Analysis Overview
SHA256
e14fddeef8f828f7c244f17140f851bb1f321c980637718bbf1333ab5665391c
Threat Level: Known bad
The file e14fddeef8f828f7c244f17140f851bb1f321c980637718bbf1333ab5665391c was found to be: Known bad.
Malicious Activity Summary
MassLogger log file
MassLogger
Executes dropped EXE
Obfuscated with Agile.Net obfuscator
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Suspicious use of SetThreadContext
Program crash
Suspicious use of SetWindowsHookEx
outlook_win_path
outlook_office_path
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-21 01:59
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-21 01:59
Reported
2022-05-21 03:04
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
135s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2068 set thread context of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe"
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2068 -ip 2068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 1376
Network
| Country | Destination | Domain | Proto |
| NL | 52.178.17.2:443 | | tcp |
| FR | 2.18.109.224:443 | | tcp |
| US | 104.18.24.243:80 | | tcp |
| NL | 8.248.3.254:80 | | tcp |
| NL | 8.248.3.254:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
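The signatures and process tree above describe one chain: the dropper in the user's Temp directory launches a second Temp-resident InstallUtil.exe, sets its thread context (the "PID 2068 set thread context of 4992" row, paired with WriteProcessMemory), and it is that InstallUtil.exe process that then reads the Outlook profile keys, looks up the host's external IP via api.ipify.org and connects to smtp.yandex.com:587. The following is an added detection example, not part of the sandbox report, that encodes those observations as rules and runs them over a few constructed host events. The event dictionaries are modelled loosely on Sysmon event IDs (1 process create, 3 network, 13 registry, 22 DNS) and are invented for the example; the "legitimate" InstallUtil.exe path is an assumption about a standard .NET Framework install, and the Outlook profile key suffix and network indicators are taken from the tables on this page.

```python
"""Detection rules for the MassLogger behaviour chain seen in this report.

Added example: the events below are constructed (Sysmon-like), not sandbox telemetry.
"""
import re
from collections import defaultdict

# Assumption: InstallUtil.exe legitimately lives only under the .NET Framework directories.
LEGIT_INSTALLUTIL = re.compile(
    r"^C:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\InstallUtil\.exe$", re.I)

# Outlook profile key suffix that the InstallUtil.exe process created/queried in the report.
OUTLOOK_PROFILE_KEY = re.compile(
    r"\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676$", re.I)
OUTLOOK_PROCS = {"outlook.exe"}          # processes expected to touch that key

IP_LOOKUP_DOMAINS = {"api.ipify.org"}    # external-IP lookup seen in both detonations
SMTP_PORTS = {25, 465, 587}              # exfil went to smtp.yandex.com:587

TEMP_MARKER = "\\appdata\\local\\temp\\"


def detect(events):
    """Return a list of (rule, pid, detail) alerts for the given event dicts."""
    alerts = []
    saw_ip_lookup = defaultdict(bool)    # pid -> has resolved an IP-lookup domain
    for ev in events:
        pid = ev["pid"]
        image = ev["image"]
        base = image.lower().rsplit("\\", 1)[-1]
        if ev["id"] == 1:
            # InstallUtil.exe started from anywhere but the Framework directory.
            if base == "installutil.exe" and not LEGIT_INSTALLUTIL.match(image):
                alerts.append(("installutil_outside_framework", pid, image))
            # A Temp-resident binary spawning another Temp-resident binary (dropper -> host).
            parent = ev.get("parent_image", "")
            if TEMP_MARKER in parent.lower() and TEMP_MARKER in image.lower():
                alerts.append(("temp_spawns_temp", pid, f"{parent} -> {image}"))
        elif ev["id"] == 13:
            # Outlook profile store touched by something that is not Outlook.
            if OUTLOOK_PROFILE_KEY.search(ev["target"]) and base not in OUTLOOK_PROCS:
                alerts.append(("outlook_profile_access_by_non_outlook", pid, ev["target"]))
        elif ev["id"] == 22:
            if ev["query"].lower() in IP_LOOKUP_DOMAINS:
                saw_ip_lookup[pid] = True
                alerts.append(("external_ip_lookup", pid, ev["query"]))
        elif ev["id"] == 3:
            # Direct SMTP from a process that just learned its public IP: stealer exfil pattern.
            if ev["dst_port"] in SMTP_PORTS and saw_ip_lookup[pid]:
                alerts.append(("smtp_after_ip_lookup", pid, f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return alerts


# Constructed sample events mirroring the behavioral2 run (PIDs and paths from the report,
# the benign control process with PID 5100 is invented).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe"
HOST = r"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
SID = "S-1-5-21-1809750270-3141839489-3074374771-1000"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 2068, "image": DROPPER, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4992, "image": HOST, "parent_image": DROPPER},
    {"id": 1, "pid": 5100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"id": 13, "pid": 4992, "image": HOST,
     "target": rf"HKU\{SID}\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"id": 22, "pid": 4992, "image": HOST, "query": "api.ipify.org"},
    {"id": 3, "pid": 4992, "image": HOST, "dst_ip": "77.88.21.158", "dst_port": 587},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

The benign InstallUtil.exe launched from the Framework directory (PID 5100) produces no alert, which is the point of anchoring the first rule on image path rather than file name: the dropped copy in this report is only suspicious because of where it runs from and who started it.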
Files
memory/2068-130-0x0000000000DA0000-0x0000000000FFE000-memory.dmp
memory/2068-131-0x0000000005F80000-0x0000000006524000-memory.dmp
memory/2068-132-0x0000000005AC0000-0x0000000005B52000-memory.dmp
memory/2068-133-0x0000000005F30000-0x0000000005F74000-memory.dmp
memory/2068-134-0x0000000007A40000-0x0000000007A62000-memory.dmp
memory/4992-135-0x0000000000000000-mapping.dmp
memory/4992-136-0x0000000000400000-0x0000000000546000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
| MD5 | 5d4073b2eb6d217c19f2b22f21bf8d57 |
| SHA1 | f0209900fbf08d004b886a0b3ba33ea2b0bf9da8 |
| SHA256 | ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3 |
| SHA512 | 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159 |
memory/4992-140-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-142-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-144-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-146-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-148-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-150-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-152-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-154-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-156-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-158-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-160-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-162-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-164-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-166-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-168-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-170-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-172-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-174-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-176-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-178-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-180-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-182-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-184-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-186-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-188-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-190-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-192-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-194-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-196-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-198-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-200-0x0000000000400000-0x0000000000546000-memory.dmp
memory/4992-643-0x0000000005EC0000-0x0000000005F26000-memory.dmp
memory/4992-644-0x00000000061D0000-0x00000000061DA000-memory.dmp
memory/4992-645-0x0000000007C70000-0x0000000007CC0000-memory.dmp
memory/4992-646-0x0000000007D60000-0x0000000007DFC000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-21 01:59
Reported
2022-05-21 03:04
Platform
win7-20220414-en
Max time kernel
131s
Max time network
135s
Command Line
Signatures
MassLogger
MassLogger log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 560 set thread context of 1592 | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20200616_080918_33046.exe"
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 796
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 54.91.59.199:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | smtp.yandex.com | udp |
| RU | 77.88.21.158:587 | smtp.yandex.com | tcp |
| US | 8.8.8.8:53 | repository.certum.pl | udp |
| NL | 104.110.191.14:80 | repository.certum.pl | tcp |
Files
memory/560-54-0x0000000000860000-0x0000000000ABE000-memory.dmp
memory/560-55-0x0000000000430000-0x0000000000444000-memory.dmp
memory/560-56-0x0000000000600000-0x0000000000608000-memory.dmp
memory/560-57-0x0000000000630000-0x0000000000638000-memory.dmp
memory/560-58-0x0000000000640000-0x0000000000648000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
| MD5 | 91c9ae9c9a17a9db5e08b120e668c74c |
| SHA1 | 50770954c1ceb0bb6f1d5d3f2de2a0a065773723 |
| SHA256 | e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f |
| SHA512 | ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e |
memory/1592-60-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-61-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-63-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-65-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-66-0x0000000000400000-0x0000000000546000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
| MD5 | 91c9ae9c9a17a9db5e08b120e668c74c |
| SHA1 | 50770954c1ceb0bb6f1d5d3f2de2a0a065773723 |
| SHA256 | e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f |
| SHA512 | ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e |
memory/1592-67-0x00000000004A12AE-mapping.dmp
memory/1592-70-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-72-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-75-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-77-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-79-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-83-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-81-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-85-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-87-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-89-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-93-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-91-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-95-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-97-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-101-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-99-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-103-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-105-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-107-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-109-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-111-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-113-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-117-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-115-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-121-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-125-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-123-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1592-119-0x0000000000400000-0x0000000000546000-memory.dmp
memory/1680-165-0x0000000000000000-mapping.dmp
memory/1592-580-0x00000000051F0000-0x0000000005234000-memory.dmp
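The Files listings of both detonations are dominated by repeated dumps of the same region in the InstallUtil.exe process (0x400000 to 0x546000 in PIDs 4992 and 1592), which is the region the dropper populated before the SetThreadContext call, while the dropper's own dumps (PIDs 2068 and 560) sit at other addresses. The following is an added triage helper, not part of the sandbox report, that parses dump names in the `memory/<pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp` form used on this page, groups them per PID and picks out the region based at a given image base in the hollowing target. The input list is constructed from a subset of the names above; the default image base of 0x400000 is an assumption about a typical 32-bit PE load address, not something the report states.

```python
"""Parse sandbox memory-dump names and summarise regions per PID.

Added example; SAMPLE_DUMPS is a constructed subset of the names listed on this page.
"""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")


def parse_dump_name(name):
    """Return a dict with pid, seq, start, end, size, kind; None if the name is not a dump."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None   # mapping dumps carry a single address
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end,
            "size": (end - start) if end is not None else 0, "kind": m["kind"]}


def summarize(names):
    """Per PID: Counter of (start, end) memory regions and list of mapping addresses."""
    regions = defaultdict(Counter)
    mappings = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        if d is None:
            continue
        if d["kind"] == "memory":
            regions[d["pid"]][(d["start"], d["end"])] += 1
        else:
            mappings[d["pid"]].append(d["start"])
    return regions, mappings


def hollowed_image_region(names, target_pid, image_base=0x400000):
    """(start, end, dump_count) for the region based at image_base in target_pid, else None.

    Assumption: the injected image is mapped at a conventional 32-bit PE base of 0x400000.
    """
    regions, _ = summarize(names)
    for (start, end), count in regions[target_pid].items():
        if start == image_base:
            return (start, end, count)
    return None


# Constructed subset of the dump names from the behavioral2 (PIDs 2068/4992) and
# behavioral1 (PID 1592) listings.
SAMPLE_DUMPS = [
    "memory/2068-130-0x0000000000DA0000-0x0000000000FFE000-memory.dmp",
    "memory/2068-131-0x0000000005F80000-0x0000000006524000-memory.dmp",
    "memory/4992-135-0x0000000000000000-mapping.dmp",
    "memory/4992-136-0x0000000000400000-0x0000000000546000-memory.dmp",
    "memory/4992-140-0x0000000000400000-0x0000000000546000-memory.dmp",
    "memory/4992-142-0x0000000000400000-0x0000000000546000-memory.dmp",
    "memory/4992-643-0x0000000005EC0000-0x0000000005F26000-memory.dmp",
    "memory/1592-67-0x00000000004A12AE-mapping.dmp",
    "memory/1592-70-0x0000000000400000-0x0000000000546000-memory.dmp",
]

if __name__ == "__main__":
    regions, mappings = summarize(SAMPLE_DUMPS)
    for pid in sorted(regions):
        for (s, e), n in sorted(regions[pid].items()):
            print(f"pid {pid}: 0x{s:08X}-0x{e:08X} ({e - s:#x} bytes) dumped {n}x")
    for pid, addrs in mappings.items():
        print(f"pid {pid}: mapping at " + ", ".join(f"0x{a:X}" for a in addrs))
    print("hollowed region in 4992:", hollowed_image_region(SAMPLE_DUMPS, 4992))
```

Reading the output for the target PID and the source PID side by side is usually enough to decide which dump to load into a disassembler: the region that recurs at the image base in the target is the candidate for the unpacked MassLogger payload, and a mapping address that falls inside it (0x4A12AE in PID 1592 on the win7 run) is where to look first.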