Deobfuscates strings from Rhadamanthys - Stage 3 (3ef91f5460ebe3f9d874213856a403c7)
df57c,'atcuf32' | |
df564,'bdhkm32' | |
df73c,'/bin/i386/coredll.bin' | |
df660,'/extension/%08x.xs' | |
df660,'/extension/%08x.xs' | |
df628,'RtlGetVersion' | |
df60c,'ntdll.dll' | |
df990,'ABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890abcdefghijklmnopqrstuvwxyz' | |
df968,'Sec-Websocket-Version' | |
df944,'Sec-Websocket-Key' | |
df92c,'Accept' | |
df894,'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' | |
df874,'Accept-Language' | |
df854,'en-US,en;q=0.9' | |
df834,'Accept-Encoding' | |
df810,'gzip, deflate, br' | |
df7f4,'User-Agent' | |
df7dc,'Upgrade' | |
df7c0,'websocket' | |
df7a4,'Connection' | |
df78c,'upgrade' | |
df778,'13' | |
df764,'GET' | |
dfa58,'/etc/puk.key' | |
dfa40,'http://' | |
dfa24,'https://' | |
dfa40,'http://' | |
dfa24,'https://' | |
dfa00,'/etc/license.key' | |
df9e4,'/etc/ua.txt' | |
df6a4,'/bin/runtime.dll' | |
df684,'/bin/loader.dll' | |
e07e4,'@%s' | |
e0874,'_G' | |
e085c,'package' | |
e0844,'preload' | |
e0828,'MessagePack' | |
e0810,'winreg' | |
e07f8,'cjson' | |
e0a40,'fs_search' | |
e0a24,'flag_exist' | |
e0a08,'parse_path' | |
e09ec,'file_exist' | |
e09d0,'path_exist' | |
e09b4,'add_stream' | |
e0998,'add_file' | |
e097c,'set_commit' | |
e0960,'ps_getpath' | |
e0944,'get_arch' | |
e0928,'readfile' | |
e0914,'gc' | |
e08f8,'reg_export' | |
e08dc,'send_data' | |
e08bc,'decrypt_utf8' | |
e085c,'package' | |
e08a4,'loaded' | |
e0888,'framework' | |
e0888,'framework' | |
e0ab0,'FileSizeLow' | |
e0a90,'FileSizeHigh' | |
e0a74,'Filename' | |
e0a5c,'Name' | |
e0c6c,'/bin/i386' | |
e0c4c,'%s/stubmod.bin' | |
e0c6c,'/bin/i386' | |
e0c34,'%s/%s' | |
e0c1c,'/bin/%s' | |
df60c,'ntdll.dll' | |
df73c,'/bin/i386/coredll.bin' | |
df73c,'/bin/i386/coredll.bin' | |
e0dc4,'core.dll' | |
e0edc,'RHMTHYS' | |
e0edc,'RHMTHYS' | |
e0edc,'RHMTHYS' | |
e0edc,'RHMTHYS' | |
e0edc,'RHMTHYS' | |
e0edc,'RHMTHYS' | |
e0f34,'IsWow64Process' | |
e0f54,'/bin/i386/stubexec.bin' | |
df73c,'/bin/i386/coredll.bin' | |
df6ec,'/bin/i386/taskcore.bin' | |
e23b0,'kernel32' | |
e2394,'kernelbase' | |
e2324,'user32' | |
e22b8,'advapi32' | |
e224c,'gdi32' | |
e21e4,'ole32' | |
e217c,'combase' | |
e2110,'ws2_32' | |
e3528,'_chrome-extension://' | |
e3b94,'os_crypt' | |
e3b74,'encrypted_key' | |
e3a98,'card_number_encrypted' | |
e3a98,'card_number_encrypted' | |
e3a98,'card_number_encrypted' | |
e3a98,'card_number_encrypted' | |
e3a98,'card_number_encrypted' | |
e3ac0,'name' | |
e3a04,'value' | |
e39e4,'credit_cards' | |
e39c8,'autofill' | |
e39ac,'Twinkstar' | |
e3a98,'card_number_encrypted' | |
e3a98,'card_number_encrypted' | |
e3a98,'card_number_encrypted' | |
e3a98,'card_number_encrypted' | |
e3a98,'card_number_encrypted' | |
e3ac0,'name' | |
e3a04,'value' | |
e39e4,'credit_cards' | |
e39c8,'autofill' | |
e3964,'origin_url' | |
e3964,'origin_url' | |
e3964,'origin_url' | |
e38cc,'logins' | |
e38cc,'logins' | |
e3890,'360' | |
e3830,'domain' | |
e3830,'domain' | |
e3830,'domain' | |
e37dc,'tb_account' | |
e3768,'host_key' | |
e3768,'host_key' | |
e3768,'host_key' | |
e3768,'host_key' | |
e3768,'host_key' | |
e3768,'host_key' | |
e36dc,'encrypted_value' | |
e3768,'host_key' | |
e36c0,'httponly' | |
e3734,'path' | |
e36a8,'secure' | |
e36fc,'expires_utc' | |
e3ac0,'name' | |
e36dc,'encrypted_value' | |
e3690,'cookies' | |
e3690,'cookies' | |
e3658,'url' | |
e3658,'url' | |
e3628,'urls' | |
e360c,'downloads' | |
e35cc,'roots' | |
e3ac0,'name' | |
e3658,'url' | |
e35b0,'children' | |
e3588,'chrome_%08x' | |
e3568,'Brave-Browser' | |
e61a0,'Brave' | |
e3d1c,'!WP:' | |
e6234,'brave' | |
e621c,'wallet' | |
e61e8,'keyring_encryption_keys_migrated' | |
e3964,'origin_url' | |
e3964,'origin_url' | |
e3964,'origin_url' | |
e38cc,'logins' | |
e38cc,'logins' | |
e3890,'360' | |
e3830,'domain' | |
e3830,'domain' | |
e3830,'domain' | |
e37dc,'tb_account' | |
e644c,'N' | |
e634c,'host' | |
e6334,'user' | |
e37f8,'password' | |
e631c,'port' | |
e6304,'coreftp' | |
e64c4,'windows-credential' | |
e66e0,'MasterKey' | |
e66c4,'$[M]Discord' | |
e6670,'discord' | |
e6728,'_https://discordapp.com|\x01token' | |
e66fc,'_https://discord.com|\x01token' | |
e3b94,'os_crypt' | |
e3b74,'encrypted_key' | |
e634c,'host' | |
e6334,'user' | |
e37f8,'password' | |
e631c,'port' | |
e67fc,'keyfile' | |
e67ac,'filezilla' | |
e68f4,'RecentServers' | |
e68f4,'RecentServers' | |
e68f4,'RecentServers' | |
e68f4,'RecentServers' | |
e68f4,'RecentServers' | |
e68f4,'RecentServers' | |
e68f4,'RecentServers' | |
e68f4,'RecentServers' | |
e696c,'email' | |
e37f8,'password' | |
e6954,'foxmail' | |
e6ce8,'~draGon~' | |
e6ccc,'~F@7%m$~' | |
e6c54,'Account' | |
e6c34,'POP3Ac1junt' | |
e6c18,'Password' | |
e6bf8,'POP3Password' | |
e6c54,'Account' | |
e6c34,'POP3Ac1junt' | |
e6c18,'Password' | |
e6bf8,'POP3Password' | |
e6ba0,'\nMailAddress=' | |
e6b84,'\nPassword=' | |
e6b64,'\nPOP3Password=' | |
e3964,'origin_url' | |
e3944,'username_value' | |
e3924,'password_value' | |
e3768,'host_key' | |
e374c,'is_httponly' | |
e3734,'path' | |
e3718,'is_secure' | |
e36fc,'expires_utc' | |
e3ac0,'name' | |
e3a04,'value' | |
e3658,'url' | |
e6d14,'msie' | |
e6eac,'KeePassHax.dll' | |
e6f4c,'keepass' | |
e760c,'NSS_Init' | |
e75ec,'PK11SDR_Decrypt' | |
e75c8,'PK11_Authenticate' | |
e75a0,'PK11_GetInternalKeySlot' | |
e7580,'PK11_FreeSlot' | |
e755c,'SECITEM_ZfreeItem' | |
e753c,'NSS_Shutdown' | |
e751c,'formSubmitURL' | |
e751c,'formSubmitURL' | |
e751c,'formSubmitURL' | |
e751c,'formSubmitURL' | |
e751c,'formSubmitURL' | |
e751c,'formSubmitURL' | |
e751c,'formSubmitURL' | |
e751c,'formSubmitURL' | |
e751c,'formSubmitURL' | |
e751c,'formSubmitURL' | |
e3658,'url' | |
e3658,'url' | |
e746c,'title' | |
e3658,'url' | |
e744c,'FirefoxPortable' | |
e73c4,'SELECT url FROM (SELECT * FROM moz_annos INNER JOIN moz_places ON moz_annos.place_id=moz_places.id) t GROUP BY place_id' | |
e7344,'SELECT title, url FROM (SELECT * FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id)' | |
e38cc,'logins' | |
e7628,'moz_logins' | |
e7644,'moz_cookies' | |
e7690,'moz_places' | |
e760c,'NSS_Init' | |
e75ec,'PK11SDR_Decrypt' | |
e75c8,'PK11_Authenticate' | |
e75a0,'PK11_GetInternalKeySlot' | |
e7580,'PK11_FreeSlot' | |
e755c,'SECITEM_ZfreeItem' | |
e753c,'NSS_Shutdown' | |
e76dc,'hostname' | |
e76dc,'hostname' | |
e76dc,'hostname' | |
e3d1c,'!WP:' | |
e7be8,'"extensions.webextensions.uuids"' | |
e7bcc,'{"root":' | |
e7bb0,'root' | |
e7d58,'profile' | |
e3814,'username' | |
e37f8,'password' | |
e7d40,'openvpn' | |
e7ce8,'$[V]OpenVPN' | |
e7cc4,'$[V]OpenVPN Connect' | |
e7e8c,'$[G]Steam' | |
e8164,'Text' | |
e8140,'stickynotes_sqlite' | |
e80a4,'stickynotes' | |
e8074,'$[N]Stickynotes/Media' | |
e81c0,'Notes' | |
e81a8,'Note' | |
e81a8,'Note' | |
e81c0,'Notes' | |
e81a8,'Note' | |
e81a8,'Note' | |
e81ec,'@sysinfo' | |
df628,'RtlGetVersion' | |
df60c,'ntdll.dll' | |
e83b0,'GetSystemPowerStatus' | |
e8390,'kernel32.dll' | |
e8368,'CallNtPowerInformation' | |
e8348,'powrProf.dll' | |
e8314,'WTSQueryUserToken' | |
e8390,'kernel32.dll' | |
e8230,'CPU' | |
e821c,'GPU' | |
e863c,'teamviewer' | |
e883c,'$[M]Telegram' | |
e88dc,'web-credential' | |
e89c8,'VaultEnumerateVaults' | |
e89a4,'VaultEnumerateItems' | |
e8984,'VaultOpenVault' | |
e8968,'VaultFree' | |
e8948,'VaultCloseVault' | |
e8928,'VaultGetItem' | |
e3658,'url' | |
e8a14,'login' | |
e37f8,'password' | |
e631c,'port' | |
e89fc,'winscp' | |
df48c,\GLOBAL?? | |
df530,ImfRegistryFilter | |
df50c,aswMonFlt | |
df4f0,AVGSP | |
df4cc,K7Sentry | |
df4b0,BdDci | |
dfaa0,\Registry\Machine\S | |
dfa78,MachineGuid | |
dfb68,%LOCALAPPDATA%\Microsoft\ | |
dfb50,exe | |
dfb34,runas | |
dfc58,%Systemroot%\system32\rekeywiz.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe | |
e05bc,%ProgramFiles%\Windows Media Player\ | |
e0670,.exe | |
e0644,wmpconfig.exe | |
e0618,wmpnetwk.exe | |
e068c,\\.\pipe\{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x} | |
e0b54,%USERPROFILE% | |
e0b80,"%DSK" | |
e0f08,explorer.exe | |
e1070,ROOT\CIMV2 | |
e1044,Win32_Process | |
e1014,Create | |
e0ff8,"%s" | |
e0fd8,"%s" %s | |
e0fa4,CurrentDirectory | |
e0f7c,CommandLine | |
e1fc8,%Systemroot%\system32\dllhost.exe | |
e1fc8,%Systemroot%\system32\dllhost.exe | |
e1fc8,%Systemroot%\system32\dllhost.exe | |
e1fc8,%Systemroot%\system32\dllhost.exe | |
e1fc8,%Systemroot%\system32\dllhost.exe | |
e1fc8,%Systemroot%\system32\dllhost.exe | |
e201c,\Registry\Machine\%s | |
e2064,\Systemroot\system32\kernel32.dll | |
e233c,\Systemroot\system32\kernelbase.dll | |
e22d4,\Systemroot\system32\user32.dll | |
e2264,\Systemroot\system32\advapi32.dll | |
e21fc,\Systemroot\system32\gdi32.dll | |
e2194,\Systemroot\system32\ole32.dll | |
e2128,\Systemroot\system32\combase.dll | |
e20c0,\Systemroot\system32\ws2_32.dll | |
e3494,%s\Local Extension Settings\%s | |
e3448,%s\Sync Extension Settings\%s | |
e34e4,%s\Local Storage\leveldb | |
e3bb0,\Local State | |
e3b48,\Last Version | |
e3b1c,\Last Browser | |
e3ad8,\Web Data | |
e3980,\Web Data Ts4 | |
e38e4,\Login Data For Account | |
e38a4,\Login Data | |
e3848,\apps\LoginAssis\assis2.db | |
e37b8,\Cookies | |
e3784,\Network\Cookies | |
e366c,\History | |
e35e4,\Bookmarks | |
e3cc4,\User Data | |
