- Predator Pain Keylogger - Partial Dump Of Strings In Memory
- http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html
- 0x230370 (30): APP_CONFIG_FILE
- 0x230448 (28): MACHINE_CONFIG
- 0x249c48 (20): System.Windows.Forms
- 0x249d68 (20): System.Xml
- 0x249dc8 (16): GDI+ Hook Window
- 0x249e08 (20): System.Xml
- 0x249ee8 (21): Microsoft.VisualBasic
- 0x24a208 (20): System.Web
- 0x24c3c8 (28): KazyLoader.dll
- 0x24c540 (14): KazyLoader.dll
- 0x24c568 (14): kazyloader.dll
- 0x1991ff9 (44): !This program cannot be run in DOS mode.
- 0x19923d0 (10): v2.0.50727
- 0x199279a (14): KazyLoader.dll
- 0x19927b0 (10): KazyLoader
- 0x199300a (30): VS_VERSION_INFO
- 0x1993066 (22): VarFileInfo
- 0x1993086 (22): Translation
- 0x19930aa (28): StringFileInfo
- 0x19930e6 (22): CompanyName
- 0x199311a (30): FileDescription
- 0x199313c (20): KazyLoader
- 0x199315a (22): FileVersion
- 0x199318a (24): InternalName
- 0x19931a4 (28): KazyLoader.dll
- 0x19931ca (28): LegalCopyright
- 0x19931e8 (20): Copyright
- 0x19931fe (30): Microsoft 2014
- 0x1993226 (32): OriginalFilename
- 0x1993248 (28): KazyLoader.dll
- 0x199326e (22): ProductName
- 0x1993288 (20): KazyLoader
- 0x19932a6 (28): ProductVersion
- 0x19932da (32): Assembly Version
- 0x19983a8 (24): winlogon.exe
- 0x19983ec (116): The application failed to initialize properly (0xc0000135)
- 0x1998474 (54): Microsoft Application Error
- 0x1998548 (36): HKEY_LOCAL_MACHINE
- 0x1998580 (34): HKEY_CURRENT_USER
- 0x19985b4 (34): HKEY_CLASSES_ROOT
- 0x19985e8 (20): HKEY_USERS
- 0x1998610 (42): HKEY_PERFORMANCE_DATA
- 0x199864c (38): HKEY_CURRENT_CONFIG
- 0x1998684 (26): HKEY_DYN_DATA
- 0x1998890 (106): Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- 0x1998928 (28): explorer.exe,
- 0x1998958 (116): Software\Microsoft\Windows\Current Version\Policies\System
- 0x1998a40 (20): \csrss.exe
- 0x1998a68 (40): -reg "explorer.exe,
- 0x1998abc (20): -prockill
- 0x199cc1c (24): LICENSE_FILE
- 0x199cc48 (38): LOADER_OPTIMIZATION
- 0x199cda4 (88): Software\Microsoft\Windows NT\CurrentVersion
- 0x199ce10 (32): InstallationType
- 0x199ce64 (22): Server Core
- 0x199cee0 (20): system.net
- 0x19b588c (22): dontclearie
- 0x19b58b4 (22): dontclearff
- 0x19b5900 (26): downloadfiles
- 0x19b592c (28): websitevisitor
- 0x19b595c (28): websiteblocker
- 0x19b598c (36): DisableAdminRights
- 0x19b5a88 (36): DisableTaskManager
- 0x19b5b04 (22): Disablemelt
- 0x19b5b2c (20): Disablereg
- 0x19b5b54 (20): Disablecmd
- 0x19b5b7c (30): Disablemsconfig
- 0x19b5bac (32): Disablespreaders
- 0x19b5be0 (24): Disablesteam
- 0x19b5c0c (38): \Windows Update.exe
- 0x19b61bc (24): winlogon.exe
- 0x19b6330 (28): CMemoryExecute
- 0x19b6935 (44): !This program cannot be run in DOS mode.
