:mm:ss
User Name:
Computer Name:
OSFullName:
CPU:
RAM:
IP Address:
New
Recovered!
User Name
:
OSFullName
uninstall
Software\Microsoft\Windows NT\CurrentVersion\Windows
Load
%ftphost%/
%ftpuser%
%ftppassword%
STOR
Length
Write
Close
GetBytes
Opera Browser
Opera Software\Opera Stable
Yandex Browser
Yandex\YandexBrowser\User Data
Iridium Browser
Iridium\User Data
Chromium
Chromium\User Data
7Star
7Star\7Star\User Data
Torch Browser
Torch\User Data
Cool Novo
MapleStudio\ChromePlus\User Data
Kometa
Kometa\User Data
Amigo
Amigo\User Data
Brave
BraveSoftware\Brave-Browser\User Data
CentBrowser
CentBrowser\User Data
Chedot
Chedot\User Data
Orbitum
Orbitum\User Data
Sputnik
Sputnik\Sputnik\User Data
Comodo Dragon
Comodo\Dragon\User Data
Vivaldi
Vivaldi\User Data
Citrio
CatalinaGroup\Citrio\User Data
360 Browser
360Chrome\Chrome\User Data
Uran
uCozMedia\Uran\User Data
Liebao Browser
liebao\User Data
Elements Browser
Elements Browser\User Data
Epic Privacy
Epic Privacy Browser\User Data
Coccoc
CocCoc\Browser\User Data
Sleipnir 6
Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
QIP Surf
QIP Surf\User Data
Coowon
Coowon\Coowon\User Data
APPDATA
\CoreFTP\sites.idx
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites\
Host
HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSites
Port
User
PW
CoreFTP
webpanel
,
"
smtp
ftp
URL:
Username:
Password:
Application:
URL:
Username:
Password:
Application:
PW_
nilya1957
posta.ni.net.tr
image/jpg
:Zone.Identifier
\tmpG
.tmp
%urlkey%
-f
\Data\Tor\torrc
p=
%PostURL%
127.0.0.1
POST
+
%2B
application/x-www-form-urlencoded
&
&amp;
<
&lt;
>
&gt;
&quot;
Copied Text:
<font color="#00b1ba"><b>[
</b>
<b>]</b> <font color="#000000">(
)</font></font>
False
<font color="#00ba66">{BACK}</font>
</font>
<font color="#00ba66">{ALT+TAB}</font>
<font color="#00ba66">{ALT+F4}</font>
<font color="#00ba66">{TAB}</font>
<font color="#00ba66">{ESC}</font>
<font color="#00ba66">{Win}</font>
<font color="#00ba66">{CAPSLOCK}</font>
<font color="#00ba66">&uarr;</font>
<font color="#00ba66">&darr;</font>
<font color="#00ba66">&larr;</font>
<font color="#00ba66">&rarr;</font>
<font color="#00ba66">{DEL}</font>
<font color="#00ba66">{END}</font>
<font color="#00ba66">{HOME}</font>
<font color="#00ba66">{Insert}</font>
<font color="#00ba66">{NumLock}</font>
<font color="#00ba66">{PageDown}</font>
<font color="#00ba66">{PageUp}</font>
<font color="#00ba66">{ENTER}</font>
<font color="#00ba66">{F1}</font>
<font color="#00ba66">{F2}</font>
<font color="#00ba66">{F3}</font>
<font color="#00ba66">{F4}</font>
<font color="#00ba66">{F5}</font>
<font color="#00ba66">{F6}</font>
<font color="#00ba66">{F7}</font>
<font color="#00ba66">{F8}</font>
<font color="#00ba66">{F9}</font>
<font color="#00ba66">{F10}</font>
<font color="#00ba66">{F11}</font>
<font color="#00ba66">{F12}</font>
control
<font color="#00ba66">{CTRL}</font>
Windows RDP
credential
policy
blob
rdg
chrome
{{{0}}}
CopyTo
ComputeHash
sha512
Copy
SystemDrive
\
WScript.Shell
RegRead
g
401
502
500
Add
chat_id
caption
/sendDocument
