
@hasherezade
Last active December 5, 2023 00:29
Deobfuscates strings from Rhadamanthys - Stage 3 (3ef91f5460ebe3f9d874213856a403c7)
df57c,'atcuf32'
df564,'bdhkm32'
df73c,'/bin/i386/coredll.bin'
df660,'/extension/%08x.xs'
df660,'/extension/%08x.xs'
df628,'RtlGetVersion'
df60c,'ntdll.dll'
df990,'ABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890abcdefghijklmnopqrstuvwxyz'
df968,'Sec-Websocket-Version'
df944,'Sec-Websocket-Key'
df92c,'Accept'
df894,'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
df874,'Accept-Language'
df854,'en-US,en;q=0.9'
df834,'Accept-Encoding'
df810,'gzip, deflate, br'
df7f4,'User-Agent'
df7dc,'Upgrade'
df7c0,'websocket'
df7a4,'Connection'
df78c,'upgrade'
df778,'13'
df764,'GET'
dfa58,'/etc/puk.key'
dfa40,'http://'
dfa24,'https://'
dfa40,'http://'
dfa24,'https://'
dfa00,'/etc/license.key'
df9e4,'/etc/ua.txt'
df6a4,'/bin/runtime.dll'
df684,'/bin/loader.dll'
e07e4,'@%s'
e0874,'_G'
e085c,'package'
e0844,'preload'
e0828,'MessagePack'
e0810,'winreg'
e07f8,'cjson'
e0a40,'fs_search'
e0a24,'flag_exist'
e0a08,'parse_path'
e09ec,'file_exist'
e09d0,'path_exist'
e09b4,'add_stream'
e0998,'add_file'
e097c,'set_commit'
e0960,'ps_getpath'
e0944,'get_arch'
e0928,'readfile'
e0914,'gc'
e08f8,'reg_export'
e08dc,'send_data'
e08bc,'decrypt_utf8'
e085c,'package'
e08a4,'loaded'
e0888,'framework'
e0888,'framework'
e0ab0,'FileSizeLow'
e0a90,'FileSizeHigh'
e0a74,'Filename'
e0a5c,'Name'
e0c6c,'/bin/i386'
e0c4c,'%s/stubmod.bin'
e0c6c,'/bin/i386'
e0c34,'%s/%s'
e0c1c,'/bin/%s'
df60c,'ntdll.dll'
df73c,'/bin/i386/coredll.bin'
df73c,'/bin/i386/coredll.bin'
e0dc4,'core.dll'
e0edc,'RHMTHYS'
e0edc,'RHMTHYS'
e0edc,'RHMTHYS'
e0edc,'RHMTHYS'
e0edc,'RHMTHYS'
e0edc,'RHMTHYS'
e0f34,'IsWow64Process'
e0f54,'/bin/i386/stubexec.bin'
df73c,'/bin/i386/coredll.bin'
df6ec,'/bin/i386/taskcore.bin'
e23b0,'kernel32'
e2394,'kernelbase'
e2324,'user32'
e22b8,'advapi32'
e224c,'gdi32'
e21e4,'ole32'
e217c,'combase'
e2110,'ws2_32'
e3528,'_chrome-extension://'
e3b94,'os_crypt'
e3b74,'encrypted_key'
e3a98,'card_number_encrypted'
e3a98,'card_number_encrypted'
e3a98,'card_number_encrypted'
e3a98,'card_number_encrypted'
e3a98,'card_number_encrypted'
e3ac0,'name'
e3a04,'value'
e39e4,'credit_cards'
e39c8,'autofill'
e39ac,'Twinkstar'
e3a98,'card_number_encrypted'
e3a98,'card_number_encrypted'
e3a98,'card_number_encrypted'
e3a98,'card_number_encrypted'
e3a98,'card_number_encrypted'
e3ac0,'name'
e3a04,'value'
e39e4,'credit_cards'
e39c8,'autofill'
e3964,'origin_url'
e3964,'origin_url'
e3964,'origin_url'
e38cc,'logins'
e38cc,'logins'
e3890,'360'
e3830,'domain'
e3830,'domain'
e3830,'domain'
e37dc,'tb_account'