- 0x19b6dcc (10): v2.0.50727
- 0x19b7252 (18): CMemoryExecute.dll
- 0x19b7265 (14): CMemoryExecute
- 0x19b78d1 (14): CMemoryExecute
- 0x19b78eb (10): Copyright
- 0x19b7d46 (30): VS_VERSION_INFO
- 0x19b7da2 (22): VarFileInfo
- 0x19b7dc2 (22): Translation
- 0x19b7de6 (28): StringFileInfo
- 0x19b7e22 (30): FileDescription
- 0x19b7e44 (28): CMemoryExecute
- 0x19b7e6a (22): FileVersion
- 0x19b7e9a (24): InternalName
- 0x19b7eb4 (36): CMemoryExecute.dll
- 0x19b7ee2 (28): LegalCopyright
- 0x19b7f00 (20): Copyright
- 0x19b7f2a (32): OriginalFilename
- 0x19b7f4c (36): CMemoryExecute.dll
- 0x19b7f7a (22): ProductName
- 0x19b7f94 (28): CMemoryExecute
- 0x19b7fba (28): ProductVersion
- 0x19b7fee (32): Assembly Version
- 0x19bb738 (36): \WindowsUpdate.exe
- 0x19bb770 (22): SysInfo.txt
- 0x19bb7bc (22): \pidloc.txt
- 0x19bb7e4 (28): PredatorLogger
- 0x19bb814 (30): Disablestealers
- 0x19bb844 (26): Disablelogger
- 0x19bb898 (22): Disableclip
- 0x19c011c (58): results@facebookmarketers.net
- 0x19c0188 (52): mail.facebookmarketers.net
- 0x19c01d0 (24): ftp.host.com
- 0x19c02bc (98): http://www.DeceptiveEngineering.com/path/logs.php
- 0x19c0484 (24): GetHostEntry
- 0x19c04b0 (26): GetHostByName
- 0x19c0500 (58): http://whatismyipaddress.com/
- 0x19c054c (44): <!-- do not script -->
- 0x19c0704 (28): DownloadString
- 0x19c0734 (26): net_webclient
- 0x19c0760 (24): DownloadData
- 0x19c09b0 (20): WebRequest
- 0x19c0a04 (34): webRequestModules
- 0x19c1e84 (28): HttpWebRequest
- 0x19c1ef8 (24): defaultProxy
- 0x19c216c (20): bypasslist
- 0x19c21b0 (42): useDefaultCredentials
- 0x19c2584 (20): autoDetect
- 0x19c25ac (28): scriptLocation
- 0x19c25dc (26): bypassonlocal
- 0x19c2608 (24): proxyaddress
- 0x19c2634 (32): usesystemdefault
- 0x19c4ab8 (42): whatismyipaddress.com
- 0x19c4e4c (56): http://whatismyipaddress.com
- 0x19c6354 (42): whatismyipaddress.com
- 0x19cb7b0 (42): \root\SecurityCenter2
- 0x19cb7ec (60): SELECT * FROM AntivirusProduct
- 0x19cb83c (22): displayName
- 0x19cb884 (24): COMPUTERNAME
- 0x19cc048 (28): //./root/cimv2
- 0x19ccd00 (58): SELECT * FROM FirewallProduct
- 0x19cd7ac (30): Disablefakerror
- 0x19ce324 (38): \bitcoin\wallet.dat
- 0x19ce35c (22): _wallet.dat
- 0x19ce384 (20): wallet.dat
- 0x19ce748 (28): Disablestartup
- 0x19ce778 (90): Software\Microsoft\Windows\CurrentVersion\Run
- 0x19ce7e4 (28): Windows Update
- 0x19cffd4 (72): This is an email notifying you that
- 0x19d0030 (262): has ran your logger and emails should be sent to you shortly and at interval choosen.
- Predator Logger Details:
- Server Name:
- 0x19d0148 (42):
- Keylogger Enabled:
- 0x19d0184 (56):
- Clipboard-Logger Enabled:
- 0x19d01d0 (74):
- Time Logs will be delivered: Every
- 0x19d022c (62): minutes
- Stealers Enabled:
- 0x19d027c (156):
- Time Log will be delivered: Average 2 to 4 minutes
- Local Date and Time:
- 0x19d032c (44):
- Installed Language:
- 0x19d036c (40):
- Operating System:
- 0x19d03a8 (46):
- Internal IP Address:
- 0x19d03e8 (46):
- External IP Address:
- 0x19d0428 (48):
- Installed Anti-Virus:
- 0x19d046c (44):
- Installed Firewall:
- 0x19d04ac (26): Disablenotify
- 0x19d04d8 (60): Predator_Painv13_Notification_
- 0x19d0544 (68): Predator Pain v13 - Server Ran - [
- 0x19d059c (42): \.minecraft\lastlogin
- 0x19d05d8 (78): Predator Pain v13|Minecraft Stealer - [
- 0x19d0638 (312): There is a file attached to this email containing Minecraft username and password download it then decrypt the login information with my Minecraft Decryptor
- 0x19d0794 (40): d/MM/yyyy h:mm:ss tt
- 0x19d09b4 (42): Win32_OperatingSystem
- 0x19d0a80 (48): select * from meta_class
- 0x19d0fcc (70): select * from Win32_OperatingSystem
- 0x19d13b8 (22): UnicodeText
- 0x19d13f8 (46): DeviceIndependentBitmap
- 0x19d1458 (32): EnhancedMetafile
- 0x19d148c (24): MetaFilePict
- 0x19d14b8 (24): SymbolicLink
- 0x19d14e4 (42): DataInterchangeFormat
- 0x19d1520 (42): TaggedImageFileFormat
- 0x19d1648 (22): HTML Format
- 0x19d1670 (32): Rich Text Format
- 0x19d16a4 (32): PersistentObject