e3ca4,Browser | |
e3c80,\CocCoc\ | |
e3c50,\Pale Moon\ | |
e3c1c,\Sleipnir5\ | |
e3bdc,\Opera Software\ | |
e614c,fhbohimaelbohpjbbldcngcnapndodjp | |
e3fd4,pnlccmojcmeohlpggmfnbbiapkmbliob | |
e61b8,%s\Preferences | |
e3bb0,\Local State | |
e3bb0,\Local State | |
e3bb0,\Local State | |
e3ad8,\Web Data | |
e3980,\Web Data Ts4 | |
e38a4,\Login Data | |
e37b8,\Cookies | |
e62c4,--user-data-dir= | |
e38e4,\Login Data For Account | |
e38a4,\Login Data | |
e3848,\apps\LoginAssis\assis2.db | |
e6468,SOFTWARE\FTPWare\CoreFTP\Sites | |
e644c,Name | |
e644c,Name | |
e644c,Name | |
e644c,Name | |
e644c,Name | |
e644c,Name | |
e662c,CURRENT | |
e65d0,Discord\Local Storage\leveldb\CURRENT | |
e664c,\Discord | |
e3bb0,\Local State | |
e6688,Local Storage\leveldb | |
e6768,Local State | |
e6814,FileZilla | |
e67c8,\sitemanager.xml | |
e6914,recentservers.xml | |
e6a34,\Registry\Machine\Software\CLASSES\Applications\Foxmail.exe\shell\open\command | |
e6a18,.exe | |
e69d4,Software\Aerofox\Foxmail | |
e69ac,Executable | |
e6984,Foxmail.exe | |
e6b38,Account.rec0 | |
e6b38,Account.rec0 | |
e6b38,Account.rec0 | |
e6cb0,.rec0 | |
e6c70,\Accounts\Account.rec0 | |
e6bdc,.tdat | |
e6bc0,.stg | |
e6f24,KeePass.exe | |
e6f04,DllMain | |
e6ecc,KeePassHax.Program | |
e71ac,\compatibility.ini | |
e7184,LastAppDir | |
e7158,Compatibility | |
e7130,LastVersion | |
e7158,Compatibility | |
e7100,\extensions.ini | |
e70d8,Extension0 | |
e70ac,ExtensionDirs | |
e7080,\extensions\ | |
e6fcc,\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe | |
e6fb0,Path | |
e6f8c,\nss3.dll | |
e728c,\logins.json | |
e725c,\signons.sqlite | |
e7238,\key3.db | |
e7214,\key4.db | |
e71ac,\compatibility.ini | |
e72b8,nss3.dll | |
e7320,\Profiles | |
e3cc4,\User Data | |
e72f8,\K-Meleon\ | |
e728c,\logins.json | |
e725c,\signons.sqlite | |
e7660,\cookies.sqlite | |
e76ac,\places.sqlite | |
e76ac,\places.sqlite | |
e72b8,nss3.dll | |
e7814,%s\prefs.js | |
e77dc,%s\storage\default | |
e7c1c,userContextId | |
e7814,%s\prefs.js | |
e77dc,%s\storage\default | |
e7d04,%USERPROFILE%\OpenVPN | |
e7f6c,\Registry\Machine\Software\Valve\Steam | |
e7f30,SourceModInstallPath | |
e7f08,InstallPath | |
e7ec8,\config\loginusers.vdf | |
e7ea8,\config | |
e80e8,Software\Simnet\Simpl | |
e80c0,DBLocation | |
e817c,\Media | |
e8280,\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | |
e8248,ProcessorNameString | |
dfaa0,\Registry\Machine\S | |
dfa78,MachineGuid | |
e8608,DisplayName | |
e85d4,QuietDisplayName | |
e85a4,DisplayVersion | |
e857c,InstallDate | |
e8550,InstallSource | |
e852c,Publisher | |
e84fc,SystemComponent | |
e8718,TeamViewer | |
e86f8,#32770 | |
e86dc,Edit | |
e86dc,Edit | |
e86dc,Edit | |
e875c,\tdata\D877F783D5D3EF8C\configs | |
e8810,Telegram.exe | |
e8880,%s\tdata\key_datas | |
e885c,%s\tdata | |
e88fc,vaultcli.dll | |
e8bc8,Software\Martin Prikryl\WinSCP 2\Configuration\Security | |
e8b94,UseMasterPassword | |
e8b30,Software\Martin Prikryl\WinSCP 2\Sessions | |
e8b0c,HostName | |
e8b0c,HostName | |
e8b0c,HostName | |
e8b0c,HostName | |
e8b0c,HostName |