StopMalvertising

Predator Pain Keylogger - Partial Memory Dump

Apr 27th, 2014
Predator Pain Keylogger - Partial Dump Of Strings In Memory
http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html


0x230370 (30): APP_CONFIG_FILE
0x230448 (28): MACHINE_CONFIG

0x249c48 (20): System.Windows.Forms
0x249d68 (20): System.Xml
0x249dc8 (16): GDI+ Hook Window
0x249e08 (20): System.Xml
0x249ee8 (21): Microsoft.VisualBasic
0x24a208 (20): System.Web

0x24c3c8 (28): KazyLoader.dll
0x24c540 (14): KazyLoader.dll
0x24c568 (14): kazyloader.dll

0x1991ff9 (44): !This program cannot be run in DOS mode.
0x19923d0 (10): v2.0.50727
0x199279a (14): KazyLoader.dll
0x19927b0 (10): KazyLoader
0x199300a (30): VS_VERSION_INFO
0x1993066 (22): VarFileInfo
0x1993086 (22): Translation
0x19930aa (28): StringFileInfo
0x19930e6 (22): CompanyName
0x199311a (30): FileDescription
0x199313c (20): KazyLoader
0x199315a (22): FileVersion
0x199318a (24): InternalName
0x19931a4 (28): KazyLoader.dll
0x19931ca (28): LegalCopyright
0x19931e8 (20): Copyright
0x19931fe (30): Microsoft 2014
0x1993226 (32): OriginalFilename
0x1993248 (28): KazyLoader.dll
0x199326e (22): ProductName
0x1993288 (20): KazyLoader
0x19932a6 (28): ProductVersion
0x19932da (32): Assembly Version

0x19983a8 (24): winlogon.exe
0x19983ec (116): The application failed to initialize properly (0xc0000135)
0x1998474 (54): Microsoft Application Error

0x1998548 (36): HKEY_LOCAL_MACHINE
0x1998580 (34): HKEY_CURRENT_USER
0x19985b4 (34): HKEY_CLASSES_ROOT
0x19985e8 (20): HKEY_USERS
0x1998610 (42): HKEY_PERFORMANCE_DATA
0x199864c (38): HKEY_CURRENT_CONFIG
0x1998684 (26): HKEY_DYN_DATA
0x1998890 (106): Software\Microsoft\Windows NT\CurrentVersion\Winlogon
0x1998928 (28): explorer.exe,
0x1998958 (116): Software\Microsoft\Windows\Current Version\Policies\System
0x1998a40 (20): \csrss.exe
0x1998a68 (40): -reg "explorer.exe,
0x1998abc (20): -prockill

0x199cc1c (24): LICENSE_FILE
0x199cc48 (38): LOADER_OPTIMIZATION
0x199cda4 (88): Software\Microsoft\Windows NT\CurrentVersion
0x199ce10 (32): InstallationType
0x199ce64 (22): Server Core
0x199cee0 (20): system.net

0x19b588c (22): dontclearie
0x19b58b4 (22): dontclearff
0x19b5900 (26): downloadfiles
0x19b592c (28): websitevisitor
0x19b595c (28): websiteblocker
0x19b598c (36): DisableAdminRights
0x19b5a88 (36): DisableTaskManager
0x19b5b04 (22): Disablemelt
0x19b5b2c (20): Disablereg
0x19b5b54 (20): Disablecmd
0x19b5b7c (30): Disablemsconfig
0x19b5bac (32): Disablespreaders
0x19b5be0 (24): Disablesteam
0x19b5c0c (38): \Windows Update.exe
0x19b61bc (24): winlogon.exe

0x19b6330 (28): CMemoryExecute
0x19b6935 (44): !This program cannot be run in DOS mode.
0x19b6dcc (10): v2.0.50727
0x19b7252 (18): CMemoryExecute.dll
0x19b7265 (14): CMemoryExecute
0x19b78d1 (14): CMemoryExecute
0x19b78eb (10): Copyright
0x19b7d46 (30): VS_VERSION_INFO
0x19b7da2 (22): VarFileInfo
0x19b7dc2 (22): Translation
0x19b7de6 (28): StringFileInfo
0x19b7e22 (30): FileDescription
0x19b7e44 (28): CMemoryExecute
0x19b7e6a (22): FileVersion
0x19b7e9a (24): InternalName
0x19b7eb4 (36): CMemoryExecute.dll
0x19b7ee2 (28): LegalCopyright
0x19b7f00 (20): Copyright
0x19b7f2a (32): OriginalFilename
0x19b7f4c (36): CMemoryExecute.dll
0x19b7f7a (22): ProductName
0x19b7f94 (28): CMemoryExecute
0x19b7fba (28): ProductVersion
0x19b7fee (32): Assembly Version

0x19bb738 (36): \WindowsUpdate.exe
0x19bb770 (22): SysInfo.txt
0x19bb7bc (22): \pidloc.txt
0x19bb7e4 (28): PredatorLogger
0x19bb814 (30): Disablestealers
0x19bb844 (26): Disablelogger
0x19bb898 (22): Disableclip

0x19c011c (58): results@facebookmarketers.net
0x19c0188 (52): mail.facebookmarketers.net
0x19c01d0 (24): ftp.host.com
0x19c02bc (98): http://www.DeceptiveEngineering.com/path/logs.php
0x19c0484 (24): GetHostEntry
0x19c04b0 (26): GetHostByName
0x19c0500 (58): http://whatismyipaddress.com/
0x19c054c (44): <!-- do not script -->
0x19c0704 (28): DownloadString
0x19c0734 (26): net_webclient
0x19c0760 (24): DownloadData
0x19c09b0 (20): WebRequest
0x19c0a04 (34): webRequestModules
0x19c1e84 (28): HttpWebRequest
0x19c1ef8 (24): defaultProxy
0x19c216c (20): bypasslist
0x19c21b0 (42): useDefaultCredentials
0x19c2584 (20): autoDetect
0x19c25ac (28): scriptLocation
0x19c25dc (26): bypassonlocal
0x19c2608 (24): proxyaddress
0x19c2634 (32): usesystemdefault
0x19c4ab8 (42): whatismyipaddress.com
0x19c4e4c (56): http://whatismyipaddress.com
0x19c6354 (42): whatismyipaddress.com

0x19cb7b0 (42): \root\SecurityCenter2
0x19cb7ec (60): SELECT * FROM AntivirusProduct
0x19cb83c (22): displayName
0x19cb884 (24): COMPUTERNAME

0x19cc048 (28): //./root/cimv2
0x19ccd00 (58): SELECT * FROM FirewallProduct
0x19cd7ac (30): Disablefakerror

0x19ce324 (38): \bitcoin\wallet.dat
0x19ce35c (22): _wallet.dat
0x19ce384 (20): wallet.dat

0x19ce748 (28): Disablestartup
0x19ce778 (90): Software\Microsoft\Windows\CurrentVersion\Run
0x19ce7e4 (28): Windows Update

0x19cffd4 (72): This is an email notifying you that
0x19d0030 (262): has ran your logger and emails should be sent to you shortly and at interval choosen.

Predator Logger Details:
Server Name:
0x19d0148 (42):
Keylogger Enabled:
0x19d0184 (56):
Clipboard-Logger Enabled:
0x19d01d0 (74):
Time Logs will be delivered: Every
0x19d022c (62): minutes

Stealers Enabled:
0x19d027c (156):
Time Log will be delivered: Average 2 to 4 minutes

Local Date and Time:
0x19d032c (44):
Installed Language:
0x19d036c (40):
Operating System:
0x19d03a8 (46):
Internal IP Address:
0x19d03e8 (46):
External IP Address:
0x19d0428 (48):
Installed Anti-Virus:
0x19d046c (44):
Installed Firewall:
0x19d04ac (26): Disablenotify
0x19d04d8 (60): Predator_Painv13_Notification_
0x19d0544 (68): Predator Pain v13 - Server Ran - [
0x19d059c (42): \.minecraft\lastlogin
0x19d05d8 (78): Predator Pain v13|Minecraft Stealer - [
0x19d0638 (312): There is a file attached to this email containing Minecraft username and password download it then decrypt the login information with my Minecraft Decryptor
0x19d0794 (40): d/MM/yyyy h:mm:ss tt
0x19d09b4 (42): Win32_OperatingSystem
0x19d0a80 (48): select * from meta_class
0x19d0fcc (70): select * from Win32_OperatingSystem
0x19d13b8 (22): UnicodeText
0x19d13f8 (46): DeviceIndependentBitmap
0x19d1458 (32): EnhancedMetafile
0x19d148c (24): MetaFilePict
0x19d14b8 (24): SymbolicLink
0x19d14e4 (42): DataInterchangeFormat
0x19d1520 (42): TaggedImageFileFormat
0x19d1648 (22): HTML Format
0x19d1670 (32): Rich Text Format
0x19d16a4 (32): PersistentObject
0x19d16d8 (26): System.String
0x19d1704 (60): WindowsForms10PersistentObject
0x19d1904 (72): Predator Pain v13 - Key Recorder - [
0x19d1960 (454): **********************************************
ClipBoard Log
**********************************************

0x19d1b38 (458):
**********************************************
Keylogger Log
**********************************************

0x19d1d14 (28): Disablescreeny
0x19d1d64 (36): screens\screenshot
Karagany

0x19d2174 (36): WebBrowserPassView

0x19d2bec (24): mailSettings
0x19d2ebc (48): specifiedPickupDirectory
0x19d2f00 (28): deliveryMethod
0x19d32f8 (36): defaultCredentials
0x19d3330 (24): clientDomain
0x19d33a4 (20): targetName

0x19d3938 (46): pickupDirectoryLocation
0x19d3bbc (20): SmtpClient
0x19d4010 (68): SMTPSVC/mail.facebookmarketers.net
0x19d4740 (48): MailAddressInvalidFormat
0x19d4784 (56): MailAddressUnsupportedFormat
0x19d47f0 (42): facebookmarketers.net
0x19d48a8 (42): facebookmarketers.net
0x19d4904 (90): Predator Pain v13 - Server Ran - [SOME-PC]

0x19db7e0 (30): DeliveryMethod=
0x19dbafc (72): ByHost:mail.facebookmarketers.net:25
0x19dbbd8 (72): ByHost:mail.facebookmarketers.net:25
0x19dbf80 (60): mail.facebookmarketers.net
25

0x19dc5b4 (42): facebookmarketers.net
0x19dc7d4 (84): Microsoft.NET\Framework\v2.0.50727\vbc.exe
0x19dc860 (30): holdermail.txt"
0x19dc8a8 (28): holdermail.txt

0x1b69360 (486): **********************************************
Operating System Intel Recovery
**********************************************
CPU Name:
0x1b69558 (46):
Local Date and Time:
0x1b69598 (30):
Net Version:
0x1b695c8 (58):
Operating System Platform:
0x1b69614 (56):
Operating System Version:
0x1b69660 (466):
**********************************************
WEB Browser Password Recovery
**********************************************

0x1b69844 (468):
**********************************************
Mail Messenger Password Recovery
**********************************************

0x1b69a2c (930):
**********************************************
Internet Download Manager Recovery
**********************************************
**********************************************
Jdownloader Password Recovery
**********************************************
0x1b69de0 (58): Predator_Painv13_Stealer_Log_
0x1b69e2c (66): Predator Pain v13|Stealer Log - [
0x1b69e80 (26): holderwb.txt"
0x1b69eac (24): holderwb.txt

0x1df1ff0 (70): select * from Win32_OperatingSystem
0x1df20b8 (28): \\.\root\cimv2

0x1e15db4 (72): f:\dd\Tools\devdiv\EcmaPublicKey.snk

0x1e24a8c (76): Unable to connect to the remote server
0x1e24db0 (38): SmtpSendMailFailure
0x1e24de8 (42): Failure sending mail.

0x1e327c0 (74): Pain File Stealer Bitcoin Stealer - [
0x1e3281c (128): Steals the Wallet.DAT file that holds the users bitcoin currency

0x2996e2d (44): !This program cannot be run in DOS mode.
0x299932f (44): !This program cannot be run in DOS mode.
0x299e3c7 (28): CMemoryExecute
0x299e3e8 (36): WebBrowserPassView
0x299e473 (44): !This program cannot be run in DOS mode.
0x299e90a (10): v2.0.50727
0x299ed90 (18): CMemoryExecute.dll
0x299eda3 (14): CMemoryExecute
0x299f40f (14): CMemoryExecute
0x299f429 (10): Copyright
0x299f57a (121): C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb
0x299f884 (30): VS_VERSION_INFO
0x299f8e0 (22): VarFileInfo
0x299f900 (22): Translation
0x299f924 (28): StringFileInfo
0x299f960 (30): FileDescription
0x299f982 (28): CMemoryExecute
0x299f9a8 (22): FileVersion
0x299f9d8 (24): InternalName
0x299f9f2 (36): CMemoryExecute.dll
0x299fa20 (28): LegalCopyright
0x299fa3e (20): Copyright
0x299fa68 (32): OriginalFilename
0x299fa8a (36): CMemoryExecute.dll
0x299fab8 (22): ProductName
0x299fad2 (28): CMemoryExecute
0x299faf8 (28): ProductVersion
0x299fb2c (32): Assembly Version
0x299fe78 (44): !This program cannot be run in DOS mode.

0x29e24ef (36): WebBrowserPassView
0x29e2543 (82): Apple Computer\Preferences\keychain.plist
0x29e25cf (16): com.apple.Safari
0x29e25e3 (27): com.apple.WebKit2WebProcess
0x29e260b (138): SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins
0x29e270b (30): LoadPasswordsIE
0x29e272b (40): LoadPasswordsFirefox
0x29e2757 (38): LoadPasswordsChrome
0x29e277f (36): LoadPasswordsOpera
0x29e27a7 (38): LoadPasswordsSafari
0x29e27cf (44): LoadPasswordsSeaMonkey
0x29e27ff (46): UseFirefoxProfileFolder
0x29e282f (46): UseFirefoxInstallFolder
0x29e285f (44): UseChromeProfileFolder
0x29e288f (40): UseOperaPasswordFile
0x29e28bb (40): FirefoxProfileFolder
0x29e28e7 (40): FirefoxInstallFolder
0x29e2913 (38): ChromeProfileFolder
0x29e293b (34): OperaPasswordFile
0x29e2962 (57): "Account","Login Name","Password","Web Site","Comments"

0x29e2c0f (11): CredDeleteA
0x29e2c1b (14): CredEnumerateA
0x29e2c2b (14): CredEnumerateW
0x29e2c3b (22): crypt32.dll
0x29e2c53 (18): CryptUnprotectData
0x29e2c67 (20): CryptAcquireContextA
0x29e2c7f (19): CryptReleaseContext
0x29e2c93 (15): CryptCreateHash
0x29e2ca3 (17): CryptGetHashParam
0x29e2cb7 (13): CryptHashData
0x29e2cc7 (16): CryptDestroyHash

0x29e32ef (15): SQLite format 3
0x29e37eb (103): CREATE TABLE sqlite_master(
type text,
name text,
tbl_name text,
rootpage integer,
sql text
)

0x29e707b (130): SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe
0x29e70ff (50): %programfiles%\Sea Monkey
0x29e7133 (32): SOFTWARE\Mozilla
0x29e718b (60): %programfiles%\Mozilla Firefox
0x29e71cb (129): SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
0x29e7255 (24): -signons.txt
0x29e726f (24): signons2.txt
0x29e728b (24): signons3.txt
0x29e72a7 (28): signons.sqlite
0x29e72c7 (20): netmsg.dll

0x29e7553 (84): Microsoft\Windows\WebCache\WebCacheV01.dat
0x29e75ab (84): Microsoft\Windows\WebCache\WebCacheV24.dat
0x29e7633 (116): Software\Microsoft\Internet Explorer\IntelliForms\Storage2
0x29e76ab (88): https://www.google.com/accounts/servicelogin
0x29e7707 (48): http://www.facebook.com/
0x29e773b (72): https://login.yahoo.com/config/login
0x29e778d (36): @internet explorer
0x29e77d7 (22): :stringdata
0x29e77ef (46): wininetcachecredentials
0x29e7e79 (24): @history.dat
0x29e7e93 (26): places.sqlite
0x29e7eaf (32): Mozilla\Profiles
0x29e7ed3 (48): Mozilla\Firefox\Profiles
0x29e7f07 (52): Mozilla\SeaMonkey\Profiles
0x29e7f3f (34): Mozilla\SeaMonkey
0x29e7f63 (30): Mozilla\Firefox
0x29e7f83 (24): profiles.ini
0x29e8157 (22): sqlite3.dll
0x29e816f (28): mozsqlite3.dll
0x29e819b (12): NSS_Shutdown
0x29e81ab (23): PK11_GetInternalKeySlot
0x29e81c3 (13): PK11_FreeSlot
0x29e81d3 (22): PK11_CheckUserPassword
0x29e81eb (17): PK11_Authenticate
0x29e81ff (15): PK11SDR_Decrypt
0x29e82df (20): Login Data
0x29e82f7 (46): Google\Chrome\User Data
0x29e8327 (54): Google\Chrome SxS\User Data
0x29e835f (40): Opera\Opera\wand.dat
0x29e838b (58): Opera\Opera7\profile\wand.dat
0x29e8583 (22): pstorec.dll
0x29e859b (20): PStoreCreateInstance

0x29ebb43 (22): ProductName
0x29ebb5b (30): FileDescription
0x29ebb7b (22): FileVersion
0x29ebb93 (28): ProductVersion
0x29ebbb3 (22): CompanyName
0x29ebbcb (24): InternalName
0x29ebbe7 (28): LegalCopyright
0x29ebc07 (32): OriginalFileName
0x29ebc2b (22): log profile
0x29ebc67 (24): vaultcli.dll
0x29ebc83 (14): VaultOpenVault
0x29ebc93 (15): VaultCloseVault
0x29ebca3 (19): VaultEnumerateItems
0x29ebcc3 (19): VaultGetInformation
0x29ebcd7 (12): VaultGetItem
0x29ebd3b (68): f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb

0x29f2eff (44): Load Passwords From...
0x29f2f4b (34): Internet Explorer
0x29f2f8f (26): Google Chrome
0x29f2ff7 (30): Mozilla Firefox
0x29f30e7 (30): Firefox Options
0x29f3127 (32): Master password:
0x29f3187 (32): Firefox Profile:
0x29f320f (42): Firefox Installation:
0x29f32a3 (28): Chrome Options
0x29f32df (34): User Data Folder:
0x29f336b (26): Opera Options
0x29f33a7 (28): wand.dat file:

0x29f3883 (32): Created by using
0x29f38a5 (50): Select a filename to save
0x29f38d9 (382): Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat)
0x29f3a59 (28):
Loading... %d
0x29f3a81 (20): Text File
0x29f3a97 (46): Tab Delimited Text File
0x29f3ac7 (34): Tabular Text File
0x29f3aeb (44): HTML File - Horizontal
0x29f3b19 (40): HTML File - Vertical
0x29f3b55 (50): Comma Delimited Text File
0x29f3b89 (32): KeePass csv file
0x29f3bbf (58): Opera Password File All Files
0x29f3c1b (54): Internet Explorer 4.0 - 6.0
0x29f3c53 (54): Internet Explorer 7.0 - 9.0
0x29f3c8b (22): Firefox 1.x
0x29f3ca3 (22): Firefox 2.x
0x29f3cbb (22): Firefox 3.0
0x29f3d0b (64): Internet Explorer 10.0 SeaMonkey
0x29f3d7f (42): Web Browser User Name
0x29f3dbd (34): Password Strength
0x29f3de1 (30): User Name Field
0x29f3e01 (28): Password Field
0x29f3e29 (20): Very Weak
0x29f3e65 (22): Very Strong
0x29f3f75 (30): VS_VERSION_INFO
0x29f3fd1 (28): StringFileInfo
0x29f400d (22): CompanyName
0x29f403d (30): FileDescription
0x29f405f (36): WebBrowserPassView
0x29f408d (22): FileVersion
0x29f40b9 (24): InternalName
0x29f40d3 (36): WebBrowserPassView
0x29f4101 (28): LegalCopyright
0x29f411f (20): Copyright
0x29f4135 (44): 2011 - 2013 Nir Sofer
0x29f4169 (32): OriginalFilename
0x29f418b (44): WebBrowserPassView.exe
0x29f41c1 (22): ProductName
0x29f41db (36): WebBrowserPassView
0x29f4209 (28): ProductVersion
0x29f4239 (22): VarFileInfo
0x29f4259 (22): Translation

0x29f5cdd (44): !This program cannot be run in DOS mode.
0x2a06ee8 (13): Mail PassView
0x2a07088 (14): POP3 User Name
0x2a07098 (14): IMAP User Name
0x2a070a8 (18): HTTPMail User Name
0x2a070bc (14): SMTP USer Name
0x2a070cc (11): POP3 Server
0x2a070d8 (11): IMAP Server
0x2a070e4 (15): HTTPMail Server
0x2a070f4 (11): SMTP Server
0x2a07100 (14): POP3 Password2
0x2a07110 (14): IMAP Password2
0x2a07120 (18): HTTPMail Password2
0x2a07134 (14): SMTP Password2
0x2a0715c (13): HTTPMail Port
0x2a07178 (22): POP3 Secure Connection
0x2a07190 (22): IMAP Secure Connection
0x2a071a8 (26): HTTPMail Secure Connection
0x2a071c4 (22): SMTP Secure Connection
0x2a071dc (17): SMTP Display Name
0x2a071f0 (18): SMTP Email Address
0x2a07204 (13): POP3 Password
0x2a07214 (13): IMAP Password
0x2a07224 (13): HTTP Password
0x2a07234 (13): SMTP Password
0x2a07274 (15): HTTP Server URL
0x2a07290 (12): POP3 Use SPA
0x2a072a0 (12): IMAP Use SPA
0x2a072b0 (16): HTTPMail Use SSL
0x2a072c4 (12): SMTP Use SSL
0x2a072d4 (12): Display Name
0x2a072ec (10): Identities
0x2a07304 (52): Software\Microsoft\Internet Account Manager\Accounts
0x2a07344 (62): Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
0x2a07384 (11): DisplayName
0x2a07390 (12): EmailAddress
0x2a073a0 (10): PopAccount
0x2a073c0 (12): PopLogSecure
0x2a073d0 (11): PopPassword
0x2a073dc (11): SMTPAccount
0x2a073e8 (10): SMTPServer
0x2a07400 (13): SMTPLogSecure
0x2a07410 (12): SMTPPassword
0x2a07420 (31): Software\IncrediMail\Identities
0x2a0744c (11): %s\Accounts
0x2a07488 (13): ReturnAddress
0x2a07498 (16): SavePasswordText
0x2a074ac (13): Personalities
0x2a074bc (14): Server Details
0x2a074cc (13): ESMTPUsername
0x2a074dc (13): ESMTPPassword
0x2a074ec (10): POP3Server
0x2a074f8 (12): POP3Username
0x2a07508 (12): POP3Password
0x2a07518 (11): InstallPath
0x2a07524 (19): Software\Group Mail
0x2a07540 (12): %s@gmail.com
0x2a07550 (12): %s@yahoo.com
0x2a07563 (57): "Account","Login Name","Password","Web Site","Comments"
0x2a075b0 (100): www.google.com/Please log in to your Gmail account
0x2a07618 (108): www.google.com:443/Please log in to your Gmail account
0x2a07688 (102): www.google.com/Please log in to your Google Account
0x2a076f0 (110): www.google.com:443/Please log in to your Google Account
0x2a07760 (55): Software\Microsoft\Windows Messaging Subsystem\Profiles
0x2a07798 (81): Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
0x2a077ec (47): Software\Microsoft\Office\15.0\Outlook\Profiles
0x2a078d8 (28): www.google.com
0x2a07b28 (16): POP3_credentials
0x2a07b54 (40): Software\Google\Google Desktop\Mailboxes
0x2a07b84 (36): Software\Google\Google Talk\Accounts
0x2a07bb0 (34): Microsoft_WinInet
0x2a08024 (20): mail.account.account
0x2a08044 (10): identities
0x2a08050 (11): mail.server
0x2a08084 (10): useSecAuth
0x2a08098 (13): mail.identity
0x2a080c0 (21): signon.signonfilename
0x2a080d8 (10): mailbox://
0x2a080ec (15): mailbox://%s@%s
0x2a080fc (12): imap://%s@%s
0x2a08110 (129): SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
0x2a08194 (12): mailbox://%s
0x2a081b0 (11): signons.txt
0x2a081bc (14): signons.sqlite
0x2a081f4 (30): Password.NET Messenger Service
0x2a08214 (26): User.NET Messenger Service
0x2a08230 (31): Software\Microsoft\MSNMessenger
0x2a08250 (35): Software\Microsoft\MessengerService
0x2a08274 (14): Passport.Net\*
0x2a0828c (11): ps:password
0x2a08298 (36): WindowsLive:name=*
0x2a082c0 (17): windowslive:name=
0x2a082d4 (30): Software\Microsoft\IdentityCRL
0x2a08eec (11): *.oeaccount
0x2a08ef8 (23): \Microsoft\Windows Mail
0x2a08f10 (28): \Microsoft\Windows Live Mail
0x2a08f30 (10): Store Root
0x2a08f48 (20): Software\Yahoo\Pager
0x2a08f60 (14): Yahoo! User ID

0x2a08fd8 (44): f:\Projects\VS2005\mailpv\Release\mailpv.pdb

0x2a0d588 (30): Outlook Express
0x2a0d5a8 (22): IncrediMail
0x2a0d5ce (52): Group Mail Free
MS Outlook
0x2a0d604 (60): MS Outlook 2002/2003/2007/2010
0x2a0d64e (22): Hotmail/MSN
0x2a0d666 (50): Yahoo! Mail
Netscape Mail
0x2a0d69a (22): Thunderbird
0x2a0d6b2 (28): Google Desktop
0x2a0d6d0 (24): Windows Mail
0x2a0d6ea (34): Windows Live Mail
0x2a0d70e (24): Outlook 2013

0x2a0d96a (30): VS_VERSION_INFO
0x2a0d9c6 (28): StringFileInfo
0x2a0da02 (22): CompanyName
0x2a0da32 (30): FileDescription
0x2a0da54 (44): Mail Password Recovery
0x2a0da8a (22): FileVersion
0x2a0dab6 (24): InternalName
0x2a0dad0 (26): Mail PassView
0x2a0daf2 (28): LegalCopyright
0x2a0db10 (20): Copyright
0x2a0db26 (44): 2003 - 2013 Nir Sofer
0x2a0db5a (32): OriginalFilename
0x2a0db7c (20): mailpv.exe
0x2a0db9a (22): ProductName
0x2a0dbb4 (26): Mail PassView
0x2a0dbd6 (28): ProductVersion
0x2a0dc06 (22): VarFileInfo
0x2a0dc26 (22): Translation

0x2a10ba5 (20): encryptedemailstring
0x2a10bba (19): encryptedpassstring
0x2a10bce (19): encryptedsmtpstring
0x2a10be2 (10): portstring
0x2a10bed (11): timerstring
0x2a10bf9 (13): fakemgrstring
0x2a10c07 (16): encryptedftphost
0x2a10c18 (16): encryptedftpuser
0x2a10c29 (16): encryptedftppass
0x2a10c3a (16): encryptedphplink
0x2a10c83 (10): downloader
0x2a10c8e (14): websitevisitor
0x2a10c9d (14): websiteblocker
0x2a10cac (11): AdminRights
0x2a10cbf (10): DisableSSL
0x2a10ce8 (11): TaskManager
0x2a10d2b (13): screenynumber
0x2a10d39 (10): Minecraftt
0x2a10d53 (12): meltLocation
0x2a10d71 (32): AccessedThroughPropertyAttribute
0x2a10d92 (11): emailstring
0x2a10d9e (10): passstring
0x2a10da9 (10): smtpstring
0x2a10e0f (10): WM_KEYDOWN
0x2a10e1a (13): WM_SYSKEYDOWN
0x2a10e28 (11): WM_SYSKEYUP
0x2a10e34 (14): KeyboardHandle
0x2a10e43 (26): LastCheckedForegroundTitle
0x2a10e7d (10): InternalIp
0x2a10e8d (10): MyFirewall
0x2a10e9c (20): CleanedPasswordsMAIL
0x2a10eb1 (18): CleanedPasswordsWB
0x2a1156f (11): ReadAllText
0x2a1157b (10): DeleteFile
0x2a11593 (11): ThreadStart
0x2a1159f (17): SetApartmentState
0x2a115b1 (14): ApartmentState
0x2a115cb (13): IsNullOrEmpty
0x2a115e1 (16): FromBase64String
0x2a115f2 (13): WriteAllBytes
0x2a11600 (11): get_Network
0x2a11614 (12): DownloadFile
0x2a11634 (14): GetDirectories
0x2a116e7 (18): GetProcessesByName
0x2a116ff (15): ForceSteamLogin
0x2a11746 (16): NetworkInterface
0x2a11775 (23): GetAllNetworkInterfaces
0x2a1178d (24): get_NetworkInterfaceType
0x2a117a6 (20): NetworkInterfaceType
0x2a117bb (21): get_OperationalStatus
0x2a117d1 (17): OperationalStatus
0x2a117e3 (21): IsConnectedToInternet
0x2a11846 (14): FakemsgInstall
0x2a11855 (11): MailMessage
0x2a11861 (15): System.Net.Mail
0x2a11871 (10): SmtpClient
0x2a118a6 (13): get_LocalTime
0x2a118bd (12): ComputerInfo
0x2a118ca (22): get_InstalledUICulture
0x2a118e1 (11): CultureInfo
0x2a118ed (20): System.Globalization
0x2a11902 (14): get_OSFullName
0x2a11911 (11): MailAddress
0x2a1192d (21): MailAddressCollection
0x2a11943 (11): set_Subject
0x2a11961 (13): set_EnableSsl
0x2a1196f (17): NetworkCredential
0x2a11981 (10): System.Net
0x2a1198c (15): set_Credentials
0x2a1199c (18): ICredentialsByHost
0x2a119b4 (13): ServerInstall
0x2a119c2 (12): get_Registry
0x2a119cf (13): RegistryProxy
0x2a119e6 (17): RegistryValueKind
0x2a11afc (12): addtostartup
0x2a11b09 (24): DESCryptoServiceProvider
0x2a11c71 (13): StartStealers
0x2a11c92 (11): get_Version
0x2a11ca6 (14): get_OSPlatform
0x2a11cb5 (13): get_OSVersion
0x2a11cc3 (15): stealWebroswers
0x2a11cdd (12): StreamReader
0x2a11d10 (10): FileStream
0x2a11d24 (24): WaitUntilFileIsAvailable
0x2a11d46 (15): get_Attachments
0x2a11d56 (20): AttachmentCollection
0x2a11d83 (10): Bitcoinsub
0x2a11d8e (12): MemoryStream
0x2a11d9b (10): GZipStream
0x2a11da6 (21): System.IO.Compression
0x2a11dbc (12): BitConverter
0x2a11e22 (12): Minecraftsub
0x2a11ed5 (14): CopyFromScreen
0x2a11ef2 (11): SendLogsFTP
0x2a11efe (13): FtpWebRequest
0x2a11f0c (12): BinaryWriter
0x2a11f19 (10): WebRequest
0x2a11f2b (12): ICredentials
0x2a11f38 (10): set_Method
0x2a11f43 (16): GetRequestStream
0x2a11f63 (12): ReadAllBytes
0x2a11f70 (11): SendLogsPHP
0x2a11f7c (14): DownloadString
0x2a11f95 (13): get_TimeOfDay
0x2a11fa3 (13): get_Clipboard
0x2a11fb1 (14): ClipboardProxy
0x2a1212e (13): GetInternalIP
0x2a1213c (13): GetExternalIP
0x2a121d1 (15): get_MachineName
0x2a12203 (12): GetAntiVirus
0x2a12210 (11): GetFirewall
0x2a1223a (15): KBDLLHOOKSTRUCT
0x2a127c9 (11): get_Culture
0x2a127d5 (11): set_Culture
0x2a127eb (18): get_CMemoryExecute
0x2a127fe (10): get_mailpv
0x2a12809 (22): get_WebBrowserPassView
0x2a12828 (14): CMemoryExecute
0x2a1283e (18): WebBrowserPassView

0x2a13185 (22): dontclearie
0x2a1319d (22): dontclearff
0x2a131c9 (26): downloadfiles
0x2a131e5 (28): websitevisitor
0x2a13203 (28): websiteblocker
0x2a13221 (36): DisableAdminRights
0x2a132a7 (36): DisableTaskManager
0x2a132ed (22): Disablemelt
0x2a13305 (20): Disablereg
0x2a1331b (20): Disablecmd
0x2a13331 (30): Disablemsconfig
0x2a13351 (32): Disablespreaders
0x2a13373 (24): Disablesteam
0x2a1338d (38): \Windows Update.exe
0x2a13633 (36): \WindowsUpdate.exe
0x2a13659 (22): SysInfo.txt
0x2a13683 (22): \pidloc.txt
0x2a1369b (28): PredatorLogger
0x2a136b9 (30): Disablestealers
0x2a136d9 (26): Disablelogger
0x2a136f5 (22): Disableclip
0x2a13779 (50): \Mozilla\Firefox\Profiles
0x2a137bb (36): \drivers\etc\hosts
0x2a137e1 (20): 127.0.0.1
0x2a13815 (34): \SteamAppData.vdf
0x2a13839 (40): \ClientRegistry.blob
0x2a1386f (30): Disablefakerror
0x2a1388f (54): Microsoft Application Error
0x2a138dd (72): This is an email notifying you that
0x2a13928 (262): has ran your logger and emails should be sent to you shortly and at interval choosen.

Predator Logger Details:
Server Name:
0x2a13a30 (42):
Keylogger Enabled:
0x2a13a5c (56):
Clipboard-Logger Enabled:
0x2a13a96 (74):
Time Logs will be delivered: Every
0x2a13ae2 (62): minutes

Stealers Enabled:
0x2a13b23 (156):
Time Log will be delivered: Average 2 to 4 minutes

Local Date and Time:
0x2a13bc1 (44):
Installed Language:
0x2a13bef (40):
Operating System:
0x2a13c19 (46):
Internal IP Address:
0x2a13c49 (46):
External IP Address:
0x2a13c79 (48):
Installed Anti-Virus:
0x2a13cab (44):
Installed Firewall:
0x2a13cd9 (26): Disablenotify
0x2a13cf5 (60): Predator_Painv13_Notification_
0x2a13d3d (68): Predator Pain v13 - Server Ran - [
0x2a13d84 (154): HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
0x2a13e2e (22): autorun.inf
0x2a13e5a (24): open=Sys.exe
0x2a13e74 (32): action=Run win32
0x2a13ea6 (90): Software\Microsoft\Windows\CurrentVersion\Run
0x2a13f02 (28): Windows Update
0x2a13f20 (28): CMemoryExecute
0x2a13f46 (106): C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
0x2a13fd2 (38): \bitcoin\wallet.dat
0x2a13ffa (22): _wallet.dat
0x2a14012 (20): wallet.dat
0x2a1403a (84): Microsoft.NET\Framework\v2.0.50727\vbc.exe
0x2a140a2 (30): holdermail.txt"
0x2a140c2 (28): holdermail.txt
0x2a140e1 (486): **********************************************
Operating System Intel Recovery
**********************************************
CPU Name:
0x2a142c9 (46):
Local Date and Time:
0x2a142f9 (30):
Net Version:
0x2a14319 (58):
Operating System Platform:
0x2a14355 (56):
Operating System Version:
0x2a14390 (466):
**********************************************
WEB Browser Password Recovery
**********************************************

0x2a14565 (468):
**********************************************
Mail Messenger Password Recovery
**********************************************

0x2a1473c (930):
**********************************************
Internet Download Manager Recovery
**********************************************
**********************************************
Jdownloader Password Recovery
**********************************************
0x2a14ae0 (58): Predator_Painv13_Stealer_Log_
0x2a14b1c (66): Predator Pain v13|Stealer Log - [
0x2a14b60 (26): holderwb.txt"
0x2a14b7c (24): holderwb.txt
0x2a14b96 (74): Pain File Stealer Bitcoin Stealer - [
0x2a14be3 (128): Steals the Wallet.DAT file that holds the users bitcoin currency
0x2a14c65 (42): \.minecraft\lastlogin
0x2a14c91 (78): Predator Pain v13|Minecraft Stealer - [
0x2a14ce2 (312): There is a file attached to this email containing Minecraft username and password download it then decrypt the login information with my Minecraft Decryptor
0x2a14e66 (28): Disablestartup
0x2a14e84 (72): Predator Pain v13 - Key Recorder - [
0x2a14ecf (454): **********************************************
ClipBoard Log
**********************************************

0x2a15098 (458):
**********************************************
Keylogger Log
**********************************************

0x2a15264 (28): Disablescreeny
0x2a15292 (36): screens\screenshot
0x2a152c4 (50): Predator_Pain_v13_KeyLog_
0x2a1532e (26): [------------
0x2a1534a (26): ------------]
0x2a15366 (26): 099u787978786
0x2a15382 (58): http://whatismyipaddress.com/
0x2a153be (44): <!-- do not script -->
0x2a153fe (42): \root\SecurityCenter2
0x2a1542a (60): SELECT * FROM AntivirusProduct
0x2a15468 (22): displayName
0x2a15480 (58): SELECT * FROM FirewallProduct
0x2a154bc (38): Microsoft.Resources
0x2a154f2 (36): WebBrowserPassView
0x2a15520 (104): :\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

0x2a2d464 (106): Software\Microsoft\Windows NT\CurrentVersion\Winlogon
0x2a2d4dc (28): explorer.exe,
0x2a2d4fa (116): Software\Microsoft\Windows\Current Version\Policies\System
0x2a2d59e (20): \csrss.exe
0x2a2d5b6 (40): -reg "explorer.exe,
0x2a2d5e6 (20): -prockill
0x2a2d638 (22): SbieDll.dll
0x2a2d660 (60): The Wireshark Network Analyzer
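A triage script for dumps in this layout, added here as an example and not part of the original paste or of the StopMalvertising analysis. It parses the `0xADDR (LEN): text` lines (gluing the multi-line email templates back together), uses the reported byte count to tell UTF-16 .NET strings from the ASCII strings of the embedded native NirSoft binaries, buckets strings into the behaviours this dump exposes (Run-key and Winlogon persistence, WMI security-product recon, SMTP/FTP/PHP exfiltration, the SbieDll.dll and Wireshark sandbox checks, the vbc.exe hollowing host, credential theft) and pulls out the blockable network indicators. The categories and regexes are this example's own choices; the sample input is constructed from lines of the dump above.

```python
"""Triage a strings-in-memory dump in the `0xADDR (LEN): text` layout used above.
Added example, not code from the original analysis; the indicator categories and
regexes are this example's own choices, not something the page publishes."""
import re
from collections import defaultdict
from dataclasses import dataclass

# A dump line; a leading Pastebin-style "  12. " line number is tolerated.
LINE_RE = re.compile(r"^(?:\s*\d+\.\s*)?0x([0-9a-fA-F]+) \((\d+)\):\s?(.*)$")
PREFIX_RE = re.compile(r"^\s*\d+\.\s?")


@dataclass
class Entry:
    address: int
    declared_len: int  # byte count reported by the dumper
    text: str

    def encoding(self) -> str:
        """Bytes vs characters reveals storage: .NET managed strings are UTF-16
        (2 bytes/char), strings inside the embedded native PEs (the NirSoft tools)
        are ASCII.  A string whose unprintable tail was counted but not printed
        (the DOS stub, the multi-line mail templates) comes out as 'other'."""
        n = len(self.text)
        if n and self.declared_len == 2 * n:
            return "wide"
        if n and self.declared_len == n:
            return "ascii"
        return "other"


def parse_dump(text: str) -> list[Entry]:
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := LINE_RE.match(line):
            entries.append(Entry(int(m.group(1), 16), int(m.group(2)), m.group(3)))
        elif line.strip() and entries:
            # Strings containing newlines print over several lines: glue a
            # non-matching line onto the previous entry.  Blank lines separate
            # groups in the dump and are dropped.
            entries[-1].text += "\n" + PREFIX_RE.sub("", line)
    return entries


# Behaviours the dump exposes, keyed by what a responder hunts for.
CATEGORIES = {
    "persistence": [r"CurrentVersion\\Run$", r"\\Winlogon$", r"^autorun\.inf$",
                    r"^open=", r"^\\?Windows ?Update(\.exe)?$"],
    "wmi_recon": [r"^SELECT \* FROM (AntivirusProduct|FirewallProduct)$",
                  r"SecurityCenter2"],
    "exfil": [r"^(mail|ftp|smtp)\.", r"https?://", r"[\w.+-]+@[\w-]+\.\w+",
              r"^ByHost:"],
    "sandbox_check": [r"SbieDll\.dll", r"Wireshark"],
    "hollowing": [r"\\vbc\.exe$", r"CMemoryExecute"],
    "credential_theft": [r"WebBrowserPassView", r"mailpv", r"wallet\.dat$",
                         r"lastlogin$", r"CryptUnprotectData", r"signons",
                         r"^Login Data$"],
}
COMPILED = {c: [re.compile(p, re.I) for p in ps] for c, ps in CATEGORIES.items()}


def classify(entries: list[Entry]) -> dict[str, list[str]]:
    """Category -> matching strings; one string may land in several."""
    hits: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        for cat, pats in COMPILED.items():
            if any(p.search(e.text) for p in pats):
                hits[cat].append(e.text)
    return dict(hits)


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s\"<>]+")
HOST_RE = re.compile(r"\b(?:mail|ftp|smtp|www)\.[\w-]+(?:\.[\w-]+)+", re.I)
BYHOST_RE = re.compile(r"ByHost:([\w.-]+):(\d+)")  # .NET SmtpClient target


def extract_network_iocs(entries: list[Entry]) -> dict[str, set]:
    """Blockable network indicators: drop mailbox, SMTP relay, PHP panel."""
    iocs: dict[str, set] = {"emails": set(), "urls": set(), "hosts": set(), "smtp": set()}
    for e in entries:
        iocs["emails"].update(EMAIL_RE.findall(e.text))
        iocs["urls"].update(URL_RE.findall(e.text))
        iocs["hosts"].update(h.lower() for h in HOST_RE.findall(e.text))
        for host, port in BYHOST_RE.findall(e.text):
            iocs["smtp"].add((host.lower(), int(port)))
    return iocs


# Constructed sample: a few lines copied from the dump above.
SAMPLE_DUMP = r"""
0x24c3c8 (28): KazyLoader.dll
0x24c540 (14): KazyLoader.dll
0x19c011c (58): results@facebookmarketers.net
0x19c02bc (98): http://www.DeceptiveEngineering.com/path/logs.php
0x19cb7ec (60): SELECT * FROM AntivirusProduct
0x19ce778 (90): Software\Microsoft\Windows\CurrentVersion\Run
0x19ce7e4 (28): Windows Update
0x19dbafc (72): ByHost:mail.facebookmarketers.net:25
0x19dc7d4 (84): Microsoft.NET\Framework\v2.0.50727\vbc.exe
0x2a2d638 (22): SbieDll.dll
0x19d0030 (262): has ran your logger and emails should be sent to you shortly and at interval choosen.

Predator Logger Details:
Server Name:
"""

if __name__ == "__main__":
    ents = parse_dump(SAMPLE_DUMP)
    print(classify(ents))
    print(extract_network_iocs(ents))
```

The encoding split is the quick way to separate the keylogger's own .NET code (wide strings: config flags, email templates, registry paths) from the NirSoft WebBrowserPassView and Mail PassView binaries it carries (ASCII: `CredEnumerateA`, `PK11SDR_Decrypt`, the `moz_logins` query); the ByHost strings give the SMTP relay and port to block, and the Run value name and Winlogon key give what to check on a suspected host.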