Play interactive tour

Edit tour

Windows Analysis Report SW0P9o9ksjpBsnr.exe

Overview

General Information

Sample Name:	SW0P9o9ksjpBsnr.exe
Analysis ID:	547727
MD5:	27f2a9688ec34fc8aa3b0fee4757dd71
SHA1:	9464f6bea3222c5598ecd9d29a8bc68c0998f926
SHA256:	5733ad0577f5b8fc7e939b1daff3ff98b339bb47542a138b659e47b9001fbbd2
Tags:	exeRemcosRAT
Infos:
Most interesting Screenshot:

Detection

HawkEye Remcos AgentTesla AveMaria MailPassView UACMe

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected MailPassView

Yara detected HawkEye Keylogger

Yara detected AgentTesla

Yara detected AntiVM3

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Remcos RAT

Yara detected UACMe UAC Bypass tool

Detected HawkEye Rat

Yara detected AveMaria stealer

Detected Remcos RAT

Multi AV Scanner detection for dropped file

Connects to many ports of the same IP (likely port scanning)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Allocates memory in foreign processes

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Creates a thread in another existing process (thread injection)

Adds a directory exclusion to Windows Defender

Creates autostart registry keys with suspicious names

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Increases the number of concurrent connection per server for Internet Explorer

.NET source code references suspicious native API functions

Contains functionality to hide user accounts

Contains functionality to log keystrokes (.Net Source)

Contains functionality to steal e-mail passwords

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Yara detected WebBrowserPassView password recovery tool

Contains functionality to steal Chrome passwords or cookies

Sigma detected: Powershell Defender Exclusion

Machine Learning detection for dropped file

Contains functionality to inject threads in other processes

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Contains functionality to create new users

Antivirus or Machine Learning detection for unpacked file

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Contains functionality to download and execute PE files

Yara detected Keylogger Generic

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May infect USB drives

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to call native functions

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Contains functionality to download and launch executables

Uses SMTP (mail sending)

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SW0P9o9ksjpBsnr.exe (PID: 5468 cmdline: "C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe" MD5: 27F2A9688EC34FC8AA3B0FEE4757DD71)

BackgroundTransferHost.exe (PID: 4928 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)

bin.exe (PID: 6480 cmdline: "C:\Users\user\AppData\Local\Temp\bin.exe" 0 MD5: 805FBB84293E86F25B566A5B2C2815D2)

powershell.exe (PID: 6572 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6580 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

warz.exe (PID: 6544 cmdline: "C:\Users\user\AppData\Local\Temp\warz.exe" 0 MD5: 1D90A7DA17807F64F1699E5EA2091A36)

powershell.exe (PID: 6764 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

images.exe (PID: 6824 cmdline: C:\ProgramData\images.exe MD5: 1D90A7DA17807F64F1699E5EA2091A36)

powershell.exe (PID: 7092 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 7156 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rem.exe (PID: 6564 cmdline: "C:\Users\user\AppData\Local\Temp\rem.exe" 0 MD5: 9E764165FBA9E86937643D84A2F4E063)

hawkstartup.exe (PID: 6776 cmdline: "C:\Users\user\AppData\Local\Temp\hawkstartup.exe" 0 MD5: AEAF1943FB037B6529873D7CC47CE137)

Windows Update.exe (PID: 3328 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: AEAF1943FB037B6529873D7CC47CE137)

dw20.exe (PID: 5040 cmdline: dw20.exe -x -s 2228 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)

vbc.exe (PID: 1456 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 4692 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)

WerFault.exe (PID: 1896 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 2232 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 4600 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 2232 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

ori4.0dec23sta.exe (PID: 6988 cmdline: "C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe" 0 MD5: F41809BC71EEB2C3B1676309139216A8)

ori2.0dec23sta.exe (PID: 7112 cmdline: "C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe" 0 MD5: 421138225D5DEE81805C5E5072898504)

BackgroundTransferHost.exe (PID: 6776 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)

SW0P9o9ksjpBsnr.exe (PID: 4928 cmdline: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe MD5: 27F2A9688EC34FC8AA3B0FEE4757DD71)

bin.exe (PID: 7136 cmdline: "C:\Users\user\AppData\Local\Temp\bin.exe" MD5: 805FBB84293E86F25B566A5B2C2815D2)

WindowsUpdate.exe (PID: 6840 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: AEAF1943FB037B6529873D7CC47CE137)

100.exe (PID: 5772 cmdline: "C:\Users\user\AppData\Roaming\100\100.exe" MD5: F41809BC71EEB2C3B1676309139216A8)

WindowsUpdate.exe (PID: 7164 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: AEAF1943FB037B6529873D7CC47CE137)

100.exe (PID: 6576 cmdline: "C:\Users\user\AppData\Roaming\100\100.exe" MD5: F41809BC71EEB2C3B1676309139216A8)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\100\100.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Roaming\100\100.exe	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
C:\ProgramData\images.exe	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
C:\ProgramData\images.exe	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
C:\ProgramData\images.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
C:\ProgramData\images.exe	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
C:\ProgramData\images.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\ProgramData\images.exe	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
C:\ProgramData\images.exe	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\warz.exe	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
C:\Users\user\AppData\Local\Temp\warz.exe	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\warz.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
C:\Users\user\AppData\Local\Temp\warz.exe	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
C:\Users\user\AppData\Local\Temp\warz.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\warz.exe	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
C:\Users\user\AppData\Local\Temp\warz.exe	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
C:\Users\user\AppData\Local\Temp\bin.exe	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
C:\Users\user\AppData\Local\Temp\bin.exe	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
C:\Users\user\AppData\Local\Temp\bin.exe	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
C:\Users\user\AppData\Local\Temp\bin.exe	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
C:\Users\user\AppData\Local\Temp\bin.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\bin.exe	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
C:\Users\user\AppData\Local\Temp\bin.exe	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\rem.exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\rem.exe	REMCOS_RAT_variants	unknown	unknown	0x60744:$str_a1: C:\Windows\System32\cmd.exe 0x606c0:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x606c0:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x5fca8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60300:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x5f8ec:$str_b2: Executing file: 0x60888:$str_b3: GetDirectListeningPort 0x600c0:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x602e8:$str_b7: \update.vbs 0x5f93c:$str_b9: Downloaded file: 0x5f928:$str_b10: Downloading file: 0x5f910:$str_b12: Failed to upload file: 0x60850:$str_b13: StartForward 0x60870:$str_b14: StopForward 0x60290:$str_b15: fso.DeleteFile " 0x60224:$str_b16: On Error Resume Next 0x602c0:$str_b17: fso.DeleteFolder " 0x5f900:$str_b18: Uploaded file: 0x5f97c:$str_b19: Unable to delete: 0x60258:$str_b20: while fso.FileExists(" 0x5fde1:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\hawkstartup.exe	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b872:$key: HawkEyeKeylogger 0x7dad4:$salt: 099u787978786 0x7beb3:$string1: HawkEye_Keylogger 0x7cd06:$string1: HawkEye_Keylogger 0x7da34:$string1: HawkEye_Keylogger 0x7c29c:$string2: holdermail.txt 0x7c2bc:$string2: holdermail.txt 0x7c1de:$string3: wallet.dat 0x7c1f6:$string3: wallet.dat 0x7c20c:$string3: wallet.dat 0x7d5f8:$string4: Keylog Records 0x7d910:$string4: Keylog Records 0x7db2c:$string5: do not script --> 0x7b85a:$string6: \pidloc.txt 0x7b8e8:$string7: BSPLIT 0x7b8f8:$string7: BSPLIT
C:\Users\user\AppData\Local\Temp\hawkstartup.exe	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Local\Temp\hawkstartup.exe	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
C:\Users\user\AppData\Local\Temp\hawkstartup.exe	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
C:\Users\user\AppData\Local\Temp\hawkstartup.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\user\AppData\Local\Temp\hawkstartup.exe	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0b:$hawkstr1: HawkEye Keylogger 0x7cd4c:$hawkstr1: HawkEye Keylogger 0x7d07b:$hawkstr1: HawkEye Keylogger 0x7d1d6:$hawkstr1: HawkEye Keylogger 0x7d339:$hawkstr1: HawkEye Keylogger 0x7d5d0:$hawkstr1: HawkEye Keylogger 0x7ba99:$hawkstr2: Dear HawkEye Customers! 0x7d0ce:$hawkstr2: Dear HawkEye Customers! 0x7d225:$hawkstr2: Dear HawkEye Customers! 0x7d38c:$hawkstr2: Dear HawkEye Customers! 0x7bbba:$hawkstr3: HawkEye Logger Details:
C:\Users\user\AppData\Roaming\Windows Update.exe	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b872:$key: HawkEyeKeylogger 0x7dad4:$salt: 099u787978786 0x7beb3:$string1: HawkEye_Keylogger 0x7cd06:$string1: HawkEye_Keylogger 0x7da34:$string1: HawkEye_Keylogger 0x7c29c:$string2: holdermail.txt 0x7c2bc:$string2: holdermail.txt 0x7c1de:$string3: wallet.dat 0x7c1f6:$string3: wallet.dat 0x7c20c:$string3: wallet.dat 0x7d5f8:$string4: Keylog Records 0x7d910:$string4: Keylog Records 0x7db2c:$string5: do not script --> 0x7b85a:$string6: \pidloc.txt 0x7b8e8:$string7: BSPLIT 0x7b8f8:$string7: BSPLIT
C:\Users\user\AppData\Roaming\Windows Update.exe	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
C:\Users\user\AppData\Roaming\Windows Update.exe	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
C:\Users\user\AppData\Roaming\Windows Update.exe	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
C:\Users\user\AppData\Roaming\Windows Update.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\user\AppData\Roaming\Windows Update.exe	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf0b:$hawkstr1: HawkEye Keylogger 0x7cd4c:$hawkstr1: HawkEye Keylogger 0x7d07b:$hawkstr1: HawkEye Keylogger 0x7d1d6:$hawkstr1: HawkEye Keylogger 0x7d339:$hawkstr1: HawkEye Keylogger 0x7d5d0:$hawkstr1: HawkEye Keylogger 0x7ba99:$hawkstr2: Dear HawkEye Customers! 0x7d0ce:$hawkstr2: Dear HawkEye Customers! 0x7d225:$hawkstr2: Dear HawkEye Customers! 0x7d38c:$hawkstr2: Dear HawkEye Customers! 0x7bbba:$hawkstr3: HawkEye Logger Details:
Click to see the 36 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000017.00000000.312592775.00000000008C2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000017.00000000.312592775.00000000008C2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000001F.00000002.435763826.00000000081E0000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000D.00000000.296555205.0000000000454000.00000002.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000B.00000003.295896513.00000000010CE000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000003.295896513.00000000010CE000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000001F.00000002.435817753.0000000008330000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000000D.00000000.297395374.0000000000454000.00000002.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001F.00000002.433914627.00000000047A1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000001F.00000002.433914627.00000000047A1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000B.00000000.291633552.0000000000894000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000000.291633552.0000000000894000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000022.00000000.357769555.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000001F.00000000.378931650.00000000047A1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000001F.00000000.378931650.00000000047A1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b672:$key: HawkEyeKeylogger 0x7d8d4:$salt: 099u787978786 0x7bcb3:$string1: HawkEye_Keylogger 0x7cb06:$string1: HawkEye_Keylogger 0x7d834:$string1: HawkEye_Keylogger 0x7c09c:$string2: holdermail.txt 0x7c0bc:$string2: holdermail.txt 0x7bfde:$string3: wallet.dat 0x7bff6:$string3: wallet.dat 0x7c00c:$string3: wallet.dat 0x7d3f8:$string4: Keylog Records 0x7d710:$string4: Keylog Records 0x7d92c:$string5: do not script --> 0x7b65a:$string6: \pidloc.txt 0x7b6e8:$string7: BSPLIT 0x7b6f8:$string7: BSPLIT
0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0b:$hawkstr1: HawkEye Keylogger 0x7cb4c:$hawkstr1: HawkEye Keylogger 0x7ce7b:$hawkstr1: HawkEye Keylogger 0x7cfd6:$hawkstr1: HawkEye Keylogger 0x7d139:$hawkstr1: HawkEye Keylogger 0x7d3d0:$hawkstr1: HawkEye Keylogger 0x7b899:$hawkstr2: Dear HawkEye Customers! 0x7cece:$hawkstr2: Dear HawkEye Customers! 0x7d025:$hawkstr2: Dear HawkEye Customers! 0x7d18c:$hawkstr2: Dear HawkEye Customers! 0x7b9ba:$hawkstr3: HawkEye Logger Details:
0000000B.00000000.291260710.0000000000894000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000000.291260710.0000000000894000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x11628:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x14430:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x11628:$c1: Elevation:Administrator!new: 0x14430:$c1: Elevation:Administrator!new:
0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000030.00000000.423572403.0000000000552000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000030.00000000.423572403.0000000000552000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000001F.00000000.389096338.00000000081E0000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000023.00000002.377528498.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x19210:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x19210:$c1: Elevation:Administrator!new:
00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b672:$key: HawkEyeKeylogger 0x7d8d4:$salt: 099u787978786 0x7bcb3:$string1: HawkEye_Keylogger 0x7cb06:$string1: HawkEye_Keylogger 0x7d834:$string1: HawkEye_Keylogger 0x7c09c:$string2: holdermail.txt 0x7c0bc:$string2: holdermail.txt 0x7bfde:$string3: wallet.dat 0x7bff6:$string3: wallet.dat 0x7c00c:$string3: wallet.dat 0x7d3f8:$string4: Keylog Records 0x7d710:$string4: Keylog Records 0x7d92c:$string5: do not script --> 0x7b65a:$string6: \pidloc.txt 0x7b6e8:$string7: BSPLIT 0x7b6f8:$string7: BSPLIT
0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0b:$hawkstr1: HawkEye Keylogger 0x7cb4c:$hawkstr1: HawkEye Keylogger 0x7ce7b:$hawkstr1: HawkEye Keylogger 0x7cfd6:$hawkstr1: HawkEye Keylogger 0x7d139:$hawkstr1: HawkEye Keylogger 0x7d3d0:$hawkstr1: HawkEye Keylogger 0x7b899:$hawkstr2: Dear HawkEye Customers! 0x7cece:$hawkstr2: Dear HawkEye Customers! 0x7d025:$hawkstr2: Dear HawkEye Customers! 0x7d18c:$hawkstr2: Dear HawkEye Customers! 0x7b9ba:$hawkstr3: HawkEye Logger Details:
0000000B.00000000.291654350.00000000009CF000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
0000000B.00000000.291654350.00000000009CF000.00000002.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x19178:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x19178:$c1: Elevation:Administrator!new:
00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000003.307369542.00000000045AC000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.311194083.000000000116F000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
0000000C.00000002.311194083.000000000116F000.00000002.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000004.00000003.315881747.0000000003ECD000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000003.315881747.0000000003ECD000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000C.00000003.299504412.0000000000DA0000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x2d98:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5ba0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2d98:$c1: Elevation:Administrator!new: 0x5ba0:$c1: Elevation:Administrator!new:
