-
-
Save hshrzd/3c1768b1ca2aa9d2664575f582ba9e00 to your computer and use it in GitHub Desktop.
Strings for the Saint Stealer loader
We can make this file beautiful and searchable if this error is corrected: Illegal quoting in line 133.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 607c,'/DELETE /TN Maintenance /f' | |
| 60b8,'\Software\Microsoft\Windows\CurrentVersion\Run' | |
| 61a8,'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 YaBrowser/15.10.2454.3865 Safari/537.36' | |
| 62c8,'Content-Type: application/x-www-form-urlencoded' | |
| 63c0,'SYSTEM\CurrentControlSet\Services\disk\Enum' | |
| 641c,'QEMU' | |
| 6428,'VIRTIO' | |
| 6438,'VMWARE' | |
| 6448,'VBOX' | |
| 6454,'XEN' | |
| 645c,'ntdll.dll' | |
| 6470,'LdrLoadDll' | |
| 6488,'RtlInitUnicodeString' | |
| 64b4,'NtQueryInformationProcess' | |
| 64e8,'NtQueryDefaultLocale' | |
| 6514,'Advapi32.dll' | |
| 6530,'RegOpenKeyExW' | |
| 654c,'RegQueryValueExW' | |
| 6570,'GetUserNameW' | |
| 658c,'RegCloseKey' | |
| 65a4,'kernel32.dll' | |
| 65c0,'CreateFileW' | |
| 65d8,'WriteFile' | |
| 65ec,'CloseHandle' | |
| 6604,'CreateProcessW' | |
| 6624,'ExitProcess' | |
| 663c,'GetModuleFileNameW' | |
| 6664,'GetCurrentProcess' | |
| 6688,'SetProcessMitigationPolicy' | |
| 66c0,'GetModuleHandleW' | |
| 66e4,'Sleep' | |
| 66f0,'Shell32.dll' | |
| 6708,'SHGetFolderPathW' | |
| 65a4,'kernel32.dll' | |
| 672c,'CreateDirectoryW' | |
| 6750,'SetFileAttributesW' | |
| 6778,'CopyFileW' | |
| 678c,'GetSystemTime' | |
| 67a8,'GetFileAttributesW' | |
| 6514,'Advapi32.dll' | |
| 67d0,'RegEnumKeyExW' | |
| 66f0,'Shell32.dll' | |
| 67ec,'ShellExecuteW' | |
| 6808,'IsUserAnAdmin' | |
| 6514,'Advapi32.dll' | |
| 6824,'RegCreateKeyExW' | |
| 6844,'RegSetValueW' | |
| 6860,'RegDeleteTreeW' | |
| 6880,'OpenProcessToken' | |
| 68a4,'GetTokenInformation' | |
| 68cc,'GetSidSubAuthority' | |
| 68f4,'GetSidSubAuthorityCount' | |
| 6924,'ConvertStringSidToSidW' | |
| 6954,'LookupAccountSidW' | |
| 6978,'ConvertSidToStringSidW' | |
| 69a8,'LookupAccountNameW' | |
| 65a4,'kernel32.dll' | |
| 69d0,'Wow64DisableWow64FsRedirection' | |
| 6a10,'Wow64RevertWow64FsRedirection' | |
| 6a4c,'WaitForSingleObject' | |
| 66c0,'GetModuleHandleW' | |
| 6a74,'CreateMutexW' | |
| 6a90,'ReleaseMutex' | |
| 6aac,'GetLastError' | |
| 6ac8,'Netapi32.dll' | |
| 6ae4,'NetUserGetLocalGroups' | |
| 6b10,'NetApiBufferFree' | |
| 6b34,'NtAllocateVirtualMemory' | |
| 6b64,'NtWriteVirtualMemory' | |
| 6b90,'NtAlertResumeThread' | |
| 6bb8,'NtQueueApcThread' | |
| 6bdc,'NtFreeVirtualMemory' | |
| 6c04,'NtOpenKey' | |
| 6c18,'NtSetValueKey' | |
| 6c34,'NtClose' | |
| 6488,'RtlInitUnicodeString' | |
| 6c44,'NtCreateKey' | |
| 6c5c,'NtDeleteValueKey' | |
| 65a4,'kernel32.dll' | |
| 6c80,'FindFirstFileW' | |
| 6ca0,'FindNextFileW' | |