document
---------------------------
x
--
multipart/form-data; boundary=
Content-Disposition: form-data; name="{0}" {1}
Content-Disposition: form-data; name="{0}"; filename="{1}" Content-Type: {2}
--
Cookies
Opera
Chrome
\Google\Chrome\User Data
\360Chrome\Chrome\User Data
Yandex
SRWare Iron
Brave Browser
\Iridium\User Data
CoolNovo
Epic Privacy Browser
CocCoc
QQ Browser
Tencent\QQBrowser\User Data
UC Browser
UCBrowser\
uCozMedia
cookies.sqlite
Firefox
\Mozilla\Firefox\
IceCat
\Mozilla\icecat\
PaleMoon
\Moonchild Productions\Pale Moon\
SeaMonkey
\Mozilla\SeaMonkey\
Flock
\Flock\Browser\
K-Meleon
\K-Meleon\
Postbox
\Postbox\
Thunderbird
\Thunderbird\
IceDragon
\Comodo\IceDragon\
WaterFox
\Waterfox\
BlackHawk
\NETGATE Technologies\BlackHawk\
CyberFox
\8pecxstudios\Cyberfox\
Path=([A-z0-9\/\.\-]+)
profiles.ini
\Default\
Profile
origin_url
username_value
password_value
v10
v11
Opera Stable
\Local State
"encrypted_key":"(.*?)"
\Default\Login Data
\Login Data
\Google\Chrome\User Data\
logins
Major
Minor
2F1A6504-0641-44CF-8BB5-3612D865F2E5
Windows Secure Note
3CCD5499-87A8-4B10-A215-608888DD3B55
Windows Web Password Credential
154E23D0-C644-4E6F-8CE6-5069272F999F
Windows Credential Picker Protector
4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Web Credentials
77BC582B-F0A6-4E15-4E80-61736B6F3B29
Windows Credentials
E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Windows Domain Certificate Credential
3E0E35BE-1B77-43E7-B873-AED901B6275B
Windows Domain Password Credential
3C886FF3-2669-4AA2-A8FB-3F6759A77548
Windows Extended Credential
00000000-0000-0000-0000-000000000000
SchemaId
pResourceElement
pIdentityElement
pPackageSid
pAuthenticatorElement
IE/Edge
Type
Value
\Common Files\Apple\Apple Application Support\plutil.exe
\Apple Computer\Preferences\keychain.plist
*
Login Data
journal
wow_logins
\Microsoft\Edge\User Data
Edge Chromium
\Microsoft\Credentials\
\Microsoft\Protect\
GuidMasterKey
\Default\EncryptedStorage
\EncryptedStorage
entries
category
Password
str3
str2
blob0
PopPassword
SmtpPassword
Software\IncrediMail\Identities\
\Accounts_New
EmailAddress
SmtpServer
incredimail
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
current
Settings
SavePasswordText
ReturnAddress
Eudora
\falkon\profiles\
startProfile="([A-z0-9\/\.]+)"
\browsedata.db
autofill
Falkon Browser
startProfile=([A-z0-9\/\.]+)
Backend=([A-z0-9\/\.-]+)
\settings.ini
\Claws-mail
\clawsrc
passkey0
master_passphrase_salt=(.+)
master_passphrase_pbkdf2_rounds=(.+)
use_master_passphrase=(.+)
\accountrc
smtp_server
address
account
\passwordstorerc
{(.*),(.*)}(.*)
ClawsMail
TransformFinalBlock
Substring
IterationCount
signons3.txt
---
.
objects
Data
DecryptTripleDes
Flock Browser
ALLUSERSPROFILE
\\
DynDNS\Updater\config.dyndns
username=
=
password=
&H
t6KzXhCh
http://DynDns.com
DynDNS
\Psi\profiles
\Psi+\profiles
\accounts.xml
name
jid
password
Psi/Psi+
Software\OpenVPN-GUI\configs
Software\OpenVPN-GUI\configs\
username
auth-data
entropy
Open VPN
USERPROFILE
\OpenVPN\config\
remote
\FileZilla\recentservers.xml
<Server>