0000000C.00000003.299504412.0000000000DA0000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000000C.00000000.293488925.0000000001034000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000000.293488925.0000000001034000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b672:$key: HawkEyeKeylogger 0x7d8d4:$salt: 099u787978786 0x7bcb3:$string1: HawkEye_Keylogger 0x7cb06:$string1: HawkEye_Keylogger 0x7d834:$string1: HawkEye_Keylogger 0x7c09c:$string2: holdermail.txt 0x7c0bc:$string2: holdermail.txt 0x7bfde:$string3: wallet.dat 0x7bff6:$string3: wallet.dat 0x7c00c:$string3: wallet.dat 0x7d3f8:$string4: Keylog Records 0x7d710:$string4: Keylog Records 0x7d92c:$string5: do not script --> 0x7b65a:$string6: \pidloc.txt 0x7b6e8:$string7: BSPLIT 0x7b6f8:$string7: BSPLIT
00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0b:$hawkstr1: HawkEye Keylogger 0x7cb4c:$hawkstr1: HawkEye Keylogger 0x7ce7b:$hawkstr1: HawkEye Keylogger 0x7cfd6:$hawkstr1: HawkEye Keylogger 0x7d139:$hawkstr1: HawkEye Keylogger 0x7d3d0:$hawkstr1: HawkEye Keylogger 0x7b899:$hawkstr2: Dear HawkEye Customers! 0x7cece:$hawkstr2: Dear HawkEye Customers! 0x7d025:$hawkstr2: Dear HawkEye Customers! 0x7d18c:$hawkstr2: Dear HawkEye Customers! 0x7b9ba:$hawkstr3: HawkEye Logger Details:
00000016.00000002.524271296.000000000047F000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000016.00000002.524271296.000000000047F000.00000002.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000004.00000003.330768411.0000000004525000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b672:$key: HawkEyeKeylogger 0x7d8d4:$salt: 099u787978786 0x7bcb3:$string1: HawkEye_Keylogger 0x7cb06:$string1: HawkEye_Keylogger 0x7d834:$string1: HawkEye_Keylogger 0x7c09c:$string2: holdermail.txt 0x7c0bc:$string2: holdermail.txt 0x7bfde:$string3: wallet.dat 0x7bff6:$string3: wallet.dat 0x7c00c:$string3: wallet.dat 0x7d3f8:$string4: Keylog Records 0x7d710:$string4: Keylog Records 0x7d92c:$string5: do not script --> 0x7b65a:$string6: \pidloc.txt 0x7b6e8:$string7: BSPLIT 0x7b6f8:$string7: BSPLIT
0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0b:$hawkstr1: HawkEye Keylogger 0x7cb4c:$hawkstr1: HawkEye Keylogger 0x7ce7b:$hawkstr1: HawkEye Keylogger 0x7cfd6:$hawkstr1: HawkEye Keylogger 0x7d139:$hawkstr1: HawkEye Keylogger 0x7d3d0:$hawkstr1: HawkEye Keylogger 0x7b899:$hawkstr2: Dear HawkEye Customers! 0x7cece:$hawkstr2: Dear HawkEye Customers! 0x7d025:$hawkstr2: Dear HawkEye Customers! 0x7d18c:$hawkstr2: Dear HawkEye Customers! 0x7b9ba:$hawkstr3: HawkEye Logger Details:
0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x19210:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x19210:$c1: Elevation:Administrator!new:
0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x193af:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x357f8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x193af:$c1: Elevation:Administrator!new: 0x357f8:$c1: Elevation:Administrator!new:
00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x127f0d:$key: HawkEyeKeylogger 0x12a16f:$salt: 099u787978786 0x12854e:$string1: HawkEye_Keylogger 0x1293a1:$string1: HawkEye_Keylogger 0x12a0cf:$string1: HawkEye_Keylogger 0x128937:$string2: holdermail.txt 0x128957:$string2: holdermail.txt 0x128879:$string3: wallet.dat 0x128891:$string3: wallet.dat 0x1288a7:$string3: wallet.dat 0x129c93:$string4: Keylog Records 0x129fab:$string4: Keylog Records 0x12a1c7:$string5: do not script --> 0x127ef5:$string6: \pidloc.txt 0x127f83:$string7: BSPLIT 0x127f93:$string7: BSPLIT
00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1285a6:$hawkstr1: HawkEye Keylogger 0x1293e7:$hawkstr1: HawkEye Keylogger 0x129716:$hawkstr1: HawkEye Keylogger 0x129871:$hawkstr1: HawkEye Keylogger 0x1299d4:$hawkstr1: HawkEye Keylogger 0x129c6b:$hawkstr1: HawkEye Keylogger 0x128134:$hawkstr2: Dear HawkEye Customers! 0x129769:$hawkstr2: Dear HawkEye Customers! 0x1298c0:$hawkstr2: Dear HawkEye Customers! 0x129a27:$hawkstr2: Dear HawkEye Customers! 0x128255:$hawkstr3: HawkEye Logger Details:
0000001A.00000003.364545271.00000000056D1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001A.00000003.364545271.00000000056D1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000C.00000003.300135911.0000000000D91000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.300135911.0000000000D91000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x19198:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x19198:$c1: Elevation:Administrator!new:
0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000003.309595356.0000000003ECE000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000003.309595356.0000000003ECE000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000003.329717962.0000000003E61000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.525512056.00000000009CF000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
0000000B.00000002.525512056.00000000009CF000.00000002.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000016.00000003.315134280.00000000014B2000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xc78:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3a80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xc78:$c1: Elevation:Administrator!new: 0x3a80:$c1: Elevation:Administrator!new:
00000016.00000003.315134280.00000000014B2000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000016.00000003.315040551.00000000014B0000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x2c78:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x5a80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2c78:$c1: Elevation:Administrator!new: 0x5a80:$c1: Elevation:Administrator!new:
00000016.00000003.315040551.00000000014B0000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000029.00000000.387431044.0000000000682000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000029.00000000.387431044.0000000000682000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000029.00000002.429550823.0000000000682000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000029.00000002.429550823.0000000000682000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000022.00000000.356939795.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000001A.00000000.322486737.00000000000D2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001A.00000000.322486737.00000000000D2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000001B.00000002.328585434.0000000000894000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.328585434.0000000000894000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000001A.00000000.324705647.00000000000D2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001A.00000000.324705647.00000000000D2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000017.00000002.535498447.0000000002D41000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000017.00000002.535498447.0000000002D41000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x2e594:$key: HawkEyeKeylogger 0x2f0a0:$salt: 099u787978786 0x427b4:$string1: HawkEye_Keylogger 0x49054:$string1: HawkEye_Keylogger 0x469bc:$string2: holdermail.txt 0x469ec:$string2: holdermail.txt 0x4b5fa:$string2: holdermail.txt 0x4b6d2:$string2: holdermail.txt 0x4b7aa:$string2: holdermail.txt 0x4b882:$string2: holdermail.txt 0x4b95a:$string2: holdermail.txt 0x4bcae:$string2: holdermail.txt 0x4bd86:$string2: holdermail.txt 0x4be5e:$string2: holdermail.txt 0x4c1b2:$string2: holdermail.txt 0x4c28a:$string2: holdermail.txt 0x4c362:$string2: holdermail.txt 0x4c632:$string2: holdermail.txt 0x4c70a:$string2: holdermail.txt 0x4ca0e:$string2: holdermail.txt 0x4cae6:$string2: holdermail.txt
0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x42844:$hawkstr1: HawkEye Keylogger 0x43cd8:$hawkstr1: HawkEye Keylogger 0x44070:$hawkstr1: HawkEye Keylogger 0x45248:$hawkstr1: HawkEye Keylogger 0x490ac:$hawkstr1: HawkEye Keylogger 0x50cfc:$hawkstr1: HawkEye Keylogger 0x422bc:$hawkstr2: Dear HawkEye Customers! 0x43d3c:$hawkstr2: Dear HawkEye Customers! 0x440d4:$hawkstr2: Dear HawkEye Customers! 0x50d5c:$hawkstr2: Dear HawkEye Customers! 0x423ee:$hawkstr3: HawkEye Logger Details:
0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x3b72a:$key: HawkEyeKeylogger 0x3d98c:$salt: 099u787978786 0x3bd6b:$string1: HawkEye_Keylogger 0x3cbbe:$string1: HawkEye_Keylogger 0x3d8ec:$string1: HawkEye_Keylogger 0x3c154:$string2: holdermail.txt 0x3c174:$string2: holdermail.txt 0x3c096:$string3: wallet.dat 0x3c0ae:$string3: wallet.dat 0x3c0c4:$string3: wallet.dat 0x3d4b0:$string4: Keylog Records 0x3d7c8:$string4: Keylog Records 0x3d9e4:$string5: do not script --> 0x3b712:$string6: \pidloc.txt 0x3b7a0:$string7: BSPLIT 0x3b7b0:$string7: BSPLIT
0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x3bdc3:$hawkstr1: HawkEye Keylogger 0x3cc04:$hawkstr1: HawkEye Keylogger 0x3cf33:$hawkstr1: HawkEye Keylogger 0x3d08e:$hawkstr1: HawkEye Keylogger 0x3d1f1:$hawkstr1: HawkEye Keylogger 0x3d488:$hawkstr1: HawkEye Keylogger 0x3b951:$hawkstr2: Dear HawkEye Customers! 0x3cf86:$hawkstr2: Dear HawkEye Customers! 0x3d0dd:$hawkstr2: Dear HawkEye Customers! 0x3d244:$hawkstr2: Dear HawkEye Customers! 0x3ba72:$hawkstr3: HawkEye Logger Details:
0000000C.00000003.299610781.0000000000DA2000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd98:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3ba0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd98:$c1: Elevation:Administrator!new: 0x3ba0:$c1: Elevation:Administrator!new:
0000000C.00000003.299610781.0000000000DA2000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000000C.00000000.294592566.000000000116F000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
0000000C.00000000.294592566.000000000116F000.00000002.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000001A.00000002.523856737.00000000000D2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001A.00000002.523856737.00000000000D2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000001A.00000000.317498484.00000000000D2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001A.00000000.317498484.00000000000D2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000B.00000002.525142353.0000000000894000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.525142353.0000000000894000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b672:$key: HawkEyeKeylogger 0x7d8d4:$salt: 099u787978786 0x7bcb3:$string1: HawkEye_Keylogger 0x7cb06:$string1: HawkEye_Keylogger 0x7d834:$string1: HawkEye_Keylogger 0x7c09c:$string2: holdermail.txt 0x7c0bc:$string2: holdermail.txt 0x7bfde:$string3: wallet.dat 0x7bff6:$string3: wallet.dat 0x7c00c:$string3: wallet.dat 0x7d3f8:$string4: Keylog Records 0x7d710:$string4: Keylog Records 0x7d92c:$string5: do not script --> 0x7b65a:$string6: \pidloc.txt 0x7b6e8:$string7: BSPLIT 0x7b6f8:$string7: BSPLIT
0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0b:$hawkstr1: HawkEye Keylogger 0x7cb4c:$hawkstr1: HawkEye Keylogger 0x7ce7b:$hawkstr1: HawkEye Keylogger 0x7cfd6:$hawkstr1: HawkEye Keylogger 0x7d139:$hawkstr1: HawkEye Keylogger 0x7d3d0:$hawkstr1: HawkEye Keylogger 0x7b899:$hawkstr2: Dear HawkEye Customers! 0x7cece:$hawkstr2: Dear HawkEye Customers! 0x7d025:$hawkstr2: Dear HawkEye Customers! 0x7d18c:$hawkstr2: Dear HawkEye Customers! 0x7b9ba:$hawkstr3: HawkEye Logger Details:
0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000001B.00000000.317967942.0000000000894000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000000.317967942.0000000000894000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000B.00000000.290415827.0000000000894000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000000.290415827.0000000000894000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b672:$key: HawkEyeKeylogger 0x7d8d4:$salt: 099u787978786 0x7bcb3:$string1: HawkEye_Keylogger 0x7cb06:$string1: HawkEye_Keylogger 0x7d834:$string1: HawkEye_Keylogger 0x7c09c:$string2: holdermail.txt 0x7c0bc:$string2: holdermail.txt 0x7bfde:$string3: wallet.dat 0x7bff6:$string3: wallet.dat 0x7c00c:$string3: wallet.dat 0x7d3f8:$string4: Keylog Records 0x7d710:$string4: Keylog Records 0x7d92c:$string5: do not script --> 0x7b65a:$string6: \pidloc.txt 0x7b6e8:$string7: BSPLIT 0x7b6f8:$string7: BSPLIT
00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0b:$hawkstr1: HawkEye Keylogger 0x7cb4c:$hawkstr1: HawkEye Keylogger 0x7ce7b:$hawkstr1: HawkEye Keylogger 0x7cfd6:$hawkstr1: HawkEye Keylogger 0x7d139:$hawkstr1: HawkEye Keylogger 0x7d3d0:$hawkstr1: HawkEye Keylogger 0x7b899:$hawkstr2: Dear HawkEye Customers! 0x7cece:$hawkstr2: Dear HawkEye Customers! 0x7d025:$hawkstr2: Dear HawkEye Customers! 0x7d18c:$hawkstr2: Dear HawkEye Customers! 0x7b9ba:$hawkstr3: HawkEye Logger Details:
00000004.00000003.313272509.0000000003E61000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000003.295601289.00000000010E4000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x628:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3430:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x628:$c1: Elevation:Administrator!new: 0x3430:$c1: Elevation:Administrator!new:
0000000B.00000003.295601289.00000000010E4000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000001B.00000002.328741916.00000000009CF000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
0000001B.00000002.328741916.00000000009CF000.00000002.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000017.00000000.313041784.00000000008C2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000017.00000000.313041784.00000000008C2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b672:$key: HawkEyeKeylogger 0x7d8d4:$salt: 099u787978786 0x7bcb3:$string1: HawkEye_Keylogger 0x7cb06:$string1: HawkEye_Keylogger 0x7d834:$string1: HawkEye_Keylogger 0x7c09c:$string2: holdermail.txt 0x7c0bc:$string2: holdermail.txt 0x7bfde:$string3: wallet.dat 0x7bff6:$string3: wallet.dat 0x7c00c:$string3: wallet.dat 0x7d3f8:$string4: Keylog Records 0x7d710:$string4: Keylog Records 0x7d92c:$string5: do not script --> 0x7b65a:$string6: \pidloc.txt 0x7b6e8:$string7: BSPLIT 0x7b6f8:$string7: BSPLIT
00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0b:$hawkstr1: HawkEye Keylogger 0x7cb4c:$hawkstr1: HawkEye Keylogger 0x7ce7b:$hawkstr1: HawkEye Keylogger 0x7cfd6:$hawkstr1: HawkEye Keylogger 0x7d139:$hawkstr1: HawkEye Keylogger 0x7d3d0:$hawkstr1: HawkEye Keylogger 0x7b899:$hawkstr2: Dear HawkEye Customers! 0x7cece:$hawkstr2: Dear HawkEye Customers! 0x7d025:$hawkstr2: Dear HawkEye Customers! 0x7d18c:$hawkstr2: Dear HawkEye Customers! 0x7b9ba:$hawkstr3: HawkEye Logger Details:
0000000D.00000000.298936574.0000000000454000.00000002.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b672:$key: HawkEyeKeylogger 0x7d8d4:$salt: 099u787978786 0x7bcb3:$string1: HawkEye_Keylogger 0x7cb06:$string1: HawkEye_Keylogger 0x7d834:$string1: HawkEye_Keylogger 0x7c09c:$string2: holdermail.txt 0x7c0bc:$string2: holdermail.txt 0x7bfde:$string3: wallet.dat 0x7bff6:$string3: wallet.dat 0x7c00c:$string3: wallet.dat 0x7d3f8:$string4: Keylog Records 0x7d710:$string4: Keylog Records 0x7d92c:$string5: do not script --> 0x7b65a:$string6: \pidloc.txt 0x7b6e8:$string7: BSPLIT 0x7b6f8:$string7: BSPLIT
00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0b:$hawkstr1: HawkEye Keylogger 0x7cb4c:$hawkstr1: HawkEye Keylogger 0x7ce7b:$hawkstr1: HawkEye Keylogger 0x7cfd6:$hawkstr1: HawkEye Keylogger 0x7d139:$hawkstr1: HawkEye Keylogger 0x7d3d0:$hawkstr1: HawkEye Keylogger 0x7b899:$hawkstr2: Dear HawkEye Customers! 0x7cece:$hawkstr2: Dear HawkEye Customers! 0x7d025:$hawkstr2: Dear HawkEye Customers! 0x7d18c:$hawkstr2: Dear HawkEye Customers! 0x7b9ba:$hawkstr3: HawkEye Logger Details:
0000000D.00000000.298035428.0000000000454000.00000002.00020000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001F.00000000.389208484.0000000008330000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000004.00000003.286683979.0000000003E61000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000023.00000000.360954968.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000001F.00000000.381363861.0000000008330000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000017.00000002.523672410.00000000008C2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000017.00000002.523672410.00000000008C2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000B.00000003.295697323.00000000010E4000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x628:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3430:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x628:$c1: Elevation:Administrator!new: 0x3430:$c1: Elevation:Administrator!new:
0000000B.00000003.295697323.00000000010E4000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000004.00000003.315166060.0000000003ECD000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001B.00000002.331007684.0000000003471000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x19210:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x19210:$c1: Elevation:Administrator!new:
0000001B.00000002.331007684.0000000003471000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000001B.00000002.331007684.0000000003471000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.331007684.0000000003471000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000001B.00000000.317999053.00000000009CF000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
0000001B.00000000.317999053.00000000009CF000.00000002.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x193af:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x357f8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x193af:$c1: Elevation:Administrator!new: 0x357f8:$c1: Elevation:Administrator!new:
00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x127f0d:$key: HawkEyeKeylogger 0x12a16f:$salt: 099u787978786 0x12854e:$string1: HawkEye_Keylogger 0x1293a1:$string1: HawkEye_Keylogger 0x12a0cf:$string1: HawkEye_Keylogger 0x128937:$string2: holdermail.txt 0x128957:$string2: holdermail.txt 0x128879:$string3: wallet.dat 0x128891:$string3: wallet.dat 0x1288a7:$string3: wallet.dat 0x129c93:$string4: Keylog Records 0x129fab:$string4: Keylog Records 0x12a1c7:$string5: do not script --> 0x127ef5:$string6: \pidloc.txt 0x127f83:$string7: BSPLIT 0x127f93:$string7: BSPLIT
00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1285a6:$hawkstr1: HawkEye Keylogger 0x1293e7:$hawkstr1: HawkEye Keylogger 0x129716:$hawkstr1: HawkEye Keylogger 0x129871:$hawkstr1: HawkEye Keylogger 0x1299d4:$hawkstr1: HawkEye Keylogger 0x129c6b:$hawkstr1: HawkEye Keylogger 0x128134:$hawkstr2: Dear HawkEye Customers! 0x129769:$hawkstr2: Dear HawkEye Customers! 0x1298c0:$hawkstr2: Dear HawkEye Customers! 0x129a27:$hawkstr2: Dear HawkEye Customers! 0x128255:$hawkstr3: HawkEye Logger Details:
0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x19210:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x19210:$c1: Elevation:Administrator!new:
0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000030.00000002.523858136.0000000000552000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000030.00000002.523858136.0000000000552000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000023.00000000.361387046.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000016.00000000.304645862.000000000047F000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000016.00000000.304645862.000000000047F000.00000002.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000000B.00000000.290450731.00000000009CF000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
0000000B.00000000.290450731.00000000009CF000.00000002.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000001A.00000000.317967503.00000000000D2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001A.00000000.317967503.00000000000D2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000C.00000000.294916604.000000000116F000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
0000000C.00000000.294916604.000000000116F000.00000002.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b672:$key: HawkEyeKeylogger 0x7d8d4:$salt: 099u787978786 0x7bcb3:$string1: HawkEye_Keylogger 0x7cb06:$string1: HawkEye_Keylogger 0x7d834:$string1: HawkEye_Keylogger 0x7c09c:$string2: holdermail.txt 0x7c0bc:$string2: holdermail.txt 0x7bfde:$string3: wallet.dat 0x7bff6:$string3: wallet.dat 0x7c00c:$string3: wallet.dat 0x7d3f8:$string4: Keylog Records 0x7d710:$string4: Keylog Records 0x7d92c:$string5: do not script --> 0x7b65a:$string6: \pidloc.txt 0x7b6e8:$string7: BSPLIT 0x7b6f8:$string7: BSPLIT
00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0b:$hawkstr1: HawkEye Keylogger 0x7cb4c:$hawkstr1: HawkEye Keylogger 0x7ce7b:$hawkstr1: HawkEye Keylogger 0x7cfd6:$hawkstr1: HawkEye Keylogger 0x7d139:$hawkstr1: HawkEye Keylogger 0x7d3d0:$hawkstr1: HawkEye Keylogger 0x7b899:$hawkstr2: Dear HawkEye Customers! 0x7cece:$hawkstr2: Dear HawkEye Customers! 0x7d025:$hawkstr2: Dear HawkEye Customers! 0x7d18c:$hawkstr2: Dear HawkEye Customers! 0x7b9ba:$hawkstr3: HawkEye Logger Details:
00000016.00000003.315866343.000000000149C000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.315866343.000000000149C000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b672:$key: HawkEyeKeylogger 0x7d8d4:$salt: 099u787978786 0x7bcb3:$string1: HawkEye_Keylogger 0x7cb06:$string1: HawkEye_Keylogger 0x7d834:$string1: HawkEye_Keylogger 0x7c09c:$string2: holdermail.txt 0x7c0bc:$string2: holdermail.txt 0x7bfde:$string3: wallet.dat 0x7bff6:$string3: wallet.dat 0x7c00c:$string3: wallet.dat 0x7d3f8:$string4: Keylog Records 0x7d710:$string4: Keylog Records 0x7d92c:$string5: do not script --> 0x7b65a:$string6: \pidloc.txt 0x7b6e8:$string7: BSPLIT 0x7b6f8:$string7: BSPLIT
0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0b:$hawkstr1: HawkEye Keylogger 0x7cb4c:$hawkstr1: HawkEye Keylogger 0x7ce7b:$hawkstr1: HawkEye Keylogger 0x7cfd6:$hawkstr1: HawkEye Keylogger 0x7d139:$hawkstr1: HawkEye Keylogger 0x7d3d0:$hawkstr1: HawkEye Keylogger 0x7b899:$hawkstr2: Dear HawkEye Customers! 0x7cece:$hawkstr2: Dear HawkEye Customers! 0x7d025:$hawkstr2: Dear HawkEye Customers! 0x7d18c:$hawkstr2: Dear HawkEye Customers! 0x7b9ba:$hawkstr3: HawkEye Logger Details:
0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
00000016.00000003.314784536.00000000014A1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.314784536.00000000014A1000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x2e594:$key: HawkEyeKeylogger 0x2f0a0:$salt: 099u787978786 0x427b4:$string1: HawkEye_Keylogger 0x49054:$string1: HawkEye_Keylogger 0x469bc:$string2: holdermail.txt 0x469ec:$string2: holdermail.txt 0x4b5fa:$string2: holdermail.txt 0x4b6d2:$string2: holdermail.txt 0x4b7aa:$string2: holdermail.txt 0x4b882:$string2: holdermail.txt 0x4b95a:$string2: holdermail.txt 0x4bcae:$string2: holdermail.txt 0x4bd86:$string2: holdermail.txt 0x4be5e:$string2: holdermail.txt 0x4c1b2:$string2: holdermail.txt 0x4c28a:$string2: holdermail.txt 0x4c362:$string2: holdermail.txt 0x4c632:$string2: holdermail.txt 0x4c70a:$string2: holdermail.txt 0x4ca0e:$string2: holdermail.txt 0x4cae6:$string2: holdermail.txt
0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x42844:$hawkstr1: HawkEye Keylogger 0x43cd8:$hawkstr1: HawkEye Keylogger 0x44070:$hawkstr1: HawkEye Keylogger 0x45248:$hawkstr1: HawkEye Keylogger 0x490ac:$hawkstr1: HawkEye Keylogger 0x50cfc:$hawkstr1: HawkEye Keylogger 0x422bc:$hawkstr2: Dear HawkEye Customers! 0x43d3c:$hawkstr2: Dear HawkEye Customers! 0x440d4:$hawkstr2: Dear HawkEye Customers! 0x50d5c:$hawkstr2: Dear HawkEye Customers! 0x423ee:$hawkstr3: HawkEye Logger Details:
0000000B.00000000.290858967.0000000000894000.00000002.00020000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000000.290858967.0000000000894000.00000002.00020000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000C.00000003.300261604.0000000000D8C000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.300261604.0000000000D8C000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000C.00000003.299968878.0000000000DA2000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd98:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3ba0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd98:$c1: Elevation:Administrator!new: 0x3ba0:$c1: Elevation:Administrator!new:
0000000C.00000003.299968878.0000000000DA2000.00000004.00000001.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000030.00000002.535180538.0000000002961000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000030.00000002.535180538.0000000002961000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.299137914.0000000000D91000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.299137914.0000000000D91000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x2e594:$key: HawkEyeKeylogger 0x2f0a0:$salt: 099u787978786 0x427b4:$string1: HawkEye_Keylogger 0x49054:$string1: HawkEye_Keylogger 0x469bc:$string2: holdermail.txt 0x469ec:$string2: holdermail.txt 0x4b5fa:$string2: holdermail.txt 0x4b6d2:$string2: holdermail.txt 0x4b7aa:$string2: holdermail.txt 0x4b882:$string2: holdermail.txt 0x4b95a:$string2: holdermail.txt 0x4bcae:$string2: holdermail.txt 0x4bd86:$string2: holdermail.txt 0x4be5e:$string2: holdermail.txt 0x4c1b2:$string2: holdermail.txt 0x4c28a:$string2: holdermail.txt 0x4c362:$string2: holdermail.txt 0x4c632:$string2: holdermail.txt 0x4c70a:$string2: holdermail.txt 0x4ca0e:$string2: holdermail.txt 0x4cae6:$string2: holdermail.txt
0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x42844:$hawkstr1: HawkEye Keylogger 0x43cd8:$hawkstr1: HawkEye Keylogger 0x44070:$hawkstr1: HawkEye Keylogger 0x45248:$hawkstr1: HawkEye Keylogger 0x490ac:$hawkstr1: HawkEye Keylogger 0x50cfc:$hawkstr1: HawkEye Keylogger 0x422bc:$hawkstr2: Dear HawkEye Customers! 0x43d3c:$hawkstr2: Dear HawkEye Customers! 0x440d4:$hawkstr2: Dear HawkEye Customers! 0x50d5c:$hawkstr2: Dear HawkEye Customers! 0x423ee:$hawkstr3: HawkEye Logger Details:
00000022.00000000.357301492.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000004.00000003.286824707.0000000003ECC000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000000.291282105.00000000009CF000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
0000000B.00000000.291282105.00000000009CF000.00000002.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000004.00000003.328524290.00000000044B8000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000017.00000000.311207048.00000000008C2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000017.00000000.311207048.00000000008C2000.00000002.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000C.00000000.293514502.000000000116F000.00000002.00020000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
0000000C.00000000.293514502.000000000116F000.00000002.00020000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0000001F.00000000.386194733.00000000047A1000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000001F.00000000.386194733.00000000047A1000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b672:$key: HawkEyeKeylogger 0x7d8d4:$salt: 099u787978786 0x7bcb3:$string1: HawkEye_Keylogger 0x7cb06:$string1: HawkEye_Keylogger 0x7d834:$string1: HawkEye_Keylogger 0x7c09c:$string2: holdermail.txt 0x7c0bc:$string2: holdermail.txt 0x7bfde:$string3: wallet.dat 0x7bff6:$string3: wallet.dat 0x7c00c:$string3: wallet.dat 0x7d3f8:$string4: Keylog Records 0x7d710:$string4: Keylog Records 0x7d92c:$string5: do not script --> 0x7b65a:$string6: \pidloc.txt 0x7b6e8:$string7: BSPLIT 0x7b6f8:$string7: BSPLIT
0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd0b:$hawkstr1: HawkEye Keylogger 0x7cb4c:$hawkstr1: HawkEye Keylogger 0x7ce7b:$hawkstr1: HawkEye Keylogger 0x7cfd6:$hawkstr1: HawkEye Keylogger 0x7d139:$hawkstr1: HawkEye Keylogger 0x7d3d0:$hawkstr1: HawkEye Keylogger 0x7b899:$hawkstr2: Dear HawkEye Customers! 0x7cece:$hawkstr2: Dear HawkEye Customers! 0x7d025:$hawkstr2: Dear HawkEye Customers! 0x7d18c:$hawkstr2: Dear HawkEye Customers! 0x7b9ba:$hawkstr3: HawkEye Logger Details:
00000004.00000003.325603575.0000000004481000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000016.00000003.315520254.00000000014B2000.00000004.00000001.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xc78:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b8

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SW0P9o9ksjpBsnr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Dropped Files

Memory Dumps