- 0x19d16d8 (26): System.String
- 0x19d1704 (60): WindowsForms10PersistentObject
- 0x19d1904 (72): Predator Pain v13 - Key Recorder - [
- 0x19d1960 (454): **********************************************
- ClipBoard Log
- **********************************************
- 0x19d1b38 (458):
- **********************************************
- Keylogger Log
- **********************************************
- 0x19d1d14 (28): Disablescreeny
- 0x19d1d64 (36): screens\screenshot
- Karagany
- 0x19d2174 (36): WebBrowserPassView
- 0x19d2bec (24): mailSettings
- 0x19d2ebc (48): specifiedPickupDirectory
- 0x19d2f00 (28): deliveryMethod
- 0x19d32f8 (36): defaultCredentials
- 0x19d3330 (24): clientDomain
- 0x19d33a4 (20): targetName
- 0x19d3938 (46): pickupDirectoryLocation
- 0x19d3bbc (20): SmtpClient
- 0x19d4010 (68): SMTPSVC/mail.facebookmarketers.net
- 0x19d4740 (48): MailAddressInvalidFormat
- 0x19d4784 (56): MailAddressUnsupportedFormat
- 0x19d47f0 (42): facebookmarketers.net
- 0x19d48a8 (42): facebookmarketers.net
- 0x19d4904 (90): Predator Pain v13 - Server Ran - [SOME-PC]
- 0x19db7e0 (30): DeliveryMethod=
- 0x19dbafc (72): ByHost:mail.facebookmarketers.net:25
- 0x19dbbd8 (72): ByHost:mail.facebookmarketers.net:25
- 0x19dbf80 (60): mail.facebookmarketers.net
- 25
- 0x19dc5b4 (42): facebookmarketers.net
- 0x19dc7d4 (84): Microsoft.NET\Framework\v2.0.50727\vbc.exe
- 0x19dc860 (30): holdermail.txt"
- 0x19dc8a8 (28): holdermail.txt
- 0x1b69360 (486): **********************************************
- Operating System Intel Recovery
- **********************************************
- CPU Name:
- 0x1b69558 (46):
- Local Date and Time:
- 0x1b69598 (30):
- Net Version:
- 0x1b695c8 (58):
- Operating System Platform:
- 0x1b69614 (56):
- Operating System Version:
- 0x1b69660 (466):
- **********************************************
- WEB Browser Password Recovery
- **********************************************
- 0x1b69844 (468):
- **********************************************
- Mail Messenger Password Recovery
- **********************************************
- 0x1b69a2c (930):
- **********************************************
- Internet Download Manager Recovery
- **********************************************
- **********************************************
- Jdownloader Password Recovery
- **********************************************
- 0x1b69de0 (58): Predator_Painv13_Stealer_Log_
- 0x1b69e2c (66): Predator Pain v13|Stealer Log - [
- 0x1b69e80 (26): holderwb.txt"
- 0x1b69eac (24): holderwb.txt
- 0x1df1ff0 (70): select * from Win32_OperatingSystem
- 0x1df20b8 (28): \\.\root\cimv2
- 0x1e15db4 (72): f:\dd\Tools\devdiv\EcmaPublicKey.snk
- 0x1e24a8c (76): Unable to connect to the remote server
- 0x1e24db0 (38): SmtpSendMailFailure
- 0x1e24de8 (42): Failure sending mail.
- 0x1e327c0 (74): Pain File Stealer Bitcoin Stealer - [
- 0x1e3281c (128): Steals the Wallet.DAT file that holds the users bitcoin currency
- 0x2996e2d (44): !This program cannot be run in DOS mode.
- 0x299932f (44): !This program cannot be run in DOS mode.
- 0x299e3c7 (28): CMemoryExecute
- 0x299e3e8 (36): WebBrowserPassView
- 0x299e473 (44): !This program cannot be run in DOS mode.
- 0x299e90a (10): v2.0.50727
- 0x299ed90 (18): CMemoryExecute.dll
- 0x299eda3 (14): CMemoryExecute
- 0x299f40f (14): CMemoryExecute
- 0x299f429 (10): Copyright
- 0x299f57a (121): C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb
- 0x299f884 (30): VS_VERSION_INFO
- 0x299f8e0 (22): VarFileInfo
- 0x299f900 (22): Translation
- 0x299f924 (28): StringFileInfo
- 0x299f960 (30): FileDescription
- 0x299f982 (28): CMemoryExecute
- 0x299f9a8 (22): FileVersion
- 0x299f9d8 (24): InternalName
- 0x299f9f2 (36): CMemoryExecute.dll
- 0x299fa20 (28): LegalCopyright
- 0x299fa3e (20): Copyright
- 0x299fa68 (32): OriginalFilename
- 0x299fa8a (36): CMemoryExecute.dll
- 0x299fab8 (22): ProductName
- 0x299fad2 (28): CMemoryExecute
- 0x299faf8 (28): ProductVersion
- 0x299fb2c (32): Assembly Version
- 0x299fe78 (44): !This program cannot be run in DOS mode.