<Host>
</Host>
:
<Port>
</Port>
<User>
</User>
<Pass encoding="base64">
</Pass>
<Pass>
FileZilla
SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
HostName
UserName
PublicKeyFile
PortNumber
22
[PRIVATE KEY LOCATION: "{0}"]
WinSCP
Username
All Users
\FlashFXP\3quick.dat
IP=
port=
user=
pass=
created=
FlashFXP
\FTP Navigator\Ftplist.txt
Server
No Password
FTP Navigator
Programfiles(x86)
programfiles
\jDownloader\config\database.script
programfiles(x86)
INSERT INTO CONFIG VALUES('AccountController','
sq
.
t
xt
JDownloader
Software\Paltalk
HKEY_CURRENT_USER\Software\Paltalk\
pwd
Paltalk
\.purple\accounts.xml
<account>
<protocol>
</protocol>
<name>
</name>
<password>
</password>
Pidgin
\SmartFTP\Client 2.0\Favorites\Quick Connect\
\SmartFTP\Client 2.0\Favorites\Quick Connect\*.xml
<Password>
</Password>
<Name>
</Name>
SmartFTP
appdata
\Ipswitch\WS_FTP\Sites\ws_ftp.ini
HOST
UID
PWD
WS_FTP
PWD=
Key
Mode
IV
Padding
CreateDecryptor
\cftp\Ftplist.txt
;Server=
;Port=
;Password=
;User=
;Anonymous=
Name=
FTPCommander
\FTPGetter\servers.xml
<server>
<server_ip>
</server_ip>
<server_port>
</server_port>
<server_user_name>
</server_user_name>
<server_user_password>
</server_user_password>
FTPGetter
HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC
HKEY_CURRENT_USER\SOFTWARE\Vitalwerks\DUC
USERname
NO-IP
+-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
\The Bat!
\Account.CFN
zzz
TheBat
HKEY_CURRENT_USER\Software\RimArts\B2\Settings
DataDir
Folder.lst
\Mailbox.ini
Account
SMTPServer
MailAddress
PassWd
Becky!
\Trillian\users\global\accounts.dat
Accounts
Trillian
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Email
IMAP Password
POP3 Password
HTTP Password
SMTP Password
SMTP Server
Outlook
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Executable
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
FoxmailPath
\Storage\
\mail\
\VirtualStore\Program Files\Foxmail\mail\
\VirtualStore\Program Files (x86)\Foxmail\mail\
\Accounts\Account.rec0
\Account.stg
Read
Dispose
POP3Host
SMTPHost
IncomingServer
POP3Password
Foxmail
5A
71
\Opera Mail\Opera Mail\wand.dat
opera:
Opera Mail
abcçdefgğhıijklmnoöpqrsştuüvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
\Pocomail\accounts.ini
POPPass
SMTPPass
SMTP
PocoMail
RealVNC 4.x
SOFTWARE\Wow6432Node\RealVNC\WinVNC4
RealVNC 3.x
SOFTWARE\RealVNC\vncserver
SOFTWARE\RealVNC\WinVNC4
Software\ORL\WinVNC3
TightVNC
Software\TightVNC\Server
PasswordViewOnly
TightVNC ControlPassword
ControlPassword
TigerVNC
Software\TigerVNC\Server
Trim
UltraVNC
ProgramFiles(x86)
\uvnc bvba\UltraVNC\ultravnc.ini
passwd
passwd2
ProgramFiles
\UltraVNC\ultravnc.ini
\eM Client
.dll
eM Client\accounts.dat
eM Client
AccountConfiguration
72905C47-F4FD-4CF7-A489-4E8121A155BD
host
o6806642kbM7c5
\Mailbird\Store\Store.db
Server_Host
EncryptedPassword
Mailbird
SenderIdentities
NordVPN
NordVPN directory not found!
NordVpn.exe*
user.config
SelectSingleNode
//setting[@name='Username']/value
InnerText
//setting[@name='Password']/value
\MySQL\Workbench\workbench_user_data.dat


MySQL Workbench
%ProgramW6432%
Private Internet Access\data
\Private Internet Access\data
\account.json
.*"username":"(.*?)"
.*"password":"(.*?)"
Private Internet Access
<array>
<dict>
<string>
</string>
<data>
</data>
Safari Browser
-convert xml1 -s -o "
\fixed_keychain.xml"
A
10
B
11
C
12
D
13
E
14
F
15
ABCDEF
(
EndsWith
)
IndexOf
UNIQUE
table
Software\DownloadManager\Passwords\
EncPassword
Internet Download Manager
{0}
http://127.0.0.1:
HTTP/1.1
Hostname
200 Connection established Proxy-Agent: HToS5x
Connect
PathAndQuery
Fragment
Host:
Wr
W
ExtractFile
n
Tor
AUTHENTICATE "%torpass%"
SIGNAL NEWNYM
250
tor
StartInfo
FileName
\Tor\tor.exe
Arguments
UseShellExecute
RedirectStandardOutput
CreateNoWindow
Start
StandardOutput
ReadLine
Contains
Bootstrapped 100%
EndOfStream
Id
AvoidDiskWrites 1 Log notice stdout DormantCanceledByStartup 1 ControlPort 9051 CookieAuthentication 1 runasdaemon 1 ExtORPort auto hashedcontrolpassword %hash% DataDirectory %tordir%\Data\Tor GeoIPFile %tordir%\Data\Tor\geoip GeoIPv6File %tordir%\Data\Tor\geoip6
\tor.zip
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
%tordir%
%hash%
%torpass%
https://www.theonionrouter.com/dist.torproject.org/torbrowser/
<a.+?href\s*=\s*(["'])(?<href>.+?)\1[^>]*>
href
Replace
TrimStart
TrimEnd
tor-win32-
TransformBlock
Hash
16:
None
win32_processor
processorID
429628c9-af07-4369-a3d9-05084eca6f83
Win32_NetworkAdapterConfiguration
IPEnabled
MacAddress
e46c3618-dbd5-4696-b828-8dc826eaecc4
WinMgmts:
InstancesOf
Win32_BaseBoard
SerialNumber
b7239939-3317-46dd-bf42-0727acf1a4f8
x2
00061561
Berkelet DB
00000002
1.85 (Hash, version 2, native byte-order)
Unknow database format
SEQUENCE {
{0:X2}
INTEGER
OCTETSTRING
OBJECTIDENTIFIER
}
sha256
key4.db
metaData
id
item1
item2
nssPrivate
a11
a102
2a864886f70d0209
2a864886f70d010c050103
key3.db
global-salt
Version
password-check
logins.json
\"(hostname|encryptedPassword|encryptedUsername)":"(.*?)"
[^\u0020-\u007F]
signons.sqlite
moz_logins
hostname
encryptedUsername
encryptedPassword
Version=4.0.0.0
version=2.0.0.0
mscorlib
System
MailClient.Protocols.Smtp.SmtpAccountConfiguration
MailClient.Accounts.TlsType
MailClient.Accounts.CredentialsModelTypes
MailClient.Accounts.Mail.MailAccountConfiguration
MailClient.Accounts.ArchivingScope
MailClient.Mail.MailAddress
;
info
AccountConfiguration+accountName
AccountConfiguration+username
AccountConfiguration+password
providerName
Port587
Passwordnilya1957
Hostposta.ni.net.tr
Protocolsmtp
PID:
3196
CMD:
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3096.17353\BCNDHGJK.exe"
Path:
C:\Users\admin\AppData\Local\Temp\Rar$EXa3096.17353\BCNDHGJK.exe
Parent process:
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
BCNDHGJK
Exit code:
0
Version:
1.0.0.0
PID:
3620
CMD:
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process:
