sunburst encrypted string

Sunburst Backdoor Decoded Strings From C# Code

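The table below lists the obfuscated strings found in Sunburst's OrionImprovementBusinessLayer.cs together with their decoded values. Typographic quotes (”) in the decoded values appear to be a rendering artifact standing in for straight double quotes ("). A few decoded values look truncated on this page (for example `api..com`, and one row has no decoded value at all), so re-derive a value from its encoded form before relying on it as an indicator.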

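Extract the encrypted strings of Sunburst with CyberChef. The strings are not encrypted in the cryptographic sense: they are raw-DEFLATE-compressed and then Base64-encoded, so CyberChef's "From Base64" followed by "Raw Inflate" recovers the plaintext.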

For example:

sunburst encrypted string
Encrypted Domain String
sunburst decrypted string
Decrypted Domain String
Encrypted => Plaintext
07DP1NSIjkvUrYqtidPUKEktLoHzVTQB => (?i)([^a-z]|^)(test)([^a-z]|$)
07DP1NQozs9JLCrPzEsp1gQA => (?i)(solarwinds)
03POLypJrQjIKU3PzAMA => .CortexPlugin
0/MvyszPAwA => .Orion
06vIzQEA => .xml
i6420DGtjVWoNtTRNTSrVag2quWsNgYKKVSb1MZUm9ZyAQA => [{0,5}] {1,-16} {2} {3,5} {4}\{5}\r\n
i6420DGtjVWoNqzlAgA => [{0,5}] {1}\r\n
i3aNVag2qFWoNgRio1oA => [E] {0} {1} {2}
U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA => \{[0-9a-f-]{36}\}|”[0-9a-f]{32}”|”[0-9a-f]{16}”
i/EvyszP88wtKMovS81NzSuJCc7PSSwKz8xLKdZDl9NLrUgFAA => \OrionImprovement\.OrionImprovement.exe
0403AAA => -_0
qzaoVag2rFXwCAkJ0K82quUCAA => {0} {1} HTTP/{2}\r\n
M4jX1QMA => 0_-.
MzA0MjYxNTO3sExMSk5JTUvPyMzKzsnNyy8oLCouKS0rr6is0o3XAwA => 0123456789abcdefghijklmnopqrstuvwxyz-_.
MzTQA0MA => 10.0.0.0
MzQ21DMystAzNNIzAAA => 131.228.12.0
MzQx0bMw0zMyMtMzAAA => 144.86.226.0
MzQ10TM0tNAzNDHQMwAA => 154.118.140.0
MzQ30jM00zPQMwAA => 172.16.0.0
M7TQMzQ20ANCAA => 18.130.0.0
M7Qw0TM30jPQMwAA => 184.72.0.0
M7Q00jM0s9Az0DMAAA => 192.168.0.0
M7S01DMyMNQzNDTXMwAA => 199.201.117.0
MzLQMzQx0ANCAA => 20.140.0.0
MzI01zM0M9Yz1zMAAA => 217.163.7.0
MzIy0TMAQQA => 224.0.0.0
MzIx0ANDAA => 240.0.0.0
MzI11TMAQQA => 255.0.0.0
MzI11TMyMdADQgA => 255.240.0.0
MzI11TMyNdEz0DMAAA => 255.254.0.0
MzI11TMyNdEz0DMAAA => 255.254.0.0
MzI11TMCYgM9AwA => 255.255.0.0
MzI11TMCYgM9AwA => 255.255.0.0
MzI11TMCYgM9AwA => 255.255.0.0
MzI11TMCYRMLPQMA => 255.255.248.0
MzI11TMCYRMLPQMA => 255.255.248.0
MzI11TMCYyM9AwA => 255.255.252.0
MzI11TMCYxM9AwA => 255.255.254.0
MzI11TOCYgMA => 255.255.255.0
MzI11TOCYgMA => 255.255.255.0
MzI11TOCYgMA => 255.255.255.0
MzI11TOCYgMA => 255.255.255.0
MzI11TOCYgMA => 255.255.255.0
MzI11TOCYgMA => 255.255.255.0
MzI11TOCYgMA => 255.255.255.0
MwYA => 3
M9YzAEJjCyMA => 3.0.0.382
MwEA => 4
MzHUszDRMzS11DMAAA => 41.84.159.0
MwUA => 5
0zU1MAAA => -500
M7UwTkm0NDHVNTNKTNM1NEi10DWxNDDSTbRIMzIwTTY3SjJKBQA => 583da945-62af-10e8-4902-a8f205c72b2e
MzfUMzQ10jM11jMAAA => 71.152.53.0
MzfRMzQ00TMy0TMAAA => 74.114.24.0
s9AztNAzNDHRMwAA => 8.18.144.0
szDXMzK20LMw0DMAAA => 87.238.80.0
szTTMzbUMzQ30jMAAA => 96.31.172.0
s7TUM7fUM9AzAAA => 99.79.0.0
c0zJzczLLC4pSizJLwIA => Administrator
c0zJzczLLC4pSizJLwIA => Administrator
SyzI1CvOz0ksKs/MSynWS87PBQA => api..com
cyzIz8nJBwA => Apollo
SywoyMlMTizJzM/TzyrOzwMA => application/json
SywoyMlMTizJzM/Tz08uSS3RLS4pSk3MBQA => application/octet-stream
SywoKK7MS9ZNLMgEAA => appsync-api
SywrLstNzskvTdFLzs8FAA => avsvmcloud.com
c8rPSQEA => Bold
c8rPSfEsSczJTAYA => BoldItalic
001OBAA => -ca
c04sKMnMzwMA => Caption
001OLSoBAA => -cert
c87JL03xzc/LLMkvysxLBwA => CloudMonitoring
c87PLcjPS80rKQYA => Components
c0lNSyzNKfEMcE8sSS1PrAQA => DefaultIPGateway
c0ktTi7KLCjJzM8DAA => Description
c/FwDnDNS0zKSU0BAA => DHCPEnabled
c/FwDghOLSpLLQIA => DHCPServer
c/ELdsnPTczMCy5NS8usCE5NLErO8C9KSS0CAA => DNSDomainSuffixSearchOrder
c/EL9sgvLvFLzE0FAA => DNSHostName
c/ELDk4tKkstCk5NLErO8C9KSS0CAA => DNSServerSearchOrder
U3IpLUosyczP8y1Wsqo2qNUBAA => DurationMs:{0},
Sy3VLU8tLtE1BAA => eu-west-1
U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA => EventName:”EventManager”,
U3ItS80rCaksSFWyUvIvyszPU9IBAA => EventType:”Orion”,
c60oKUp0ys9JAQA => ExtraBold
c60oKUp0ys9J8SxJzMlMBgA => ExtraBoldItalic
S0s2MLCyAgA => fc00::
S0s1MLCyAgA => fe00::
S0tNNrCyAgA => fec0::
S0szMLCyAgA => ff00::
S0szMLCyAgA => ff00::
S0tLNrCyAgA => ffc0::
S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA => fonts/woff/{0}-{1}-{2}{3}.woff2
S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA => fonts/woff/{0}-{1}-{2}-webfont{3}.woff2
SytKTU3LzysBAA => freefont
c08t8S/PSy0CAA => GetOwner
003PyU9KzAEA => -global
8/B2dgYA => HKCC
8/B2DgIA => HKCR
8/B2DgUA => HKCU
8/B2cQEA => HKDD
8/B2jYx39nEMDnYNjg/y9w8BAA => HKEY_CLASSES_ROOT
8/B2jYx3Dg0KcvULiXf293PzdAcA => HKEY_CURRENT_CONFIG
8/B2jYx3Dg0KcvULiQ8Ndg0CAA => HKEY_CURRENT_USER
8/B2jYx3ifSLd3EMcQQA => HKEY_DYN_DATA
8/B2jYz38Xd29In3dXT28PRzBQA => HKEY_LOCAL_MACHINE
8/B2jYz38Xd29In3dXT28PRzjQn2dwsJdwxyjfHNTC7KL85PK4lxLqosKMlPL0osyKgEAA => HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
8/B2jYwPcA1y8/d19HN2jXdxDHEEAA => HKEY_PERFOMANCE_DATA
8/B2jYwPDXYNCgYA => HKEY_USERS
8/D28QUA => HKLM
8/AOcAEA => HKPD
8/AOBQA => HKU
80zT9cvPS9X1TSxJzgAA => If-None-Match
U/LMS0mtULKqNqjVAQA => Index:{0},
88wrLknMyXFJLEkFAA => InstallDate
88wrSS1KS0xOLQYA => Interfaces
8wxwTEkpSi0uBgA => IPAddress
8wwILk3KSy0BAA => IPSubnet
8yxJzMlMBgA => Italic
88lMzygBAA => Light
88lMzyjxLEnMyUwGAA => LightItalic
88lPTsxxTE7OL80rAQA => LocalAccount
83V0dkxJKUotLgYA => MACAddress
801MzsjMS3UvzUwBAA => MachineGuid
U/JNLS5OTE9VslKqNqhVAgA => Message:”{0}”
881MLsovzk8r0XUuqiwoyXcM8NQHAA => Microsoft-CryptoAPI/
80vMTQUA => Name
88tPSS0GAA => Nodes
y8svyQcA => noto
8wvwBQA => NPM
yy9IzStOzCsGAA => opensans
8y9KT8zLrEosyczPAwA => Organization
8w92LErOyCxJTS4pLUoFAA => OSArchitecture
C0gsSs0rCSjKT04tLvZ0AQA => ParentProcessID
C0gsyfBLzE0FAA => PathName
K8gwSs1MyzfOMy0tSTfMskixNCksKkvKzTYoTswxN0sGAA => ph2eifo3n5utg1j8d94qrvbmk0sal76c
K8jO1E8uytGvNqitNqytNqrVA/IA => pki/crl/{0}{1}{2}.crl
0y0oysxNLKqMT04EAA => -primary_ca
CyjKT04tLvZ0AQA => ProcessID
C0pNzywuSS1KTQktTi0CAA => RegisteredUser
C0pNL81JLAIA => Regular
C0otyC8qCU8sSc5ILQrILy4pyM9LBQA => ReportWatcherPostpone
C0otyC8qCU8sSc5ILQpKLSmqBAA => ReportWatcherRetry
0y3Kzy8BAA => -root
Kyo0Ti9OzCkxKzXMrEyryi8wNTdKMbFMyquwSC7LzU4tz8gCAA => rq3gsalt6u1iyfzop572d49bnx8cvmkewhj
C9Y11DXVBQA => S-1-5-
0y1OTS4tSk1OBAA => -secureca
C07NSU0uUdBScCvKz1UIz8wzNor3Sy0pzy/KdkxJLChJLXLOz0vLTC8tSizJzM9TKM9ILUpV8AxwzUtMyklNsS0pKk0FAA => Select * From Win32_NetworkAdapterConfiguration where IPEnabled\tTRUE
C07NSU0uUdBScCvKz1UIz8wzNor3L0gtSizJzEsPriwuSc0FAA => Select * From Win32_OperatingSystem
C07NSU0uUdBScCvKz1UIz8wzNooPKMpPTi0uBgA => Select * From Win32_Process
C07NSU0uUdBScCvKz1UIz8wzNooPriwuSc11KcosSy0CAA => Select * From Win32_SystemDriver
C07NSU0uUdBScCvKz1UIz8wzNooPLU4tckxOzi/NKwEA => Select * From Win32_UserAccount
C07NzXTKz0kBAA => SemiBold
C07NzXTKz0nxLEnMyUwGAA => SemiBoldItalic
C04NSi0uyS9KDSjKLMvMSU1PBQA => SeRestorePrivilege
C04NzigtSckvzwsoyizLzElNTwUA => SeShutdownPrivilege
UypOLS7OzM/zTFGyUqo2qFXSAQA => sessionId:”{0}”,
C04NScxO9S/PSy0qzsgsCCjKLMvMSU1PBQA => SeTakeOwnershipPrivilege
C/Z0AQA => SID
C87PSSwKz8xLKQYA
C87PSSwKz8xLKfYvyszP88wtKMovS81NzStxzskEkvoA => SolarWindsOrionImprovementClient/
C84vLUpOdc5PSQ0oygcA => SourceCodePro
C84vLUpO9UjMC07MKwYA => SourceHanSans
C84vLUpO9UjMC04tykwDAA => SourceHanSerif
C84vLUpODU4tykwLKMoHAA => SourceSerifPro
Cy5JLCoBAA => Start
Cy5JLCoBAA => Start
Cy5JLCoBAA => Start
Cy5JLCoBAA => Start
UyouSS0oVrKKBgA => steps:[
UwouTU5OTU1JTVGyKikqTdUBAA => Succeeded:true,
Ky7PLNB3LUvNKykGAA => swip/Events
Ky7PLNAvLUjRBwA => swip/upd/
Ky7PLNAPLcjJT0zRSyzOqAAA => swip/Upload.ashx
C44MDnH1BQA => SYSTEM
C44MDnH1jXEuLSpKzStxzs8rKcrPCU4tiSlOLSrLTE4tBgA => SYSTEM\CurrentControlSet\services
C44MDnH1jXEuLSpKzStxzs8rKcrPCU4tiSlOLSrLTE4tBgA => SYSTEM\CurrentControlSet\services
0y3JzE0tLknMLQAA => -timestamp
UwrJzE0tLknMLVCyUorRd0ksSdWoNqjVjNFX0gEA => Timestamp:”\/Date({0})\/”,
KykqTQUA => true
C/UEAA => UI
0y3NyyxLLSpOzIlPTgQA => -universal_ca
Ky3WTU0sLtE1BAA => us-east-1
Ky3WTU0sLtE1AgA => us-east-2
UyotTi3yTFGyUqo2qFXSAQA => userId:”{0}”,
Ky3WLU8tLtE1AgA => us-west-2
C0stKs7MzwMA => Version
C8vPKc1NLQYA => Volumes
C89MSU8tKQYA => Widgets
C88sSs1JLS4GAA => Wireless