- 0x29e24ef (36): WebBrowserPassView
- 0x29e2543 (82): Apple Computer\Preferences\keychain.plist
- 0x29e25cf (16): com.apple.Safari
- 0x29e25e3 (27): com.apple.WebKit2WebProcess
- 0x29e260b (138): SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins
- 0x29e270b (30): LoadPasswordsIE
- 0x29e272b (40): LoadPasswordsFirefox
- 0x29e2757 (38): LoadPasswordsChrome
- 0x29e277f (36): LoadPasswordsOpera
- 0x29e27a7 (38): LoadPasswordsSafari
- 0x29e27cf (44): LoadPasswordsSeaMonkey
- 0x29e27ff (46): UseFirefoxProfileFolder
- 0x29e282f (46): UseFirefoxInstallFolder
- 0x29e285f (44): UseChromeProfileFolder
- 0x29e288f (40): UseOperaPasswordFile
- 0x29e28bb (40): FirefoxProfileFolder
- 0x29e28e7 (40): FirefoxInstallFolder
- 0x29e2913 (38): ChromeProfileFolder
- 0x29e293b (34): OperaPasswordFile
- 0x29e2962 (57): "Account","Login Name","Password","Web Site","Comments"
- 0x29e2c0f (11): CredDeleteA
- 0x29e2c1b (14): CredEnumerateA
- 0x29e2c2b (14): CredEnumerateW
- 0x29e2c3b (22): crypt32.dll
- 0x29e2c53 (18): CryptUnprotectData
- 0x29e2c67 (20): CryptAcquireContextA
- 0x29e2c7f (19): CryptReleaseContext
- 0x29e2c93 (15): CryptCreateHash
- 0x29e2ca3 (17): CryptGetHashParam
- 0x29e2cb7 (13): CryptHashData
- 0x29e2cc7 (16): CryptDestroyHash
- 0x29e32ef (15): SQLite format 3
- 0x29e37eb (103): CREATE TABLE sqlite_master(
- type text,
- name text,
- tbl_name text,
- rootpage integer,
- sql text
- )
- 0x29e707b (130): SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe
- 0x29e70ff (50): %programfiles%\Sea Monkey
- 0x29e7133 (32): SOFTWARE\Mozilla
- 0x29e718b (60): %programfiles%\Mozilla Firefox
- 0x29e71cb (129): SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
- 0x29e7255 (24): -signons.txt
- 0x29e726f (24): signons2.txt
- 0x29e728b (24): signons3.txt
- 0x29e72a7 (28): signons.sqlite
- 0x29e72c7 (20): netmsg.dll
- 0x29e7553 (84): Microsoft\Windows\WebCache\WebCacheV01.dat
- 0x29e75ab (84): Microsoft\Windows\WebCache\WebCacheV24.dat
- 0x29e7633 (116): Software\Microsoft\Internet Explorer\IntelliForms\Storage2
- 0x29e76ab (88): https://www.google.com/accounts/servicelogin
- 0x29e7707 (48): http://www.facebook.com/
- 0x29e773b (72): https://login.yahoo.com/config/login
- 0x29e778d (36): @internet explorer
- 0x29e77d7 (22): :stringdata
- 0x29e77ef (46): wininetcachecredentials
- 0x29e7e79 (24): @history.dat
- 0x29e7e93 (26): places.sqlite
- 0x29e7eaf (32): Mozilla\Profiles
- 0x29e7ed3 (48): Mozilla\Firefox\Profiles
- 0x29e7f07 (52): Mozilla\SeaMonkey\Profiles
- 0x29e7f3f (34): Mozilla\SeaMonkey
- 0x29e7f63 (30): Mozilla\Firefox
- 0x29e7f83 (24): profiles.ini
- 0x29e8157 (22): sqlite3.dll
- 0x29e816f (28): mozsqlite3.dll
- 0x29e819b (12): NSS_Shutdown
- 0x29e81ab (23): PK11_GetInternalKeySlot
- 0x29e81c3 (13): PK11_FreeSlot
- 0x29e81d3 (22): PK11_CheckUserPassword
- 0x29e81eb (17): PK11_Authenticate
- 0x29e81ff (15): PK11SDR_Decrypt
- 0x29e82df (20): Login Data
- 0x29e82f7 (46): Google\Chrome\User Data
- 0x29e8327 (54): Google\Chrome SxS\User Data
- 0x29e835f (40): Opera\Opera\wand.dat
- 0x29e838b (58): Opera\Opera7\profile\wand.dat
- 0x29e8583 (22): pstorec.dll
- 0x29e859b (20): PStoreCreateInstance
- 0x29ebb43 (22): ProductName
- 0x29ebb5b (30): FileDescription
- 0x29ebb7b (22): FileVersion
- 0x29ebb93 (28): ProductVersion
- 0x29ebbb3 (22): CompanyName
- 0x29ebbcb (24): InternalName
- 0x29ebbe7 (28): LegalCopyright
- 0x29ebc07 (32): OriginalFileName
- 0x29ebc2b (22): log profile
- 0x29ebc67 (24): vaultcli.dll
- 0x29ebc83 (14): VaultOpenVault
- 0x29ebc93 (15): VaultCloseVault
- 0x29ebca3 (19): VaultEnumerateItems
- 0x29ebcc3 (19): VaultGetInformation
- 0x29ebcd7 (12): VaultGetItem
- 0x29ebd3b (68): f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb
- 0x29f2eff (44): Load Passwords From...