BCNDHGJK.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
4294967295
Version:
12.00.51209.34209 built by: FX452RTMGDR
AgentTesla
(PID) Process(3620) cvtres.exe
Strings (789)
20
yyyy-MM-dd HH:mm:ss
yyyy_MM_dd_HH_mm_ss
<br>
<hr>
ObjectLength
ChainingModeGCM
AuthTagLength
ChainingMode
KeyDataBlob
AES
Microsoft Primitive Provider
CONNECTION
KEEP-ALIVE
PROXY-AUTHENTICATE
PROXY-AUTHORIZATION
TE
TRAILER
TRANSFER-ENCODING
UPGRADE
%startupfolder%
\%insfolder%\%insname%
/
\%insfolder%\
Software\Microsoft\Windows\CurrentVersion\Run
%insregname%
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
True
https://api.ipify.org%
GET
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
OK
http://wreIBh.com
\kbk
SELECT * FROM Win32_Processor
Name
MB
Unknown
CO
CO_
-
_
.zip
yyyy-MM-dd hh-mm-ss
Cookie
application/zip
SC
SC_
.jpeg
Screenshot
image/jpeg
/log.tmp
KL
KL_
.html
<html>
</html>
Log
text/html
[
]
Time:
MM/dd/yyyy HH:mm:ss
User Name:
Computer Name:
OSFullName:
CPU:
RAM:
IP Address:
New
Recovered!
User Name
:
OSFullName
uninstall
Software\Microsoft\Windows NT\CurrentVersion\Windows
Load
%ftphost%/
%ftpuser%
%ftppassword%
STOR
Length
Write
Close
GetBytes
Opera Browser
Opera Software\Opera Stable
Yandex Browser
Yandex\YandexBrowser\User Data
Iridium Browser
Iridium\User Data
Chromium
Chromium\User Data
7Star
7Star\7Star\User Data
Torch Browser
Torch\User Data
Cool Novo
MapleStudio\ChromePlus\User Data
Kometa
Kometa\User Data
Amigo
Amigo\User Data
Brave
BraveSoftware\Brave-Browser\User Data
CentBrowser
CentBrowser\User Data
Chedot
Chedot\User Data
Orbitum
Orbitum\User Data
Sputnik
Sputnik\Sputnik\User Data
Comodo Dragon
Comodo\Dragon\User Data
Vivaldi
Vivaldi\User Data
Citrio
CatalinaGroup\Citrio\User Data
360 Browser
360Chrome\Chrome\User Data
Uran
uCozMedia\Uran\User Data
Liebao Browser
liebao\User Data
Elements Browser
Elements Browser\User Data
Epic Privacy
Epic Privacy Browser\User Data
Coccoc
CocCoc\Browser\User Data
Sleipnir 6
Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
QIP Surf
QIP Surf\User Data
Coowon
Coowon\Coowon\User Data
APPDATA
\CoreFTP\sites.idx
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites\
Host
HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSites
Port
User
PW
CoreFTP
webpanel
,
"
smtp
ftp
URL:
Username:
Password:
Application:
URL:
Username:
Password:
Application:
PW_
nilya1957
posta.ni.net.tr
image/jpg
:Zone.Identifier
\tmpG
.tmp
%urlkey%
-f
\Data\Tor\torrc
p=
%PostURL%
127.0.0.1
POST
+
%2B
application/x-www-form-urlencoded
&
&amp;
<
&lt;
>
&gt;
&quot;
Copied Text:
<font color="#00b1ba"><b>[
</b>
<b>]</b> <font color="#000000">(
)</font></font>
False
<font color="#00ba66">{BACK}</font>
</font>
<font color="#00ba66">{ALT+TAB}</font>
<font color="#00ba66">{ALT+F4}</font>
<font color="#00ba66">{TAB}</font>
<font color="#00ba66">{ESC}</font>
<font color="#00ba66">{Win}</font>
