Advertisement
Guest User

Qakbot strings

a guest
Feb 13th, 2024
157
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.24 KB | None | 0 0
  1. %SystemRoot%\SysWOW64\xwizard.exe
  2. .dat
  3. kernelbase.dll
  4. WBJ_IGNORE
  5. mpr.dll
  6. %SystemRoot%\explorer.exe
  7. %SystemRoot%\System32\CertEnrollCtrl.exe
  8. https
  9. SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
  10. open
  11. root\SecurityCenter2
  12. %SystemRoot%\SysWOW64\SndVol.exe
  13. %u.%u.%u.%u.%u.%u.%04x
  14. 1234567890
  15. %SystemRoot%\System32\Utilman.exe
  16. snxhk_border_mywnd
  17. %SystemRoot%\SysWOW64\wextract.exe
  18. avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
  19. Win32_PhysicalMemory
  20. Caption
  21. ByteFence.exe
  22. aswhooka.dll
  23. dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
  24. %SystemRoot%\SysWOW64\grpconv.exe
  25. VRTUAL;VMware;VMW;Xen
  26. SELECT * FROM AntiVirusProduct
  27. %s\%08X.dll
  28. wininet.dll
  29. avp.exe;kavtray.exe
  30. rundll32.exe
  31. Create
  32. WQL
  33. %SystemRoot%\System32\sethc.exe
  34. AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
  35. Software\Classes
  36. vkise.exe;isesrv.exe;cmdagent.exe
  37. LastBootUpTime
  38. MS_VM_CERT;VMware;Virtual Machine
  39. Winsta0
  40. .dll
  41. Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
  42. SonicWallClientProtectionService.exe;SWDash.exe
  43. t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
  44. SystemRoot
  45. CommandLine
  46. %SystemRoot%\SysWOW64\explorer.exe
  47. SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
  48. %s\system32\
  49. SELECT * FROM Win32_OperatingSystem
  50. wbj.go
  51. System32
  52. CynetEPS.exe;CynetMS.exe;CynetConsole.exe
  53. C:\INTERNAL\__empty
  54. cmd.exe
  55. SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  56. */*
  57. MsMpEng.exe
  58. image/pjpeg
  59. {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  60. urlmon.dll
  61. type=0x%04X
  62. TRUE
  63. Win32_ComputerSystem
  64. %SystemRoot%\System32\backgroundTaskHost.exe
  65. ALLUSERSPROFILE
  66. .exe
  67. \\.\pipe\
  68. advapi32.dll
  69. application/x-shockwave-flash
  70. %ProgramFiles%\Windows Media Player\wmplayer.exe
  71. ntdll.dll
  72. %SystemRoot%\SysWOW64\Utilman.exe
  73. CfGetPlatformInfo
  74. userenv.dll
  75. LocalLow
  76. FALSE
  77. coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
  78. Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
  79. image/jpeg
  80. image/gif
  81. displayName
  82. Name
  83. Win32_PnPEntity
  84. .cfg
  85. APPDATA
  86. winsta0\default
  87. %SystemRoot%\SysWOW64\CertEnrollCtrl.exe
  88. %SystemRoot%\SysWOW64\backgroundTaskHost.exe
  89. pstorec.dll
  90. RepUx.exe
  91. aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
  92. \sf2.dll
  93. %SystemRoot%\System32\dxdiag.exe
  94. CSFalconService.exe;CSFalconContainer.exe
  95. vbs
  96. WRSA.exe
  97. crypt32.dll
  98. setupapi.dll
  99. c:\saurufdifsdudqat.sys
  100. %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
  101. netapi32.dll
  102. SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
  103. VMware;PROD_VIRTUAL_DISK;VIRTUAL-DISK;XENSRC;20202020
  104. %SystemRoot%\System32\grpconv.exe
  105. SpyNetReporting
  106. wtsapi32.dll
  107. wpcap.dll
  108. Packages
  109. %SystemRoot%\explorer.exe
  110. regsvr32.exe
  111. aswhookx.dll
  112. Content-Type: application/x-www-form-urlencoded
  113. %SystemRoot%\SysWOW64\SearchIndexer.exe
  114. %SystemRoot%\SysWOW64\AtBroker.exe
  115. %SystemRoot%\System32\WerFault.exe
  116. SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  117. vmnat.exe
  118. SubmitSamplesConsent
  119. SysWOW64
  120. shell32.dll
  121. wmic process call create 'expand "%S" "%S"'
  122.  
  123. ROOT\CIMV2
  124. Win32_Product
  125. LOCALAPPDATA
  126. %SystemRoot%\SysWOW64\mobsync.exe
  127. ws2_32.dll
  128. WScript.Sleep %u
  129. Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
  130. Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
  131. errReturn = objProcess.Create("%s", null, nul, nul)
  132. WSCript.Sleep 2000
  133. Set fso = CreateObject("Scripting.FileSystemObject")
  134. fso.DeleteFile("%s")
  135. bcrypt.dll
  136. SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
  137. abcdefghijklmnopqrstuvwxyz
  138. fshoster32.exe
  139. %SystemRoot%\System32\SearchIndexer.exe
  140. reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
  141. Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
  142. Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
  143. errReturn = objProcess.Create("%s", null, nul, nul)
  144. gdi32.dll
  145. Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
  146. Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'")
  147. For Each objFile in colFiles
  148. objFile.Copy("%s")
  149. Next
  150. Win32_Process
  151. SELECT * FROM Win32_Processor
  152. user32.dll
  153. Win32_Bios
  154. %SystemRoot%\SysWOW64\explorer.exe
  155. MBAMService.exe;mbamgui.exe
  156. %SystemRoot%\SysWOW64\mspaint.exe
  157. frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe;dumper64.exe;user_imitator.exe;Velociraptor.exe
  158. %SystemRoot%\System32\wextract.exe
  159. egui.exe;ekrn.exe
  160. select
  161. %SystemRoot%\System32\wermgr.exe
  162. iphlpapi.dll
  163. SOFTWARE\Microsoft\Windows Defender\SpyNet
  164. %SystemRoot%\SysWOW64\dxdiag.exe
  165. %SystemRoot%\SysWOW64\WerFault.exe
  166. %SystemRoot%\System32\AtBroker.exe
  167. %SystemRoot%\SysWOW64\sethc.exe
  168. %S.%06d
  169. c:\\
  170. S:(ML;;NW;;;LW)
  171. fmon.exe
  172. %SystemRoot%\System32\xwizard.exe
  173. cscript.exe
  174. Initializing database...
  175. xagtnotif.exe;AppUIMonitor.exe
  176. %ProgramFiles%\Internet Explorer\iexplore.exe
  177. Win32_DiskDrive
  178. aabcdeefghiijklmnoopqrstuuvwxyyz
  179. %SystemRoot%\System32\mobsync.exe
  180. %SystemRoot%\SysWOW64\wermgr.exe
  181. kernel32.dll
  182. %SystemRoot%\System32\mspaint.exe
  183. bdagent.exe;vsserv.exe;vsservppl.exe
  184. SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
  185. Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
  186. NTUSER.DAT
  187. ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
  188. from
  189. mcshield.exe
  190. %SystemRoot%\System32\SndVol.exe
  191. VMware;VMW;QEMU
  192. QEMU;VMware Pointing;VMware Accelerated;VMware SCSI;VMware SVGA;VMware Replay;VMware server memory;VirtualBox;CWSandbox;Virtual HD;QEMU;VirtIO;srootkit;vSockets;VBoxVideo;vmxnet;vmscsi;VMAUDIO;vmdebug;vm3dmp;vmrawdsk;vmx_svga;ansfltr;sbtisht;XENVIF;XENBUS;XENSRC;XENCLASS
  193. shlwapi.dll
  194. csc_ui.exe
  195. CrAmTray.exe
  196. Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
  197. %ProgramFiles(x86)%\Internet Explorer\iexplore.exe
Tags: Qakbot
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement