Play interactive tour

Edit tour

Windows Analysis Report Hpdyv8oO3j.exe

Overview

General Information

Sample Name:	Hpdyv8oO3j.exe
Analysis ID:	524274
MD5:	dffaf08a25150b38c19210c180862aeb
SHA1:	a28b135b64a08d5ed30621aac5c3e955d4d090fb
SHA256:	8fdbfbf55033187c6a4d3cd7d42394cd56cbd3b5a9dc905e72aef2886172be36
Tags:	exenjratRAT
Infos:
Most interesting Screenshot:

Detection

HawkEye MailPassView Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected MailPassView

Yara detected HawkEye Keylogger

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Njrat

Antivirus / Scanner detection for submitted sample

Detected HawkEye Rat

Multi AV Scanner detection for dropped file

Creates multiple autostart registry keys

Uses netsh to modify the Windows network and firewall settings

Drops PE files to the startup folder

Uses cmd line tools excessively to alter registry or file data

Machine Learning detection for sample

Allocates memory in foreign processes

May check the online IP address of the machine

.NET source code contains potential unpacker

Creates files with lurking names (e.g. Crack.exe)

Injects a PE file into a foreign processes

Creates autostart registry keys with suspicious names

Drops executables to the windows directory (C:\Windows) and starts them

Tries to harvest and steal browser information (history, passwords, etc)

Sample uses process hollowing technique

Installs a global keyboard hook

Writes to foreign memory regions

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Changes the view of files in windows explorer (hidden files and folders)

Yara detected WebBrowserPassView password recovery tool

.NET source code contains very large strings

Machine Learning detection for dropped file

Modifies the windows firewall

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Creates a start menu entry (Start Menu\Programs\Startup)

Sigma detected: Netsh Port or Application Allowed

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Creates files inside the system directory

May infect USB drives

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Contains functionality to detect virtual machines (SLDT)

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

Social media urls found in memory data

Uses taskkill to terminate processes

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Contains functionality to query network adapater information

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Hpdyv8oO3j.exe (PID: 6436 cmdline: "C:\Users\user\Desktop\Hpdyv8oO3j.exe" MD5: DFFAF08A25150B38C19210C180862AEB)

Keylogger.exe (PID: 4492 cmdline: "C:\Users\user\AppData\Local\Temp\Keylogger.exe" MD5: C4E4A84909D8FF8DD222B8252365985D)

Windows Update.exe (PID: 5624 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: C4E4A84909D8FF8DD222B8252365985D)

dw20.exe (PID: 4332 cmdline: dw20.exe -x -s 2528 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)

vbc.exe (PID: 6444 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 1364 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 1980 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)

hhzclipper.exe (PID: 1244 cmdline: "C:\Users\user\AppData\Local\Temp\hhzclipper.exe" MD5: FC07BE5E90A1FFA22B22D3BC58A43E58)

RedLine.MainPanel-cracked.exe (PID: 4140 cmdline: "C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe" MD5: 098F7F40BACA320377ECA83FBF87F534)

RedLine.exe (PID: 4236 cmdline: "C:\Users\user\AppData\Roaming\RedLine.exe" MD5: 098F7F40BACA320377ECA83FBF87F534)

netsh.exe (PID: 7096 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\RedLine.exe" "RedLine.exe" ENABLE MD5: 98CC37BBF363A38834253E22C80A8F32)

conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RedLine.MainPanel-cracked.exe (PID: 7032 cmdline: "C:\Users\user\AppData\Local\Temp\RedLine.MainPanel-cracked.exe" MD5: 098F7F40BACA320377ECA83FBF87F534)

cmd.exe (PID: 3348 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\HOST.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ViRuS.exe (PID: 2988 cmdline: "C:\Users\user\AppData\Local\Temp\ViRuS.exe" MD5: D0F09063EA6922ACBFC734145FA48203)

attrib.exe (PID: 5332 cmdline: C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Windows\system32\user32dll.exe MD5: A5540E9F87D4CB083BDF8269DEC1CFF9)

conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

attrib.exe (PID: 7160 cmdline: C:\Windows\System32\attrib.exe" +r +h +s +a "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk MD5: A5540E9F87D4CB083BDF8269DEC1CFF9)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

taskkill.exe (PID: 7116 cmdline: taskkill /f /im "ViRuS.exe" MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

user32dll.exe (PID: 7128 cmdline: "C:\Windows\SysWOW64\user32dll.exe" MD5: D0F09063EA6922ACBFC734145FA48203)

taskkill.exe (PID: 7156 cmdline: taskkill /f /im "user32dll.exe" MD5: 15E2E0ACD891510C6268CB8899F2A1A1)

conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WerFault.exe (PID: 1008 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

RedLine.exe (PID: 6688 cmdline: "C:\Users\user\AppData\Roaming\RedLine.exe" .. MD5: 098F7F40BACA320377ECA83FBF87F534)

WindowsUpdate.exe (PID: 6300 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: C4E4A84909D8FF8DD222B8252365985D)

Windows Update.exe (PID: 5248 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: C4E4A84909D8FF8DD222B8252365985D)

dw20.exe (PID: 7048 cmdline: dw20.exe -x -s 2472 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)

vbc.exe (PID: 4964 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 7156 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)

RedLine.exe (PID: 4864 cmdline: "C:\Users\user\AppData\Roaming\RedLine.exe" .. MD5: 098F7F40BACA320377ECA83FBF87F534)

WindowsUpdate.exe (PID: 4456 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: C4E4A84909D8FF8DD222B8252365985D)

RedLine.exe (PID: 3408 cmdline: "C:\Users\user\AppData\Roaming\RedLine.exe" .. MD5: 098F7F40BACA320377ECA83FBF87F534)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Keylogger.exe	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b809:$key: HawkEyeKeylogger 0x7db3f:$salt: 099u787978786 0x7bec6:$string1: HawkEye_Keylogger 0x7cd19:$string1: HawkEye_Keylogger 0x7da9f:$string1: HawkEye_Keylogger 0x7c2af:$string2: holdermail.txt 0x7c2cf:$string2: holdermail.txt 0x7c1f1:$string3: wallet.dat 0x7c209:$string3: wallet.dat 0x7c21f:$string3: wallet.dat 0x7d663:$string4: Keylog Records 0x7d97b:$string4: Keylog Records 0x7db97:$string5: do not script --> 0x7b7f1:$string6: \pidloc.txt 0x7b87f:$string7: BSPLIT 0x7b88f:$string7: BSPLIT
C:\Users\user\AppData\Local\Temp\Keylogger.exe	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Local\Temp\Keylogger.exe	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
C:\Users\user\AppData\Local\Temp\Keylogger.exe	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
C:\Users\user\AppData\Local\Temp\Keylogger.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\user\AppData\Local\Temp\Keylogger.exe	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf1e:$hawkstr1: HawkEye Keylogger 0x7cd5f:$hawkstr1: HawkEye Keylogger 0x7d08e:$hawkstr1: HawkEye Keylogger 0x7d1e9:$hawkstr1: HawkEye Keylogger 0x7d34c:$hawkstr1: HawkEye Keylogger 0x7d63b:$hawkstr1: HawkEye Keylogger 0x7ba90:$hawkstr2: Dear HawkEye Customers! 0x7d0e1:$hawkstr2: Dear HawkEye Customers! 0x7d238:$hawkstr2: Dear HawkEye Customers! 0x7d39f:$hawkstr2: Dear HawkEye Customers! 0x7bbb1:$hawkstr3: HawkEye Logger Details:
C:\Users\user\AppData\Roaming\Windows Update.exe	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b809:$key: HawkEyeKeylogger 0x7db3f:$salt: 099u787978786 0x7bec6:$string1: HawkEye_Keylogger 0x7cd19:$string1: HawkEye_Keylogger 0x7da9f:$string1: HawkEye_Keylogger 0x7c2af:$string2: holdermail.txt 0x7c2cf:$string2: holdermail.txt 0x7c1f1:$string3: wallet.dat 0x7c209:$string3: wallet.dat 0x7c21f:$string3: wallet.dat 0x7d663:$string4: Keylog Records 0x7d97b:$string4: Keylog Records 0x7db97:$string5: do not script --> 0x7b7f1:$string6: \pidloc.txt 0x7b87f:$string7: BSPLIT 0x7b88f:$string7: BSPLIT
C:\Users\user\AppData\Roaming\Windows Update.exe	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Roaming\Windows Update.exe	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
C:\Users\user\AppData\Roaming\Windows Update.exe	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
C:\Users\user\AppData\Roaming\Windows Update.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\user\AppData\Roaming\Windows Update.exe	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf1e:$hawkstr1: HawkEye Keylogger 0x7cd5f:$hawkstr1: HawkEye Keylogger 0x7d08e:$hawkstr1: HawkEye Keylogger 0x7d1e9:$hawkstr1: HawkEye Keylogger 0x7d34c:$hawkstr1: HawkEye Keylogger 0x7d63b:$hawkstr1: HawkEye Keylogger 0x7ba90:$hawkstr2: Dear HawkEye Customers! 0x7d0e1:$hawkstr2: Dear HawkEye Customers! 0x7d238:$hawkstr2: Dear HawkEye Customers! 0x7d39f:$hawkstr2: Dear HawkEye Customers! 0x7bbb1:$hawkstr3: HawkEye Logger Details:
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b809:$key: HawkEyeKeylogger 0x7db3f:$salt: 099u787978786 0x7bec6:$string1: HawkEye_Keylogger 0x7cd19:$string1: HawkEye_Keylogger 0x7da9f:$string1: HawkEye_Keylogger 0x7c2af:$string2: holdermail.txt 0x7c2cf:$string2: holdermail.txt 0x7c1f1:$string3: wallet.dat 0x7c209:$string3: wallet.dat 0x7c21f:$string3: wallet.dat 0x7d663:$string4: Keylog Records 0x7d97b:$string4: Keylog Records 0x7db97:$string5: do not script --> 0x7b7f1:$string6: \pidloc.txt 0x7b87f:$string7: BSPLIT 0x7b88f:$string7: BSPLIT
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf1e:$hawkstr1: HawkEye Keylogger 0x7cd5f:$hawkstr1: HawkEye Keylogger 0x7d08e:$hawkstr1: HawkEye Keylogger 0x7d1e9:$hawkstr1: HawkEye Keylogger 0x7d34c:$hawkstr1: HawkEye Keylogger 0x7d63b:$hawkstr1: HawkEye Keylogger 0x7ba90:$hawkstr2: Dear HawkEye Customers! 0x7d0e1:$hawkstr2: Dear HawkEye Customers! 0x7d238:$hawkstr2: Dear HawkEye Customers! 0x7d39f:$hawkstr2: Dear HawkEye Customers! 0x7bbb1:$hawkstr3: HawkEye Logger Details:
Click to see the 13 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.401046205.000000000384C000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000001C.00000000.394707935.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000019.00000002.567099655.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000002A.00000002.490818765.0000000002EA1000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000002A.00000002.490818765.0000000002EA1000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1e963:$a1: netsh firewall add allowedprogram 0x341bb:$a1: netsh firewall add allowedprogram 0x3c1d3:$a1: netsh firewall add allowedprogram 0x1e933:$a2: SEE_MASK_NOZONECHECKS 0x3418b:$a2: SEE_MASK_NOZONECHECKS 0x3c1a3:$a2: SEE_MASK_NOZONECHECKS 0x1eb53:$b1: [TAP] 0x343ab:$b1: [TAP] 0x3c3c3:$b1: [TAP] 0x1ea4f:$c3: cmd.exe /c ping 0x342a7:$c3: cmd.exe /c ping 0x3c2bf:$c3: cmd.exe /c ping
0000002A.00000002.490818765.0000000002EA1000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1e933:$reg: SEE_MASK_NOZONECHECKS 0x3418b:$reg: SEE_MASK_NOZONECHECKS 0x3c1a3:$reg: SEE_MASK_NOZONECHECKS 0x1e634:$msg: Execute ERROR 0x1e6ce:$msg: Execute ERROR 0x33e8c:$msg: Execute ERROR 0x33f26:$msg: Execute ERROR 0x3bea4:$msg: Execute ERROR 0x3bf3e:$msg: Execute ERROR 0x1ea4f:$ping: cmd.exe /c ping 0 -n 2 & del 0x342a7:$ping: cmd.exe /c ping 0 -n 2 & del 0x3c2bf:$ping: cmd.exe /c ping 0 -n 2 & del
