
@drole
Last active October 13, 2019 18:02
Azorult 3.3 Strings
firefox.exe
SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
SOFTWARE\Mozilla\Mozilla Firefox
SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
%appdata%\Mozilla\Firefox\Profile}[Ýã\
MozillaFireFox
CurrentVersion
Install_Directory
nss3.dll
thunderbird.exe
SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
SOFTWARE\Mozilla\Mozilla Thunderbird
SOFTWARE\Classes\ThunderbirdEML\DefaultIcon
%appdata%\Thunderbird\Profiles\
ThunderBird
SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
NSS_Init
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
NSS_Shutdown
PK11_FreeSlot
logins.json
logins
hostname
timesUsed
encryptedUsername
encryptedPassword
cookies.sqlite
formhistory.sqlite
%LOCALAPPDATA%\Google\Chrome\User Data\
%LOCALAPPDATA%\Google\Chrome SxS\User Data\
%LOCALAPPDATA%\Xpom\User Data\
%LOCALAPPDATA%\Yandex\YandexBrowser\User Data\
%LOCALAPPDATA%\Comodo\Dragon\User Data\
%LOCALAPPDATA%\Amigo\User Data\
%LOCALAPPDATA%\Orbitum\User Data\
%LOCALAPPDATA%\Bromium\User Data\
%LOCALAPPDATA%\Chromium\User Data\
%LOCALAPPDATA%\Nichrome\User Data\
%LOCALAPPDATA%\RockMelt\User Data\
%LOCALAPPDATA%\360Browser\Browser\User Data\
%LOCALAPPDATA%\Vivaldi\User Data\
%APPDATA%\Opera Software\
%LOCALAPPDATA%\Go!\User Data\
%LOCALAPPDATA%\Sputnik\Sputnik\User Data\
%LOCALAPPDATA%\Kometa\User Data\
%LOCALAPPDATA%\uCozMedia\Uran\User Data\
%LOCALAPPDATA%\QIP Surf\User Data\
%LOCALAPPDATA%\Epic Privacy Browser\User Data\
%APPDATA%\brave\
%LOCALAPPDATA%\CocCoc\Browser\User Data\
%LOCALAPPDATA%\CentBrowser\User Data\
%LOCALAPPDATA%\7Star\7Star\User Data\
%LOCALAPPDATA%\Elements Browser\User Data\
%LOCALAPPDATA%\TorBro\Profile\
%LOCALAPPDATA%\Suhba\User Data\
%LOCALAPPDATA%\Safer Technologies\Secure Browser\User Data\
%LOCALAPPDATA%\Rafotech\Mustang\User Data\
%LOCALAPPDATA%\Superbird\User Data\
%LOCALAPPDATA%\Chedot\User Data\
%LOCALAPPDATA%\Torch\User Data\
GoogleChrome
GoogleChrome64
InternetMailRu
YandexBrowser
ComodoDragon
Amigo
Orbitum
Bromium
Chromium
Nichrome
RockMelt
360Browser
Vivaldi
Opera
GoBrowser
Sputnik
Kometa
Uran
QIPSurf
Epic
Brave
CocCoc
CentBrowser
7Star
ElementsBrowser
TorBro
Suhba
SaferBrowser
Mustang
Superbird
Chedot
Torch
Login Data
Web Data
SELECT origin_url, username_value, password_value FROM logins
SELECT host_key, name, encrypted_value, value, path, secure, (expires_utc/1000000)-11644473600 FROM cookies
SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
SELECT name, value FROM autofill
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
%APPDATA%\Microsoft\Windows\Cookies\
%APPDATA%\Microsoft\Windows\Cookies\Low\
%LOCALAPPDATA%\Microsoft\Windows\INetCache\
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\
%LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\
InternetExplorer
InternetExplorerLow
InternetExplorerINetCache
MicrosoftEdge_AC_INetCookies
MicrosoftEdge_AC_001
MicrosoftEdge_AC_002
MicrosoftEdge_AC
Software\Microsoft\Internet Explorer
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
POP3
IMAP
SMTP
HTTP
%appdata%\Waterfox\Profiles\
Waterfox
%appdata%\Comodo\IceDragon\Profiles\
IceDragon
%appdata%\8pecxstudios\Cyberfox\Profiles\
Cyberfox
sqlite3_open
sqlite3_close
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_column_bytes
sqlite3_finalize
%APPDATA%\filezilla\recentservers.xml
<RecentServers>
</RecentServers>
<Server>
</Server>
<Host>
</Host>
<Port>
</Port>
<User>
</User>
<Pass>
</Pass>
<Pass encoding="base64">
FileZilla
ole32.dll
CLSIDFromString
{4BF4C442-9B8A-41A0-B380-DD4A704DDB28}
{3CCD5499-87A8-4B10-A215-608888DD3B55}
vaultcli.dll
VaultOpenVault
VaultEnumerateItems
VaultGetItem
MicrosoftEdge
Browsers\AutoComplete
CookieList.txt
SELECT host_key, name, encrypted_value, value, path, is_secure, (expires_utc/1000000)-11644473600 FROM cookies
%appdata%\Moonchild Productions\Pale Moon\Profiles\
PaleMoon
%appdata%\Electrum\wallets\
\Electrum
%appdata%\Electrum-LTC\wallets\
\Electrum-LTC
%appdata%\ElectrumG\wallets\
\ElectrumG
%appdata%\Electrum-btcp\wallets\
\Electrum-btcp
%APPDATA%\Ethereum\keystore\
\Ethereum
%APPDATA%\Exodus\
\Exodus
\Exodus Eden
*.json,*.seco
%APPDATA%\Jaxx\Local Storage\
\Jaxx\Local Storage\
%APPDATA%\MultiBitHD\
\MultiBitHD
mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml
.wallet
wallets\.wallet
wallet.dat
wallets\wallet.dat
electrum.dat
wallets\electrum.dat
Software\monero-project\monero-core
wallet_path
Bitcoin\Bitcoin-Qt
BitcoinGold\BitcoinGold-Qt
BitCore\BitCore-Qt
Litecoin\Litecoin-Qt
BitcoinABC\BitcoinABC-Qt
%APPDATA%\Exodus Eden\
%Appdata%\Psi+\profiles\
%Appdata%\Psi\profiles\
<roster-cache>
</roster-cache>
<jid type="QString">
<password type="QString">
</password>