Windows Analysis Report
WebSigner_SuiteMSI_Barclays.exe

Overview

General Information

Sample name: WebSigner_SuiteMSI_Barclays.exe
Analysis ID: 1428711
MD5: c469b3646fbddc8e03dcb9865b02e89c
SHA1: 46c0d0b632a9b2865cd79110f5549e3132cd313a
SHA256: c5e809af345907819df2cebda858e8c9b5614de1f049bd347cebb6305281790d

Detection

Score: 16
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

PE file has a writeable .text section
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe File created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\eula.rtf
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: certificate valid
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\CodeBases\isdev\redist\language independent\x64\SetupSuite64.pdb source: setup64.exe, 00000002.00000000.1667433443.00007FF6237D9000.00000002.00000001.01000000.00000007.sdmp, setup64.exe, 00000002.00000002.2923632394.00007FF6237D9000.00000002.00000001.01000000.00000007.sdmp, setup64.exe.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\ISP\ISSetup.pdb source: ISSetup.dll.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\language independent\i386\SetupSuite.pdb source: WebSigner_SuiteMSI_Barclays.exe, _is23C8.exe.0.dr
Source: Binary string: signtool.pdb source: signtool.exe.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\language independent\i386\SetupSuite.pdbG source: WebSigner_SuiteMSI_Barclays.exe, _is23C8.exe.0.dr
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe.1.dr
Source: Binary string: E:\DEV_Encours\MESSAGE\Xmessage\obj\Release\Xmessage.pdb source: Xmessage.exe.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\language independent\i386\Setup_UI.pdb source: _is23C8.exe, 00000001.00000002.2924966445.000000006CF41000.00000002.00000001.01000000.00000005.sdmp, Setup_UI.dll.1.dr
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00EBFB60 FindFirstFileW,__CxxThrowException@8,FindClose, 0_2_00EBFB60
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0047FB60 FindFirstFileW,__CxxThrowException@8,FindClose, 1_2_0047FB60
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237D1B98 FindFirstFileExW, 2_2_00007FF6237D1B98
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237C50CC QueryPerformanceCounter,GetTickCount,ResetEvent,InternetReadFile,QueryPerformanceCounter,GetTickCount, 2_2_00007FF6237C50CC
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: WebSigner_SuiteMSI_Barclays.exe, setup64.exe.1.dr, _is23C8.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: WebSigner_SuiteMSI_Barclays.exe, setup64.exe.1.dr, _is23C8.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: WebSigner_SuiteMSI_Barclays.exe, setup64.exe.1.dr, _is23C8.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: WebSigner_SuiteMSI_Barclays.exe, setup64.exe.1.dr, _is23C8.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: WebSigner_SuiteMSI_Barclays.exe, setup64.exe.1.dr, _is23C8.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: WebSigner_SuiteMSI_Barclays.exe, setup64.exe.1.dr, _is23C8.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: WebSigner_SuiteMSI_Barclays.exe, setup64.exe.1.dr, _is23C8.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _is23C8.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WebSigner_SuiteMSI_Barclays.exe, setup64.exe.1.dr, _is23C8.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: _is23C8.exe, 00000001.00000002.2924247309.0000000003930000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://logo.ve
Source: WebSigner_SuiteMSI_Barclays.exe, setup64.exe.1.dr, _is23C8.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: WebSigner_SuiteMSI_Barclays.exe, setup64.exe.1.dr, _is23C8.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, WebSigner_SuiteMSI_Barclays.exe, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr, setup64.exe.1.dr, _is23C8.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: WebSigner_SuiteMSI_Barclays.exe, setup64.exe.1.dr, _is23C8.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: http://s2.symcb.com0
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: http://sv.symcd.com0&
Source: _is23C8.exe, 00000001.00000002.2924656843.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, _is23C8.exe, 00000001.00000002.2924765043.0000000005C55000.00000004.00000020.00020000.00000000.sdmp, eula.rtf.1.dr String found in binary or memory: http://www.apache.org/licenses/
Source: _is23C8.exe, 00000001.00000002.2924656843.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, _is23C8.exe, 00000001.00000002.2924765043.0000000005C55000.00000004.00000020.00020000.00000000.sdmp, eula.rtf.1.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: WebSigner_SuiteMSI_Barclays.exe, setup64.exe.1.dr, _is23C8.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: http://www.flexerasoftware.com0
Source: _is23C8.exe, 00000001.00000002.2923886870.000000000140C000.00000004.00000020.00020000.00000000.sdmp, setup.xml.1.dr String found in binary or memory: http://www.gemalto.com
Source: ISSetup.dll.1.dr String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: _is23C8.exe, 00000001.00000002.2924656843.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, _is23C8.exe, 00000001.00000002.2924765043.0000000005C55000.00000004.00000020.00020000.00000000.sdmp, eula.rtf.1.dr String found in binary or memory: http://www.mozilla.org/MPL/
Source: eula.rtf.1.dr String found in binary or memory: http://www.openssl.org/)
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: _is23C8.exe, 00000001.00000002.2924656843.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, _is23C8.exe, 00000001.00000002.2924765043.0000000005C55000.00000004.00000020.00020000.00000000.sdmp, eula.rtf.1.dr String found in binary or memory: https://mozilla.org/MPL/2.0/.
Source: _is23C8.exe, 00000001.00000002.2924656843.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, _is23C8.exe, 00000001.00000002.2924765043.0000000005C55000.00000004.00000020.00020000.00000000.sdmp, eula.rtf.1.dr String found in binary or memory: https://opensource.org/licenses/Zlib)
Source: _is23C8.exe, 00000001.00000002.2924656843.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, _is23C8.exe, 00000001.00000002.2924765043.0000000005C55000.00000004.00000020.00020000.00000000.sdmp, eula.rtf.1.dr String found in binary or memory: https://supportportal.thalesgroup.com
Source: _is23C8.exe, 00000001.00000002.2924656843.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, _is23C8.exe, 00000001.00000002.2924765043.0000000005C55000.00000004.00000020.00020000.00000000.sdmp, eula.rtf.1.dr String found in binary or memory: https://supportportal.thalesgroup.com/.
Source: _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr String found in binary or memory: https://www.digicert.com/CPS0

System Summary

Source: ISRT.dll.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F44741 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 0_2_00F44741
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_00504741 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, 1_2_00504741
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F50066 0_2_00F50066
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F3E270 0_2_00F3E270
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F4A226 0_2_00F4A226
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F5047E 0_2_00F5047E
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F3A410 0_2_00F3A410
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F54576 0_2_00F54576
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F00520 0_2_00F00520
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F508B3 0_2_00F508B3
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00EC2870 0_2_00EC2870
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F3C830 0_2_00F3C830
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00EFCA90 0_2_00EFCA90
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F3ABED 0_2_00F3ABED
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F50CE8 0_2_00F50CE8
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F00DF0 0_2_00F00DF0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F3AE43 0_2_00F3AE43
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F3CFF0 0_2_00F3CFF0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F5B2D0 0_2_00F5B2D0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F51298 0_2_00F51298
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F3D460 0_2_00F3D460
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F09450 0_2_00F09450
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00ECB630 0_2_00ECB630
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F3D890 0_2_00F3D890
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00EB5840 0_2_00EB5840
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F4FB6A 0_2_00F4FB6A
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F5FC1C 0_2_00F5FC1C
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F1DDE0 0_2_00F1DDE0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_004FA410 1_2_004FA410
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_004C9450 1_2_004C9450
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0048B630 1_2_0048B630
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_00510066 1_2_00510066
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_004FE270 1_2_004FE270
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0050A226 1_2_0050A226
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0051047E 1_2_0051047E
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_00514576 1_2_00514576
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_004C0520 1_2_004C0520
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_00482870 1_2_00482870
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_004FC830 1_2_004FC830
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_005108B3 1_2_005108B3
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_004BCA90 1_2_004BCA90
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_004FABED 1_2_004FABED
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_00510CE8 1_2_00510CE8
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_004C0DF0 1_2_004C0DF0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_004FAE43 1_2_004FAE43
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_004FCFF0 1_2_004FCFF0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0051B2D0 1_2_0051B2D0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_004FD460 1_2_004FD460
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_00475840 1_2_00475840
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_004FD890 1_2_004FD890
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0050FB6A 1_2_0050FB6A
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0051FC1C 1_2_0051FC1C
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_004DDDE0 1_2_004DDDE0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_6CEE4A70 1_2_6CEE4A70
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_6CEE37F0 1_2_6CEE37F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_6CF00C50 1_2_6CF00C50
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237B2C90 2_2_00007FF6237B2C90
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237D2C00 2_2_00007FF6237D2C00
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237B9B10 2_2_00007FF6237B9B10
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237C2B34 2_2_00007FF6237C2B34
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237D6AA8 2_2_00007FF6237D6AA8
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237B1A10 2_2_00007FF6237B1A10
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237BA220 2_2_00007FF6237BA220
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237D1968 2_2_00007FF6237D1968
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237C298C 2_2_00007FF6237C298C
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237D30D0 2_2_00007FF6237D30D0
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237CB910 2_2_00007FF6237CB910
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237C2130 2_2_00007FF6237C2130
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237B7020 2_2_00007FF6237B7020
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237C25E0 2_2_00007FF6237C25E0
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237CD568 2_2_00007FF6237CD568
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: String function: 00EB6D90 appears 80 times
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: String function: 00F3FB96 appears 67 times
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: String function: 00F4CC61 appears 46 times
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: String function: 00F4C2E5 appears 33 times
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: String function: 00EB4150 appears 287 times
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: String function: 00EB6CA0 appears 107 times
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: String function: 00F4D300 appears 31 times
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: String function: 00EBB040 appears 324 times
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: String function: 00F4CC2D appears 51 times
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: String function: 00EBDDE0 appears 140 times
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: String function: 00476D90 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: String function: 6CEA9160 appears 154 times
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: String function: 004FFB96 appears 67 times
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: String function: 0050C2E5 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: String function: 0050CC61 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: String function: 0047DDE0 appears 140 times
