Monday, April 9, 2018

hawkeye sample

found by Korben Dallas @KorbenD_Intel
https://twitter.com/KorbenD_Intel/status/983440061772582912
hxxp://emifile[.]com/zcast/
https://www.reverse.it/sample/a02ef42dc3f903a66c6eef374bc4a9f186fdf8e3f7ab5a4a0b833a65aca3acb5/5acbceee7ca3e149fb207535
fes.exe
md5, 7c57c615432a2262c638238bf1625cbf
---------

---------
interesting file locations
---------
C:\Users\xxx\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsolts.exe
md5, 7C57C615432A2262C638238BF1625CBF

---------
interesting in-memory strings
---------
0x2a5fad8 (66): C:\Users\HawkEye\Desktop\Reborn\Stub\obj\x86\Debug\Reborn Stub.pdb
0x2cdfbb5 (104): HawkEye Keylogger - Reborn v8 - {0} Logs - {1} \ {2}
0x2cdfc1e (122): HawkEye Keylogger - Reborn v8{0}{1} Logs{0}{2} \ {3}{0}{0}{4}
0x2d50f34 (32): KeePass csv file
0x2d50f70 (30): Eudora.ini file
0x2d50ff0 (30): Outlook Express
0x2d51010 (22): IncrediMail
0x2d51036 (52): Group Mail Free
0x2d5106c (60): MS Outlook 2002/2003/2007/2010
0x2d510b6 (22): Hotmail/MSN
0x2d510ce (50): Yahoo! Mail
0x2d51102 (22): Thunderbird
0x2d5111a (28): Google Desktop
0x2d51138 (24): Windows Mail
0x2d51152 (34): Windows Live Mail
0x2d51176 (24): Outlook 2013
0x2d51190 (24): Outlook 2016
0x2d5156e (44):  2003 - 2016 Nir Sofer
0x2d515a2 (22): ProductName
0x2d515bc (30): Mail   PassView
0x2d50c96 (38): Email Accounts List
0x2d50cbe (128): Select base folder of Netscape!Select base folder of ThunderBird
0x2d50d40 (148): Select Eudora.ini filename/Select the location of Thunderbird installation
0x2d4c7ec (23): \Microsoft\Windows Mail
0x2d4c804 (28): \Microsoft\Windows Live Mail
0x2d4c858 (14): Yahoo! User ID
0x2d4c8d0 (49): c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb
0x2d4ba08 (129): SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
0x2d4ae18 (100): www.google.com/Please log in to your Gmail account
0x2d4adcb (57): "Account","Login Name","Password","Web Site","Comments"
0x2d4ada8 (12): %s@gmail.com
0x2d4adb8 (12): %s@yahoo.com
0x2d4ac88 (31): Software\IncrediMail\Identities
0x2d2ef03 (73): c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb
0x2d2b6d7 (40): Opera\Opera\wand.dat
0x2d2b703 (58): Opera\Opera7\profile\wand.dat
0x2d2b74b (76): Opera Software\Opera Stable\Login Data
0x2d25303 (138): SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins 
0x2cde152 (66): http://bot.whatismyipaddress.com/
0x2cde196 (66): Win32_NetworkAdapterConfiguration
0x2cde48a (32): AntiVirusProduct
0x2cde4e4 (30): FirewallProduct
0x2cdd870 (20): Screenshot
0x2cdd8b4 (78): http://uploads.im/api?upload&format=xml
0x2cdb0d4 (19): get_ClipboardLogger
0x2cdb0e8 (19): set_ClipboardLogger
0x2cdb0fc (19): get_KeyStrokeLogger
0x2cdb110 (19): set_KeyStrokeLogger
0x2cdb124 (16): get_WebCamLogger
0x2cdb135 (16): set_WebCamLogger
0x2cdb146 (20): get_ScreenshotLogger
0x2cdb15b (20): set_ScreenshotLogger
0x2a38789 (72): https://login.yahoo.com/config/login
0x29ee772 (19): random seed: reborn
0x29ee79a (14): clipboardHook
0x29ee7ae (12): keyboardHook
0x29eac56 (60): The Wireshark Network Analyzer
0x29eaca4 (38): Emulation Detected!
0x29eaccc (20): rstrui.exe
0x29eace2 (24): AvastSvc.exe
0x29eacfc (24): avconfig.exe
0x29ead16 (22): AvastUI.exe
0x29ead2e (20): avscan.exe
0x29ead44 (20): instup.exe
0x29ead6c (22): mbamgui.exe
0x29ead84 (20): mbampt.exe
0x29ead9a (34): mbamscheduler.exe
0x29eadbe (30): mbamservice.exe
0x29eadde (28): hijackthis.exe
0x29eadfc (24): spybotsd.exe
0x29eae2a (24): avcenter.exe
0x29eae44 (22): avguard.exe
0x29eae84 (24): avgcsrvx.exe
0x29eae9e (30): avgidsagent.exe
0x29eaebe (20): avgrsx.exe
0x29eaed4 (24): avgwdsvc.exe
0x29eaf00 (24): zlclient.exe
0x29eaf1a (22): bdagent.exe
0x29eaf32 (32): keyscrambler.exe
0x29eaf64 (26): wireshark.exe
0x29eaf80 (24): ComboFix.exe
0x29eaf9a (22): MSASCui.exe
0x29eafb2 (24): MpCmdRun.exe
0x29eafcc (22): msseces.exe
0x29eafe4 (22): MsMpEng.exe