- 0x29f2f4b (34): Internet Explorer
- 0x29f2f8f (26): Google Chrome
- 0x29f2ff7 (30): Mozilla Firefox
- 0x29f30e7 (30): Firefox Options
- 0x29f3127 (32): Master password:
- 0x29f3187 (32): Firefox Profile:
- 0x29f320f (42): Firefox Installation:
- 0x29f32a3 (28): Chrome Options
- 0x29f32df (34): User Data Folder:
- 0x29f336b (26): Opera Options
- 0x29f33a7 (28): wand.dat file:
- 0x29f3883 (32): Created by using
- 0x29f38a5 (50): Select a filename to save
- 0x29f38d9 (382): Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat)
- 0x29f3a59 (28):
- Loading... %d
- 0x29f3a81 (20): Text File
- 0x29f3a97 (46): Tab Delimited Text File
- 0x29f3ac7 (34): Tabular Text File
- 0x29f3aeb (44): HTML File - Horizontal
- 0x29f3b19 (40): HTML File - Vertical
- 0x29f3b55 (50): Comma Delimited Text File
- 0x29f3b89 (32): KeePass csv file
- 0x29f3bbf (58): Opera Password File All Files
- 0x29f3c1b (54): Internet Explorer 4.0 - 6.0
- 0x29f3c53 (54): Internet Explorer 7.0 - 9.0
- 0x29f3c8b (22): Firefox 1.x
- 0x29f3ca3 (22): Firefox 2.x
- 0x29f3cbb (22): Firefox 3.0
- 0x29f3d0b (64): Internet Explorer 10.0 SeaMonkey
- 0x29f3d7f (42): Web Browser User Name
- 0x29f3dbd (34): Password Strength
- 0x29f3de1 (30): User Name Field
- 0x29f3e01 (28): Password Field
- 0x29f3e29 (20): Very Weak
- 0x29f3e65 (22): Very Strong
- 0x29f3f75 (30): VS_VERSION_INFO
- 0x29f3fd1 (28): StringFileInfo
- 0x29f400d (22): CompanyName
- 0x29f403d (30): FileDescription
- 0x29f405f (36): WebBrowserPassView
- 0x29f408d (22): FileVersion
- 0x29f40b9 (24): InternalName
- 0x29f40d3 (36): WebBrowserPassView
- 0x29f4101 (28): LegalCopyright
- 0x29f411f (20): Copyright
- 0x29f4135 (44): 2011 - 2013 Nir Sofer
- 0x29f4169 (32): OriginalFilename
- 0x29f418b (44): WebBrowserPassView.exe
- 0x29f41c1 (22): ProductName
- 0x29f41db (36): WebBrowserPassView
- 0x29f4209 (28): ProductVersion
- 0x29f4239 (22): VarFileInfo
- 0x29f4259 (22): Translation
- 0x29f5cdd (44): !This program cannot be run in DOS mode.
- 0x2a06ee8 (13): Mail PassView
- 0x2a07088 (14): POP3 User Name
- 0x2a07098 (14): IMAP User Name
- 0x2a070a8 (18): HTTPMail User Name
- 0x2a070bc (14): SMTP USer Name
- 0x2a070cc (11): POP3 Server
- 0x2a070d8 (11): IMAP Server
- 0x2a070e4 (15): HTTPMail Server
- 0x2a070f4 (11): SMTP Server
- 0x2a07100 (14): POP3 Password2
- 0x2a07110 (14): IMAP Password2
- 0x2a07120 (18): HTTPMail Password2
- 0x2a07134 (14): SMTP Password2
- 0x2a0715c (13): HTTPMail Port
- 0x2a07178 (22): POP3 Secure Connection
- 0x2a07190 (22): IMAP Secure Connection
- 0x2a071a8 (26): HTTPMail Secure Connection
- 0x2a071c4 (22): SMTP Secure Connection
- 0x2a071dc (17): SMTP Display Name
- 0x2a071f0 (18): SMTP Email Address
- 0x2a07204 (13): POP3 Password
- 0x2a07214 (13): IMAP Password
- 0x2a07224 (13): HTTP Password
- 0x2a07234 (13): SMTP Password
- 0x2a07274 (15): HTTP Server URL
- 0x2a07290 (12): POP3 Use SPA
- 0x2a072a0 (12): IMAP Use SPA
- 0x2a072b0 (16): HTTPMail Use SSL
- 0x2a072c4 (12): SMTP Use SSL
- 0x2a072d4 (12): Display Name
- 0x2a072ec (10): Identities
- 0x2a07304 (52): Software\Microsoft\Internet Account Manager\Accounts
- 0x2a07344 (62): Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
- 0x2a07384 (11): DisplayName
- 0x2a07390 (12): EmailAddress
- 0x2a073a0 (10): PopAccount
- 0x2a073c0 (12): PopLogSecure
- 0x2a073d0 (11): PopPassword
- 0x2a073dc (11): SMTPAccount
- 0x2a073e8 (10): SMTPServer
- 0x2a07400 (13): SMTPLogSecure
- 0x2a07410 (12): SMTPPassword
- 0x2a07420 (31): Software\IncrediMail\Identities
- 0x2a0744c (11): %s\Accounts
- 0x2a07488 (13): ReturnAddress
- 0x2a07498 (16): SavePasswordText
- 0x2a074ac (13): Personalities
- 0x2a074bc (14): Server Details
- 0x2a074cc (13): ESMTPUsername
- 0x2a074dc (13): ESMTPPassword
- 0x2a074ec (10): POP3Server
- 0x2a074f8 (12): POP3Username
- 0x2a07508 (12): POP3Password
- 0x2a07518 (11): InstallPath
- 0x2a07524 (19): Software\Group Mail
- 0x2a07540 (12): %s@gmail.com
- 0x2a07550 (12): %s@yahoo.com