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: String function: 0050D300 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: String function: 0050CC2D appears 51 times
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: String function: 0047B040 appears 327 times
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: String function: 00476CA0 appears 107 times
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: String function: 00474150 appears 285 times
Source: ISSetup.dll.1.dr Static PE information: Resource name: PUBLICKEY type: b.out overlay separate pure segmented executable V2.3 186 286 286 386 Large Text Large Data Huge Objects Enabled
Source: WebSigner_SuiteMSI_Barclays.exe, 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameInstallShield SetupSuite.exe< vs WebSigner_SuiteMSI_Barclays.exe
Source: WebSigner_SuiteMSI_Barclays.exe Binary or memory string: OriginalFilenameInstallShield SetupSuite.exe< vs WebSigner_SuiteMSI_Barclays.exe
Source: ISRT.dll.1.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine Classification label: clean16.winEXE@5/47@0/0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00EEC2B0 CoCreateInstance, 0_2_00EEC2B0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_6CEE9680 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GlobalUnlock,GlobalFree, 1_2_6CEE9680
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Mutant created: \Sessions\1\BaseNamedObjects\{783F36BC-63CA-4E74-ABA6-81C222D2C3DD}
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe File created: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: IS_temp 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: runfromtemp 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: kernel32.dll 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: SuiteSetup.ini 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: SuiteSetup.ini 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: embedded: 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: IS_ProxyWaiter_ 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: debuglog 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: newlog 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: SetupSuite.cpp 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: SetupSuite.cpp 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: SetupSuite.cpp 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: SuiteSetup.ini 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: SuiteSetup.ini 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: clone_wait 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: debuglog 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: /debuglog 0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Command line argument: /debuglog 0_2_00EE81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Command line argument: IS_temp 1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Command line argument: runfromtemp 1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Command line argument: kernel32.dll 1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Command line argument: SuiteSetup.ini 1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Command line argument: embedded: 1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Command line argument: IS_ProxyWaiter_ 1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Command line argument: debuglog 1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Command line argument: newlog 1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Command line argument: SetupSuite.cpp 1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Command line argument: clone_wait 1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Command line argument: /debuglog 1_2_004A81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe File read: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\SuiteSetup.ini
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe File read: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe
Source: unknown Process created: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe "C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe"
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Process created: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe "C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe" -IS_temp ORIGINALSETUPEXEDIR="C:\Users\user\Desktop" ORIGINALSETUPEXENAME="WebSigner_SuiteMSI_Barclays.exe"
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Process created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe "C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe" -embedded:EEFDEB78-A81F-4EAC-839B-C4BCB6470B9F -IS_temp
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe File written: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\SuiteSetup.ini
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Automated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe File opened: C:\Windows\SysWOW64\msftedit.dll
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: certificate valid
Source: WebSigner_SuiteMSI_Barclays.exe Static file information: File size 3485736 > 1048576
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\CodeBases\isdev\redist\language independent\x64\SetupSuite64.pdb source: setup64.exe, 00000002.00000000.1667433443.00007FF6237D9000.00000002.00000001.01000000.00000007.sdmp, setup64.exe, 00000002.00000002.2923632394.00007FF6237D9000.00000002.00000001.01000000.00000007.sdmp, setup64.exe.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\ISP\ISSetup.pdb source: ISSetup.dll.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\language independent\i386\SetupSuite.pdb source: WebSigner_SuiteMSI_Barclays.exe, _is23C8.exe.0.dr
Source: Binary string: signtool.pdb source: signtool.exe.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\language independent\i386\SetupSuite.pdbG source: WebSigner_SuiteMSI_Barclays.exe, _is23C8.exe.0.dr
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe.1.dr
Source: Binary string: E:\DEV_Encours\MESSAGE\Xmessage\obj\Release\Xmessage.pdb source: Xmessage.exe.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\language independent\i386\Setup_UI.pdb source: _is23C8.exe, 00000001.00000002.2924966445.000000006CF41000.00000002.00000001.01000000.00000005.sdmp, Setup_UI.dll.1.dr
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F20CE0 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00F20CE0
Source: initial sample Static PE information: section where entry point is pointing to: .rsrc
Source: WebSigner_SuiteMSI_Barclays.exe Static PE information: section name: .orpc
Source: _is23C8.exe.0.dr Static PE information: section name: .orpc
Source: ISSetup.dll.1.dr Static PE information: section name: .orpc
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F4CBF6 push ecx; ret 0_2_00F4CC09
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F4D346 push ecx; ret 0_2_00F4D359
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F5BC7D push dword ptr [esp+ecx-75h]; iretd 0_2_00F5BC81