00000028.00000002.461183087.0000000000B02000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000028.00000002.461183087.0000000000B02000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000028.00000002.461183087.0000000000B02000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000028.00000002.461183087.0000000000B02000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000028.00000002.461183087.0000000000B02000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
00000022.00000002.460848822.0000000002831000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000022.00000002.460848822.0000000002831000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1e963:$a1: netsh firewall add allowedprogram 0x341bb:$a1: netsh firewall add allowedprogram 0x3c1d3:$a1: netsh firewall add allowedprogram 0x1e933:$a2: SEE_MASK_NOZONECHECKS 0x3418b:$a2: SEE_MASK_NOZONECHECKS 0x3c1a3:$a2: SEE_MASK_NOZONECHECKS 0x1eb53:$b1: [TAP] 0x343ab:$b1: [TAP] 0x3c3c3:$b1: [TAP] 0x1ea4f:$c3: cmd.exe /c ping 0x342a7:$c3: cmd.exe /c ping 0x3c2bf:$c3: cmd.exe /c ping
00000022.00000002.460848822.0000000002831000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1e933:$reg: SEE_MASK_NOZONECHECKS 0x3418b:$reg: SEE_MASK_NOZONECHECKS 0x3c1a3:$reg: SEE_MASK_NOZONECHECKS 0x1e634:$msg: Execute ERROR 0x1e6ce:$msg: Execute ERROR 0x33e8c:$msg: Execute ERROR 0x33f26:$msg: Execute ERROR 0x3bea4:$msg: Execute ERROR 0x3bf3e:$msg: Execute ERROR 0x1ea4f:$ping: cmd.exe /c ping 0 -n 2 & del 0x342a7:$ping: cmd.exe /c ping 0 -n 2 & del 0x3c2bf:$ping: cmd.exe /c ping 0 -n 2 & del
00000021.00000002.442088450.0000000000BC2000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000021.00000002.442088450.0000000000BC2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000021.00000002.442088450.0000000000BC2000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000021.00000002.442088450.0000000000BC2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000021.00000002.442088450.0000000000BC2000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
00000004.00000002.344112668.0000000002630000.00000004.00020000.sdmp	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x68bf:$x1: cmd.exe /c ping 0 -n 2 & del " 0x6504:$s3: Executed As
00000004.00000002.344112668.0000000002630000.00000004.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000004.00000002.344112668.0000000002630000.00000004.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x67d3:$a1: netsh firewall add allowedprogram 0x67a3:$a2: SEE_MASK_NOZONECHECKS 0x69c3:$b1: [TAP] 0x68bf:$c3: cmd.exe /c ping
00000004.00000002.344112668.0000000002630000.00000004.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x67a3:$reg: SEE_MASK_NOZONECHECKS 0x64a4:$msg: Execute ERROR 0x653e:$msg: Execute ERROR 0x68bf:$ping: cmd.exe /c ping 0 -n 2 & del
00000010.00000002.569953826.0000000002A81000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000010.00000002.569953826.0000000002A81000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1e963:$a1: netsh firewall add allowedprogram 0x341bb:$a1: netsh firewall add allowedprogram 0x3c1d3:$a1: netsh firewall add allowedprogram 0x1e933:$a2: SEE_MASK_NOZONECHECKS 0x3418b:$a2: SEE_MASK_NOZONECHECKS 0x3c1a3:$a2: SEE_MASK_NOZONECHECKS 0x1eb53:$b1: [TAP] 0x343ab:$b1: [TAP] 0x3c3c3:$b1: [TAP] 0x1ea4f:$c3: cmd.exe /c ping 0x342a7:$c3: cmd.exe /c ping 0x3c2bf:$c3: cmd.exe /c ping
00000010.00000002.569953826.0000000002A81000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1e933:$reg: SEE_MASK_NOZONECHECKS 0x3418b:$reg: SEE_MASK_NOZONECHECKS 0x3c1a3:$reg: SEE_MASK_NOZONECHECKS 0x1e634:$msg: Execute ERROR 0x1e6ce:$msg: Execute ERROR 0x33e8c:$msg: Execute ERROR 0x33f26:$msg: Execute ERROR 0x3bea4:$msg: Execute ERROR 0x3bf3e:$msg: Execute ERROR 0x1ea4f:$ping: cmd.exe /c ping 0 -n 2 & del 0x342a7:$ping: cmd.exe /c ping 0 -n 2 & del 0x3c2bf:$ping: cmd.exe /c ping 0 -n 2 & del
00000028.00000000.452870911.0000000000B02000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000028.00000000.452870911.0000000000B02000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000028.00000000.452870911.0000000000B02000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000028.00000000.452870911.0000000000B02000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000028.00000000.452870911.0000000000B02000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
00000004.00000002.344202284.0000000002AC1000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000004.00000002.344202284.0000000002AC1000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1eae3:$a1: netsh firewall add allowedprogram 0x3433b:$a1: netsh firewall add allowedprogram 0x3c353:$a1: netsh firewall add allowedprogram 0x1eab3:$a2: SEE_MASK_NOZONECHECKS 0x3430b:$a2: SEE_MASK_NOZONECHECKS 0x3c323:$a2: SEE_MASK_NOZONECHECKS 0x1ecd3:$b1: [TAP] 0x3452b:$b1: [TAP] 0x3c543:$b1: [TAP] 0x1ebcf:$c3: cmd.exe /c ping 0x34427:$c3: cmd.exe /c ping 0x3c43f:$c3: cmd.exe /c ping
00000004.00000002.344202284.0000000002AC1000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1eab3:$reg: SEE_MASK_NOZONECHECKS 0x3430b:$reg: SEE_MASK_NOZONECHECKS 0x3c323:$reg: SEE_MASK_NOZONECHECKS 0x1e7b4:$msg: Execute ERROR 0x1e84e:$msg: Execute ERROR 0x3400c:$msg: Execute ERROR 0x340a6:$msg: Execute ERROR 0x3c024:$msg: Execute ERROR 0x3c0be:$msg: Execute ERROR 0x1ebcf:$ping: cmd.exe /c ping 0 -n 2 & del 0x34427:$ping: cmd.exe /c ping 0 -n 2 & del 0x3c43f:$ping: cmd.exe /c ping 0 -n 2 & del
00000011.00000002.401022146.0000000003844000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000011.00000002.401022146.0000000003844000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x46a0:$hawkstr1: HawkEye Keylogger 0x40ec:$hawkstr2: Dear HawkEye Customers! 0x421e:$hawkstr3: HawkEye Logger Details:
0000002A.00000002.490487625.0000000002AD0000.00000004.00020000.sdmp	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x68bf:$x1: cmd.exe /c ping 0 -n 2 & del " 0x6504:$s3: Executed As
0000002A.00000002.490487625.0000000002AD0000.00000004.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000002A.00000002.490487625.0000000002AD0000.00000004.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x67d3:$a1: netsh firewall add allowedprogram 0x67a3:$a2: SEE_MASK_NOZONECHECKS 0x69c3:$b1: [TAP] 0x68bf:$c3: cmd.exe /c ping
0000002A.00000002.490487625.0000000002AD0000.00000004.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x67a3:$reg: SEE_MASK_NOZONECHECKS 0x64a4:$msg: Execute ERROR 0x653e:$msg: Execute ERROR 0x68bf:$ping: cmd.exe /c ping 0 -n 2 & del
00000022.00000002.460388443.00000000008F0000.00000004.00020000.sdmp	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x68bf:$x1: cmd.exe /c ping 0 -n 2 & del " 0x6504:$s3: Executed As
00000022.00000002.460388443.00000000008F0000.00000004.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000022.00000002.460388443.00000000008F0000.00000004.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x67d3:$a1: netsh firewall add allowedprogram 0x67a3:$a2: SEE_MASK_NOZONECHECKS 0x69c3:$b1: [TAP] 0x68bf:$c3: cmd.exe /c ping
00000022.00000002.460388443.00000000008F0000.00000004.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x67a3:$reg: SEE_MASK_NOZONECHECKS 0x64a4:$msg: Execute ERROR 0x653e:$msg: Execute ERROR 0x68bf:$ping: cmd.exe /c ping 0 -n 2 & del
00000023.00000002.517639660.0000000000D72000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000023.00000002.517639660.0000000000D72000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000023.00000002.517639660.0000000000D72000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000023.00000002.517639660.0000000000D72000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000023.00000002.517639660.0000000000D72000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
00000011.00000002.398362779.00000000033D1000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x2ed28:$key: HawkEyeKeylogger 0x2fc50:$salt: 099u787978786 0x4302c:$string1: HawkEye_Keylogger 0x139978:$string1: HawkEye_Keylogger 0x1039ac:$string2: holdermail.txt 0x1039dc:$string2: holdermail.txt 0x10530c:$string2: holdermail.txt 0x12035c:$string2: holdermail.txt 0x4597a:$string3: wallet.dat 0x459a2:$string3: wallet.dat 0x459c8:$string3: wallet.dat 0xb4f4c:$string4: Keylog Records 0xb5282:$string4: Keylog Records 0x343d4:$string5: do not script --> 0x2ed00:$string6: \pidloc.txt 0x2fb74:$string6: \pidloc.txt 0x2fc28:$string6: \pidloc.txt 0x2ee08:$string7: BSPLIT 0x2ee28:$string7: BSPLIT
00000011.00000002.398362779.00000000033D1000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000011.00000002.398362779.00000000033D1000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x430bc:$hawkstr1: HawkEye Keylogger 0x45aa0:$hawkstr1: HawkEye Keylogger 0x45e8c:$hawkstr1: HawkEye Keylogger 0x9c9a8:$hawkstr1: HawkEye Keylogger 0xb4f24:$hawkstr1: HawkEye Keylogger 0x1399d0:$hawkstr1: HawkEye Keylogger 0x42b08:$hawkstr2: Dear HawkEye Customers! 0x4410c:$hawkstr2: Dear HawkEye Customers! 0x45b04:$hawkstr2: Dear HawkEye Customers! 0x45ef0:$hawkstr2: Dear HawkEye Customers! 0x42c3a:$hawkstr3: HawkEye Logger Details: 0x44236:$hawkstr3: HawkEye Logger Details:
00000023.00000000.438271647.0000000000D72000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000023.00000000.438271647.0000000000D72000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000023.00000000.438271647.0000000000D72000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000023.00000000.438271647.0000000000D72000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000023.00000000.438271647.0000000000D72000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
00000011.00000002.404757917.0000000007F20000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000011.00000000.344079662.0000000000D42000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
00000011.00000000.345013885.0000000000D42000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000011.00000000.345013885.0000000000D42000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000011.00000000.345013885.0000000000D42000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000011.00000000.345013885.0000000000D42000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000011.00000000.345013885.0000000000D42000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
00000023.00000000.439141750.0000000000D72000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000023.00000000.439141750.0000000000D72000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000023.00000000.439141750.0000000000D72000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000023.00000000.439141750.0000000000D72000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000023.00000000.439141750.0000000000D72000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
0000001C.00000000.395296595.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000011.00000002.395985311.0000000000D42000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000011.00000002.395985311.0000000000D42000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000011.00000002.395985311.0000000000D42000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000011.00000002.395985311.0000000000D42000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000011.00000002.395985311.0000000000D42000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000002.00000002.345938091.0000000000762000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
00000005.00000002.339955429.0000000002861000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000005.00000002.339955429.0000000002861000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1eae3:$a1: netsh firewall add allowedprogram 0x3433b:$a1: netsh firewall add allowedprogram 0x3c353:$a1: netsh firewall add allowedprogram 0x1eab3:$a2: SEE_MASK_NOZONECHECKS 0x3430b:$a2: SEE_MASK_NOZONECHECKS 0x3c323:$a2: SEE_MASK_NOZONECHECKS 0x1ecd3:$b1: [TAP] 0x3452b:$b1: [TAP] 0x3c543:$b1: [TAP] 0x1ebcf:$c3: cmd.exe /c ping 0x34427:$c3: cmd.exe /c ping 0x3c43f:$c3: cmd.exe /c ping
00000005.00000002.339955429.0000000002861000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1eab3:$reg: SEE_MASK_NOZONECHECKS 0x3430b:$reg: SEE_MASK_NOZONECHECKS 0x3c323:$reg: SEE_MASK_NOZONECHECKS 0x1e7b4:$msg: Execute ERROR 0x1e84e:$msg: Execute ERROR 0x3400c:$msg: Execute ERROR 0x340a6:$msg: Execute ERROR 0x3c024:$msg: Execute ERROR 0x3c0be:$msg: Execute ERROR 0x1ebcf:$ping: cmd.exe /c ping 0 -n 2 & del 0x34427:$ping: cmd.exe /c ping 0 -n 2 & del 0x3c43f:$ping: cmd.exe /c ping 0 -n 2 & del
00000011.00000002.404673570.0000000007D50000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000023.00000002.529100173.0000000008CA0000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000011.00000000.344577031.0000000000D42000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000011.00000000.344577031.0000000000D42000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000011.00000000.344577031.0000000000D42000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000011.00000000.344577031.0000000000D42000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000011.00000000.344577031.0000000000D42000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
00000021.00000000.418565410.0000000000BC2000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000021.00000000.418565410.0000000000BC2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000021.00000000.418565410.0000000000BC2000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000021.00000000.418565410.0000000000BC2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000021.00000000.418565410.0000000000BC2000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
00000011.00000003.370310625.0000000006DFE000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x3af31:$key: HawkEyeKeylogger 0x3d267:$salt: 099u787978786 0x3b5ee:$string1: HawkEye_Keylogger 0x3c441:$string1: HawkEye_Keylogger 0x3d1c7:$string1: HawkEye_Keylogger 0x3b9d7:$string2: holdermail.txt 0x3b9f7:$string2: holdermail.txt 0x3b919:$string3: wallet.dat 0x3b931:$string3: wallet.dat 0x3b947:$string3: wallet.dat 0x3cd8b:$string4: Keylog Records 0x3d0a3:$string4: Keylog Records 0x3d2bf:$string5: do not script --> 0x3af19:$string6: \pidloc.txt 0x3afa7:$string7: BSPLIT 0x3afb7:$string7: BSPLIT
00000011.00000003.370310625.0000000006DFE000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000011.00000003.370310625.0000000006DFE000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000011.00000003.370310625.0000000006DFE000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000011.00000003.370310625.0000000006DFE000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x3b646:$hawkstr1: HawkEye Keylogger 0x3c487:$hawkstr1: HawkEye Keylogger 0x3c7b6:$hawkstr1: HawkEye Keylogger 0x3c911:$hawkstr1: HawkEye Keylogger 0x3ca74:$hawkstr1: HawkEye Keylogger 0x3cd63:$hawkstr1: HawkEye Keylogger 0x3b1b8:$hawkstr2: Dear HawkEye Customers! 0x3c809:$hawkstr2: Dear HawkEye Customers! 0x3c960:$hawkstr2: Dear HawkEye Customers! 0x3cac7:$hawkstr2: Dear HawkEye Customers! 0x3b2d9:$hawkstr3: HawkEye Logger Details:
00000023.00000000.439708948.0000000000D72000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000023.00000000.439708948.0000000000D72000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000023.00000000.439708948.0000000000D72000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000023.00000000.439708948.0000000000D72000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000023.00000000.439708948.0000000000D72000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
00000023.00000000.437787976.0000000000D72000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000023.00000000.437787976.0000000000D72000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000023.00000000.437787976.0000000000D72000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000023.00000000.437787976.0000000000D72000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000023.00000000.437787976.0000000000D72000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
0000001C.00000002.412155949.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000021.00000002.445241123.00000000013F3000.00000004.00000020.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0xecb9:$key: HawkEyeKeylogger 0x10fef:$salt: 099u787978786 0xf376:$string1: HawkEye_Keylogger 0x101c9:$string1: HawkEye_Keylogger 0x10f4f:$string1: HawkEye_Keylogger 0xf75f:$string2: holdermail.txt 0xf77f:$string2: holdermail.txt 0xf6a1:$string3: wallet.dat 0xf6b9:$string3: wallet.dat 0xf6cf:$string3: wallet.dat 0x10b13:$string4: Keylog Records 0x10e2b:$string4: Keylog Records 0x11047:$string5: do not script --> 0xeca1:$string6: \pidloc.txt 0xed2f:$string7: BSPLIT 0xed3f:$string7: BSPLIT