- 0x2a07563 (57): "Account","Login Name","Password","Web Site","Comments"
- 0x2a075b0 (100): www.google.com/Please log in to your Gmail account
- 0x2a07618 (108): www.google.com:443/Please log in to your Gmail account
- 0x2a07688 (102): www.google.com/Please log in to your Google Account
- 0x2a076f0 (110): www.google.com:443/Please log in to your Google Account
- 0x2a07760 (55): Software\Microsoft\Windows Messaging Subsystem\Profiles
- 0x2a07798 (81): Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
- 0x2a077ec (47): Software\Microsoft\Office\15.0\Outlook\Profiles
- 0x2a078d8 (28): www.google.com
- 0x2a07b28 (16): POP3_credentials
- 0x2a07b54 (40): Software\Google\Google Desktop\Mailboxes
- 0x2a07b84 (36): Software\Google\Google Talk\Accounts
- 0x2a07bb0 (34): Microsoft_WinInet
- 0x2a08024 (20): mail.account.account
- 0x2a08044 (10): identities
- 0x2a08050 (11): mail.server
- 0x2a08084 (10): useSecAuth
- 0x2a08098 (13): mail.identity
- 0x2a080c0 (21): signon.signonfilename
- 0x2a080d8 (10): mailbox://
- 0x2a080ec (15): mailbox://%s@%s
- 0x2a080fc (12): imap://%s@%s
- 0x2a08110 (129): SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
- 0x2a08194 (12): mailbox://%s
- 0x2a081b0 (11): signons.txt
- 0x2a081bc (14): signons.sqlite
- 0x2a081f4 (30): Password.NET Messenger Service
- 0x2a08214 (26): User.NET Messenger Service
- 0x2a08230 (31): Software\Microsoft\MSNMessenger
- 0x2a08250 (35): Software\Microsoft\MessengerService
- 0x2a08274 (14): Passport.Net\*
- 0x2a0828c (11): ps:password
- 0x2a08298 (36): WindowsLive:name=*
- 0x2a082c0 (17): windowslive:name=
- 0x2a082d4 (30): Software\Microsoft\IdentityCRL
- 0x2a08eec (11): *.oeaccount
- 0x2a08ef8 (23): \Microsoft\Windows Mail
- 0x2a08f10 (28): \Microsoft\Windows Live Mail
- 0x2a08f30 (10): Store Root
- 0x2a08f48 (20): Software\Yahoo\Pager
- 0x2a08f60 (14): Yahoo! User ID
- 0x2a08fd8 (44): f:\Projects\VS2005\mailpv\Release\mailpv.pdb
- 0x2a0d588 (30): Outlook Express
- 0x2a0d5a8 (22): IncrediMail
- 0x2a0d5ce (52): Group Mail Free
- MS Outlook
- 0x2a0d604 (60): MS Outlook 2002/2003/2007/2010
- 0x2a0d64e (22): Hotmail/MSN
- 0x2a0d666 (50): Yahoo! Mail
- Netscape Mail
- 0x2a0d69a (22): Thunderbird
- 0x2a0d6b2 (28): Google Desktop
- 0x2a0d6d0 (24): Windows Mail
- 0x2a0d6ea (34): Windows Live Mail
- 0x2a0d70e (24): Outlook 2013
- 0x2a0d96a (30): VS_VERSION_INFO
- 0x2a0d9c6 (28): StringFileInfo
- 0x2a0da02 (22): CompanyName
- 0x2a0da32 (30): FileDescription
- 0x2a0da54 (44): Mail Password Recovery
- 0x2a0da8a (22): FileVersion
- 0x2a0dab6 (24): InternalName
- 0x2a0dad0 (26): Mail PassView
- 0x2a0daf2 (28): LegalCopyright
- 0x2a0db10 (20): Copyright
- 0x2a0db26 (44): 2003 - 2013 Nir Sofer
- 0x2a0db5a (32): OriginalFilename
- 0x2a0db7c (20): mailpv.exe
- 0x2a0db9a (22): ProductName
- 0x2a0dbb4 (26): Mail PassView
- 0x2a0dbd6 (28): ProductVersion
- 0x2a0dc06 (22): VarFileInfo
- 0x2a0dc26 (22): Translation
- 0x2a10ba5 (20): encryptedemailstring
- 0x2a10bba (19): encryptedpassstring
- 0x2a10bce (19): encryptedsmtpstring
- 0x2a10be2 (10): portstring
- 0x2a10bed (11): timerstring
- 0x2a10bf9 (13): fakemgrstring
- 0x2a10c07 (16): encryptedftphost
- 0x2a10c18 (16): encryptedftpuser
- 0x2a10c29 (16): encryptedftppass
- 0x2a10c3a (16): encryptedphplink
- 0x2a10c83 (10): downloader
- 0x2a10c8e (14): websitevisitor
- 0x2a10c9d (14): websiteblocker
- 0x2a10cac (11): AdminRights
- 0x2a10cbf (10): DisableSSL
- 0x2a10ce8 (11): TaskManager
- 0x2a10d2b (13): screenynumber
- 0x2a10d39 (10): Minecraftt
- 0x2a10d53 (12): meltLocation
- 0x2a10d71 (32): AccessedThroughPropertyAttribute
- 0x2a10d92 (11): emailstring
- 0x2a10d9e (10): passstring
- 0x2a10da9 (10): smtpstring
- 0x2a10e0f (10): WM_KEYDOWN
- 0x2a10e1a (13): WM_SYSKEYDOWN
- 0x2a10e28 (11): WM_SYSKEYUP
- 0x2a10e34 (14): KeyboardHandle
- 0x2a10e43 (26): LastCheckedForegroundTitle
- 0x2a10e7d (10): InternalIp
- 0x2a10e8d (10): MyFirewall
- 0x2a10e9c (20): CleanedPasswordsMAIL
- 0x2a10eb1 (18): CleanedPasswordsWB
- 0x2a1156f (11): ReadAllText