<font color="#00ba66">{CAPSLOCK}</font>
<font color="#00ba66">&uarr;</font>
<font color="#00ba66">&darr;</font>
<font color="#00ba66">&larr;</font>
<font color="#00ba66">&rarr;</font>
<font color="#00ba66">{DEL}</font>
<font color="#00ba66">{END}</font>
<font color="#00ba66">{HOME}</font>
<font color="#00ba66">{Insert}</font>
<font color="#00ba66">{NumLock}</font>
<font color="#00ba66">{PageDown}</font>
<font color="#00ba66">{PageUp}</font>
<font color="#00ba66">{ENTER}</font>
<font color="#00ba66">{F1}</font>
<font color="#00ba66">{F2}</font>
<font color="#00ba66">{F3}</font>
<font color="#00ba66">{F4}</font>
<font color="#00ba66">{F5}</font>
<font color="#00ba66">{F6}</font>
<font color="#00ba66">{F7}</font>
<font color="#00ba66">{F8}</font>
<font color="#00ba66">{F9}</font>
<font color="#00ba66">{F10}</font>
<font color="#00ba66">{F11}</font>
<font color="#00ba66">{F12}</font>
control
<font color="#00ba66">{CTRL}</font>
Windows RDP
credential
policy
blob
rdg
chrome
{{{0}}}
CopyTo
ComputeHash
sha512
Copy
SystemDrive
\
WScript.Shell
RegRead
g
401
502
500
Add
chat_id
caption
/sendDocument
document
---------------------------
x
--
multipart/form-data; boundary=
Content-Disposition: form-data; name="{0}" {1}
Content-Disposition: form-data; name="{0}"; filename="{1}" Content-Type: {2}
--
Cookies
Opera
Chrome
\Google\Chrome\User Data
\360Chrome\Chrome\User Data
Yandex
SRWare Iron
Brave Browser
\Iridium\User Data
CoolNovo
Epic Privacy Browser
CocCoc
QQ Browser
Tencent\QQBrowser\User Data
UC Browser
UCBrowser\
uCozMedia
cookies.sqlite
Firefox
\Mozilla\Firefox\
IceCat
\Mozilla\icecat\
PaleMoon
\Moonchild Productions\Pale Moon\
SeaMonkey
\Mozilla\SeaMonkey\
Flock
\Flock\Browser\
K-Meleon
\K-Meleon\
PID: 2568
Command line: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3096.30850\BCNDHGJK.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3096.30850\BCNDHGJK.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
BCNDHGJK
Exit code:
0
Version:
1.0.0.0
PID: 3936
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process: BCNDHGJK.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Version:
12.00.51209.34209 built by: FX452RTMGDR
AgentTesla
(PID) Process: (3936) cvtres.exe
Strings (789)
PID: 1036
Command line: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\WHXRK3RY\09876560098.pdf"
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: OUTLOOK.EXE
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
20.13.20064.405839
PID: 1116
Command line: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\WHXRK3RY\09876560098.pdf"
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: AcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
20.13.20064.405839
Total events
21 356
Read events
20 636
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
127
Text files
19
Unknown types
6