00000021.00000002.445241123.00000000013F3000.00000004.00000020.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000021.00000002.445241123.00000000013F3000.00000004.00000020.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000021.00000002.445241123.00000000013F3000.00000004.00000020.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0xf3ce:$hawkstr1: HawkEye Keylogger 0x1020f:$hawkstr1: HawkEye Keylogger 0x1053e:$hawkstr1: HawkEye Keylogger 0x10699:$hawkstr1: HawkEye Keylogger 0x107fc:$hawkstr1: HawkEye Keylogger 0x10aeb:$hawkstr1: HawkEye Keylogger 0xef40:$hawkstr2: Dear HawkEye Customers! 0x10591:$hawkstr2: Dear HawkEye Customers! 0x106e8:$hawkstr2: Dear HawkEye Customers! 0x1084f:$hawkstr2: Dear HawkEye Customers! 0xf061:$hawkstr3: HawkEye Logger Details:
00000005.00000002.339619983.00000000024B0000.00000004.00020000.sdmp	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x68bf:$x1: cmd.exe /c ping 0 -n 2 & del " 0x6504:$s3: Executed As
00000005.00000002.339619983.00000000024B0000.00000004.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000005.00000002.339619983.00000000024B0000.00000004.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x67d3:$a1: netsh firewall add allowedprogram 0x67a3:$a2: SEE_MASK_NOZONECHECKS 0x69c3:$b1: [TAP] 0x68bf:$c3: cmd.exe /c ping
00000005.00000002.339619983.00000000024B0000.00000004.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x67a3:$reg: SEE_MASK_NOZONECHECKS 0x64a4:$msg: Execute ERROR 0x653e:$msg: Execute ERROR 0x68bf:$ping: cmd.exe /c ping 0 -n 2 & del
00000011.00000002.401457902.00000000043D1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000002.00000000.314643771.0000000000762000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000002.00000000.314643771.0000000000762000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000002.00000000.314643771.0000000000762000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000002.00000000.314643771.0000000000762000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000002.00000000.314643771.0000000000762000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
00000011.00000002.402244108.0000000004591000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000002.00000003.339296284.0000000000E97000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x3ba29:$key: HawkEyeKeylogger 0x3dd5f:$salt: 099u787978786 0x3c0e6:$string1: HawkEye_Keylogger 0x3cf39:$string1: HawkEye_Keylogger 0x3dcbf:$string1: HawkEye_Keylogger 0x3c4cf:$string2: holdermail.txt 0x3c4ef:$string2: holdermail.txt 0x3c411:$string3: wallet.dat 0x3c429:$string3: wallet.dat 0x3c43f:$string3: wallet.dat 0x3d883:$string4: Keylog Records 0x3db9b:$string4: Keylog Records 0x3ddb7:$string5: do not script --> 0x3ba11:$string6: \pidloc.txt 0x3ba9f:$string7: BSPLIT 0x3baaf:$string7: BSPLIT
00000002.00000003.339296284.0000000000E97000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000002.00000003.339296284.0000000000E97000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000002.00000003.339296284.0000000000E97000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000002.00000003.339296284.0000000000E97000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x3c13e:$hawkstr1: HawkEye Keylogger 0x3cf7f:$hawkstr1: HawkEye Keylogger 0x3d2ae:$hawkstr1: HawkEye Keylogger 0x3d409:$hawkstr1: HawkEye Keylogger 0x3d56c:$hawkstr1: HawkEye Keylogger 0x3d85b:$hawkstr1: HawkEye Keylogger 0x3bcb0:$hawkstr2: Dear HawkEye Customers! 0x3d301:$hawkstr2: Dear HawkEye Customers! 0x3d458:$hawkstr2: Dear HawkEye Customers! 0x3d5bf:$hawkstr2: Dear HawkEye Customers! 0x3bdd1:$hawkstr3: HawkEye Logger Details:
00000023.00000002.525622624.00000000046C1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000023.00000002.525622624.00000000046C1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000001E.00000002.421069475.0000000002C51000.00000004.00000001.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001E.00000002.421069475.0000000002C51000.00000004.00000001.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x1e963:$a1: netsh firewall add allowedprogram 0x341bb:$a1: netsh firewall add allowedprogram 0x3c1d3:$a1: netsh firewall add allowedprogram 0x1e933:$a2: SEE_MASK_NOZONECHECKS 0x3418b:$a2: SEE_MASK_NOZONECHECKS 0x3c1a3:$a2: SEE_MASK_NOZONECHECKS 0x1eb53:$b1: [TAP] 0x343ab:$b1: [TAP] 0x3c3c3:$b1: [TAP] 0x1ea4f:$c3: cmd.exe /c ping 0x342a7:$c3: cmd.exe /c ping 0x3c2bf:$c3: cmd.exe /c ping
0000001E.00000002.421069475.0000000002C51000.00000004.00000001.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x1e933:$reg: SEE_MASK_NOZONECHECKS 0x3418b:$reg: SEE_MASK_NOZONECHECKS 0x3c1a3:$reg: SEE_MASK_NOZONECHECKS 0x1e634:$msg: Execute ERROR 0x1e6ce:$msg: Execute ERROR 0x33e8c:$msg: Execute ERROR 0x33f26:$msg: Execute ERROR 0x3bea4:$msg: Execute ERROR 0x3bf3e:$msg: Execute ERROR 0x1ea4f:$ping: cmd.exe /c ping 0 -n 2 & del 0x342a7:$ping: cmd.exe /c ping 0 -n 2 & del 0x3c2bf:$ping: cmd.exe /c ping 0 -n 2 & del
0000001E.00000002.420830260.0000000002620000.00000004.00020000.sdmp	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x68bf:$x1: cmd.exe /c ping 0 -n 2 & del " 0x6504:$s3: Executed As
0000001E.00000002.420830260.0000000002620000.00000004.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0000001E.00000002.420830260.0000000002620000.00000004.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x67d3:$a1: netsh firewall add allowedprogram 0x67a3:$a2: SEE_MASK_NOZONECHECKS 0x69c3:$b1: [TAP] 0x68bf:$c3: cmd.exe /c ping