- 0x2a1157b (10): DeleteFile
- 0x2a11593 (11): ThreadStart
- 0x2a1159f (17): SetApartmentState
- 0x2a115b1 (14): ApartmentState
- 0x2a115cb (13): IsNullOrEmpty
- 0x2a115e1 (16): FromBase64String
- 0x2a115f2 (13): WriteAllBytes
- 0x2a11600 (11): get_Network
- 0x2a11614 (12): DownloadFile
- 0x2a11634 (14): GetDirectories
- 0x2a116e7 (18): GetProcessesByName
- 0x2a116ff (15): ForceSteamLogin
- 0x2a11746 (16): NetworkInterface
- 0x2a11775 (23): GetAllNetworkInterfaces
- 0x2a1178d (24): get_NetworkInterfaceType
- 0x2a117a6 (20): NetworkInterfaceType
- 0x2a117bb (21): get_OperationalStatus
- 0x2a117d1 (17): OperationalStatus
- 0x2a117e3 (21): IsConnectedToInternet
- 0x2a11846 (14): FakemsgInstall
- 0x2a11855 (11): MailMessage
- 0x2a11861 (15): System.Net.Mail
- 0x2a11871 (10): SmtpClient
- 0x2a118a6 (13): get_LocalTime
- 0x2a118bd (12): ComputerInfo
- 0x2a118ca (22): get_InstalledUICulture
- 0x2a118e1 (11): CultureInfo
- 0x2a118ed (20): System.Globalization
- 0x2a11902 (14): get_OSFullName
- 0x2a11911 (11): MailAddress
- 0x2a1192d (21): MailAddressCollection
- 0x2a11943 (11): set_Subject
- 0x2a11961 (13): set_EnableSsl
- 0x2a1196f (17): NetworkCredential
- 0x2a11981 (10): System.Net
- 0x2a1198c (15): set_Credentials
- 0x2a1199c (18): ICredentialsByHost
- 0x2a119b4 (13): ServerInstall
- 0x2a119c2 (12): get_Registry
- 0x2a119cf (13): RegistryProxy
- 0x2a119e6 (17): RegistryValueKind
- 0x2a11afc (12): addtostartup
- 0x2a11b09 (24): DESCryptoServiceProvider
- 0x2a11c71 (13): StartStealers
- 0x2a11c92 (11): get_Version
- 0x2a11ca6 (14): get_OSPlatform
- 0x2a11cb5 (13): get_OSVersion
- 0x2a11cc3 (15): stealWebroswers
- 0x2a11cdd (12): StreamReader
- 0x2a11d10 (10): FileStream
- 0x2a11d24 (24): WaitUntilFileIsAvailable
- 0x2a11d46 (15): get_Attachments
- 0x2a11d56 (20): AttachmentCollection
- 0x2a11d83 (10): Bitcoinsub
- 0x2a11d8e (12): MemoryStream
- 0x2a11d9b (10): GZipStream
- 0x2a11da6 (21): System.IO.Compression
- 0x2a11dbc (12): BitConverter
- 0x2a11e22 (12): Minecraftsub
- 0x2a11ed5 (14): CopyFromScreen
- 0x2a11ef2 (11): SendLogsFTP
- 0x2a11efe (13): FtpWebRequest
- 0x2a11f0c (12): BinaryWriter
- 0x2a11f19 (10): WebRequest
- 0x2a11f2b (12): ICredentials
- 0x2a11f38 (10): set_Method
- 0x2a11f43 (16): GetRequestStream
- 0x2a11f63 (12): ReadAllBytes
- 0x2a11f70 (11): SendLogsPHP
- 0x2a11f7c (14): DownloadString
- 0x2a11f95 (13): get_TimeOfDay
- 0x2a11fa3 (13): get_Clipboard
- 0x2a11fb1 (14): ClipboardProxy
- 0x2a1212e (13): GetInternalIP
- 0x2a1213c (13): GetExternalIP
- 0x2a121d1 (15): get_MachineName
- 0x2a12203 (12): GetAntiVirus
- 0x2a12210 (11): GetFirewall
- 0x2a1223a (15): KBDLLHOOKSTRUCT
- 0x2a127c9 (11): get_Culture
- 0x2a127d5 (11): set_Culture
- 0x2a127eb (18): get_CMemoryExecute
- 0x2a127fe (10): get_mailpv
- 0x2a12809 (22): get_WebBrowserPassView
- 0x2a12828 (14): CMemoryExecute
- 0x2a1283e (18): WebBrowserPassView
- 0x2a13185 (22): dontclearie
- 0x2a1319d (22): dontclearff
- 0x2a131c9 (26): downloadfiles
- 0x2a131e5 (28): websitevisitor
- 0x2a13203 (28): websiteblocker
- 0x2a13221 (36): DisableAdminRights
- 0x2a132a7 (36): DisableTaskManager
- 0x2a132ed (22): Disablemelt
- 0x2a13305 (20): Disablereg
- 0x2a1331b (20): Disablecmd
- 0x2a13331 (30): Disablemsconfig
- 0x2a13351 (32): Disablespreaders
- 0x2a13373 (24): Disablesteam
- 0x2a1338d (38): \Windows Update.exe
- 0x2a13633 (36): \WindowsUpdate.exe
- 0x2a13659 (22): SysInfo.txt
- 0x2a13683 (22): \pidloc.txt
- 0x2a1369b (28): PredatorLogger
- 0x2a136b9 (30): Disablestealers
- 0x2a136d9 (26): Disablelogger
- 0x2a136f5 (22): Disableclip
- 0x2a13779 (50): \Mozilla\Firefox\Profiles
- 0x2a137bb (36): \drivers\etc\hosts
- 0x2a137e1 (20): 127.0.0.1
- 0x2a13815 (34): \SteamAppData.vdf
- 0x2a13839 (40): \ClientRegistry.blob
- 0x2a1386f (30): Disablefakerror
- 0x2a1388f (54): Microsoft Application Error
- 0x2a138dd (72): This is an email notifying you that
- 0x2a13928 (262): has ran your logger and emails should be sent to you shortly and at interval choosen.