Dropped files

PID
Process
Filename
Type
PID: 2960
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRA604.tmp.cvr
Type:
MD5:
SHA256:

PID: 2960
Process: OUTLOOK.EXE
Filename: C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
Type:
MD5:
SHA256:

PID: 2960
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
Type: pgc
MD5: 9D44E048454210CE40F79C81331425C8
SHA256: BE884E2330A3C082E850E03E563C9B63CD187746430F3F75111CAAF8E2824E11

PID: 3096
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3096.30850\BCNDHGJK.exe
Type: executable
MD5: 664F8FDE9B17B5B5AD6C64D3B45CF45B
SHA256: 00FDC4EC48B20F242022329109DC1E46B881A9F044F8D3D2C41C5071F13F284F

PID: 2960
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\WHXRK3RY\BCNDHGJK.Z
Type: compressed
MD5: CAFE158681606E67892D5F4F0DF739E1
SHA256: DFBBEB21D7F76500F4BC965688865F595F9DB83DAE4A5BA0FB57C75A9BA90271

PID: 2960
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Temp\outlook logging\firstrun.log
Type: text
MD5: 862A477307D592ABB660F2A157C89945
SHA256: C2FE5868C5D9870166C0DD2ABDBDD27CA7A89C193D53B4564575E205F5491247

PID: 3096
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3096.16325\BCNDHGJK.exe
Type: executable
MD5: 664F8FDE9B17B5B5AD6C64D3B45CF45B
SHA256: 00FDC4EC48B20F242022329109DC1E46B881A9F044F8D3D2C41C5071F13F284F

PID: 2960
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Outlook\RoamCache\Stream_WorkHours_1_2D26C13A28854A48A3DB20A061D6F09C.dat
Type: xml
MD5: 807EF0FC900FEB3DA82927990083D6E7
SHA256: 4411E7DC978011222764943081500FFF0E43CBF7CCD44264BD1AB6306CA68913

PID: 2960
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\WHXRK3RY\BCNDHGJK (2).Z
Type: compressed
MD5: CAFE158681606E67892D5F4F0DF739E1
SHA256: DFBBEB21D7F76500F4BC965688865F595F9DB83DAE4A5BA0FB57C75A9BA90271

PID: 3096
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3096.17353\BCNDHGJK.exe
Type: executable
MD5: 664F8FDE9B17B5B5AD6C64D3B45CF45B
SHA256: 00FDC4EC48B20F242022329109DC1E46B881A9F044F8D3D2C41C5071F13F284F
HTTP(S) requests
3
TCP/UDP connections
12
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1036
AcroRd32.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D
US
der
471 b
whitelisted
1036
AcroRd32.exe
GET
200
8.249.63.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b77d7c952f174d7a
US
compressed
4.70 Kb
whitelisted
1036
AcroRd32.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5b1be12541c4e163
US
compressed
4.70 Kb
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3620
cvtres.exe
89.252.128.115:587
posta.ni.net.tr
Netinternet Bilisim Teknolojileri AS
TR
malicious
4068
RdrCEF.exe
2.20.72.142:443
armmf.adobe.com
Akamai International B.V.
suspicious
2960
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted
1036
AcroRd32.exe
93.184.221.240:80
ctldl.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1036
AcroRd32.exe
23.6.112.18:443
acroipm2.adobe.com
Akamai International B.V.
NL
malicious
4068
RdrCEF.exe
23.47.208.143:443
geo2.adobe.com
NTT DOCOMO, INC.
US
unknown
1036
AcroRd32.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
4068
RdrCEF.exe
107.22.247.231:443
p13n.adobe.io
Amazon.com, Inc.
US
suspicious
856
svchost.exe
2.18.233.74:443
armmf.adobe.com
Akamai International B.V.
whitelisted
1036
AcroRd32.exe
8.249.63.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
posta.ni.net.tr
  • 89.252.128.115
malicious
geo2.adobe.com
  • 23.47.208.143
whitelisted
armmf.adobe.com
  • 2.20.72.142
  • 2.18.233.74
whitelisted
acroipm2.adobe.com
  • 23.6.112.18
  • 23.6.112.41
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
  • 8.249.63.254
  • 8.241.45.126
  • 8.238.176.254
  • 8.249.61.254
whitelisted
p13n.adobe.io
  • 107.22.247.231
  • 18.207.85.246
  • 34.193.227.236
  • 54.144.73.197
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

PID
Process
Class
Message
3620
cvtres.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
No debug info