e3768,'host_key'
e3768,'host_key'
e3768,'host_key'
e3768,'host_key'
e3768,'host_key'
e3768,'host_key'
e36dc,'encrypted_value'
e3768,'host_key'
e36c0,'httponly'
e3734,'path'
e36a8,'secure'
e36fc,'expires_utc'
e3ac0,'name'
e36dc,'encrypted_value'
e3690,'cookies'
e3690,'cookies'
e3658,'url'
e3658,'url'
e3628,'urls'
e360c,'downloads'
e35cc,'roots'
e3ac0,'name'
e3658,'url'
e35b0,'children'
e3588,'chrome_%08x'
e3568,'Brave-Browser'
e61a0,'Brave'
e3d1c,'!WP:'
e6234,'brave'
e621c,'wallet'
e61e8,'keyring_encryption_keys_migrated'
e3964,'origin_url'
e3964,'origin_url'
e3964,'origin_url'
e38cc,'logins'
e38cc,'logins'
e3890,'360'
e3830,'domain'
e3830,'domain'
e3830,'domain'
e37dc,'tb_account'
e644c,'N'
e634c,'host'
e6334,'user'
e37f8,'password'
e631c,'port'
e6304,'coreftp'
e64c4,'windows-credential'
e66e0,'MasterKey'
e66c4,'$[M]Discord'
e6670,'discord'
e6728,'_https://discordapp.com|\x01token'
e66fc,'_https://discord.com|\x01token'
e3b94,'os_crypt'
e3b74,'encrypted_key'
e634c,'host'
e6334,'user'
e37f8,'password'
e631c,'port'
e67fc,'keyfile'
e67ac,'filezilla'
e68f4,'RecentServers'
e68f4,'RecentServers'
e68f4,'RecentServers'
e68f4,'RecentServers'
e68f4,'RecentServers'
e68f4,'RecentServers'
e68f4,'RecentServers'
e68f4,'RecentServers'
e696c,'email'
e37f8,'password'
e6954,'foxmail'
e6ce8,'~draGon~'
e6ccc,'~F@7%m$~'
e6c54,'Account'
e6c34,'POP3Ac1junt'
e6c18,'Password'
e6bf8,'POP3Password'
e6c54,'Account'
e6c34,'POP3Ac1junt'
e6c18,'Password'
e6bf8,'POP3Password'
e6ba0,'\nMailAddress='
e6b84,'\nPassword='
e6b64,'\nPOP3Password='
e3964,'origin_url'
e3944,'username_value'
e3924,'password_value'
e3768,'host_key'
e374c,'is_httponly'
e3734,'path'
e3718,'is_secure'
e36fc,'expires_utc'
e3ac0,'name'
e3a04,'value'
e3658,'url'
e6d14,'msie'
e6eac,'KeePassHax.dll'
e6f4c,'keepass'
e760c,'NSS_Init'
e75ec,'PK11SDR_Decrypt'
e75c8,'PK11_Authenticate'
e75a0,'PK11_GetInternalKeySlot'
e7580,'PK11_FreeSlot'
e755c,'SECITEM_ZfreeItem'
e753c,'NSS_Shutdown'
e751c,'formSubmitURL'
e751c,'formSubmitURL'
e751c,'formSubmitURL'
e751c,'formSubmitURL'
e751c,'formSubmitURL'
e751c,'formSubmitURL'
e751c,'formSubmitURL'
e751c,'formSubmitURL'
e751c,'formSubmitURL'
e751c,'formSubmitURL'
e3658,'url'
e3658,'url'
e746c,'title'
e3658,'url'
e744c,'FirefoxPortable'
e73c4,'SELECT url FROM (SELECT * FROM moz_annos INNER JOIN moz_places ON moz_annos.place_id=moz_places.id) t GROUP BY place_id'
e7344,'SELECT title, url FROM (SELECT * FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id)'
e38cc,'logins'
e7628,'moz_logins'
e7644,'moz_cookies'
e7690,'moz_places'
e760c,'NSS_Init'
e75ec,'PK11SDR_Decrypt'
e75c8,'PK11_Authenticate'
e75a0,'PK11_GetInternalKeySlot'
e7580,'PK11_FreeSlot'
e755c,'SECITEM_ZfreeItem'
e753c,'NSS_Shutdown'
e76dc,'hostname'
e76dc,'hostname'
e76dc,'hostname'
e3d1c,'!WP:'
e7be8,'"extensions.webextensions.uuids"'
e7bcc,'{"root":'
e7bb0,'root'
e7d58,'profile'
e3814,'username'
e37f8,'password'
e7d40,'openvpn'
e7ce8,'$[V]OpenVPN'
e7cc4,'$[V]OpenVPN Connect'
e7e8c,'$[G]Steam'
e8164,'Text'
e8140,'stickynotes_sqlite'
e80a4,'stickynotes'
e8074,'$[N]Stickynotes/Media'
e81c0,'Notes'
e81a8,'Note'
e81a8,'Note'
e81c0,'Notes'
e81a8,'Note'
e81a8,'Note'
e81ec,'@sysinfo'
df628,'RtlGetVersion'
df60c,'ntdll.dll'
e83b0,'GetSystemPowerStatus'
e8390,'kernel32.dll'
e8368,'CallNtPowerInformation'
e8348,'powrProf.dll'
e8314,'WTSQueryUserToken'
e8390,'kernel32.dll'
e8230,'CPU'
e821c,'GPU'
e863c,'teamviewer'
e883c,'$[M]Telegram'
e88dc,'web-credential'
e89c8,'VaultEnumerateVaults'
e89a4,'VaultEnumerateItems'
e8984,'VaultOpenVault'
e8968,'VaultFree'
e8948,'VaultCloseVault'
e8928,'VaultGetItem'
e3658,'url'
e8a14,'login'
e37f8,'password'
e631c,'port'
e89fc,'winscp'
df48c,\GLOBAL??
df530,ImfRegistryFilter
df50c,aswMonFlt
df4f0,AVGSP
df4cc,K7Sentry
df4b0,BdDci
dfaa0,\Registry\Machine\S
dfa78,MachineGuid
dfb68,%LOCALAPPDATA%\Microsoft\
dfb50,exe
dfb34,runas
dfc58,%Systemroot%\system32\rekeywiz.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e052c,%Systemroot%\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
e05bc,%ProgramFiles%\Windows Media Player\
e0670,.exe
e0644,wmpconfig.exe
e0618,wmpnetwk.exe
e068c,\\.\pipe\{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
e0b54,%USERPROFILE%
e0b80,"%DSK"
e0f08,explorer.exe
e1070,ROOT\CIMV2
e1044,Win32_Process
e1014,Create
e0ff8,"%s"
e0fd8,"%s" %s
e0fa4,CurrentDirectory
e0f7c,CommandLine
e1fc8,%Systemroot%\system32\dllhost.exe
e1fc8,%Systemroot%\system32\dllhost.exe
e1fc8,%Systemroot%\system32\dllhost.exe
e1fc8,%Systemroot%\system32\dllhost.exe
e1fc8,%Systemroot%\system32\dllhost.exe
e1fc8,%Systemroot%\system32\dllhost.exe
e201c,\Registry\Machine\%s
e2064,\Systemroot\system32\kernel32.dll
e233c,\Systemroot\system32\kernelbase.dll
e22d4,\Systemroot\system32\user32.dll
e2264,\Systemroot\system32\advapi32.dll
e21fc,\Systemroot\system32\gdi32.dll
e2194,\Systemroot\system32\ole32.dll
e2128,\Systemroot\system32\combase.dll
e20c0,\Systemroot\system32\ws2_32.dll
e3494,%s\Local Extension Settings\%s
e3448,%s\Sync Extension Settings\%s
e34e4,%s\Local Storage\leveldb
e3bb0,\Local State
e3b48,\Last Version
e3b1c,\Last Browser
e3ad8,\Web Data
e3980,\Web Data Ts4
e38e4,\Login Data For Account
e38a4,\Login Data
e3848,\apps\LoginAssis\assis2.db
e37b8,\Cookies
e3784,\Network\Cookies
e366c,\History
e35e4,\Bookmarks
e3cc4,\User Data
e3ca4,Browser
e3c80,\CocCoc\
e3c50,\Pale Moon\
e3c1c,\Sleipnir5\
e3bdc,\Opera Software\
e614c,fhbohimaelbohpjbbldcngcnapndodjp
e3fd4,pnlccmojcmeohlpggmfnbbiapkmbliob
e61b8,%s\Preferences
e3bb0,\Local State
e3bb0,\Local State
e3bb0,\Local State
e3ad8,\Web Data
e3980,\Web Data Ts4
e38a4,\Login Data
e37b8,\Cookies
e62c4,--user-data-dir=
e38e4,\Login Data For Account
e38a4,\Login Data
e3848,\apps\LoginAssis\assis2.db
e6468,SOFTWARE\FTPWare\CoreFTP\Sites
e644c,Name
e644c,Name
e644c,Name
e644c,Name
e644c,Name
e644c,Name
e662c,CURRENT
e65d0,Discord\Local Storage\leveldb\CURRENT
e664c,\Discord
e3bb0,\Local State
e6688,Local Storage\leveldb
e6768,Local State
e6814,FileZilla
e67c8,\sitemanager.xml
e6914,recentservers.xml
e6a34,\Registry\Machine\Software\CLASSES\Applications\Foxmail.exe\shell\open\command
e6a18,.exe
e69d4,Software\Aerofox\Foxmail
e69ac,Executable
e6984,Foxmail.exe
e6b38,Account.rec0
e6b38,Account.rec0
e6b38,Account.rec0
e6cb0,.rec0
e6c70,\Accounts\Account.rec0
e6bdc,.tdat
e6bc0,.stg
e6f24,KeePass.exe
e6f04,DllMain
e6ecc,KeePassHax.Program
e71ac,\compatibility.ini
e7184,LastAppDir
e7158,Compatibility
e7130,LastVersion
e7158,Compatibility
e7100,\extensions.ini
e70d8,Extension0
e70ac,ExtensionDirs
e7080,\extensions\
e6fcc,\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
e6fb0,Path
e6f8c,\nss3.dll
e728c,\logins.json
e725c,\signons.sqlite
e7238,\key3.db
e7214,\key4.db
e71ac,\compatibility.ini
e72b8,nss3.dll
e7320,\Profiles
e3cc4,\User Data
e72f8,\K-Meleon\
e728c,\logins.json
e725c,\signons.sqlite
e7660,\cookies.sqlite
e76ac,\places.sqlite
e76ac,\places.sqlite
e72b8,nss3.dll
e7814,%s\prefs.js
e77dc,%s\storage\default
e7c1c,userContextId
e7814,%s\prefs.js
e77dc,%s\storage\default
e7d04,%USERPROFILE%\OpenVPN
e7f6c,\Registry\Machine\Software\Valve\Steam
e7f30,SourceModInstallPath
e7f08,InstallPath
e7ec8,\config\loginusers.vdf
e7ea8,\config
e80e8,Software\Simnet\Simpl
e80c0,DBLocation
e817c,\Media
e8280,\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
e8248,ProcessorNameString
dfaa0,\Registry\Machine\S
dfa78,MachineGuid
e8608,DisplayName
e85d4,QuietDisplayName
e85a4,DisplayVersion
e857c,InstallDate
e8550,InstallSource
e852c,Publisher
e84fc,SystemComponent
e8718,TeamViewer
e86f8,#32770
e86dc,Edit
e86dc,Edit
e86dc,Edit
e875c,\tdata\D877F783D5D3EF8C\configs
e8810,Telegram.exe
e8880,%s\tdata\key_datas
e885c,%s\tdata
e88fc,vaultcli.dll
e8bc8,Software\Martin Prikryl\WinSCP 2\Configuration\Security
e8b94,UseMasterPassword
e8b30,Software\Martin Prikryl\WinSCP 2\Sessions
e8b0c,HostName
e8b0c,HostName
e8b0c,HostName
e8b0c,HostName
e8b0c,HostName