0000001E.00000002.420830260.0000000002620000.00000004.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x67a3:$reg: SEE_MASK_NOZONECHECKS 0x64a4:$msg: Execute ERROR 0x653e:$msg: Execute ERROR 0x68bf:$ping: cmd.exe /c ping 0 -n 2 & del
00000023.00000002.521512355.00000000036C1000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x2dee0:$key: HawkEyeKeylogger 0x343ac:$salt: 099u787978786 0x44fa0:$string1: HawkEye_Keylogger 0x50718:$string1: HawkEye_Keylogger 0x4e11c:$string2: holdermail.txt 0x4e14c:$string2: holdermail.txt 0x4e424:$string2: holdermail.txt 0x522e0:$string2: holdermail.txt 0xd84f0:$string2: holdermail.txt 0xd85c8:$string2: holdermail.txt 0xd86a0:$string2: holdermail.txt 0xd87c4:$string2: holdermail.txt 0xd889c:$string2: holdermail.txt 0xd8974:$string2: holdermail.txt 0xf0bf8:$string2: holdermail.txt 0xf0cd0:$string2: holdermail.txt 0xf0da8:$string2: holdermail.txt 0xf0e80:$string2: holdermail.txt 0xf0f58:$string2: holdermail.txt 0xf1030:$string2: holdermail.txt 0xf1108:$string2: holdermail.txt
00000023.00000002.521512355.00000000036C1000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000023.00000002.521512355.00000000036C1000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x45030:$hawkstr1: HawkEye Keylogger 0x472b8:$hawkstr1: HawkEye Keylogger 0x47650:$hawkstr1: HawkEye Keylogger 0x48a88:$hawkstr1: HawkEye Keylogger 0x494bc:$hawkstr1: HawkEye Keylogger 0x50770:$hawkstr1: HawkEye Keylogger 0x52144:$hawkstr1: HawkEye Keylogger 0x466e28:$hawkstr1: HawkEye Keylogger 0x44a7c:$hawkstr2: Dear HawkEye Customers! 0x45858:$hawkstr2: Dear HawkEye Customers! 0x4731c:$hawkstr2: Dear HawkEye Customers! 0x476b4:$hawkstr2: Dear HawkEye Customers! 0x521a4:$hawkstr2: Dear HawkEye Customers! 0x44bae:$hawkstr3: HawkEye Logger Details: 0x45982:$hawkstr3: HawkEye Logger Details:
00000010.00000002.569803952.0000000002700000.00000004.00020000.sdmp	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x68bf:$x1: cmd.exe /c ping 0 -n 2 & del " 0x6504:$s3: Executed As
00000010.00000002.569803952.0000000002700000.00000004.00020000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000010.00000002.569803952.0000000002700000.00000004.00020000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x67d3:$a1: netsh firewall add allowedprogram 0x67a3:$a2: SEE_MASK_NOZONECHECKS 0x69c3:$b1: [TAP] 0x68bf:$c3: cmd.exe /c ping
00000010.00000002.569803952.0000000002700000.00000004.00020000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x67a3:$reg: SEE_MASK_NOZONECHECKS 0x64a4:$msg: Execute ERROR 0x653e:$msg: Execute ERROR 0x68bf:$ping: cmd.exe /c ping 0 -n 2 & del
00000023.00000002.529114563.0000000008CB0000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000001C.00000000.393916948.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000011.00000000.343560898.0000000000D42000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b609:$key: HawkEyeKeylogger 0x7d93f:$salt: 099u787978786 0x7bcc6:$string1: HawkEye_Keylogger 0x7cb19:$string1: HawkEye_Keylogger 0x7d89f:$string1: HawkEye_Keylogger 0x7c0af:$string2: holdermail.txt 0x7c0cf:$string2: holdermail.txt 0x7bff1:$string3: wallet.dat 0x7c009:$string3: wallet.dat 0x7c01f:$string3: wallet.dat 0x7d463:$string4: Keylog Records 0x7d77b:$string4: Keylog Records 0x7d997:$string5: do not script --> 0x7b5f1:$string6: \pidloc.txt 0x7b67f:$string7: BSPLIT 0x7b68f:$string7: BSPLIT
00000011.00000000.343560898.0000000000D42000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000011.00000000.343560898.0000000000D42000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000011.00000000.343560898.0000000000D42000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000011.00000000.343560898.0000000000D42000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd1e:$hawkstr1: HawkEye Keylogger 0x7cb5f:$hawkstr1: HawkEye Keylogger 0x7ce8e:$hawkstr1: HawkEye Keylogger 0x7cfe9:$hawkstr1: HawkEye Keylogger 0x7d14c:$hawkstr1: HawkEye Keylogger 0x7d43b:$hawkstr1: HawkEye Keylogger 0x7b890:$hawkstr2: Dear HawkEye Customers! 0x7cee1:$hawkstr2: Dear HawkEye Customers! 0x7d038:$hawkstr2: Dear HawkEye Customers! 0x7d19f:$hawkstr2: Dear HawkEye Customers! 0x7b9b1:$hawkstr3: HawkEye Logger Details:
Process Memory Space: Keylogger.exe PID: 4492	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: Keylogger.exe PID: 4492	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: RedLine.MainPanel-cracked.exe PID: 4140	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: RedLine.MainPanel-cracked.exe PID: 7032	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: RedLine.exe PID: 4236	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Process Memory Space: Windows Update.exe PID: 5624	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: Windows Update.exe PID: 5624	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: vbc.exe PID: 6444	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Click to see the 161 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
17.2.Windows Update.exe.350b42c.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
17.2.Windows Update.exe.7f20000.9.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x67d3:$a1: netsh firewall add allowedprogram 0x1c02b:$a1: netsh firewall add allowedprogram 0x24043:$a1: netsh firewall add allowedprogram 0x67a3:$a2: SEE_MASK_NOZONECHECKS 0x1bffb:$a2: SEE_MASK_NOZONECHECKS 0x24013:$a2: SEE_MASK_NOZONECHECKS 0x69c3:$b1: [TAP] 0x1c21b:$b1: [TAP] 0x24233:$b1: [TAP] 0x68bf:$c3: cmd.exe /c ping 0x1c117:$c3: cmd.exe /c ping 0x2412f:$c3: cmd.exe /c ping
4.2.RedLine.MainPanel-cracked.exe.2ad9310.4.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x67a3:$reg: SEE_MASK_NOZONECHECKS 0x1bffb:$reg: SEE_MASK_NOZONECHECKS 0x24013:$reg: SEE_MASK_NOZONECHECKS 0x64a4:$msg: Execute ERROR 0x653e:$msg: Execute ERROR 0x1bcfc:$msg: Execute ERROR 0x1bd96:$msg: Execute ERROR 0x23d14:$msg: Execute ERROR 0x23dae:$msg: Execute ERROR 0x68bf:$ping: cmd.exe /c ping 0 -n 2 & del 0x1c117:$ping: cmd.exe /c ping 0 -n 2 & del 0x2412f:$ping: cmd.exe /c ping 0 -n 2 & del
5.2.RedLine.MainPanel-cracked.exe.2886bc0.3.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
5.2.RedLine.MainPanel-cracked.exe.2886bc0.3.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe77b:$a1: netsh firewall add allowedprogram 0x16793:$a1: netsh firewall add allowedprogram 0xe74b:$a2: SEE_MASK_NOZONECHECKS 0x16763:$a2: SEE_MASK_NOZONECHECKS 0xe96b:$b1: [TAP] 0x16983:$b1: [TAP] 0xe867:$c3: cmd.exe /c ping 0x1687f:$c3: cmd.exe /c ping
5.2.RedLine.MainPanel-cracked.exe.2886bc0.3.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xe74b:$reg: SEE_MASK_NOZONECHECKS 0x16763:$reg: SEE_MASK_NOZONECHECKS 0xe44c:$msg: Execute ERROR 0xe4e6:$msg: Execute ERROR 0x16464:$msg: Execute ERROR 0x164fe:$msg: Execute ERROR 0xe867:$ping: cmd.exe /c ping 0 -n 2 & del 0x1687f:$ping: cmd.exe /c ping 0 -n 2 & del
28.0.vbc.exe.400000.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
5.2.RedLine.MainPanel-cracked.exe.24b0000.1.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x68bf:$x1: cmd.exe /c ping 0 -n 2 & del " 0x6504:$s3: Executed As
5.2.RedLine.MainPanel-cracked.exe.24b0000.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
5.2.RedLine.MainPanel-cracked.exe.24b0000.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x67d3:$a1: netsh firewall add allowedprogram 0x67a3:$a2: SEE_MASK_NOZONECHECKS 0x69c3:$b1: [TAP] 0x68bf:$c3: cmd.exe /c ping
5.2.RedLine.MainPanel-cracked.exe.24b0000.1.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x67a3:$reg: SEE_MASK_NOZONECHECKS 0x64a4:$msg: Execute ERROR 0x653e:$msg: Execute ERROR 0x68bf:$ping: cmd.exe /c ping 0 -n 2 & del
17.3.Windows Update.exe.6e1b39a.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
17.0.Windows Update.exe.d49c0d.11.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.RedLine.MainPanel-cracked.exe.2630000.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0x4abf:$x1: cmd.exe /c ping 0 -n 2 & del " 0x4704:$s3: Executed As
4.2.RedLine.MainPanel-cracked.exe.2630000.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
4.2.RedLine.MainPanel-cracked.exe.2630000.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0x49d3:$a1: netsh firewall add allowedprogram 0x49a3:$a2: SEE_MASK_NOZONECHECKS 0x4bc3:$b1: [TAP] 0x4abf:$c3: cmd.exe /c ping
4.2.RedLine.MainPanel-cracked.exe.2630000.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0x49a3:$reg: SEE_MASK_NOZONECHECKS 0x46a4:$msg: Execute ERROR 0x473e:$msg: Execute ERROR 0x4abf:$ping: cmd.exe /c ping 0 -n 2 & del
25.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
28.0.vbc.exe.400000.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.RedLine.MainPanel-cracked.exe.2ae6bc0.2.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
4.2.RedLine.MainPanel-cracked.exe.2ae6bc0.2.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xe77b:$a1: netsh firewall add allowedprogram 0x16793:$a1: netsh firewall add allowedprogram 0xe74b:$a2: SEE_MASK_NOZONECHECKS 0x16763:$a2: SEE_MASK_NOZONECHECKS 0xe96b:$b1: [TAP] 0x16983:$b1: [TAP] 0xe867:$c3: cmd.exe /c ping 0x1687f:$c3: cmd.exe /c ping
4.2.RedLine.MainPanel-cracked.exe.2ae6bc0.2.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xe74b:$reg: SEE_MASK_NOZONECHECKS 0x16763:$reg: SEE_MASK_NOZONECHECKS 0xe44c:$msg: Execute ERROR 0xe4e6:$msg: Execute ERROR 0x16464:$msg: Execute ERROR 0x164fe:$msg: Execute ERROR 0xe867:$ping: cmd.exe /c ping 0 -n 2 & del 0x1687f:$ping: cmd.exe /c ping 0 -n 2 & del
2.0.Keylogger.exe.7bfa72.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.Keylogger.exe.7bfa72.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1db97:$key: HawkEyeKeylogger 0x1fecd:$salt: 099u787978786 0x1e254:$string1: HawkEye_Keylogger 0x1f0a7:$string1: HawkEye_Keylogger 0x1fe2d:$string1: HawkEye_Keylogger 0x1e63d:$string2: holdermail.txt 0x1e65d:$string2: holdermail.txt 0x1e57f:$string3: wallet.dat 0x1e597:$string3: wallet.dat 0x1e5ad:$string3: wallet.dat 0x1f9f1:$string4: Keylog Records 0x1fd09:$string4: Keylog Records 0x1ff25:$string5: do not script --> 0x1db7f:$string6: \pidloc.txt 0x1dc0d:$string7: BSPLIT 0x1dc1d:$string7: BSPLIT
2.2.Keylogger.exe.7bfa72.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.Keylogger.exe.7bfa72.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
2.2.Keylogger.exe.7bfa72.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e2ac:$hawkstr1: HawkEye Keylogger 0x1f0ed:$hawkstr1: HawkEye Keylogger 0x1f41c:$hawkstr1: HawkEye Keylogger 0x1f577:$hawkstr1: HawkEye Keylogger 0x1f6da:$hawkstr1: HawkEye Keylogger 0x1f9c9:$hawkstr1: HawkEye Keylogger 0x1de1e:$hawkstr2: Dear HawkEye Customers! 0x1f46f:$hawkstr2: Dear HawkEye Customers! 0x1f5c6:$hawkstr2: Dear HawkEye Customers! 0x1f72d:$hawkstr2: Dear HawkEye Customers! 0x1df3f:$hawkstr3: HawkEye Logger Details:
2.2.Keylogger.exe.768208.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75401:$key: HawkEyeKeylogger 0x77737:$salt: 099u787978786

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Hpdyv8oO3j.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs