rule HawkEye { meta: author = " Kevin Breen " date = "2015/06" ref = "http://malwareconfig.com/stats/HawkEye" maltype = "KeyLogger" filetype = "exe" strings: $key = "HawkEyeKeylogger" wide $salt = "099u787978786" wide $string1 = "HawkEye_Keylogger" wide $string2 = "holdermail.txt" wide $string3 = "wallet.dat" wide $string4 = "Keylog Records" wide $string5 = "" wide $string6 = "\\pidloc.txt" wide $string7 = "BSPLIT" wide condition: $key and $salt and all of ($string*) }