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0050CBF6 push ecx; ret 1_2_0050CC09
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0050D346 push ecx; ret 1_2_0050D359
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0051BC7D push dword ptr [esp+ecx-75h]; iretd 1_2_0051BC81
Source: ISRT.dll.1.dr Static PE information: section name: .text entropy: 7.98362330850952
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe File created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Setup_UI.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe File created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISRT.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe File created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Xmessage.exe
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe File created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISBEW64.exe
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe File created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\signtool.exe
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe File created: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe File created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe File created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISSetup.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe File created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Setup_UI.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISRT.dll
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Xmessage.exe
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISBEW64.exe
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\signtool.exe
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISSetup.dll
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe API coverage: 7.3 %
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe API coverage: 6.2 %
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00EBFB60 FindFirstFileW,__CxxThrowException@8,FindClose, 0_2_00EBFB60
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0047FB60 FindFirstFileW,__CxxThrowException@8,FindClose, 1_2_0047FB60
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237D1B98 FindFirstFileExW, 2_2_00007FF6237D1B98
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00EEEB40 VirtualQuery,GetSystemInfo,MapViewOfFile,UnmapViewOfFile, 0_2_00EEEB40
Source: ISRT.dll.1.dr Binary or memory string: RFqEMUdUD
Source: ISRT.dll.1.dr Binary or memory string: _GetVirtualMachineType
Source: ISRT.dll.1.dr Binary or memory string: _IsVirtualMachine
Source: _is23C8.exe, 00000001.00000000.1662044743.0000000000471000.00000020.00000001.01000000.00000004.sdmp Binary or memory string: hgFSd
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F5222D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F5222D
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237BDEB4 GetLastError,IsDebuggerPresent,OutputDebugStringW, 2_2_00007FF6237BDEB4
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F5551A VirtualProtect ?,-00000001,00000104,?,?,?,0000001C 0_2_00F5551A
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F20CE0 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_00F20CE0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F55CC5 mov eax, dword ptr fs:[00000030h] 0_2_00F55CC5
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_00515CC5 mov eax, dword ptr fs:[00000030h] 1_2_00515CC5
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F5A39A GetProcessHeap, 0_2_00F5A39A
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F5222D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F5222D
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F4CF12 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00F4CF12
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F4D112 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00F4D112
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F4D2A4 SetUnhandledExceptionFilter, 0_2_00F4D2A4
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0051222D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0051222D
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0050CF12 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0050CF12
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0050D112 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0050D112
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0050D2A4 SetUnhandledExceptionFilter, 1_2_0050D2A4
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237C9CAC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF6237C9CAC
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237C6224 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00007FF6237C6224
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237C6764 SetUnhandledExceptionFilter, 2_2_00007FF6237C6764
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237C658C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00007FF6237C658C
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Process created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe "C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe" -embedded:EEFDEB78-A81F-4EAC-839B-C4BCB6470B9F -IS_temp
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F43200 __EH_prolog3_GS,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetTempPathW, 0_2_00F43200
Source: ISSetup.dll.1.dr Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: ISSetup.dll.1.dr Binary or memory string: ISLOG_VERSION_INFO..\..\..\Shared\LogServices2\LogDB.cppOPTYPE_PROGMANISLOGDB_USER_PROPERTIESD
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F4D3C8 cpuid 0_2_00F4D3C8
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\gemalto48.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\1reader.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\40LE.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\EzioBLE.bmp VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Typical.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Custom.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Application.png VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Folder.png VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00ED2D20 CreateNamedPipeW,CloseHandle,GetLastError,CreateEventW,WaitForSingleObject,CloseHandle,new,CloseHandle,CloseHandle,CloseHandle, 0_2_00ED2D20
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F4D572 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00F4D572
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00EC2400 GetVersionExW, 0_2_00EC2400
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00EB10E0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_00EB10E0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00EB1040 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_00EB1040
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_00471040 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 1_2_00471040
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_004710E0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 1_2_004710E0
No contacted IP infos