Creates:
- C:\Users\<user>\AppData\Roaming\pidloc.txt
- C:\Users\<user>\AppData\Local\Temp\holderwb.txt
- C:\Users\<user>\AppData\Roaming\pid.txt
- C:\Users\<user>\AppData\Local\Temp\FolderN\name.exe.bat

Contents of the .bat file (a watchdog loop: every 300 seconds it checks whether a process named svhost.exe is running and, if not, relaunches the payload; note the name is svhost.exe, a lookalike of the legitimate svchost.exe):
~~~
:_Start
timeout /t 300
tasklist /nh /fi "imagename eq svhost.exe" | find /i "svhost.exe" >nul && (
Goto _Start
) || (
Start /W "" "C:\Users\admin\AppData\Local\Temp\FolderN\name.exe"
Goto _Start
)
~~~

Drops a copy of itself in:
- C:\Users\<user>\AppData\Roaming\

Checks:
- C:\Users\<user>\AppData\Local\Microsoft\Windows Live Mail\*.*
- C:\Users\<user>\AppData\Local\Temp\wallet.dat
- C:\Users\<user>\AppData\Roaming\bitcoin\wallet.dat
- HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
- HKEY_CURRENT_USER\Identities\{A9C5A4D2-6684-4CEE-A0B2-626CD68CB58B}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
- HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
- HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts

Checks its public IP via bot.whatismyipaddress.com.
Exfiltrates via email submission (port 587); may contact a C2 as well.
The following strings may be found in memory:
- No Keylog file found! Rather this is a Test, if the Email work or something went wrong :/
- [#[ Keylogger started
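A host-side check for the file artifacts and the watchdog batch pattern listed above, written here as an added example; it is not part of the paste and not the malware's code. It scans a user profile directory for the four created files, and if the .bat is present, matches its contents against the tasklist/find/Start loop shown above. The profile directory, the constructed username "user_constructed" and the demo() helper that builds a throwaway profile in a temp directory are assumptions made for the example; the registry keys are not covered because they can only be read on Windows (winreg).

```python
import re
import tempfile
from pathlib import Path

# File artifacts from the paste, relative to a user profile directory (<user>).
FILE_INDICATORS = [
    r"AppData\Roaming\pidloc.txt",
    r"AppData\Local\Temp\holderwb.txt",
    r"AppData\Roaming\pid.txt",
    r"AppData\Local\Temp\FolderN\name.exe.bat",
]

# The watchdog script as it appears in the paste (used only to build the constructed sample).
SAMPLE_BATCH = (
    ":_Start\n"
    "timeout /t 300\n"
    'tasklist /nh /fi "imagename eq svhost.exe" | find /i "svhost.exe" >nul && (\n'
    "Goto _Start\n"
    ") || (\n"
    'Start /W "" "C:\\Users\\admin\\AppData\\Local\\Temp\\FolderN\\name.exe"\n'
    "Goto _Start\n"
    ")\n"
)

# Three features of the loop: a tasklist filter on svhost.exe piped to find,
# a Start /W of name.exe inside FolderN, and a timeout delay.
TASKLIST_RE = re.compile(
    r'tasklist\s+/nh\s+/fi\s+"imagename\s+eq\s+svhost\.exe".*?\|\s*find\s+/i\s+"svhost\.exe"',
    re.IGNORECASE,
)
START_RE = re.compile(
    r'^\s*Start\s+/W\s+""\s+"[^"]+\\FolderN\\name\.exe"', re.IGNORECASE | re.MULTILINE
)
TIMEOUT_RE = re.compile(r"timeout\s+/t\s+\d+", re.IGNORECASE)


def is_watchdog_batch(text: str) -> bool:
    """True when all three features of the relaunch loop are present."""
    return bool(TASKLIST_RE.search(text) and START_RE.search(text) and TIMEOUT_RE.search(text))


def scan_profile(profile_dir: Path) -> dict:
    """Report which listed artifacts exist under one profile directory."""
    hits = {"files": [], "watchdog_batch": []}
    for rel in FILE_INDICATORS:
        path = profile_dir.joinpath(*rel.split("\\"))
        if not path.is_file():
            continue
        hits["files"].append(rel)
        if path.suffix.lower() == ".bat":
            try:
                if is_watchdog_batch(path.read_text(errors="replace")):
                    hits["watchdog_batch"].append(rel)
            except OSError:
                pass  # unreadable file: still reported under "files"
    return hits


def scan_all_profiles(users_root: Path) -> dict:
    """Run scan_profile over every profile directory under a Users root."""
    return {d.name: scan_profile(d) for d in sorted(users_root.iterdir()) if d.is_dir()}


def build_constructed_profile(profile_dir: Path) -> Path:
    """Constructed sample: lay down all four artifacts, with the real batch text in the .bat."""
    for rel in FILE_INDICATORS:
        path = profile_dir.joinpath(*rel.split("\\"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(SAMPLE_BATCH if path.suffix.lower() == ".bat" else "placeholder\n")
    return profile_dir


def demo() -> dict:
    """Build the constructed profile in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_constructed_profile(Path(tmp) / "Users" / "user_constructed")
        return scan_profile(profile)


if __name__ == "__main__":
    # On a real host: scan_all_profiles(Path(r"C:\Users")). Here, the constructed sample.
    print(demo())
```

Matching on the loop's structure rather than the exact path matters because the Start line in the captured script hard-codes the user "admin"; the profile part varies per victim while the FolderN\name.exe tail and the svhost.exe filter do not.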