- Predator Logger Details:
- Server Name:
- 0x2a13a30 (42):
- Keylogger Enabled:
- 0x2a13a5c (56):
- Clipboard-Logger Enabled:
- 0x2a13a96 (74):
- Time Logs will be delivered: Every
- 0x2a13ae2 (62): minutes
- Stealers Enabled:
- 0x2a13b23 (156):
- Time Log will be delivered: Average 2 to 4 minutes
- Local Date and Time:
- 0x2a13bc1 (44):
- Installed Language:
- 0x2a13bef (40):
- Operating System:
- 0x2a13c19 (46):
- Internal IP Address:
- 0x2a13c49 (46):
- External IP Address:
- 0x2a13c79 (48):
- Installed Anti-Virus:
- 0x2a13cab (44):
- Installed Firewall:
- 0x2a13cd9 (26): Disablenotify
- 0x2a13cf5 (60): Predator_Painv13_Notification_
- 0x2a13d3d (68): Predator Pain v13 - Server Ran - [
- 0x2a13d84 (154): HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- 0x2a13e2e (22): autorun.inf
- 0x2a13e5a (24): open=Sys.exe
- 0x2a13e74 (32): action=Run win32
- 0x2a13ea6 (90): Software\Microsoft\Windows\CurrentVersion\Run
- 0x2a13f02 (28): Windows Update
- 0x2a13f20 (28): CMemoryExecute
- 0x2a13f46 (106): C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
- 0x2a13fd2 (38): \bitcoin\wallet.dat
- 0x2a13ffa (22): _wallet.dat
- 0x2a14012 (20): wallet.dat
- 0x2a1403a (84): Microsoft.NET\Framework\v2.0.50727\vbc.exe
- 0x2a140a2 (30): holdermail.txt"
- 0x2a140c2 (28): holdermail.txt
- 0x2a140e1 (486): **********************************************
- Operating System Intel Recovery
- **********************************************
- CPU Name:
- 0x2a142c9 (46):
- Local Date and Time:
- 0x2a142f9 (30):
- Net Version:
- 0x2a14319 (58):
- Operating System Platform:
- 0x2a14355 (56):
- Operating System Version:
- 0x2a14390 (466):
- **********************************************
- WEB Browser Password Recovery
- **********************************************
- 0x2a14565 (468):
- **********************************************
- Mail Messenger Password Recovery
- **********************************************
- 0x2a1473c (930):
- **********************************************
- Internet Download Manager Recovery
- **********************************************
- **********************************************
- Jdownloader Password Recovery
- **********************************************
- 0x2a14ae0 (58): Predator_Painv13_Stealer_Log_
- 0x2a14b1c (66): Predator Pain v13|Stealer Log - [
- 0x2a14b60 (26): holderwb.txt"
- 0x2a14b7c (24): holderwb.txt
- 0x2a14b96 (74): Pain File Stealer Bitcoin Stealer - [
- 0x2a14be3 (128): Steals the Wallet.DAT file that holds the users bitcoin currency
- 0x2a14c65 (42): \.minecraft\lastlogin
- 0x2a14c91 (78): Predator Pain v13|Minecraft Stealer - [
- 0x2a14ce2 (312): There is a file attached to this email containing Minecraft username and password download it then decrypt the login information with my Minecraft Decryptor
- 0x2a14e66 (28): Disablestartup
- 0x2a14e84 (72): Predator Pain v13 - Key Recorder - [
- 0x2a14ecf (454): **********************************************
- ClipBoard Log
- **********************************************
- 0x2a15098 (458):
- **********************************************
- Keylogger Log
- **********************************************
- 0x2a15264 (28): Disablescreeny
- 0x2a15292 (36): screens\screenshot
- 0x2a152c4 (50): Predator_Pain_v13_KeyLog_
- 0x2a1532e (26): [------------
- 0x2a1534a (26): ------------]
- 0x2a15366 (26): 099u787978786
- 0x2a15382 (58): http://whatismyipaddress.com/
- 0x2a153be (44): <!-- do not script -->
- 0x2a153fe (42): \root\SecurityCenter2
- 0x2a1542a (60): SELECT * FROM AntivirusProduct
- 0x2a15468 (22): displayName
- 0x2a15480 (58): SELECT * FROM FirewallProduct
- 0x2a154bc (38): Microsoft.Resources
- 0x2a154f2 (36): WebBrowserPassView
- 0x2a15520 (104): :\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
- 0x2a2d464 (106): Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- 0x2a2d4dc (28): explorer.exe,
- 0x2a2d4fa (116): Software\Microsoft\Windows\Current Version\Policies\System
- 0x2a2d59e (20): \csrss.exe
- 0x2a2d5b6 (40): -reg "explorer.exe,
- 0x2a2d5e6 (20): -prockill
- 0x2a2d638 (22): SbieDll.dll
- 0x2a2d660 (60): The Wireshark Network Analyzer