| 6cbc,'SetProcessShutdownParameters' | |
| 6cf8,'CreateThread' | |
| 6d14,'FindClose' | |
| 6d28,'User32.dll' | |
| 6d40,'RegisterClassExW' | |
| 6d64,'CreateWindowExW' | |
| 6d84,'ShowWindow' | |
| 6d9c,'UpdateWindow' | |
| 6db8,'GetMessageW' | |
| 6dd0,'TranslateMessage' | |
| 6df4,'DispatchMessageW' | |
| 6e18,'DefWindowProcW' | |
| 65a4,'kernel32.dll' | |
| 6e38,'GetVolumeInformationW' | |
| 6e64,'GetUserGeoID' | |
| 6e80,'GetGeoInfoW' | |
| 6e98,'GetNativeSystemInfo' | |
| 6ec0,'GlobalMemoryStatusEx' | |
| 6eec,'DeleteFileW' | |
| 6f04,'FreeLibrary' | |
| 6f1c,'GetThreadContext' | |
| 6f40,'ReadProcessMemory' | |
| 6f64,'SetThreadContext' | |
| 6f88,'ResumeThread' | |
| 6fa4,'MultiByteToWideChar' | |
| 6d28,'User32.dll' | |
| 6fcc,'EnumDisplayMonitors' | |
| 6ff4,'EnumDisplayDevicesW' | |
| 701c,'Winhttp.dll' | |
| 7034,'WinHttpOpen' | |
| 704c,'WinHttpConnect' | |
| 706c,'WinHttpOpenRequest' | |
| 7094,'WinHttpSendRequest' | |
| 70bc,'WinHttpReadData' | |
| 70dc,'WinHttpCloseHandle' | |
| 7104,'WinHttpReceiveResponse' | |
| 7134,'WinHttpQueryDataAvailable' | |
| 66f0,'Shell32.dll' | |
| 7168,'SHFileOperationW' | |
| 71d8,'\Software\Classes\ms-settings\Shell\Open\command' | |
| 723c,'SOFTWARE\Classes\ms-settings' | |
| 7278,'\Software\Classes\ms-settings' | |
| 72b8,'\Software\Classes\ms-settings\Shell' | |
| 7300,'\Software\Classes\ms-settings\Shell\Open' | |
| 7354,'DelegateExecute' | |
| 7378,'C:\Windows\System32\fodhelper.exe' | |
| 73d8,'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' | |
| 744c,'ConsentPromptBehaviorAdmin' | |
| 7190,'C:\Windows\System32\EhStorAuthn.exe' | |
| 748c,'C:\windows\system32\ntdll.dll' | |
| 60b8,'\Software\Microsoft\Windows\CurrentVersion\Run' | |
| 7ac0,'C:\Program Files\adaware\"C:\Program Files\Avast Software\Avast\"C:\Program Files\AVG\Antivirus\"C:\Program Files (x86)\Avira\"C:\Program Files\Webroot\"C:\Program Files\Bitdefender\"C:\Program Files\BullGuard Ltd\"C:\ProgramData\Dr Web\"C:\Program Files\Emsisoft Anti-Malware\"C:\Program Files\COMODO\"C:\Program Files\ESET\"C:\Program Files\Fortinet\FortiClient\"C:\Program Files\IKARUS\anti.virus\"C:\ProgramData\F-Secure\"C:\Program Files\Malwarebytes\Anti-Malware\"C:\Program Files (x86)\Panda Security\Panda Security Protection\"C:\ProgramData\Kaspersky Lab\"C:\ProgramData\McAfee\"C:\ProgramData\Sophos\"C:\Program Files\Trend Micro\"C:\Program Files (x86)\CheckPoint\ZoneAlarm\"C:\Program Files\Symantec\Symantec Endpoint Protection\' | |
| 78c0,'/create /sc minute /mo 5 /tn "Maintenance" /tr "C:\Users\%USERNAME%\AppData\Local\z_%USERNAME%\%USERNAME%.vbs" /F' | |
| 61a8,'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 YaBrowser/15.10.2454.3865 Safari/537.36' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment