Windows Analysis Report
WebSigner_SuiteMSI_Barclays.exe

Overview

General Information

Sample name: WebSigner_SuiteMSI_Barclays.exe
Analysis ID: 1428711
MD5: c469b3646fbddc8e03dcb9865b02e89c
SHA1: 46c0d0b632a9b2865cd79110f5549e3132cd313a
SHA256: c5e809af345907819df2cebda858e8c9b5614de1f049bd347cebb6305281790d
Infos:

Detection

Score: 16
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

PE file has a writeable .text section
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  • System is w10x64
  • WebSigner_SuiteMSI_Barclays.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe" MD5: C469B3646FBDDC8E03DCB9865B02E89C)
    • _is23C8.exe (PID: 7304 cmdline: "C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe" -IS_temp ORIGINALSETUPEXEDIR="C:\Users\user\Desktop" ORIGINALSETUPEXENAME="WebSigner_SuiteMSI_Barclays.exe" MD5: C469B3646FBDDC8E03DCB9865B02E89C)
      • setup64.exe (PID: 7348 cmdline: "C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe" -embedded:EEFDEB78-A81F-4EAC-839B-C4BCB6470B9F -IS_temp MD5: 7686C19501FFA9DA709A98AF94C0C844)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: WebSigner_SuiteMSI_Barclays.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe | File created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\eula.rtf
Source: WebSigner_SuiteMSI_Barclays.exe | Static PE information: certificate valid
Source: WebSigner_SuiteMSI_Barclays.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\CodeBases\isdev\redist\language independent\x64\SetupSuite64.pdb | source: setup64.exe, 00000002.00000000.1667433443.00007FF6237D9000.00000002.00000001.01000000.00000007.sdmp, setup64.exe, 00000002.00000002.2923632394.00007FF6237D9000.00000002.00000001.01000000.00000007.sdmp, setup64.exe.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\ISP\ISSetup.pdb | source: ISSetup.dll.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\language independent\i386\SetupSuite.pdb | source: WebSigner_SuiteMSI_Barclays.exe, _is23C8.exe.0.dr
Source: Binary string: signtool.pdb | source: signtool.exe.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\language independent\i386\SetupSuite.pdbG | source: WebSigner_SuiteMSI_Barclays.exe, _is23C8.exe.0.dr
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb | source: ISBEW64.exe.1.dr
Source: Binary string: E:\DEV_Encours\MESSAGE\Xmessage\obj\Release\Xmessage.pdb | source: Xmessage.exe.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\language independent\i386\Setup_UI.pdb | source: _is23C8.exe, 00000001.00000002.2924966445.000000006CF41000.00000002.00000001.01000000.00000005.sdmp, Setup_UI.dll.1.dr
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe | Code function: 0_2_00EBFB60 FindFirstFileW, __CxxThrowException@8, FindClose
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe | Code function: 1_2_0047FB60 FindFirstFileW, __CxxThrowException@8, FindClose
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe | Code function: 2_2_00007FF6237D1B98 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe | Code function: 2_2_00007FF6237C50CC QueryPerformanceCounter, GetTickCount, ResetEvent, InternetReadFile, QueryPerformanceCounter, GetTickCount

System Summary

Source: ISRT.dll.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe | Code function: 0_2_00F44741 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe | Code function: 1_2_00504741 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx
Source: ISSetup.dll.1.dr | Static PE information: Resource name: PUBLICKEY type: b.out overlay separate pure segmented executable V2.3 186 286 286 386 Large Text Large Data Huge Objects Enabled
Source: WebSigner_SuiteMSI_Barclays.exe, 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameInstallShield SetupSuite.exe< vs WebSigner_SuiteMSI_Barclays.exe
Source: WebSigner_SuiteMSI_Barclays.exe | Binary or memory string: OriginalFilenameInstallShield SetupSuite.exe< vs WebSigner_SuiteMSI_Barclays.exe
Source: ISRT.dll.1.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: classification engine | Classification label: clean16.winEXE@5/47@0/0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe | Code function: 0_2_00EEC2B0 CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe | Code function: 1_2_6CEE9680 FindResourceW, SizeofResource, LoadResource, LockResource, GlobalAlloc, GlobalLock, CreateStreamOnHGlobal, GlobalUnlock, GlobalFree
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe | Mutant created: \Sessions\1\BaseNamedObjects\{783F36BC-63CA-4E74-ABA6-81C222D2C3DD}
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe | File created: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: IS_temp0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: runfromtemp0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: kernel32.dll0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: SuiteSetup.ini0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: SuiteSetup.ini0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: embedded:0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: IS_ProxyWaiter_0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: debuglog0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: newlog0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: SetupSuite.cpp0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: SetupSuite.cpp0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: SetupSuite.cpp0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: SuiteSetup.ini0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: SuiteSetup.ini0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: clone_wait0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: debuglog0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: /debuglog0_2_00EE81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCommand line argument: /debuglog0_2_00EE81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCommand line argument: IS_temp1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCommand line argument: runfromtemp1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCommand line argument: kernel32.dll1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCommand line argument: SuiteSetup.ini1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCommand line argument: SuiteSetup.ini1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCommand line argument: embedded:1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCommand line argument: IS_ProxyWaiter_1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCommand line argument: debuglog1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCommand line argument: newlog1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCommand line argument: SetupSuite.cpp1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCommand line argument: SuiteSetup.ini1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCommand line argument: clone_wait1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCommand line argument: debuglog1_2_004A81F0
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCommand line argument: /debuglog1_2_004A81F0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeFile read: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\SuiteSetup.iniJump to behavior
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeFile read: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe "C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe"
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeProcess created: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe "C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe" -IS_temp ORIGINALSETUPEXEDIR="C:\Users\user\Desktop" ORIGINALSETUPEXENAME="WebSigner_SuiteMSI_Barclays.exe"
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeProcess created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe "C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe" -embedded:EEFDEB78-A81F-4EAC-839B-C4BCB6470B9F -IS_temp
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeProcess created: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe "C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe" -IS_temp ORIGINALSETUPEXEDIR="C:\Users\user\Desktop" ORIGINALSETUPEXENAME="WebSigner_SuiteMSI_Barclays.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeProcess created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe "C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe" -embedded:EEFDEB78-A81F-4EAC-839B-C4BCB6470B9F -IS_tempJump to behavior
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: sxs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: msi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: msftedit.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: windows.globalization.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: bcp47mrm.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: globinputhost.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exeSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32Jump to behavior
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeFile written: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\SuiteSetup.iniJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: Next >
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: OK
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: OK
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: OK
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: OK
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: OK
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: OK
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: OK
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: OK
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: OK
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: OK
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: OK
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: OK
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeAutomated click: I accept the terms in the license agreement
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeFile opened: C:\Windows\SysWOW64\msftedit.dllJump to behavior
Source: WebSigner_SuiteMSI_Barclays.exeStatic PE information: certificate valid
Source: WebSigner_SuiteMSI_Barclays.exeStatic file information: File size 3485736 > 1048576
Source: WebSigner_SuiteMSI_Barclays.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: WebSigner_SuiteMSI_Barclays.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: WebSigner_SuiteMSI_Barclays.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: WebSigner_SuiteMSI_Barclays.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WebSigner_SuiteMSI_Barclays.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: WebSigner_SuiteMSI_Barclays.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: WebSigner_SuiteMSI_Barclays.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: WebSigner_SuiteMSI_Barclays.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\CodeBases\isdev\redist\language independent\x64\SetupSuite64.pdb source: setup64.exe, 00000002.00000000.1667433443.00007FF6237D9000.00000002.00000001.01000000.00000007.sdmp, setup64.exe, 00000002.00000002.2923632394.00007FF6237D9000.00000002.00000001.01000000.00000007.sdmp, setup64.exe.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\ISP\ISSetup.pdb source: ISSetup.dll.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\language independent\i386\SetupSuite.pdb source: WebSigner_SuiteMSI_Barclays.exe, _is23C8.exe.0.dr
Source: Binary string: signtool.pdb source: signtool.exe.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\language independent\i386\SetupSuite.pdbG source: WebSigner_SuiteMSI_Barclays.exe, _is23C8.exe.0.dr
Source: Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe.1.dr
Source: Binary string: E:\DEV_Encours\MESSAGE\Xmessage\obj\Release\Xmessage.pdb source: Xmessage.exe.1.dr
Source: Binary string: C:\CodeBases\isdev\redist\language independent\i386\Setup_UI.pdb source: _is23C8.exe, 00000001.00000002.2924966445.000000006CF41000.00000002.00000001.01000000.00000005.sdmp, Setup_UI.dll.1.dr
Source: WebSigner_SuiteMSI_Barclays.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WebSigner_SuiteMSI_Barclays.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WebSigner_SuiteMSI_Barclays.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WebSigner_SuiteMSI_Barclays.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WebSigner_SuiteMSI_Barclays.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCode function: 0_2_00F20CE0 LoadLibraryW,GetProcAddress,FreeLibrary,0_2_00F20CE0
Source: initial sampleStatic PE information: section where entry point is pointing to: .rsrc
Source: WebSigner_SuiteMSI_Barclays.exeStatic PE information: section name: .orpc
Source: _is23C8.exe.0.drStatic PE information: section name: .orpc
Source: ISSetup.dll.1.drStatic PE information: section name: .orpc
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCode function: 0_2_00F4CBF6 push ecx; ret 0_2_00F4CC09
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCode function: 0_2_00F4D346 push ecx; ret 0_2_00F4D359
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCode function: 0_2_00F5BC7D push dword ptr [esp+ecx-75h]; iretd 0_2_00F5BC81
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCode function: 1_2_0050CBF6 push ecx; ret 1_2_0050CC09
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCode function: 1_2_0050D346 push ecx; ret 1_2_0050D359
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCode function: 1_2_0051BC7D push dword ptr [esp+ecx-75h]; iretd 1_2_0051BC81
Source: ISRT.dll.1.drStatic PE information: section name: .text entropy: 7.98362330850952
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeFile created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Setup_UI.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeFile created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISRT.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeFile created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Xmessage.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeFile created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISBEW64.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeFile created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\signtool.exeJump to dropped file
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeFile created: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeFile created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeFile created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISSetup.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeFile created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\eula.rtfJump to behavior
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Setup_UI.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISRT.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Xmessage.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISBEW64.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\signtool.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISSetup.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exeEvaded block: after key decision
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_0-67326
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exeCheck user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeAPI coverage: 7.3 %
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exeAPI coverage: 6.2 %
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCode function: 0_2_00EBFB60 FindFirstFileW,__CxxThrowException@8,FindClose,0_2_00EBFB60
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCode function: 1_2_0047FB60 FindFirstFileW,__CxxThrowException@8,FindClose,1_2_0047FB60
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exeCode function: 2_2_00007FF6237D1B98 FindFirstFileExW,2_2_00007FF6237D1B98
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCode function: 0_2_00EEEB40 VirtualQuery,GetSystemInfo,MapViewOfFile,UnmapViewOfFile,0_2_00EEEB40
Source: ISRT.dll.1.drBinary or memory string: RFqEMUdUD
Source: ISRT.dll.1.drBinary or memory string: _GetVirtualMachineType
Source: ISRT.dll.1.drBinary or memory string: _IsVirtualMachine
Source: _is23C8.exe, 00000001.00000000.1662044743.0000000000471000.00000020.00000001.01000000.00000004.sdmpBinary or memory string: hgFSd
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCode function: 0_2_00F5222D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F5222D
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exeCode function: 2_2_00007FF6237BDEB4 GetLastError,IsDebuggerPresent,OutputDebugStringW,2_2_00007FF6237BDEB4
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCode function: 0_2_00F5551A VirtualProtect ?,-00000001,00000104,?,?,?,0000001C0_2_00F5551A
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCode function: 0_2_00F20CE0 LoadLibraryW,GetProcAddress,FreeLibrary,0_2_00F20CE0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCode function: 0_2_00F55CC5 mov eax, dword ptr fs:[00000030h]0_2_00F55CC5
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCode function: 1_2_00515CC5 mov eax, dword ptr fs:[00000030h]1_2_00515CC5
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCode function: 0_2_00F5A39A GetProcessHeap,0_2_00F5A39A
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCode function: 0_2_00F5222D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F5222D
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCode function: 0_2_00F4CF12 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00F4CF12
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCode function: 0_2_00F4D112 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F4D112
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exeCode function: 0_2_00F4D2A4 SetUnhandledExceptionFilter,0_2_00F4D2A4
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCode function: 1_2_0051222D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0051222D
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exeCode function: 1_2_0050CF12 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0050CF12
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0050D112 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0050D112
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_0050D2A4 SetUnhandledExceptionFilter,1_2_0050D2A4
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237C9CAC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF6237C9CAC
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237C6224 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00007FF6237C6224
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237C6764 SetUnhandledExceptionFilter,2_2_00007FF6237C6764
Source: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe Code function: 2_2_00007FF6237C658C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF6237C658C
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Process created: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe "C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe" -embedded:EEFDEB78-A81F-4EAC-839B-C4BCB6470B9F -IS_temp
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F43200 __EH_prolog3_GS,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetTempPathW,0_2_00F43200
Source: ISSetup.dll.1.dr Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: ISSetup.dll.1.dr Binary or memory string: ISLOG_VERSION_INFO..\..\..\Shared\LogServices2\LogDB.cppOPTYPE_PROGMANISLOGDB_USER_PROPERTIESD
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F4D3C8 cpuid 0_2_00F4D3C8
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\gemalto48.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\1reader.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\40LE.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\EzioBLE.bmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Typical.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Custom.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Application.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Folder.png VolumeInformation
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00ED2D20 CreateNamedPipeW,CloseHandle,GetLastError,CreateEventW,WaitForSingleObject,CloseHandle,new,CloseHandle,CloseHandle,CloseHandle,0_2_00ED2D20
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00F4D572 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00F4D572
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00EC2400 GetVersionExW,0_2_00EC2400
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00EB10E0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_00EB10E0
Source: C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe Code function: 0_2_00EB1040 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_00EB1040
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_00471040 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,1_2_00471040
Source: C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe Code function: 1_2_004710E0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,1_2_004710E0
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Access Token Manipulation (1) | Disable or Modify Tools (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1) |
| Credentials | Domains | Default Accounts | Native API (3) | Boot or Logon Initialization Scripts | Process Injection (13) | Access Token Manipulation (1) | LSASS Memory | Security Software Discovery (31) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Process Injection (13) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Deobfuscate/Decode Files or Information (1) | NTDS | File and Directory Discovery (3) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (3) | LSA Secrets | System Information Discovery (24) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Software Packing (2) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| WebSigner_SuiteMSI_Barclays.exe | 0% | ReversingLabs | | |
| WebSigner_SuiteMSI_Barclays.exe | 0% | Virustotal | | Browse |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISBEW64.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISBEW64.exe | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISRT.dll | 4% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISRT.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISSetup.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISSetup.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Setup_UI.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Setup_UI.dll | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Xmessage.exe | 7% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Xmessage.exe | 3% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\signtool.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\signtool.exe | 0% | Virustotal | | Browse |
| C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe | 0% | Virustotal | | Browse |
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://www.flexerasoftware.com0 | 0% | URL Reputation | safe | |
| http://logo.ve | 0% | Virustotal | | Browse |
No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://www.apache.org/licenses/LICENSE-2.0 | _is23C8.exe, 00000001.00000002.2924656843.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, _is23C8.exe, 00000001.00000002.2924765043.0000000005C55000.00000004.00000020.00020000.00000000.sdmp, eula.rtf.1.dr | false | | high |
| http://www.apache.org/licenses/ | _is23C8.exe, 00000001.00000002.2924656843.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, _is23C8.exe, 00000001.00000002.2924765043.0000000005C55000.00000004.00000020.00020000.00000000.sdmp, eula.rtf.1.dr | false | | high |
| http://www.symauth.com/rpa00 | _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr | false | | high |
| https://mozilla.org/MPL/2.0/. | _is23C8.exe, 00000001.00000002.2924656843.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, _is23C8.exe, 00000001.00000002.2924765043.0000000005C55000.00000004.00000020.00020000.00000000.sdmp, eula.rtf.1.dr | false | | high |
| https://opensource.org/licenses/Zlib) | _is23C8.exe, 00000001.00000002.2924656843.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, _is23C8.exe, 00000001.00000002.2924765043.0000000005C55000.00000004.00000020.00020000.00000000.sdmp, eula.rtf.1.dr | false | | high |
| https://supportportal.thalesgroup.com | _is23C8.exe, 00000001.00000002.2924656843.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, _is23C8.exe, 00000001.00000002.2924765043.0000000005C55000.00000004.00000020.00020000.00000000.sdmp, eula.rtf.1.dr | false | | high |
| http://www.gemalto.com | _is23C8.exe, 00000001.00000002.2923886870.000000000140C000.00000004.00000020.00020000.00000000.sdmp, setup.xml.1.dr | false | | high |
| http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d | ISSetup.dll.1.dr | false | | high |
| http://www.openssl.org/) | eula.rtf.1.dr | false | | high |
| https://supportportal.thalesgroup.com/. | _is23C8.exe, 00000001.00000002.2924656843.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, _is23C8.exe, 00000001.00000002.2924765043.0000000005C55000.00000004.00000020.00020000.00000000.sdmp, eula.rtf.1.dr | false | | high |
| http://www.flexerasoftware.com0 | _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr | false | URL Reputation: safe | unknown |
| http://www.symauth.com/cps0( | _is23C8.exe, 00000001.00000002.2923780076.00000000012F5000.00000004.00000010.00020000.00000000.sdmp, ISRT.dll.1.dr, Setup_UI.dll.1.dr, ISBEW64.exe.1.dr | false | | high |
| http://logo.ve | _is23C8.exe, 00000001.00000002.2924247309.0000000003930000.00000004.00000020.00020000.00000000.sdmp | false | | unknown |
                        No contacted IP infos
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1428711
                        Start date and time:2024-04-19 12:55:12 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 7m 35s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:8
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:WebSigner_SuiteMSI_Barclays.exe
                        Detection:CLEAN
                        Classification:clean16.winEXE@5/47@0/0
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 43
                        • Number of non-executed functions: 260
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes where analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        No simulations
                        No context
                        No context
                        No context
                        No context
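| Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
|---|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISBEW64.exe | PathWaveBenchVueDMM-2023-1-Setup-Basic.exe | Get hash | malicious | Unknown | Browse | |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISBEW64.exe | Nexus58_driver_cert.exe | Get hash | malicious | Unknown | Browse | |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISRT.dll | PathWaveBenchVueDMM-2023-1-Setup-Basic.exe | Get hash | malicious | Unknown | Browse | |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISRT.dll | Nexus58_driver_cert.exe | Get hash | malicious | Unknown | Browse | |
| C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISSetup.dll | Nexus58_driver_cert.exe | Get hash | malicious | Unknown | Browse | |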
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PC bitmap, Windows 3.x format, 209 x 338 x 24, image size 212264, cbSize 212318, bits offset 54
                                  Category:dropped
                                  Size (bytes):212318
                                  Entropy (8bit):4.79068125174595
                                  Encrypted:false
                                  SSDEEP:1536:bmIoYHQeXPmtyu6tIgrQmWRZ4XEF/OeYtqQw9t3dVe:bzPygHc/OeYtqQw9tK
                                  MD5:54A78E9E9425552D9D7B6C6AF8B53291
                                  SHA1:AC9F618FC2FC670E7C9B2AB05F6C0BAA4C873CBA
                                  SHA-256:6B54A2F93264B546277D851CE3FF94BD2BC9460D577544B3CA204A3FBEC29E25
                                  SHA-512:259504F7D0A0EB9C3FBD772CF02D66144C27AF52E662C1FB85815E795BC077B2CB15D6DA771F9079E5FB0795F59C2D02AC32778E428E31554B321B5D0F769304
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PC bitmap, Windows 3.x format, 193 x 183 x 24, image size 106140, cbSize 106194, bits offset 54
                                  Category:dropped
                                  Size (bytes):106194
                                  Entropy (8bit):2.720687192031943
                                  Encrypted:false
                                  SSDEEP:1536:E9fAclyd1vgIXID/pI5LIiwqhkYjcXkvnpw3ecHT:0Yclyd18
                                  MD5:A4A7B646270B6E19F4B850404733BFEE
                                  SHA1:D9D393BC3A1B47FACD4039D29A352BF5EDCCD66C
                                  SHA-256:1B470E24DCF84FBA748FE33A4E0C1A61FB5803F481FC55E8B9B97A383E512EB0
                                  SHA-512:8474784F540AC29FF21B96BE02DF2185C281135D25189DE0FB2A70D99FE06198E2366D15DC1E2687E7276C84045919E521BF881987364C3AE66F12F855BA794D
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 47 x 51, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):2677
                                  Entropy (8bit):7.917734280322567
                                  Encrypted:false
                                  SSDEEP:48:o/6Bxy4lYT3qV2a7WB32HU/EsZ5m4t3kODuOnjae/7H09wz2DyL8/LmLkVJK31hc:oSBxtaTWhcWXsZYg3bube/7HqXcovKPc
                                  MD5:B7562722E5218EFA4B4ABBF70725B8D4
                                  SHA1:5647FD4E44527CA2ECA6746E0FEDBD4A998B460A
                                  SHA-256:2F160F74D10BD366B022FB3AC8FEFA6783A925633C5C0511D44FE3B5B83D83C4
                                  SHA-512:C0A1DF973B8F28F0235FE684137F90670055D7A75BD57B28FEED8E5614F0EA26A46978CD8DA6A1D930C35FDEBACFA845E7B371696DFB2E5B6901B525859E79CF
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 59 x 51, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):3678
                                  Entropy (8bit):7.9340424811774914
                                  Encrypted:false
                                  SSDEEP:96:OSBEcovLMuvMQTys5RIxIHEglEJ9yTLGVY0HMrlMl:OSOcovLMuvMts5QI5yJ9yvEsrWl
                                  MD5:2C2D11D76ACCCC73633B7782D430DDB7
                                  SHA1:3449C08F23DA8D657C075A66394FCB9530450954
                                  SHA-256:5E25814B728687E17C31572DA4B93CD6BA34E6D30C9760FDEDD8AE8598DA7720
                                  SHA-512:DE556D4ECB5C830D81DE149E889D9B67AA613118FC4FDE19660F38C989962C408E65209D5C746514C35A0F4237D8F0E76F1F3F660E5ED5DCD6A6BB001ABC6BE5
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PC bitmap, Windows 3.x format, 399 x 55 x 24, image size 66000, cbSize 66054, bits offset 54
                                  Category:dropped
                                  Size (bytes):66054
                                  Entropy (8bit):1.0171720269723423
                                  Encrypted:false
                                  SSDEEP:96:sB7U1+6jPAQhQoy+hqhx2dR5Tx56GjVrgdWXyZO7gfZcWXQWXOSr2MT0l65IYZJU:vd
                                  MD5:AC74F17963C8D9F061A0BF83FD05FF16
                                  SHA1:EC09F2F54C95AD7EEDBC7B2E9BB9ABB573CCCDD5
                                  SHA-256:495AD32760185A0AA33D5C844F7841A7D0B8AF9200A80C31A64F9A54A9D02FCD
                                  SHA-512:C97403918E52B5E059F6DA392FD95180560805D4940538690C5DAE17A8B5CEA1BD441E9483D7710EB00B0FCEC474069E5DBCBEC01B0BC39E039655D5E8ECA0C8
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 37 x 46, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):620
                                  Entropy (8bit):7.47932737435809
                                  Encrypted:false
                                  SSDEEP:12:6v/7ND/6Tog8XMl8iUnGTazYbDJ3/whlQSRWT68davud7jz:c/6BxZUGmzCDZNSREb
                                  MD5:80582D4A22429E1D5AD512A2131361B1
                                  SHA1:18B3E0A3F74E9CD4F27BDB5B4358E540B8DC093A
                                  SHA-256:84A93202B47055C01412F0A485BAE56A187BE0AEA99DA9A91916FC9E76E30526
                                  SHA-512:F2DD048E2ACB5CC1B1520E61B87B92BC80DBC231370CB0FA595B5E48AF8ED8808AB7E135150891F93C03E9785DC07F1A45446643F90C8981C9F0B98AB0AFCFB6
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                  Category:dropped
                                  Size (bytes):78277
                                  Entropy (8bit):5.018317951652924
                                  Encrypted:false
                                  SSDEEP:768:/1JW6eZAGSk49mebE1ag9FI6ICnoSseQOMjjv0dp+IHvVR6Tv/JJAJFJtGU8EKen:/emXVjm
                                  MD5:3EAFA59668EEB751792467F428BB807B
                                  SHA1:70A8D4591FE1CA4E03BEDDD2C744714D3992C8FB
                                  SHA-256:15075A5EE41B2EE5A849954B81D738418F4C1FB1DD816E3FB137BA8F979DA64B
                                  SHA-512:068AEB08658CCF6185D897FC34DEDD32331FBB76311CEF696C05F26D3E0370921DBE90B93B0DD756D407E01C06DF3C127F99EA5916B43EDE640A25B45EDFEC72
                                  Malicious:false
                                  Reputation:low
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):183016
                                  Entropy (8bit):5.751899917626374
                                  Encrypted:false
                                  SSDEEP:3072:VIFNKUw8ALJ+C2T0FSmmiYQT4zF2E+JYSdeZ2bgA/qQ6vj:vUn0mT8Sc/T4x1b0xg84j
                                  MD5:FC6B38A02516871EC641E99FB18F448B
                                  SHA1:58754875D6B068D4C076363531674B5D8164E4DC
                                  SHA-256:9419696372F4460FDC12D96ECD9F3A9489E9070CCAB7CCA4B51602C051DB31BF
                                  SHA-512:9A9BB2AD036BA9141FE312AB199ED2EB75BB132F69CB4B1FE98F4DAAAC8698DEBF2F72FC4B7969B1386FD849EF857E6861F66B14CF43A86328CFBAC3617C6B98
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                  Joe Sandbox View:
                                  • Filename: PathWaveBenchVueDMM-2023-1-Setup-Basic.exe, Detection: malicious, Browse
                                  • Filename: Nexus58_driver_cert.exe, Detection: malicious, Browse
                                  Reputation:moderate, very likely benign file
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 100 x 101, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):2119
                                  Entropy (8bit):7.873980167633021
                                  Encrypted:false
                                  SSDEEP:48:6/6Bx9Q7GbedZecHGF39sqCE8vIpJckD3yZ5dC:6SBz/yCcHGtCE8vIpJcMenC
                                  MD5:04FF43EFF306751E225EAC0C0D9AE6BA
                                  SHA1:BBA8A277930659563EFEBE42E1CFC77F16D45192
                                  SHA-256:995FF2F37E8688D9D65AA1219753A01078FB3CBD17B75B114AF56A61E3B63988
                                  SHA-512:A989D83F5E9C57EFCACA3AA8E146F34B19FF45E197C27B8A6D87C7EF38E1FD4503AF7C5583C485BBB81450DD86A82482635721FE8462B36445705A4040FB9F68
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 50 x 50, 8-bit/color RGB, non-interlaced
                                  Category:dropped
                                  Size (bytes):1101
                                  Entropy (8bit):7.704601238804259
                                  Encrypted:false
                                  SSDEEP:24:8/6B94nwJezZEEkKnz1jf+Af6g+dw1Jg4tqH5oaNAfSo2gBs:8/6B9HMNEE9z175f6Bdwv/qHyaN4S13
                                  MD5:0DE9D9BD4AE583015157D5D3BC77801F
                                  SHA1:6201C31BADAB2C50FD0C619704622E0E0CAD9F5E
                                  SHA-256:3039E1E23AFC42BD3C07A8F4B65FB5D0377CA70F9F4FFB6FD7E7F33D82D837D1
                                  SHA-512:B393AD1DADB60723B6032C0DC6CB9C50709B516C5F5D414B788E79B944E8A4C988C2425798F4A9B8BD05BC6D18F37CB3FBA55CE93228E13D38E974EB18EE3BA2
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
                                  Category:dropped
                                  Size (bytes):436968
                                  Entropy (8bit):7.970462355107799
                                  Encrypted:false
                                  SSDEEP:12288:dquBBoy1WkagdDUwknDIPBVn+ClyIf/J+fHW:8ywkBhaIPBVJl5nEvW
                                  MD5:6142481421BD6CC14ADDF9606137973D
                                  SHA1:97686F0E3254C3C245256AE280ED36F9457B3EC2
                                  SHA-256:650D006D2F4F62D740D7D198F7FEBE201D3F528EE87E089958B5C4E1CD27E748
                                  SHA-512:21E9BD11B931BA20DFF2E30F3301FCB5FC119535A6428C175224E1A35E6C6C14B07F437A416D53787635CE8B8AA042D4DC514BEED41B0575591AE79C1592993B
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 4%
                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                  Joe Sandbox View:
                                  • Filename: PathWaveBenchVueDMM-2023-1-Setup-Basic.exe, Detection: malicious, Browse
                                  • Filename: Nexus58_driver_cert.exe, Detection: malicious, Browse
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):1628672
                                  Entropy (8bit):5.912689265243494
                                  Encrypted:false
                                  SSDEEP:49152:hUiWx78RtgmwjQs4o6C5WZ/l0+VChSV9TE2:uZ8RtgmwjQj/HZ/+eCh
                                  MD5:4050114269619342AF2B3001406953A4
                                  SHA1:C9FAE87B5E7C0C4377F12D1DA3B4F01B233B4E3A
                                  SHA-256:80A16734E6E89BEB17B3D12164E49D5FA5D5806846E2529C653871937F5B9301
                                  SHA-512:9955D1B17F5AF35C5581CB1BC0E0B8DCBBC1C36E33E8BA071313165A5BDAD9613F24021D011AD6AFB323E848F5A2D8BE247428649D6A96D0C78DE493704B3923
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                  Joe Sandbox View:
                                  • Filename: Nexus58_driver_cert.exe, Detection: malicious, Browse
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 58 x 51, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):1766
                                  Entropy (8bit):7.858990597945124
                                  Encrypted:false
                                  SSDEEP:48:N/6BglEcNs+cI4BltCD6MgbSFAPimHf27v4k7D0PReadiANU:NSBZcNSI4Blt5bogHf0v4k7wiANU
                                  MD5:A96BBEFB78F0C3DBEA0C24163A7071B5
                                  SHA1:E88BEF00865C1786CE35532F0BF06FFEDC4A86C7
                                  SHA-256:B83531648D506073C9E0A0481977EE378DE0D57EF2508145A7F23AF9E3344A41
                                  SHA-512:4263888FE08253E2334F8F50ED6E03BA76D077137521BD4F6B0DDCCC5824F9110C0E32B09E0D69FE6C66842B9D9661A553CE8E078515583779E1F91150FE4335
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 59 x 51, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):3160
                                  Entropy (8bit):7.919840334162329
                                  Encrypted:false
                                  SSDEEP:96:OSBhOktNWeePn34ZwudEYki0CeDjA5pI0hUG:OSnTNWeePYw8E1zCkapPhX
                                  MD5:260D3EDFC4ED042A8E152613CFC0D59C
                                  SHA1:E5DBE0736915D6E40F5DB8392C5001B57D98406E
                                  SHA-256:5B4CC813A251FBBE0C2EA6BAB31C512DA865BAA9B20FA61B46CA8A30D302BBFA
                                  SHA-512:5611AED5498591F97F6D145E36D106104317379D8A05436E169872CA52F354DB39972C1BBEB74C1E1AFF7779E7CD829D5631E3E7E5BAD7796D514B25CD549DCC
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):79670
                                  Entropy (8bit):7.37547764849457
                                  Encrypted:false
                                  SSDEEP:1536:jSeiZO/9RNbESS9fbiiEt4HGjwlv/54rMhU6:jpiZS9RKmiEt4LJ54riU6
                                  MD5:63E9EE20B35DC23FC91F0A6AA6D3E3F4
                                  SHA1:E578E9B4C8D7BF02E1109BB4D6D7042D497DDAF7
                                  SHA-256:004FBA43413D533B95AF09F2C0284EEB488C382EA7EA3D3A2D127805EFDCCA04
                                  SHA-512:741528736AA0C339A6FF488790D08F33253CC819CF6E6209E753914644B6CF68D57748FC42ECC1105DE7EFA09D4B85DC74EA1F442EA8A87C2D67B1E7D90766B2
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):927976
                                  Entropy (8bit):6.432430631858935
                                  Encrypted:false
                                  SSDEEP:12288:7BejzJoCzwNzqfZiCYEaMosQMth9F+52QXQVCid+JEG7SBFLCEMe:umC2wiEaMAMtvFnQXQVY7SBFLrMe
                                  MD5:6400100A51918A66E43E63049FAAF71B
                                  SHA1:737608EA45152BA40A74BEF5E1B4B3F2756B942B
                                  SHA-256:2C34F5032DD9794B7ABFA931D785281B6CA8111239009AC9B072D8C423602C25
                                  SHA-512:AD2C5C7B373697FE41895F65EEB8AFD12E910A1051D3086AEA0167A2BFEA00CB147EBB7CDC4C14148188079529C9959421D0D282EDAFD436827711E7EC535510
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):22153
                                  Entropy (8bit):5.556237125471998
                                  Encrypted:false
                                  SSDEEP:384:JVaXrX16Ggxyf4dCyZ2r7YGmb7fgECDJsE7hhK7SVrxwlNG7CMSG7CvJ1GJfTo7s:JVCrX0GDf4dj2JPhKrIx3uB7BmtIV9Xg
                                  MD5:25445F8616C400FA7CCA249BBE735748
                                  SHA1:59BD4FA45C22F0F2C7553C63E0B076B48B1650EA
                                  SHA-256:61F69AE665728A786828E65F8F329EDA5A41DB5C5D6AF01144E7DBF2D2A7AFD3
                                  SHA-512:470C7E3EE74A06ABF24461F231FEC0EDAE2DCDEE2DB34287292E255B28B6319AD214F69DA7ACE721E2E9E3B508386E278108932B7EFAA557542E96D7F57DAABD
                                  Malicious:false
                                  Preview:<UserInterface xmlns="installshield/2019/bootstrap/ui" ScaleFactors="150;200">...<Resources>....<FontSet Name="BodyFonts">.....<Font Name="Microsoft JhengHei UI" Size="10" Language="1028"/>.....<Font Name="SimSun" Size="10" Language="1028"/>.....<Font Name="Meiryo UI" Size="10" Language="1041"/>.....<Font Name="MS Mincho" Size="10" Language="1041"/>.....<Font Name="Malgun Gothic" Size="10" Language="1042"/>.....<Font Name="Dotum" Size="10" Language="1042"/>.....<Font Name="Microsoft YaHei UI" Size="10" Language="2052"/>.....<Font Name="SimSun" Size="10" Language="2052"/>.....<Font Name="Calibri" Size="10"/>.....<Font Name="Verdana" Size="8"/>.....<Font Name="Arial" Size="8"/>....</FontSet>....<Class Name="Header" Pen="0x000000">.....<Class.FontSet BasedOn="BodyFonts" Size="180" Weight="400"/>....</Class>....<Class Name="Body" Pen="0x101010">.....<Class.FontSet BasedOn="BodyFonts" Weight="400"/>....</Class>....<Class Name="BodyItalics" Pen="0x383838">.....<Class.FontSet BasedOn="BodyFon
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 59 x 51, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):3932
                                  Entropy (8bit):7.941643377438535
                                  Encrypted:false
                                  SSDEEP:96:OSBUmbti17Hq2MwVBhJSPxiVMHZJIM9Gfvgpv7nT+kMj:OSiKUK23X2ioZJJMgpv7nT+
                                  MD5:18E81590AD31A376D07F0356505E9C18
                                  SHA1:F79801FB955797AD8790184B1700D0228C642882
                                  SHA-256:E5CBE9FC7F2CCDA733BEDBD355DC14EEEE83303D14E04CE09AD5DD08B3359C4E
                                  SHA-512:B0799BB3F1D3118967B77D1CE953F3DDFAFF2389F31C0A09657A661F08F2F854669E9E472B8872BB24AE5BB90D6D84B33B9063B2991FDBC3B9A34A482BCEBA40
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):13824
                                  Entropy (8bit):5.244439963558431
                                  Encrypted:false
                                  SSDEEP:384:eKt1FH0CDLxnpVlFHzAHYV0ewoJ6ftCZR:eKt1FUgNzlwoJFZ
                                  MD5:975C4DEEC479BDDC701ED8CF150074B3
                                  SHA1:F8276D88CB375EB057B14836FA0B1B73EBD1C764
                                  SHA-256:A602B12EC70A2DFA928A95E646C540ADFC824E0FA67A0FEE7502AD9644C7CC4F
                                  SHA-512:B6392F35D881BEF7B83921A3A8DB85F476A4418856C6AE6E3352BAF24B568E347D866A2CED9BF2F95872F42FEDA940512E13CDAF81C5AA44984B1FDC3D1E7864
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 7%
                                  • Antivirus: Virustotal, Detection: 3%, Browse
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):9014
                                  Entropy (8bit):3.7602495449790565
                                  Encrypted:false
                                  SSDEEP:192:tVVLb08GhNKwlyLEtD1fdLTYVUkthCzHC:Jq+RLqD1fdLqVthCbC
                                  MD5:74DDDB1E51CA93A61A908243EA2EA945
                                  SHA1:08693206736E895DCDBD28EBC473D97E2B9C3492
                                  SHA-256:955A547F40CCEC5733371CDD54D8CDA9A657CF82D44F86E77C567B89394D4EBF
                                  SHA-512:2537E0E04E616EF40BBFD6D79816E0990591B1895F68A2C0E3F4E6C5EFC450B1DBFD5BA93346E11F46CACC3B71AD5FF1625434B73DA259410F663845686D8625
                                  Malicious:false
                                  Preview:..[.P.r.o.p.e.r.t.i.e.s.].....I.n.s.t.a.l.l.M.o.d.e.=.0.....I.S.S.e.l.e.c.t.e.d.L.a.n.g.u.a.g.e.=.1.0.3.3.........[.F.i.l.e.s.].....C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.{.D.2.9.D.5.C.0.3.-.D.2.3.1.-.4.2.8.0.-.A.B.2.D.-.8.B.9.9.5.F.A.7.A.B.B.9.}.\.s.e.t.u.p...x.m.l.=.Y.e.s.........[.F.e.a.t.u.r.e._.C.u.s.t.o.m.].....A.c.t.i.o.n.=.1.....D.e.t.e.c.t.=.0.........[.F.e.a.t.u.r.e._.C.C.].....A.c.t.i.o.n.=.1.....D.e.t.e.c.t.=.0.........[.F.e.a.t.u.r.e._.C.C.I.D.].....A.c.t.i.o.n.=.1.....D.e.t.e.c.t.=.0.........[.F.e.a.t.u.r.e._.e.S.i.g.n.e.r.].....A.c.t.i.o.n.=.1.....D.e.t.e.c.t.=.0.........[.F.e.a.t.u.r.e._.W.e.b.S.i.g.n.e.r._.B.a.r.c.l.a.y.s.].....A.c.t.i.o.n.=.1.....D.e.t.e.c.t.=.0.........[.F.e.a.t.u.r.e._.G.B.D.M.].....A.c.t.i.o.n.=.0.....D.e.t.e.c.t.=.0.........[.F.e.a.t.u.r.e._.M.D.].....A.c.t.i.o.n.=.1.....D.e.t.e.c.t.=.0.........[.P.a.r.c.e.l._.{.C.8.0.6.0.0.5.8.-.5.2.5.1.-.4.9.6.8.-.8.E.A.4.-.7.C.A.E.6.9.6.9.1.F.7.E.}.].....A.c.t.i.o.n.=.1.....D.e.t.e.
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PC bitmap, Windows 3.x format, 152 x 52 x 24, resolution 3779 x 3779 px/m, cbSize 23766, bits offset 54
                                  Category:dropped
                                  Size (bytes):23766
                                  Entropy (8bit):4.627080165762752
                                  Encrypted:false
                                  SSDEEP:192:Pr4V7k+9KIHgkqk626VaIAEVOUNStI3AMoSXY:z4ek/HgdvZz5VOHtI3AMoSXY
                                  MD5:D4A6FB8E8C69D5A29D3AD2B88D2DF629
                                  SHA1:19E2CCD49B0197E882173957BD74D62AC515CFB1
                                  SHA-256:8D397F35C16FA96D4A56E0D05930ACA16AF121F072431D2650306AD7449F6188
                                  SHA-512:BE0CAA933705376763E1E3A973BFDB74A9399502EEF8A60B9F01275169AA63B08D9DAE57D065859BD9A2C1DE352D928324292D50ADEA47FD1F619E9A7079BFEA
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                  Category:dropped
                                  Size (bytes):126694
                                  Entropy (8bit):5.194344968900601
                                  Encrypted:false
                                  SSDEEP:3072:VseX+IZ+YfEBy5DM37J9JtlXOSNc9OMTDlhK9jiYCDz:h/+YfOZtlXOiyhz
                                  MD5:342A53750A9D93AE3B9BE13A904064FD
                                  SHA1:FE56962DFABBEEEC19E22F1F0ABEF68FE7480682
                                  SHA-256:582218EA11A4600450C1FB6B9DA7BF416BC8A8C48A398DDCFD8F4B774335E123
                                  SHA-512:4AF1713CE1A7A73895C8BBD5C6BC8C13E954ADAFE57EBBBD1EFBE2E626767F4172A8820C85E9BA2003224AC9D5F0E719C8BC91D21E89E31459A413BDD6B3241D
                                  Malicious:false
                                  Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1033\deflangfe1033\themelang1029\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math;}..{\f37\fbidi \fswiss\fcharset0\fprq2{\*\panose 020f0502020204030204}Calibri;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\fhimajor\f31502\fbidi \fswiss\fcharset0\fprq2{\*\panose 020f0302020204030204}Calibri Light;}..{\fbimajor\f31503\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\flominor\f31504\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\fdbminor\f31505\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Rom
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PC bitmap, Windows 3.x format, 344 x 198 x 24, resolution 3779 x 3779 px/m, cbSize 204390, bits offset 54
                                  Category:dropped
                                  Size (bytes):204390
                                  Entropy (8bit):4.40753311126912
                                  Encrypted:false
                                  SSDEEP:1536:4hMMUYU9999998t9999999999999999999H99999999999999999999999999997:4jo11bOA5v6
                                  MD5:64A4F560C6A5034D0B6014361BFC21A8
                                  SHA1:BCB36C8B1EB82FEC40ED494F88107A9C50BB334A
                                  SHA-256:10FF3C5EBC089ED5EC30CEEB8B968C05BF648FEAB2F8A2D18A7FB18E204102F5
                                  SHA-512:014DD17822BE6FB0158E9971FDD4BE4A49E08EE02E2C35F983683FBF1F7D4BC4F6556194EC5EE3DA65A67CFADAE607E31882F9DCD677ADF3116646361AC3263B
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):2147
                                  Entropy (8bit):7.85825458770264
                                  Encrypted:false
                                  SSDEEP:48:IM0W5zbdfhy1nLbo0EhqYOw1C7UAuVQEEqAsL:35tdfk54qYVY7VuVRAY
                                  MD5:AF59B44E26F8772206188C03E8F8F8D7
                                  SHA1:DD175E75CDC34CA05782EBCBA6297CDD19D251A9
                                  SHA-256:5EED99BCA0D1B646B3285AA84AFBE819D5A5D988A6C08F3640AB15141872B903
                                  SHA-512:AF8DE6E76154C6C7040055B146360CFD72367C60FBE6F573ECD465CE0160D4CAF12121286ABA16702E908FF72FDA6411AA81886C9B2CEDA546FAC40F68A055BD
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 61 x 69, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):4260
                                  Entropy (8bit):7.942367623306922
                                  Encrypted:false
                                  SSDEEP:96:Ym2UwQ4wmqsePU+EA0lWhtXZqbTonlkhy71RwcSOVdz0jdUjqSZ9h:bmqHMvAB7XgTHhy71KEX0juT9h
                                  MD5:46B2EB6C23572DA87ADA5A342F854641
                                  SHA1:A7F8188701C82DC7EB9D5F5A2B7FE2348AB462A2
                                  SHA-256:016604E80FFC9921EE9CA036B6DDE317094C9D1CD8BF4928087317C708EB7C84
                                  SHA-512:9377719AA40E352EA47002FDF9264A461E292CEA2CD21840F792409F6E6A59786D10234C3F8762C1E347618B2243DC6B604645A39A8CDDDC1328D391FE7407FF
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 78 x 69, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):6044
                                  Entropy (8bit):7.9451860868796595
                                  Encrypted:false
                                  SSDEEP:96:tmVOnl+3YAzkUN1KKlUpfHT4jBGADFxNPa/v7jEFBH4w4wtyBpLCD:MAn4IAzdvKKlyfEdDJPaX7jELH4wTtyM
                                  MD5:41404BDC8ACC738078A96E03836A7017
                                  SHA1:CF09E2F6454A20089B809AF16C775ABB38907907
                                  SHA-256:2760DC6DA4DA352973B99D8209E54DC68C679D8C2800408F6D9481E03D9D3D9B
                                  SHA-512:14C218AC361BDACBDD1D67BF6AA58E6BA81700B853B295E8606D6722F4D48113D9FFC48C74B41EE0D125B3B433A9030769DBA00CE4666FF10F4DF185B7210EF9
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 46 x 39, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):703
                                  Entropy (8bit):7.595889559578325
                                  Encrypted:false
                                  SSDEEP:12:6v/7+tR5rAXrHXaCUH5xnwiSsU3pSgTFu44wjI1p1pq20edfOSSOTi5JM63SKClg:xdWHKC6j1SsUrTFtls1p62ddfN9lg
                                  MD5:F3F9575A23F7C4CD35C8324231F5BD9E
                                  SHA1:CD69AF64528F48A8DD6652A04D4FD1C930D63A3F
                                  SHA-256:2EE9AA1DDA88CD9964D342DDA3FE56164C9906D5441E8381297F4DCDAE6C3E9D
                                  SHA-512:079CD249A9149AFBCCEA7993672D384FC896E86BEB8AAF374636B92466DCD26EB2B7E7FD0063316154A8427AFEAF1A3AA3B4A6E9FBEB7FEF03BC9A66C36A5B8F
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 150 x 152, 8-bit/color RGB, non-interlaced
                                  Category:dropped
                                  Size (bytes):2919
                                  Entropy (8bit):7.890433217220344
                                  Encrypted:false
                                  SSDEEP:48:j78fWYtwYtCmV7Ec31HHeHoxToD3WRZ1aKtnqbaI/MoxUQGzuDNMTJVNkY:j70WQwYtPBt1btoDmLNtn4aI/nmzvNT
                                  MD5:D1EF62B54F9891D47FC45CEC0DC3BA66
                                  SHA1:B111B25F31DE42B0DF8033A4B900567D3EBB8D3D
                                  SHA-256:C2CC87D11211DBC67AE85BF317393912A4DEB092A70A4D1AA746F31F4E127A18
                                  SHA-512:AF4AB16181E98D0484518DC61B9DA66C36C60AD66BD9FD8C1B25267D9DBE5C91BA42812A3F73918518B4215FF051A7694CC598AE6217563E573726B91547B3A8
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 75 x 75, 8-bit/color RGB, non-interlaced
                                  Category:dropped
                                  Size (bytes):1610
                                  Entropy (8bit):7.842174890806451
                                  Encrypted:false
                                  SSDEEP:48:YE1fChxC9ZQNefvGdsVivJQEJVBW/f0stN:YE4HCboqvGssxQEJVBWJN
                                  MD5:A7D73D5BFF3EFF52325A53642FD31552
                                  SHA1:5ED0006EE052295E01091588C366952B4C185E29
                                  SHA-256:8B4F5BD1C8F01EF4775453A53FC827621B6FD2F2723D52DF6CE64E5D66595C33
                                  SHA-512:230A01C4230D0A5A08F02126FEDE6E8F2FDDFA19FAE6F6116130AA4DD5C9368FBC608F4ADA145AD2B3C2FD059A18643DEF9D3E8A5BBB62DB767043E59A8D222B
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 50 x 70, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):2868
                                  Entropy (8bit):7.906731719242294
                                  Encrypted:false
                                  SSDEEP:48:ujzZtSeGixozvbg1THbW3zR66DDGVxsJHoJ3XtbjPeqMN8NnpDRijK2frbP3gABc:uPHjGiOzuHa966DDGj2k3RjPNM+NpYjg
                                  MD5:3935F5F99E5930A26FF9C78E7004EF1E
                                  SHA1:1776AF49DFAF8A863E6A8E8989911D69D4D68364
                                  SHA-256:759A320B1B41F49D95333AE9636AB772C64DDE712208BBAE1850D134F870A70E
                                  SHA-512:A3B1D182A56D4508DD7DA1F07299FC155BD33F4DAA551634996BEB4C38CCB566BADE75C3D900CC3E07B83D7B702FB0006D2849462213BE0D864D0D142A42E5D8
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 79 x 69, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):5091
                                  Entropy (8bit):7.94632076328756
                                  Encrypted:false
                                  SSDEEP:96:a4lF0XeOh219Yd8r7D3stFSeCXz7Mlh3s/rIa46R7xhvrqpePc9:XFlO419Yd8r7DkVCD7GhGB1VhvrUePc9
                                  MD5:C404CB5D0854361968716C3AB8630F92
                                  SHA1:03C73C5400C3E51620D403F5FFB37C1959115B31
                                  SHA-256:ABDCECCB0963B6A2621BC1C1477C5D7FA0743E6656275FF1E3402464D7946C87
                                  SHA-512:70C253A88D6A9E3033AB47A67B420E22E2F875E388554A7DB532A90F8D48F73910ED2B5D4B5156CA1F519BF8AA2A2CF417E827BA64DEB4CE868E4DA149E26EED
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 78 x 69, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):6448
                                  Entropy (8bit):7.942394504787228
                                  Encrypted:false
                                  SSDEEP:96:tuQCbvBTE1UhXkAy5caRX8Idg2CwVRH3o9UOjSdbIZEif894jK2AXwIkguWRnoi8:/OKc25ZXhdg2tVho93E5mXlAX6u2R
                                  MD5:BE7A62B3CF3AA240CCBB2E8CDF60F29F
                                  SHA1:3FB97D5AAF9CBBF8C3489C26CC14A406FFA1819A
                                  SHA-256:1D21BEA5C93FCED9F777A86F2B7D9EE11B697BCB4D9306794A81BEBA60CA7AAC
                                  SHA-512:F73EF2173138F08EF0264BC9CB64C80C9BCEE927C50D70A0F2587D8B535E98EDA42FB8F31542A2421A34B89ACC19153F0EFBB0113593B22ED1C906FF548888ED
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 81 x 92, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):6213
                                  Entropy (8bit):7.945846271751275
                                  Encrypted:false
                                  SSDEEP:192:zBuUbwRzq3ByQgJ0NMFaJYyuCbDsKAbedY:z3wRzq83J0WFw8oDK8Y
                                  MD5:5CB34DD612581AB996FF4141E96140D2
                                  SHA1:72E44BAA670048725DAE89626091809E06648F35
                                  SHA-256:A057F7981A7932ADB78268F111C3100186B0DED651B1985F4DF969E786B481C8
                                  SHA-512:56C4CAF195DBF20257D3539F328B95F577ABF9FB72B61EBA151F1378625086B0AB9012E740E8D473ECB89A992307D52705A960842AD5BCE8EC34BCFEB4A3C421
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 104 x 92, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):8672
                                  Entropy (8bit):7.962843219146717
                                  Encrypted:false
                                  SSDEEP:192:53WFMLVwn/cVqRma/aLt+WTyDX4oI9Yf9cL7/t6woauPYTr9:1w/cdXL0W+NAUhfc9
                                  MD5:CA50DE91FD398EEA3960EEA2D5DFAF48
                                  SHA1:0F429F6CDD21E2C9E4E699D1AEB52CB9881033D3
                                  SHA-256:6274061D9A16D293D32E1EFEDEB149E6EB17370ACD9F5D597CE9E5EB746F4881
                                  SHA-512:B99E7E95F296A2AB7F23275CE297ACEEE9DAA66BC4210AA8B3883348FE267CF220F86F178D15D5E3E12F25326DA89E71F8CA77C70E3C942B63DAD1F1897FD80D
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 62 x 52, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):925
                                  Entropy (8bit):7.703310262967306
                                  Encrypted:false
                                  SSDEEP:12:6v/7J8VnSLnJCSSxY/fPD/wMjN/3tb3KmUqGViOmJluXDwLAFYhpxVy4z4AO9+PY:qinvSS0sUt33xmQluckF8xPEGp2n
                                  MD5:6C1C6B0901943F054FD7E8D0B9C25ACB
                                  SHA1:8EBD624F9D014EBA0A87DF3483509E5236C745E8
                                  SHA-256:BC18AAFA7D628B9C25E6BC8C114236D53FEB488A15D6B6B6420B1298BAC44ECD
                                  SHA-512:03EA6FBF0214E9B34DB78C93E6ACD6B92EF40623B70707DD37A989644BEDED2A4A10A8ACCE4E90D97485D6582197FC30E1B5B2800F1CD23AB7E62AA6A5782022
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 200 x 203, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):3927
                                  Entropy (8bit):7.867628022986832
                                  Encrypted:false
                                  SSDEEP:96:DgcRZq+qXbjAxA446PygFDI63vK+Jo9QZuSkievB:kKs/ACCyi06LJPudiOB
                                  MD5:8DD8875C148136F4FAB3C3CF8CF7EED5
                                  SHA1:D83120EBA14A85CE48A2917601E6B4D97877F116
                                  SHA-256:3D58BDBA085344511994581785DEED8A66C05297F095FAEDD1FEF2D3692DBCE2
                                  SHA-512:3B25AB04395DE85AC101501AA3AFBEDBE74ADB31307A743B3EC9CE8B69F8D4CF6210BFC50AF41BC733623930EB480F2FDB359B0229A8C85D284A90E0390EA539
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 100 x 100, 8-bit/color RGB, non-interlaced
                                  Category:dropped
                                  Size (bytes):2060
                                  Entropy (8bit):7.87633508703651
                                  Encrypted:false
                                  SSDEEP:48:lU2gwgdgYGMaT1kyhq09/YJJuoyD5+UZXmxI84cTyump0qZc:i2gwgd/2mQqEgJJFykoXmxICyumpU
                                  MD5:B948E2717C6283CA2339EAEF8102837F
                                  SHA1:452459A3450A68D5A0EB7990918F85175957E696
                                  SHA-256:52C335337012024AE9742DD044FE673C3E26E2D2C83B0995E4BFC44884758650
                                  SHA-512:AF3646AB58BF9342059E03FA9A967D1BE7DCE3FE0EAB8B55A076844FBEED7980206A3892C99A87CBC28AD2E43C3A39E8211F531A71DD69BF849299A699CF20C3
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 67 x 93, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):3713
                                  Entropy (8bit):7.939409223387352
                                  Encrypted:false
                                  SSDEEP:96:6qOeZUWFbbopicOUY9zwrINNQvrxb4ttw/dGZ4Oe:6/eZU8swcOpZwrLyttw/oZ4V
                                  MD5:87B76436D9D1EBCA360F2ADC79BC7053
                                  SHA1:61199A4BED5EE2BA33BA55696BA486372D9CA40F
                                  SHA-256:87B0A0B42F2973CF9AF958022438AB4B350DAE7700897204816E16A62E223433
                                  SHA-512:7F2236CF60B4783BAB5F7CEF7FB783701EDA3C4EEFCE52E134CCE3649CB4A8B2DF772465F5E80163B22BE060907E2515B82A3A9A79B0AE429A69C84827FF18E2
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 105 x 92, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):7385
                                  Entropy (8bit):7.958336818666451
                                  Encrypted:false
                                  SSDEEP:192:O4Va0+8xvosHz4ksTQCoechkWiuItjouth:/B+8xg4kksTxobhPPwouL
                                  MD5:47B0CE02632A248ECFAF538E910C33F1
                                  SHA1:3B156CE941E2B4BF339C86C5AE64C075738127B1
                                  SHA-256:490FEC5151E23B7A00CBEF9B5874244E65E0B9D0384786B298AD58C7E2CBD55E
                                  SHA-512:EC43C79F0E90C61EAC6BAF88672737A0ABC612C79736D7C892AFE135E906E1358F2FDEC604F9778F35606AE150E911F007F27030B97EECC7B86B324933C73B1C
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PNG image data, 116 x 102, 8-bit/color RGBA, non-interlaced
                                  Category:dropped
                                  Size (bytes):9432
                                  Entropy (8bit):7.962526995464065
                                  Encrypted:false
                                  SSDEEP:192:N1KsfwPzkcK4pqQ/PabiFYqfpiEHomJthKoY8UQp5Xi2Ovu8DL:NoXPz9dqUiGomqQHy2Oh3
                                  MD5:A8EA2F7480FDA95BAB21A0E86386C551
                                  SHA1:3E124DB825B3CFF40F5C661C53C889132925FB1E
                                  SHA-256:57EE9024DD4BF02492C9750960D258AA7AA8DF94D528D266D8B5A18C3640B363
                                  SHA-512:FE9095BD54DE216146C13D9B89309C674E51974F48F30D72E101FE3CCBDA77FF53BAB7213D3B96AC2513A8C42D215C188DC3CA2E94AC5A3FDB5D772FEEB01903
                                  Malicious:false
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):63695
                                  Entropy (8bit):5.731507911827756
                                  Encrypted:false
                                  SSDEEP:1536:DJH1x+nQPnOsiFn1Jntj992wXpeC5NSCnN5Wfib7X:DJHv+QPOsO1llr2wXpe1iX
                                  MD5:3C650419E132B96A3636BA2109655D6F
                                  SHA1:05B04065A7BF674702BFFE4B3166180837C1DE49
                                  SHA-256:1814DB6F6C3B65F62C41CDD7F5D6A6080796507E2A1F841812B834F1C845E0DB
                                  SHA-512:E9E3ADB769DD92925924C8A75A6171197A9610576FA0A77DCB734C6697290619D570723A2430B870F7DE96A91BC0ADF5F94EEEBC0C283C0D1FC6AEF70A84B1B8
                                  Malicious:false
                                  Preview:.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<Setup SuiteId="{783F36BC-63CA-4E74-ABA6-81C222D2C3DD}" xmlns="installshield/2019/bootstrap">...<SetupConfigurations>....<Config Name="SplashScreenDelay" Value="500"/>....<Config Name="LoadingScreenMessage" Value=""/>...</SetupConfigurations>...<Resources>....<Resource Stream="Application.png"/>....<Resource Stream="Custom.png"/>....<Resource Stream="Folder.png"/>....<Resource Stream="Remove.png"/>....<Resource Stream="Repair.png"/>....<Resource Stream="Typical.png"/>....<Resource Stream="ISLogoBig.png"/>....<Resource Stream="ISLogoSmall.png"/>....<Resource Stream="scale-150\Application.png"/>....<Resource Stream="scale-150\Custom.png"/>....<Resource Stream="scale-150\Folder.png"/>....<Resource Stream="scale-150\Remove.png"/>....<Resource Stream="scale-150\Repair.png"/>....<Resource Stream="scale-150\Typical.png"/>....<Resource Stream="scale-150\ISLogoBig.png"/>....<Resource Stream="scale-150\ISLogoSmall.png"/>....<Resource St
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):286720
                                  Entropy (8bit):6.1981981749862
                                  Encrypted:false
                                  SSDEEP:6144:EXJqVC2DC02/5EttvTg0q6UMccu7VD3i1:sqrDshEzTKvMccu94
                                  MD5:7686C19501FFA9DA709A98AF94C0C844
                                  SHA1:C9B0A876CFBB092E55010D260A9A91389ABF91B7
                                  SHA-256:C65B3839BFF49D4D18AC37DB73F1E23637ABC256961F2F07FBA657E5948D4D96
                                  SHA-512:5CC82B9CB741881AC196C6B43958B3C5AC0163B9CE42947E7D7522D4873266BB8186D2EE100576058EEC920EF04E1516C5BDE6837CAC6896090593CD7E5D6BE1
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):237392
                                  Entropy (8bit):6.3464030744891975
                                  Encrypted:false
                                  SSDEEP:6144:Wk4PcUOd7ZYKsN4JR7cFnNBPHgeUe3NmC:Wk4/Od7ZYvOD7cFnNBqC
                                  MD5:6581581A1F2EDA52D49DC1FB0619FF82
                                  SHA1:C1FEE5C60F43CCFCB1D9F0A72D914446E02BB5E3
                                  SHA-256:F91D5E8CC6F208E56660292B80AC3837787100306C786B9FEBA8F0152E1EB1A5
                                  SHA-512:DACD128A9195EABD9D8980064ADAF28AC9740281D63E78B663D0CE43DD6C45FD3DF5E041C325074F89AF6CC9F8940DD5BC7A571E913BC27CF7BD696C086BE81A
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                  Process:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  File Type:PC bitmap, Windows 3.x format, 499 x 312 x 32, image size 622752, resolution 2835 x 2835 px/m, cbSize 622806, bits offset 54
                                  Category:dropped
                                  Size (bytes):622806
                                  Entropy (8bit):2.463890393534144
                                  Encrypted:false
                                  SSDEEP:12288:lzP8Kr5hkczq27KVG5P5wVVwsx33ijLXLYS+:lzP8Kr5hkczq27KVG5P5wVVwsx33ijLG
                                  MD5:4F98D754BE22A34C4C317C7F40EA954B
                                  SHA1:75CBB537AFA903997C9BF688354FB6820AF5069E
                                  SHA-256:95AA33FC5D79A3A0B48B1B3CE0050B331871FAEA65047280AC54D2E3DEC7BD49
                                  SHA-512:5C1F123BDD64A618EDD926C1FA772B10DB1DFF1935866C54CD5D29EA3A5F96229098A3C6571888243958051FA9D8386E5546F269979563C7884A054FD1FF4F95
                                  Malicious:false
                                  Process:C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe
                                  File Type:ASCII text, with CRLF, CR, LF line terminators
                                  Category:dropped
                                  Size (bytes):108
                                  Entropy (8bit):4.738975458387928
                                  Encrypted:false
                                  SSDEEP:3:l4yNQal+53+HH8wvAGlFIAKEqdyhiXpu9Bil6:lh+53+n8wvAGUAKEqdyAXpu9Bil6
                                  MD5:FA448580C46C4B2955854B6168665F77
                                  SHA1:56C2E110E52685C5A0161D74438E047711167558
                                  SHA-256:98E5BB436F6F02F151C0C15BA30A509836AA63909CB4C730C399E6BA33E7C415
                                  SHA-512:CFD10D81CC9B55789E67A9A80D1F578F36EF5AF4F02FB29703E45D6B695344E1C535576290D86348A67FB7C42612F5E999FE6772BA5F5714070E0FFB67081C88
                                  Malicious:false
                                  Preview:[Settings]...Clone_Wait=Y...CreateDebugLog=N...SuiteExecutionTimeout=60000..DebugLogName=InstallShield.log..
                                  Process:C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):3485736
                                  Entropy (8bit):7.618651309177703
                                  Encrypted:false
                                  SSDEEP:49152:3euedMsr34wuN1ddBV+1rfQ8T9H1iM8qZCAupNaMbRu7HyvKqeAZZXQkEuxQeYYS:eMI5QEHcTlpxlbO3yqxreGV
                                  MD5:C469B3646FBDDC8E03DCB9865B02E89C
                                  SHA1:46C0D0B632A9B2865CD79110F5549E3132CD313A
                                  SHA-256:C5E809AF345907819DF2CEBDA858E8C9B5614DE1F049BD347CEBB6305281790D
                                  SHA-512:42392843AF4BC024AC8F29907C32487B44F6E38D4F0C590A163F8659C3BC24A92BF740BDD055F4900FBF79197D326AD21FB5E8873309005049307752564AF439
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                  Process:C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:modified
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:false
                                  Preview:[ZoneTransfer]....ZoneId=0
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.618651309177703
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 98.81%
                                  • Windows ActiveX control (116523/4) 1.15%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:WebSigner_SuiteMSI_Barclays.exe
                                  File size:3'485'736 bytes
                                  MD5:c469b3646fbddc8e03dcb9865b02e89c
                                  SHA1:46c0d0b632a9b2865cd79110f5549e3132cd313a
                                  SHA256:c5e809af345907819df2cebda858e8c9b5614de1f049bd347cebb6305281790d
                                  SHA512:42392843af4bc024ac8f29907c32487b44f6e38d4f0c590a163f8659c3bc24a92bf740bdd055f4900fbf79197d326ad21fb5e8873309005049307752564af439
                                  SSDEEP:49152:3euedMsr34wuN1ddBV+1rfQ8T9H1iM8qZCAupNaMbRu7HyvKqeAZZXQkEuxQeYYS:eMI5QEHcTlpxlbO3yqxreGV
                                  TLSH:7AF5D031F285E52AEAB201325A7DD65A512CBC350F6190CFE3D45A1E29F19C35B32F2B
                                  Icon Hash:497971328ce1634d
                                  Entrypoint:0x49cbec
                                  Entrypoint Section:.text
                                  Digitally signed:true
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x5DFC1BBB [Fri Dec 20 00:54:19 2019 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:f989b4d9f8f6c3499d2c7b1b89767a69
                                  Signature Valid:true
                                  Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                  Signature Validation Error:The operation completed successfully
                                  Error Number:0
                                  Not Before, Not After
                                  • 17/06/2021 01:00:00 22/06/2024 00:59:59
                                  Subject Chain
                                  • E=NIS.Support@gemalto.com, CN=THALES DIS FRANCE SA, OU=BPS, O=THALES DIS FRANCE SA, L=Meudon, C=FR
                                  Version:3
                                  Thumbprint MD5:13D59590A6693D28C83B26073D425555
                                  Thumbprint SHA-1:8BD773156B284388331CD4DB74BFBADD14E586D0
                                  Thumbprint SHA-256:C2A1BF9C0F2109EECB77CD4C1812DC65438B0A3C7C51EA294A1E7B80301BC59D
                                  Serial:0E146E0631E80E5F85E2CFF9E87F433D
                                  Instruction
                                  call 00007F43C4DD3826h
                                  jmp 00007F43C4DD2D33h
                                  mov ecx, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], ecx
                                  pop ecx
                                  pop edi
                                  pop edi
                                  pop esi
                                  pop ebx
                                  mov esp, ebp
                                  pop ebp
                                  push ecx
                                  ret
                                  mov ecx, dword ptr [ebp-10h]
                                  xor ecx, ebp
                                  call 00007F43C4DD257Ah
                                  jmp 00007F43C4DD2E80h
                                  mov ecx, dword ptr [ebp-14h]
                                  xor ecx, ebp
                                  call 00007F43C4DD2569h
                                  jmp 00007F43C4DD2E6Fh
                                  push eax
                                  push dword ptr fs:[00000000h]
                                  lea eax, dword ptr [esp+0Ch]
                                  sub esp, dword ptr [esp+0Ch]
                                  push ebx
                                  push esi
                                  push edi
                                  mov dword ptr [eax], ebp
                                  mov ebp, eax
                                  mov eax, dword ptr [005210B0h]
                                  xor eax, ebp
                                  push eax
                                  push dword ptr [ebp-04h]
                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                  lea eax, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], eax
                                  ret
                                  push eax
                                  push dword ptr fs:[00000000h]
                                  lea eax, dword ptr [esp+0Ch]
                                  sub esp, dword ptr [esp+0Ch]
                                  push ebx
                                  push esi
                                  push edi
                                  mov dword ptr [eax], ebp
                                  mov ebp, eax
                                  mov eax, dword ptr [005210B0h]
                                  xor eax, ebp
                                  push eax
                                  mov dword ptr [ebp-10h], eax
                                  push dword ptr [ebp-04h]
                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                  lea eax, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], eax
                                  ret
                                  push eax
                                  push dword ptr fs:[00000000h]
                                  lea eax, dword ptr [esp+0Ch]
                                  sub esp, dword ptr [esp+0Ch]
                                  push ebx
                                  push esi
                                  push edi
                                  mov dword ptr [eax], ebp
                                  mov ebp, eax
                                  mov eax, dword ptr [005210B0h]
                                  Programming Language:
                                  • [ C ] VS2015 UPD3.1 build 24215
                                  • [C++] VS2015 UPD3.1 build 24215
                                  • [RES] VS2015 UPD3 build 24213
                                  • [LNK] VS2015 UPD3.1 build 24215
                                  | Name | Virtual Address | Virtual Size | Is in Section |
                                  | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
                                  | IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11eadc | 0xb4 | .rdata |
                                  | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12a000 | 0xb5e0 | .rsrc |
                                  | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
                                  | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x350200 | 0x2e28 | |
                                  | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x136000 | 0x10e40 | .reloc |
                                  | IMAGE_DIRECTORY_ENTRY_DEBUG | 0xf5dd0 | 0x70 | .rdata |
                                  | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
                                  | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
                                  | IMAGE_DIRECTORY_ENTRY_TLS | 0xf5e40 | 0x18 | .rdata |
                                  | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xd6f30 | 0x40 | .rdata |
                                  | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
                                  | IMAGE_DIRECTORY_ENTRY_IAT | 0xd6000 | 0x428 | .rdata |
                                  | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x11e47c | 0x160 | .rdata |
                                  | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
                                  | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
                                  | Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
                                  | .text | 0x1000 | 0xd354e | 0xd3600 | 7d293e09dd530ce1ab3194b1b139e310 | False | 0.42576854486989946 | data | 6.418801187506675 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
                                  | .orpc | 0xd5000 | 0x1a2 | 0x200 | 4664b98c4a3972bd841bf18db12ee7e1 | False | 0.51171875 | data | 4.751976711186061 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
                                  | .rdata | 0xd6000 | 0x4a0bc | 0x4a200 | ef1d4615d3babe5c2924fb3cfe1a6598 | False | 0.3147232029932546 | data | 4.470296685515313 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                  | .data | 0x121000 | 0x66fc | 0x5a00 | 31ad777bf0f5389751929649c5e24a23 | False | 0.15421006944444443 | data | 4.752972087258717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                                  | .gfids | 0x128000 | 0x134 | 0x200 | 54d065222d6adb1f68aa7bb6c76f80b5 | False | 0.380859375 | data | 2.4607224828089094 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                  | .tls | 0x129000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
                                  | .rsrc | 0x12a000 | 0xb5e0 | 0xb600 | d78213cf2ff2341670ba40b47c534cb4 | False | 0.26122510302197804 | data | 4.7072002633550625 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
                                  | .reloc | 0x136000 | 0x10e40 | 0x11000 | 9c4489d743c1bf86f85c80794335417e | False | 0.5521455652573529 | data | 6.566139626301982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
                                  | Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
                                  | TYPELIB | 0x12a260 | 0x6814 | data | English | United States | 0.35325026272331483 |
                                  | RT_ICON | 0x130a74 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.21808510638297873 |
                                  | RT_ICON | 0x130edc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.099906191369606 |
                                  | RT_ICON | 0x131f84 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.06109958506224066 |
                                  | RT_STRING | 0x13452c | 0x48 | data | English | United States | 0.6666666666666666 |
                                  | RT_GROUP_ICON | 0x134574 | 0x30 | data | English | United States | 0.8125 |
                                  | RT_VERSION | 0x1345a4 | 0x45c | data | | | 0.4211469534050179 |
                                  | RT_VERSION | 0x134a00 | 0x428 | data | English | United States | 0.40977443609022557 |
                                  | RT_MANIFEST | 0x134e28 | 0x535 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.46586646661665415 |
                                  | RT_MANIFEST | 0x135360 | 0x280 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.553125 |
                                  | DLL | Import |
                                  | KERNEL32.dll | ReadFile, LocalFree, FindClose, FindFirstFileW, QueryPerformanceFrequency, CreateEventW, SetFilePointer, SystemTimeToFileTime, FileTimeToLocalFileTime, GetVersionExW, GetTempPathW, ReleaseMutex, CreateMutexW, GetExitCodeThread, CreateNamedPipeW, GetDriveTypeW, SetEvent, EnterCriticalSection, LeaveCriticalSection, CopyFileW, GetUserDefaultLangID, OpenEventW, DeleteCriticalSection, RaiseException, DecodePointer, GetCurrentThreadId, InitializeCriticalSectionEx, HeapFree, FileTimeToSystemTime, HeapReAlloc, HeapAlloc, GetProcessHeap, CompareStringA, VirtualQuery, GetSystemInfo, IsBadReadPtr, GetFileTime, WriteFile, FlushFileBuffers, GetUserDefaultLCID, GetSystemDefaultLCID, GetSystemDefaultUILanguage, GetACP, GetSystemDefaultLangID, LoadLibraryW, GetFileAttributesW, GetModuleHandleExW, ConnectNamedPipe, GetCurrentProcessId, GetStringTypeW, GetStdHandle, FreeLibrary, GetEnvironmentVariableW, ResumeThread, SetThreadContext, FlushInstructionCache, WriteProcessMemory, VirtualProtectEx, GetThreadContext, MoveFileExW, TerminateProcess, GetCurrentProcess, DuplicateHandle, ExitProcess, WaitForSingleObject, CreateProcessW, GetWindowsDirectoryW, SetCurrentDirectoryW, GetSystemDirectoryW, GetModuleFileNameW, RemoveDirectoryW, Sleep, DeleteFileW, CloseHandle, UnmapViewOfFile, WideCharToMultiByte, MapViewOfFile, CreateFileMappingW, GetFileSize, CreateFileW, lstrlenA, FormatMessageW, GetModuleHandleW, MultiByteToWideChar, SetLastError, GetLastError, LoadLibraryA, GetSystemDirectoryA, GetProcAddress, HeapSize, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, VirtualAlloc, FreeLibraryAndExitThread, ExitThread, CreateThread, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlUnwind, EncodePointer, InitializeSListHead, GetSystemTimeAsFileTime, GetStartupInfoW, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, WaitForSingleObjectEx, LocalAlloc, GetCurrentThread, QueryPerformanceCounter, lstrlenW, lstrcatW, lstrcpyW, lstrcpynW, lstrcmpiW, GetTickCount, ResetEvent, SetStdHandle, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, FindNextFileW, FindFirstFileExW, GetOEMCP, IsValidCodePage, GetCPInfo, LCMapStringW, VirtualProtect, LoadLibraryExA, IsDebuggerPresent, OutputDebugStringW, InitializeCriticalSectionAndSpinCount, GetTimeFormatW, GetDateFormatW, InterlockedDecrement, GetVersion, GetProcessTimes, OpenProcess, GetExitCodeProcess, SetFileTime, CompareFileTime, LoadLibraryExW, GetTempFileNameW, GetFileType |
                                  | USER32.dll | CharUpperW, wsprintfW, GetDesktopWindow, PostThreadMessageW, DispatchMessageA, DispatchMessageW, TranslateMessage, GetMessageA, GetMessageW, IsWindowUnicode, PeekMessageW, MsgWaitForMultipleObjectsEx, MessageBoxW, GetGUIThreadInfo, WaitForInputIdle, ExitWindowsEx, CharLowerW, MsgWaitForMultipleObjects |
                                  | ADVAPI32.dll | LookupPrivilegeValueW, OpenProcessToken, AdjustTokenPrivileges, AllocateAndInitializeSid, FreeSid, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, RegOverridePredefKey, RegEnumValueW, SetEntriesInAclW, OpenThreadToken, GetTokenInformation, EqualSid, RegDeleteValueW, RegQueryInfoKeyW, RegEnumKeyExW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, RegOpenKeyW |
                                  | SHELL32.dll | SHGetSpecialFolderPathW, SHGetFolderPathW, ShellExecuteExW |
                                  | ole32.dll | CoMarshalInterThreadInterfaceInStream, CoInitializeEx, CoUninitialize, CoRegisterPSClsid, CoRegisterClassObject, CoRevokeClassObject, CoGetInterfaceAndReleaseStream, CLSIDFromProgID, CoAddRefServerProcess, CoMarshalInterface, CreateStreamOnHGlobal, CoUnmarshalInterface, CoCreateInstance, CoReleaseMarshalData, CoCreateGuid, CoReleaseServerProcess |
                                  | OLEAUT32.dll | SafeArrayCreate, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetDim, SafeArrayDestroy, SafeArrayGetElement, SafeArrayPutElement, VariantTimeToSystemTime, VariantChangeTypeEx, GetErrorInfo, LoadTypeLib, LoadRegTypeLib, VarBstrCat, SysAllocStringByteLen, SysStringByteLen, SystemTimeToVariantTime, VariantChangeType, BSTR_UserMarshal, VARIANT_UserMarshal, BSTR_UserUnmarshal, VARIANT_UserSize, VARIANT_UserUnmarshal, VARIANT_UserFree, BSTR_UserFree, BSTR_UserSize, SysAllocString, VariantCopy, VariantClear, VariantInit, SysStringLen, SysReAllocStringLen, SysAllocStringLen, SysFreeString, RegisterTypeLib, UnRegisterTypeLib |
                                  | SHLWAPI.dll | SHCreateStreamOnFileW, PathFileExistsW |
                                  | RPCRT4.dll | UuidToStringW, UuidCreate, RpcStringFreeW, IUnknown_QueryInterface_Proxy, NdrDllGetClassObject, NdrOleAllocate, IUnknown_Release_Proxy, NdrOleFree, NdrCStdStubBuffer2_Release, IUnknown_AddRef_Proxy, NdrStubCall2, NdrStubForwardingFunction |
                                  Language of compilation system:English
                                  Country where language is spoken:United States
                                  No network behavior found


                                  Target ID:0
                                  Start time:12:56:01
                                  Start date:19/04/2024
                                  Path:C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe"
                                  Imagebase:0xeb0000
                                  File size:3'485'736 bytes
                                  MD5 hash:C469B3646FBDDC8E03DCB9865B02E89C
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:false

                                  Target ID:1
                                  Start time:12:56:01
                                  Start date:19/04/2024
                                  Path:C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe" -IS_temp ORIGINALSETUPEXEDIR="C:\Users\user\Desktop" ORIGINALSETUPEXENAME="WebSigner_SuiteMSI_Barclays.exe"
                                  Imagebase:0x470000
                                  File size:3'485'736 bytes
                                  MD5 hash:C469B3646FBDDC8E03DCB9865B02E89C
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 0%, ReversingLabs
                                  • Detection: 0%, Virustotal, Browse
                                  Reputation:low
                                  Has exited:false

                                  Target ID:2
                                  Start time:12:56:02
                                  Start date:19/04/2024
                                  Path:C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe" -embedded:EEFDEB78-A81F-4EAC-839B-C4BCB6470B9F -IS_temp
                                  Imagebase:0x7ff6237b0000
                                  File size:286'720 bytes
                                  MD5 hash:7686C19501FFA9DA709A98AF94C0C844
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Antivirus matches:
                                  • Detection: 0%, ReversingLabs
                                  • Detection: 0%, Virustotal, Browse
                                  Reputation:low
                                  Has exited:false


                                    Execution Graph

                                    Execution Coverage:2.8%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:18.2%
                                    Total number of Nodes:1695
                                    Total number of Limit Nodes:22
66899 ee7ae6 66898->66899 66900 ee7aea 66899->66900 66901 ee7af7 CloseHandle CloseHandle 66899->66901 66902 eb4be0 std::generic_category 4 API calls 66900->66902 67954 edb790 36 API calls 2 library calls 66901->67954 66902->66869 66904 ee7b22 66905 eb4be0 std::generic_category 4 API calls 66904->66905 66906 ee7b31 DeleteFileW RemoveDirectoryW 66905->66906 66906->66900 66908 f417dd __EH_prolog3_GS 66907->66908 66909 f41832 66908->66909 67996 edb530 54 API calls 66908->67996 66910 eb6f90 2 API calls 66909->66910 66912 f41854 66910->66912 67985 f42749 66912->67985 66913 f417f0 66913->66909 66914 f417f4 66913->66914 66916 eb6f90 2 API calls 66914->66916 66918 f41819 66916->66918 66917 f41859 66919 f41879 GetLastError 66917->66919 66923 f4181e 66917->66923 67997 f419c3 105 API calls 3 library calls 66918->67997 66921 f419b3 66919->66921 66922 f4188a 66919->66922 66924 eb4be0 std::generic_category 4 API calls 66921->66924 66922->66921 66925 f41967 66922->66925 66926 f4189c 66922->66926 66927 eb4be0 std::generic_category 4 API calls 66923->66927 66928 f4182b 66924->66928 66925->66923 66929 f41971 66925->66929 67998 f40502 GetLastError SetLastError 66926->67998 66927->66928 66933 f4cc0b 5 API calls 66928->66933 66931 eb6f90 2 API calls 66929->66931 66934 f4198c 66931->66934 66932 f418a7 66935 eb6f90 2 API calls 66932->66935 66936 f419c2 66933->66936 68000 ebf0f0 24 API calls new 66934->68000 66938 f418db 66935->66938 66936->66091 67999 f424d4 69 API calls 2 library calls 66938->67999 66939 f419a2 68001 f4e44a RaiseException 66939->68001 66942 f418e0 66943 f4193e GetLastError 66942->66943 66948 f418ea 66942->66948 66944 f41951 66943->66944 66945 eb4be0 std::generic_category 4 API calls 66944->66945 66946 f4195c 66945->66946 66947 eb4be0 std::generic_category 4 API calls 66946->66947 66947->66925 66949 eb4be0 std::generic_category 4 API calls 66948->66949 66950 f4192e 66949->66950 66951 eb4be0 std::generic_category 4 API calls 66950->66951 66952 f41939 66951->66952 
66952->66923 66953->66105 66954->66114 66955->66129 66956->66357 66957->66137 66958->66170 66959->66192 66960->66266 66961->66244 66962->66263 66963->66195 66964->66206 66965->66219 66966->66235 66967->66306 66968->66300 66969->66274 66970->66290 68004 f4c2fb 66971->68004 66977->66282 66978->66318 66979->66321 66980->66190 66981->66214 66982->66240 66983->66257 66984->66271 66985->66248 66986->66264 66987->66272 66988->66254 66989->66302 66990->66308 66991->66317 66992->66323 66993->66332 66994->66339 66995->66345 66996->66334 66997->66334 66998->66341 66999->66201 67001 f43660 __EH_prolog3_GS 67000->67001 67002 f436b3 67001->67002 67004 eb9e40 30 API calls 67001->67004 67003 eb9260 36 API calls 67002->67003 67005 f436bf 67003->67005 67006 f4368c 67004->67006 68005 f43e17 67005->68005 67008 eb3ed0 32 API calls 67006->67008 67010 f4369b GetTempPathW 67008->67010 67009 f436c4 67011 eb4a50 2 API calls 67009->67011 67012 eb9d60 66 API calls 67010->67012 67028 f436e6 67011->67028 67012->67002 67013 f430d2 76 API calls 67013->67028 67014 eb9e40 30 API calls 67014->67028 67015 ebc4e0 38 API calls 67015->67028 67016 eb3ed0 32 API calls 67017 f437a2 GetTempFileNameW 67016->67017 67019 eb9d60 66 API calls 67017->67019 67018 ebc740 13 API calls 67018->67028 67019->67028 67020 f437cf DeleteFileW 67020->67028 67021 eb8b00 38 API calls 67021->67028 67022 eb4150 32 API calls 67022->67028 67024 eb4be0 GetLastError SysFreeString SysFreeString SetLastError std::generic_category 67024->67028 67026 eb9260 36 API calls 67026->67028 67027 eb6f90 GetLastError SetLastError 67027->67028 67028->67013 67028->67014 67028->67015 67028->67016 67028->67018 67028->67020 67028->67021 67028->67022 67028->67024 67028->67026 67028->67027 67029 f417ce 130 API calls 67028->67029 67030 f438ff 67028->67030 67031 f438e8 67028->67031 68013 eb90a0 48 API calls 67028->68013 68014 f44224 63 API calls 2 library calls 67028->68014 67029->67028 67032 f4392b 67030->67032 67034 eb6f90 2 API calls 67030->67034 
67033 eb4240 32 API calls 67031->67033 67035 eb6f90 2 API calls 67032->67035 67036 f438fd 67033->67036 67037 f43926 67034->67037 67035->67036 67039 eb4be0 std::generic_category 4 API calls 67036->67039 67038 f43e17 70 API calls 67037->67038 67038->67032 67040 f43950 67039->67040 67041 eb4be0 std::generic_category 4 API calls 67040->67041 67042 f43958 67041->67042 67043 eb4be0 std::generic_category 4 API calls 67042->67043 67044 f43960 67043->67044 67045 f4cc0b 5 API calls 67044->67045 67046 ee8d46 67045->67046 67046->66596 67047->66156 67048->66161 67049->66168 67050->66178 67051->66210 67054 eb43b0 SysAllocStringLen 67052->67054 67056 eb4433 67054->67056 67055 eb445e SysFreeString 67057 eb4466 67055->67057 67056->67055 67056->67057 67057->66458 67060 ec768d ___scrt_get_show_window_mode 67059->67060 67061 ec7232 67059->67061 67060->67061 67064 ee62a0 30 API calls 67060->67064 67061->66474 67063->66472 67064->67060 67066 eb785e 67065->67066 67070 f52539 67066->67070 67069->66488 67071 f5254d 67070->67071 67072 f525d9 67070->67072 67077 eb7885 67071->67077 67078 f55123 20 API calls _abort 67071->67078 67080 f525f1 44 API calls 3 library calls 67072->67080 67075 f52564 67079 f523f7 26 API calls _abort 67075->67079 67077->66482 67078->67075 67079->67077 67080->67077 67081->66491 67082->66498 67083->66508 67124 f4c636 67084->67124 67143 eeed70 CreateFileW 67087->67143 67090 eeefef 67092 eef035 FindCloseChangeNotification 67090->67092 67093 eef03f 67090->67093 67092->67093 67094 eef058 CreateFileW 67093->67094 67095 eef04e CloseHandle 67093->67095 67094->66518 67094->66519 67095->67094 67179 eb3a20 67096->67179 67101 eef61f 67103 eb4810 std::generic_category 4 API calls 67101->67103 67102 ef0a80 64 API calls 67102->67101 67104 eef659 67103->67104 67105 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67104->67105 67106 eef28b 67105->67106 67106->66528 67106->66530 67118 eefcdb 67107->67118 67122 eefde0 67107->67122 67108 f4c2ea 
__ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67109 eefdfb 67108->67109 67109->66519 67110 f4c636 new 22 API calls 67110->67118 67112 eefd01 SetFilePointer 67252 eeff50 67112->67252 67115 eb6f90 2 API calls 67115->67118 67118->67110 67118->67115 67119 eb4be0 std::generic_category 4 API calls 67118->67119 67120 eb4be0 std::generic_category 4 API calls 67118->67120 67118->67122 67251 eefe70 GetLastError SetLastError 67118->67251 67282 ef0d30 67118->67282 67285 ef0b30 67118->67285 67290 ef0bf0 67118->67290 67119->67118 67121 eefdad SetFilePointer GetLastError 67120->67121 67121->67118 67122->67108 67123->66534 67128 f4c63b 67124->67128 67126 edf6b2 67126->66513 67128->67126 67131 f555eb 67128->67131 67138 f55990 7 API calls 2 library calls 67128->67138 67139 f4d3ab RaiseException __CxxThrowException@8 new 67128->67139 67140 f4d38e RaiseException Concurrency::cancel_current_task __CxxThrowException@8 67128->67140 67136 f56b68 CallUnexpected 67131->67136 67132 f56ba6 67142 f55123 20 API calls _abort 67132->67142 67134 f56b91 RtlAllocateHeap 67135 f56ba4 67134->67135 67134->67136 67135->67128 67136->67132 67136->67134 67141 f55990 7 API calls 2 library calls 67136->67141 67138->67128 67141->67136 67142->67135 67144 eeedde CreateFileMappingW 67143->67144 67145 eeedd0 67143->67145 67146 eeef0f GetLastError 67144->67146 67147 eeedfa GetSystemInfo MapViewOfFile 67144->67147 67145->67144 67145->67146 67154 eeeec4 67146->67154 67147->67146 67148 eeee2a 67147->67148 67149 eeee3d IsBadReadPtr 67148->67149 67148->67154 67151 eeee55 67149->67151 67149->67154 67150 eeef4f 67153 eeef68 67150->67153 67155 eeef5e CloseHandle 67150->67155 67151->67154 67156 eeee6b UnmapViewOfFile MapViewOfFile 67151->67156 67152 eeef45 CloseHandle 67152->67150 67153->67090 67160 eeece0 67153->67160 67154->67150 67154->67152 67155->67153 67157 eeee8b 67156->67157 67158 eeee98 67157->67158 67159 eeeea1 IsBadReadPtr 67157->67159 67158->67154 67159->67154 67159->67158 67161 eeed0f 
67160->67161 67164 eeeb40 67161->67164 67165 eeeb8c VirtualQuery 67164->67165 67168 eeec7e 67164->67168 67174 eeeae0 67165->67174 67167 eeebb0 67169 eeeae0 CompareStringA 67167->67169 67171 eeebbc 67167->67171 67168->67090 67170 eeebdb 67169->67170 67170->67171 67173 eeeae0 CompareStringA 67170->67173 67171->67168 67172 eeec4b GetSystemInfo MapViewOfFile 67171->67172 67172->67168 67173->67171 67175 eeeb27 67174->67175 67177 eeeafe 67174->67177 67175->67167 67176 eeeb00 CompareStringA 67176->67177 67178 eeeb30 67176->67178 67177->67175 67177->67176 67178->67167 67180 eb3a72 GetLastError SetLastError 67179->67180 67181 eb3a65 67179->67181 67195 eb3970 67180->67195 67181->67180 67183 eb3ae1 67184 eb4810 std::generic_category 4 API calls 67183->67184 67185 eb3b23 SetLastError 67184->67185 67186 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67185->67186 67187 eb3b52 67186->67187 67188 ef0a80 67187->67188 67238 eb3b60 67188->67238 67190 ef0ac4 67191 eb4810 std::generic_category 4 API calls 67190->67191 67192 ef0b09 67191->67192 67193 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67192->67193 67194 eef61b 67193->67194 67194->67101 67194->67102 67206 eb48d0 GetLastError SetLastError 67195->67206 67197 eb39b5 67207 eb3760 67197->67207 67201 eb39e9 67202 eb4810 std::generic_category 4 API calls 67201->67202 67203 eb3a03 67202->67203 67204 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67203->67204 67205 eb3a1c 67204->67205 67205->67183 67206->67197 67208 eb37a9 67207->67208 67209 eb383e 67207->67209 67208->67209 67210 eb37b5 MultiByteToWideChar 67208->67210 67211 eb386d 67209->67211 67212 eb38f4 67209->67212 67234 f4c300 67210->67234 67235 f51fd9 20 API calls __dosmaperr 67211->67235 67237 eb3690 32 API calls 67212->67237 67216 eb3920 67220 eb4810 std::generic_category 4 API calls 67216->67220 67228 eb3825 std::generic_category 67220->67228 67221 eb388a 67236 eb3690 32 API calls 
67221->67236 67224 eb38b9 67227 eb4810 std::generic_category 4 API calls 67224->67227 67225 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67226 eb3964 67225->67226 67229 eb4610 67226->67229 67227->67228 67228->67225 67230 eb464d GetLastError 67229->67230 67231 eb4640 67229->67231 67232 eb44f0 67230->67232 67231->67230 67233 eb468d SetLastError 67232->67233 67233->67201 67235->67221 67236->67224 67237->67216 67239 eb3bb2 GetLastError SetLastError 67238->67239 67240 eb3ba5 67238->67240 67241 eb3c0c 67239->67241 67242 eb3c12 67239->67242 67240->67239 67250 f51fa9 43 API calls 67241->67250 67244 eb3a20 45 API calls 67242->67244 67245 eb3c28 67244->67245 67246 eb4810 std::generic_category 4 API calls 67245->67246 67247 eb3c67 67246->67247 67248 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67247->67248 67249 eb3c88 67248->67249 67249->67190 67250->67242 67251->67112 67253 eeff8f ___scrt_get_show_window_mode 67252->67253 67254 ef0073 67252->67254 67258 eeffa2 ReadFile 67253->67258 67255 ef007c ReadFile 67254->67255 67256 ef01e9 ___scrt_get_show_window_mode 67254->67256 67257 eeffcf GetLastError 67255->67257 67264 ef00c8 ___scrt_get_show_window_mode 67255->67264 67260 ef01f9 ReadFile 67256->67260 67274 ef0158 std::generic_category 67257->67274 67258->67257 67259 eeffda 67258->67259 67259->67274 67302 eb9c30 64 API calls 2 library calls 67259->67302 67260->67257 67262 ef0227 67260->67262 67261 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67263 ef0375 67261->67263 67269 ef0234 ___scrt_get_show_window_mode 67262->67269 67262->67274 67263->67118 67267 ef012a ReadFile 67264->67267 67264->67274 67266 ef0002 67268 eb4be0 std::generic_category 4 API calls 67266->67268 67270 ef0148 GetLastError 67267->67270 67271 ef0162 67267->67271 67272 ef002c std::generic_category 67268->67272 67273 ef02bf ReadFile 67269->67273 67270->67274 67271->67274 67303 eb6ec0 67271->67303 67272->67274 
67273->67270 67276 ef02e1 67273->67276 67274->67261 67276->67274 67278 eb6ec0 32 API calls 67276->67278 67277 ef01b2 67280 eb4be0 std::generic_category 4 API calls 67277->67280 67279 ef0320 67278->67279 67281 eb4be0 std::generic_category 4 API calls 67279->67281 67280->67272 67281->67272 67283 eb6f90 2 API calls 67282->67283 67284 ef0d75 67283->67284 67284->67118 67308 ee2b70 67285->67308 67288 ef0ba0 67288->67118 67289 eb6f90 2 API calls 67289->67288 67291 ef0c37 67290->67291 67292 ef0c71 67291->67292 67293 edc9b0 44 API calls 67291->67293 67295 ef0c83 67292->67295 67312 edc9b0 44 API calls 67292->67312 67293->67291 67311 eee410 32 API calls 2 library calls 67295->67311 67296 ef0cc7 67296->67295 67297 ef0cd8 67296->67297 67313 eee3b0 GetLastError SysFreeString SysFreeString SetLastError std::generic_category 67297->67313 67300 ef0c93 67300->67118 67301 ef0cdd 67301->67118 67302->67266 67304 eb6efd GetLastError 67303->67304 67305 eb6ef0 67303->67305 67306 eb4000 30 API calls 67304->67306 67305->67304 67307 eb6f3e SetLastError 67306->67307 67307->67277 67309 f4c636 new 22 API calls 67308->67309 67310 ee2ba4 67309->67310 67310->67288 67310->67289 67311->67300 67312->67296 67313->67301 67314->66542 67316 f49e2e GetLastError 67315->67316 67317 f49e69 GetTokenInformation 67315->67317 67318 f49e37 GetCurrentProcess OpenProcessToken GetLastError 67316->67318 67319 f49e4c 67316->67319 67320 f49e81 67317->67320 67321 f49e8f GetLastError 67317->67321 67318->67319 67319->67317 67324 f49e51 67319->67324 67340 f49f51 FindCloseChangeNotification 67320->67340 67321->67320 67323 f49e96 67321->67323 67325 f4c636 new 22 API calls 67323->67325 67339 f49f51 FindCloseChangeNotification 67324->67339 67326 f49e9e GetTokenInformation 67325->67326 67328 f49eb4 67326->67328 67329 f49eb7 AllocateAndInitializeSid 67326->67329 67338 f49f51 FindCloseChangeNotification 67328->67338 67329->67328 67337 f49ee2 67329->67337 67330 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API 
calls 67333 f49df0 67330->67333 67332 f49f1c FreeSid 67332->67328 67333->66054 67334 f49e5b std::generic_category 67334->67330 67335 f49eee EqualSid 67336 f49f05 67335->67336 67335->67337 67336->67332 67337->67332 67337->67335 67337->67336 67338->67334 67339->67334 67340->67334 67341->66548 67343 eb4a8d GetLastError SetLastError 67342->67343 67344 eb4a80 67342->67344 67343->66563 67344->67343 67380 f43034 67345->67380 67348 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67349 f4311a 67348->67349 67349->66574 67351 eb3d70 30 API calls 67350->67351 67352 eb33cf 67351->67352 67352->66580 67401 f4cc2d 67353->67401 67355 f415d4 GetModuleHandleW GetProcAddress 67356 f415f9 CreateDirectoryW 67355->67356 67357 f4160a GetModuleHandleW GetProcAddress 67355->67357 67358 f4162f 67356->67358 67357->67358 67359 f41623 67357->67359 67360 eb4be0 std::generic_category 4 API calls 67358->67360 67402 eb8380 27 API calls std::generic_category 67359->67402 67362 f41639 67360->67362 67362->66589 67363 f4162b 67363->67358 67365 eb426f 67364->67365 67366 eb4150 32 API calls 67365->67366 67367 eb4296 67366->67367 67367->66554 67403 eb91c0 67368->67403 67371 eb4be0 std::generic_category 4 API calls 67372 eb92b3 67371->67372 67373 eb6f90 2 API calls 67372->67373 67374 eb92ca 67373->67374 67375 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67374->67375 67376 eb92f1 67375->67376 67376->66594 67378 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67377->67378 67379 f4cc16 67378->67379 67379->67379 67381 f43040 __EH_prolog3_GS 67380->67381 67382 eb4a50 2 API calls 67381->67382 67383 f4306f UuidToStringW 67382->67383 67384 f4309e 67383->67384 67393 f4540d 67384->67393 67386 f430a6 RpcStringFreeW 67387 eb6f90 2 API calls 67386->67387 67388 f430c2 67387->67388 67389 eb4be0 std::generic_category 4 API calls 67388->67389 67390 f430ca 67389->67390 67391 f4cc0b 5 API calls 67390->67391 67392 f430d1 67391->67392 
67392->67348 67394 f45419 __EH_prolog3 67393->67394 67395 eb9e40 30 API calls 67394->67395 67396 f45425 67395->67396 67397 eb3ed0 32 API calls 67396->67397 67398 f45434 CharUpperW 67397->67398 67399 eb9d60 66 API calls 67398->67399 67400 f45444 67399->67400 67400->67386 67401->67355 67402->67363 67404 eb91fb 67403->67404 67406 eb9220 67404->67406 67409 eb34c0 30 API calls std::_Xinvalid_argument 67404->67409 67407 eb6f90 2 API calls 67406->67407 67408 eb923a 67407->67408 67408->67371 67409->67406 67411 eb8d82 67410->67411 67415 eb8d7b 67410->67415 67412 eb4be0 std::generic_category 4 API calls 67411->67412 67413 eb8e03 67412->67413 67414 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67413->67414 67416 eb8b8c 67414->67416 67415->67411 67417 eb8e21 67415->67417 67418 eb8dd5 67415->67418 67416->66614 67419 eb8e25 67417->67419 67420 eb8de4 67417->67420 67418->67420 67428 eb34c0 30 API calls std::_Xinvalid_argument 67418->67428 67429 eb7ee0 67419->67429 67423 eb3d70 30 API calls 67420->67423 67423->67411 67425 eb3d70 30 API calls 67426 eb8e51 67425->67426 67427 eb4be0 std::generic_category 4 API calls 67426->67427 67427->67411 67428->67420 67432 eb7e10 67429->67432 67431 eb7f31 67431->67425 67433 eb7e4d GetLastError 67432->67433 67434 eb7e40 67432->67434 67435 eb44f0 67433->67435 67434->67433 67436 eb7e90 SetLastError 67435->67436 67436->67431 67438->66630 67440 eef97f CreateFileW 67439->67440 67441 eef97d 67439->67441 67442 eef9b0 67440->67442 67443 eef9a0 GetLastError 67440->67443 67441->67440 67446 eef9c0 ReadFile 67442->67446 67444 eefaf9 67443->67444 67445 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67444->67445 67447 eef87d 67445->67447 67448 eefae5 FlushFileBuffers CloseHandle 67446->67448 67454 eef9e6 std::generic_category 67446->67454 67447->66646 67448->67444 67449 eefa7b WriteFile 67449->67454 67450 ef0d30 2 API calls 67450->67454 67451 eefab8 ReadFile 67452 eefadc 67451->67452 67451->67454 
67452->67448 67454->67448 67454->67449 67454->67450 67454->67451 67454->67452 67456 eb4be0 std::generic_category 4 API calls 67454->67456 67462 eb82e0 27 API calls 67454->67462 67463 eb81a0 lstrlenA lstrlenA std::generic_category 67454->67463 67456->67454 67464 f39e70 67457->67464 67460->66654 67461->66659 67462->67454 67463->67454 67465 f39e8b 67464->67465 67483 f3a280 67465->67483 67467 f39ee5 67468 f39efb CreateFileW 67467->67468 67482 f3a044 67467->67482 67469 f3a090 GetLastError 67468->67469 67479 f39f25 67468->67479 67469->67482 67470 f3a0ba 67471 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67470->67471 67473 eefb7f 67471->67473 67472 f3a0ad FindCloseChangeNotification 67472->67470 67473->66646 67475 f3a085 67475->67469 67476 f3a00e 67477 f3a019 FlushFileBuffers 67476->67477 67478 f3a02b SetFileTime 67477->67478 67477->67482 67478->67482 67479->67475 67479->67476 67480 f39fba WriteFile 67479->67480 67479->67482 67488 eefb90 67479->67488 67480->67479 67481 f3a05e GetLastError 67480->67481 67481->67482 67482->67470 67482->67472 67484 f3a287 67483->67484 67485 f3a28c 67483->67485 67484->67467 67497 f3cd40 67485->67497 67486 f3a2c4 67486->67467 67489 eefbac ___scrt_get_show_window_mode 67488->67489 67490 eefb9c SetLastError 67488->67490 67491 eefbbe ReadFile 67489->67491 67490->67479 67492 eefc5f 67491->67492 67493 eefbe0 67491->67493 67492->67479 67493->67492 67500 ef0380 29 API calls 2 library calls 67493->67500 67495 eefbf8 67495->67492 67501 eb81a0 lstrlenA lstrlenA std::generic_category 67495->67501 67498 f555eb new 21 API calls 67497->67498 67499 f3cd50 67498->67499 67499->67486 67500->67495 67501->67495 67503 f477dd __EH_prolog3 67502->67503 67556 f476c5 67503->67556 67505 f477ed 67506 eb4a50 2 API calls 67505->67506 67507 f47812 67506->67507 67508 eb4240 32 API calls 67507->67508 67509 f4782d 67508->67509 67510 eb4240 32 API calls 67509->67510 67511 f47860 67510->67511 67511->66669 67513 eb67e9 67512->67513 67514 eb6ec0 32 
API calls 67513->67514 67515 eb6814 67514->67515 67516 f48d2b 67515->67516 67517 f48d3a __EH_prolog3_GS 67516->67517 67577 f47f49 67517->67577 67521 f48d61 67522 eb6f90 2 API calls 67521->67522 67523 f48dd7 67522->67523 67583 f4889e 67523->67583 67526 f49068 67616 eb8be0 30 API calls std::generic_category 67526->67616 67527 eb4a50 2 API calls 67549 f48e07 67527->67549 67529 f49073 67530 eb4be0 std::generic_category 4 API calls 67529->67530 67531 f4907b 67530->67531 67533 eb4be0 std::generic_category 4 API calls 67531->67533 67532 f49055 67535 eb4be0 std::generic_category 4 API calls 67532->67535 67534 f49083 67533->67534 67536 f4cc0b 5 API calls 67534->67536 67535->67526 67538 ee6d3d 67536->67538 67538->66679 67538->66713 67539 eb7d20 44 API calls 67539->67549 67540 eb7e10 2 API calls 67540->67549 67544 eb7ee0 GetLastError SetLastError 67544->67549 67549->67532 67549->67539 67549->67540 67549->67544 67550 eb4be0 GetLastError SysFreeString SysFreeString SetLastError std::generic_category 67549->67550 67551 f4b622 30 API calls 67549->67551 67608 eb8f10 29 API calls 67549->67608 67609 f48b21 44 API calls 67549->67609 67610 f4b5ec 22 API calls 67549->67610 67611 f475f8 30 API calls 67549->67611 67612 f48cae 52 API calls 67549->67612 67613 f4aa8a GetLastError SetLastError 67549->67613 67614 f475db GetLastError SetLastError 67549->67614 67615 f48c31 52 API calls 67549->67615 67550->67549 67551->67549 67552->66687 67553->66697 67554->66705 67555->66666 67557 f476d1 __EH_prolog3 67556->67557 67560 f47b72 67557->67560 67559 f476f5 67559->67505 67563 eb6e60 67560->67563 67562 f47b7d 67562->67559 67564 eb6e6a 67563->67564 67566 eb6e6e 67563->67566 67564->67562 67565 f4d38e Concurrency::cancel_current_task 67576 f4e44a RaiseException 67565->67576 67566->67565 67567 eb6eb1 67566->67567 67568 eb6e90 67566->67568 67569 f4c636 new 22 API calls 67567->67569 67568->67565 67571 eb6e9b 67568->67571 67572 eb6eb7 67569->67572 67574 f4c636 new 22 API calls 67571->67574 67572->67562 67573 
f4d3aa 67575 eb6ea1 67574->67575 67575->67562 67576->67573 67617 f4696c 67577->67617 67580 f47ee0 67622 f47bf5 67580->67622 67584 f488aa __EH_prolog3_GS 67583->67584 67585 eb4a50 2 API calls 67584->67585 67586 f488d6 67585->67586 67587 eb6f90 2 API calls 67586->67587 67588 f488ff 67587->67588 67629 ebfdf0 67588->67629 67590 f489bc 67591 eb4be0 std::generic_category 4 API calls 67590->67591 67592 f489c4 67591->67592 67594 eb4be0 std::generic_category 4 API calls 67592->67594 67595 f489cc 67594->67595 67596 f4cc0b 5 API calls 67595->67596 67598 f489d4 67596->67598 67597 eb7ee0 2 API calls 67604 f48904 67597->67604 67598->67526 67598->67527 67600 eb4be0 std::generic_category 4 API calls 67600->67604 67601 f4897a 67601->67590 67602 eb7ee0 2 API calls 67601->67602 67603 f489a7 67602->67603 67652 ebbf50 34 API calls 67603->67652 67604->67590 67604->67597 67604->67600 67604->67601 67650 ebbf50 34 API calls 67604->67650 67651 f3fc63 44 API calls 67604->67651 67606 f489b4 67607 eb4be0 std::generic_category 4 API calls 67606->67607 67607->67590 67608->67549 67609->67549 67610->67549 67611->67549 67612->67549 67613->67549 67614->67549 67615->67549 67616->67529 67620 f46975 67617->67620 67618 f46986 67618->67580 67620->67618 67621 f47b46 30 API calls std::generic_category 67620->67621 67621->67620 67623 f47c31 67622->67623 67626 f47c08 67622->67626 67623->67521 67624 f47bf5 30 API calls 67624->67626 67625 eb4be0 std::generic_category 4 API calls 67625->67626 67626->67623 67626->67624 67626->67625 67628 eb6e00 26 API calls 2 library calls 67626->67628 67628->67626 67653 ec1460 GetLastError SetLastError 67629->67653 67631 ebfe54 67632 f4c636 new 22 API calls 67631->67632 67633 ebfe5f 67632->67633 67634 eb6f90 2 API calls 67633->67634 67635 ebfea3 67634->67635 67654 ebf630 67635->67654 67637 ebfec8 67638 eb4be0 std::generic_category 4 API calls 67637->67638 67639 ebfed9 67638->67639 67640 ebff17 67639->67640 67691 ebfd00 62 API calls std::generic_category 67639->67691 67677 
ebf940 67640->67677 67644 eb4be0 std::generic_category 4 API calls 67645 ebff5a 67644->67645 67646 eb4be0 std::generic_category 4 API calls 67645->67646 67647 ebff69 67646->67647 67648 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67647->67648 67649 ebff83 67648->67649 67649->67604 67650->67604 67651->67604 67652->67606 67653->67631 67655 ebf940 28 API calls 67654->67655 67656 ebf65c 67655->67656 67657 f4c636 new 22 API calls 67656->67657 67658 ebf663 67657->67658 67659 f52539 44 API calls 67658->67659 67663 ebf6a8 67659->67663 67660 ebf70f 67661 f4c636 new 22 API calls 67660->67661 67662 ebf719 67661->67662 67715 ec1300 30 API calls new 67662->67715 67663->67660 67665 f52539 44 API calls 67663->67665 67667 ebf6c8 67665->67667 67666 ebf73f 67716 f45d6d 33 API calls 2 library calls 67666->67716 67667->67660 67668 ebf6cf 67667->67668 67692 f41641 GetModuleHandleW GetProcAddress 67668->67692 67671 ebf76a 67673 ebf6f9 67671->67673 67674 ebf76e GetLastError 67671->67674 67673->67637 67674->67637 67675 ebf6f2 67700 ec00d0 67675->67700 67678 ebf9ee 67677->67678 67681 ebf975 std::generic_category 67677->67681 67679 f4c2ea __ehhandler$??_EGlobalCore@details@Concurrency@@QAEPAXI@Z 5 API calls 67678->67679 67680 ebfa19 67679->67680 67680->67644 67681->67678 67682 ebf997 67681->67682 67794 ec0ce0 ResetEvent InterlockedDecrement 67681->67794 67682->67678 67684 ebf99f FindCloseChangeNotification 67682->67684 67684->67678 67685 ebf9aa 67684->67685 67686 eb6f90 2 API calls 67685->67686 67687 ebf9c5 67686->67687 67795 ebf010 25 API calls new 67687->67795 67689 ebf9dd 67796 f4e44a RaiseException 67689->67796 67691->67640 67693 f41664 CreateFileW 67692->67693 67694 f41689 GetModuleHandleW GetProcAddress 67692->67694 67698 ebf6e7 67693->67698 67696 f416a6 67694->67696 67697 f4169e 67694->67697 67696->67698 67717 eb8380 27 API calls std::generic_category 67697->67717 67698->67674 67698->67675 67718 ebfa20 67700->67718 67703 ebfa20 27 API calls 67705 
                                    APIs
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,SetDefaultDllDirectories,00000000,00000001,00000001,00000000,00000001,00000001,00F8B388,00F8B386,33A37B94), ref: 00EE82CC
                                    • GetProcAddress.KERNEL32(00000000), ref: 00EE82D3
                                    • CoInitializeEx.OLE32(00000000,00000002), ref: 00EE82E8
                                    • GetLastError.KERNEL32 ref: 00EE830E
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EE8379
                                    • GetModuleFileNameW.KERNEL32(00000000,00000000,00000208,?,00000208), ref: 00EE83B2
                                    • GetLastError.KERNEL32(?), ref: 00EE83FC
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EE8458
                                      • Part of subcall function 00EE6AC0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000000FF), ref: 00EE6AFC
                                      • Part of subcall function 00EE6AC0: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EE6B3B
                                      • Part of subcall function 00EE6AC0: GetLastError.KERNEL32 ref: 00EE6B68
                                      • Part of subcall function 00EE6AC0: SetLastError.KERNEL32(?), ref: 00EE6BA4
                                    • GetLastError.KERNEL32 ref: 00EE8614
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EE867F
                                    • OpenEventW.KERNEL32(10000000,00000000,?), ref: 00EE8707
                                    • SetEvent.KERNEL32(00000000), ref: 00EE871A
                                    • GetLastError.KERNEL32(00000000,00000001,00000001), ref: 00EE8FEA
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EE9051
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                    • GetLastError.KERNEL32(00000000,00000000,00000001,?), ref: 00EE91ED
                                      • Part of subcall function 00EC7090: PostThreadMessageW.USER32 ref: 00EC70B1
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EE9254
                                    • CoUninitialize.OLE32 ref: 00EE94F2
                                    • SysFreeString.OLEAUT32(?), ref: 00EE954F
                                      • Part of subcall function 00EB4CA0: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F610C1,000000FF), ref: 00EB4CE2
                                      • Part of subcall function 00EB4CA0: SetLastError.KERNEL32(?,?,?,?,?,00F610C1,000000FF), ref: 00EB4D21
                                      • Part of subcall function 00EB3ED0: SysStringLen.OLEAUT32(?), ref: 00EB3EDE
                                      • Part of subcall function 00EB3ED0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3EF8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$String$EventModule$AddressAllocFileFreeHandleInitializeMessageNameOpenPostProcThreadUninitialize
                                    • String ID: -IS_temp ORIGINALSETUPEXEDIR="$" ORIGINALSETUPEXENAME="$*** InstallShield suite engine (Unicode) started$,$/debuglog$Failed to initialize bootstrap interface$IS_ProxyWaiter_$IS_temp$Initializing engine...$InstallShield Wizard$InstallShield.log$ORIGINALSETUPEXEDIR$SetDefaultDllDirectories$SetupSuite.cpp$SuiteSetup.ini$clone_wait$debuglog$embedded:$kernel32.dll$newlog$runfromtemp
                                    • API String ID: 1432346620-3601580038
                                    • Opcode ID: c8d1bb1700195cbbd063e6c44cb1f8ddeab289148e634f77159e7c9f879fa7a5
                                    • Instruction ID: 6bda86212c2be54f9ccedb41234e882d88d149465ee2192c16fb6de41e36d42d
                                    • Opcode Fuzzy Hash: c8d1bb1700195cbbd063e6c44cb1f8ddeab289148e634f77159e7c9f879fa7a5
                                    • Instruction Fuzzy Hash: C2C2B870904298DEEB22EBA4CD95BEEBBB8AF15304F1441D9E009772D2DB705B88DB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 00F4320A
                                    • AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000014C,00ED15F0,?,?,00000000), ref: 00F4326C
                                    • AllocateAndInitializeSid.ADVAPI32(00F9091C,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F432A9
                                    • AllocateAndInitializeSid.ADVAPI32(00F9091C,00000002,00000020,00000221,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F432C9
                                    • SetEntriesInAclW.ADVAPI32(00000002,?,00000000,?), ref: 00F43372
                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00F433A9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Initialize$Allocate$DescriptorEntriesH_prolog3_Security
                                    • String ID:
                                    • API String ID: 3621466317-0
                                    • Opcode ID: 56302306175896d893dbcf7476c0b288e4d29a42b9768545a0defb3a176b0093
                                    • Instruction ID: a18f6c2e1b5c87578a915abfaea8e485b8cba3e3ed58c868e43fa5f5f97e7c66
                                    • Opcode Fuzzy Hash: 56302306175896d893dbcf7476c0b288e4d29a42b9768545a0defb3a176b0093
                                    • Instruction Fuzzy Hash: 729151B1D4025CAADB24DF55CC85BEEBBB8BF04304F4040D9E509B6292EBB45B84EF61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • VirtualQuery.KERNEL32(?,?,0000001C,33A37B94,00000000,?,?), ref: 00EEEB93
                                      • Part of subcall function 00EEEAE0: CompareStringA.KERNELBASE(00000400,00000001,000000F8,00000008,.debug,000000FF,00000000,00000000,00000000,.debug,?,00EEEBB0), ref: 00EEEB0D
                                    • GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00F70328,000000FF), ref: 00EEEC4F
                                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,?,?), ref: 00EEEC72
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: CompareFileInfoQueryStringSystemViewVirtual
                                    • String ID: .debug$.rdata$.text
                                    • API String ID: 2597005349-733372908
                                    • Opcode ID: 0dd89dcc1f140fdce9840cc6fbbb6162148e101f298cff318f35a3a375b0be64
                                    • Instruction ID: e9e8e3dbd339cf5b4f2cc0f17c866143e129a96a5120643a681f1befd706c361
                                    • Opcode Fuzzy Hash: 0dd89dcc1f140fdce9840cc6fbbb6162148e101f298cff318f35a3a375b0be64
                                    • Instruction Fuzzy Hash: 5F516071B006599FDB18CF6AC984AAEF7F6BF88714F248129E819E7344D730E9018B90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentThread.KERNEL32 ref: 00F49E17
                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,00F49DF0,00000001), ref: 00F49E1E
                                    • GetLastError.KERNEL32(?,?,?,00F49DF0,00000001), ref: 00F49E2E
                                    • GetCurrentProcess.KERNEL32(00000008,00F49DF0,?,?,?,00F49DF0,00000001), ref: 00F49E3D
                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,00F49DF0,00000001), ref: 00F49E44
                                    • GetLastError.KERNEL32(?,?,?,00F49DF0,00000001), ref: 00F49E4A
                                    • GetTokenInformation.KERNELBASE(00F49DF0,00000002,00000000,00000000,?,?,?,?,?,00F49DF0,00000001), ref: 00F49E7B
                                    • GetLastError.KERNEL32(?,?,?,00F49DF0,00000001), ref: 00F49E8F
                                    • new.LIBCMT ref: 00F49E99
                                    • GetTokenInformation.KERNELBASE(00F49DF0,00000002,00000000,?,?,?,?,?,00F49DF0,00000001), ref: 00F49EAE
                                    • AllocateAndInitializeSid.ADVAPI32(00000001,00000002,00000020,00000223,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00F49DF0,00000001), ref: 00F49ED8
                                    • EqualSid.ADVAPI32(00000004,?,?,?,?,00F49DF0,00000001), ref: 00F49EF3
                                    • FreeSid.ADVAPI32(?,?,?,?,00F49DF0,00000001), ref: 00F49F1F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Token$ErrorLast$CurrentInformationOpenProcessThread$AllocateEqualFreeInitialize
                                    • String ID:
                                    • API String ID: 884311744-0
                                    • Opcode ID: ecc71640cd51682f6018fe53dde0ece2de460f5c5c3346eebd177e209bc9328a
                                    • Instruction ID: 103a0c5525af90a42b52d4537533d450af31bdfdffb7f7245caa5754daac4752
                                    • Opcode Fuzzy Hash: ecc71640cd51682f6018fe53dde0ece2de460f5c5c3346eebd177e209bc9328a
                                    • Instruction Fuzzy Hash: 6C414F71E0820DAEEF119BA4DC89FBFBFACEF04364F104419E901E6191D6B59D48AB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,33A37B94,?,00000000,00000001), ref: 00EEEDC6
                                    • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2), ref: 00EEEDE9
                                    • GetSystemInfo.KERNELBASE(?,?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2,00000000,00000000,?,33A37B94,?), ref: 00EEEE03
                                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2,00000000), ref: 00EEEE17
                                    • IsBadReadPtr.KERNEL32(?,000000F8,?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2,00000000,00000000,?,33A37B94), ref: 00EEEE4B
                                    • UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2,00000000,00000000,?,33A37B94,?), ref: 00EEEE6C
                                    • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,33A37B94,?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2,00000000), ref: 00EEEE7C
                                    • IsBadReadPtr.KERNEL32(00000101,000000F8,00000000,?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2,00000000,00000000,?), ref: 00EEEEAF
                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2,00000000,00000000,?,33A37B94,?), ref: 00EEEF0F
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2,00000000,00000000,?,33A37B94,?), ref: 00EEEF46
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2,00000000,00000000,?,33A37B94,?), ref: 00EEEF5F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: File$View$CloseCreateHandleRead$ErrorInfoLastMappingSystemUnmap
                                    • String ID:
                                    • API String ID: 1718622468-0
                                    • Opcode ID: e8a6a545628cd37ca11947606090bcd08cbe1f3428b8dc199d3982974f32a74c
                                    • Instruction ID: 53dfc05277786edd9d5bb1ab19cd82736c5cf78dd847711c37532a282a643d1c
                                    • Opcode Fuzzy Hash: e8a6a545628cd37ca11947606090bcd08cbe1f3428b8dc199d3982974f32a74c
                                    • Instruction Fuzzy Hash: 56614B71A0135D9BDB20CFAACC48BAEBBB8BF04B14F145529E515FB391D7B49900CB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 00F43A9B
                                    • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000044,00FD689C,?,00000000,00F44B64,?,00000000), ref: 00F43BAC
                                    • GetLastError.KERNEL32 ref: 00F43BC7
                                    • ShellExecuteExW.SHELL32(0000003C), ref: 00F43CF9
                                    • WaitForInputIdle.USER32(?,000003E8), ref: 00F43D74
                                    • GetExitCodeProcess.KERNEL32(?,00FD6898), ref: 00F43D98
                                    • GetLastError.KERNEL32 ref: 00F43DA2
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                      • Part of subcall function 00EBC740: GetLastError.KERNEL32(000000FF,000000FD,?,00000000,33A37B94,?), ref: 00EBC7D9
                                      • Part of subcall function 00EBC740: SetLastError.KERNEL32(00F908E8,00000000,00000000,000000FF), ref: 00EBC83B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FreeProcessString$CodeCreateExecuteExitH_prolog3_IdleInputShellWait
                                    • String ID: <$D
                                    • API String ID: 1884863512-1382654409
                                    • Opcode ID: 0618589015d2b67ce9b832cbbc6714716a887487c9ebbf6378e5d00dd4c13546
                                    • Instruction ID: 797814acb2cec5e12b4685967f2b76751a88cbbcededefff66e9b5a6523247a8
                                    • Opcode Fuzzy Hash: 0618589015d2b67ce9b832cbbc6714716a887487c9ebbf6378e5d00dd4c13546
                                    • Instruction Fuzzy Hash: 56A15C75900248EFDF20EFA4D885BDE7BB8AF45300F14415AF905A7292EB74AA44EB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00F415CF
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryW,00000000,00F41EB9), ref: 00F415EC
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F415EF
                                    • CreateDirectoryW.KERNELBASE(00000000,?), ref: 00F41606
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryA), ref: 00F41614
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F41617
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProc$CreateDirectoryH_prolog3
                                    • String ID: CreateDirectoryA$CreateDirectoryW$kernel32.dll
                                    • API String ID: 662308948-2917578371
                                    • Opcode ID: f1143938c65a66e8cf7f11b16f742f36541f1f22d2d796bf3e1dcc2fe963e573
                                    • Instruction ID: 82b3352e0fd1a17db43ea87035497a425811524c83ec729fc4c0b8d050655c84
                                    • Opcode Fuzzy Hash: f1143938c65a66e8cf7f11b16f742f36541f1f22d2d796bf3e1dcc2fe963e573
                                    • Instruction Fuzzy Hash: B7F0C230600708ABCF00BFB4CC99AEE3AA8FF48B51B454114B905E7182CB38DA41EB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00F42750
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesW,00000000,00F41859,?,?,?,?,?,?,?,?,?,?,?,00EB85CE), ref: 00F4276A
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F4276D
                                    • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00EB85CE), ref: 00F42783
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesA,?,?,?,?,?,?,?,?,?,?,?,00EB85CE), ref: 00F42791
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F42794
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProc$AttributesFileH_prolog3
                                    • String ID: GetFileAttributesA$GetFileAttributesW$kernel32.dll
                                    • API String ID: 3512441749-1399581607
                                    • Opcode ID: 8f538a0bc99c96e64981eae795a437ec03ba9aa1f7e1fcea7164d210e5b50aa6
                                    • Instruction ID: c75637087d85d13efc176f8f51aa49757b7d1733c143a64cae78a5fbb1ef6ab4
                                    • Opcode Fuzzy Hash: 8f538a0bc99c96e64981eae795a437ec03ba9aa1f7e1fcea7164d210e5b50aa6
                                    • Instruction Fuzzy Hash: 39F0F030600708ABCF50BF74CC1AEDE3AA4AF80B10B914524F801E7182CF35CA01EB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • CopyFileW.KERNELBASE(0000000D,?,00000001), ref: 00EE797E
                                    • GetLastError.KERNEL32 ref: 00EE7988
                                      • Part of subcall function 00F43200: __EH_prolog3_GS.LIBCMT ref: 00F4320A
                                      • Part of subcall function 00F43200: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000014C,00ED15F0,?,?,00000000), ref: 00F4326C
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F43A91: __EH_prolog3_GS.LIBCMT ref: 00F43A9B
                                      • Part of subcall function 00F43A91: CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000044,00FD689C,?,00000000,00F44B64,?,00000000), ref: 00F43BAC
                                      • Part of subcall function 00F43A91: GetLastError.KERNEL32 ref: 00F43BC7
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    • CloseHandle.KERNEL32 ref: 00EE7B09
                                    • CloseHandle.KERNEL32 ref: 00EE7B11
                                    • DeleteFileW.KERNEL32(?,?), ref: 00EE7B3D
                                    • RemoveDirectoryW.KERNEL32(?), ref: 00EE7B4F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$CloseFileFreeH_prolog3_HandleString$AllocateCopyCreateDeleteDirectoryInitializeProcessRemove
                                    • String ID: exe$open
                                    • API String ID: 3427983850-3420628079
                                    • Opcode ID: cf09f7c04c8812eff45e5588b9a3fbdb9f3db90caca7345bfba7ba09b694972b
                                    • Instruction ID: 84131dac13fef5f71ebf1c60d0bb5004c4948a6cf315b0f5fa728b18b19da960
                                    • Opcode Fuzzy Hash: cf09f7c04c8812eff45e5588b9a3fbdb9f3db90caca7345bfba7ba09b694972b
                                    • Instruction Fuzzy Hash: 26C1A1B0A0425CEEEF14DF64DC46BDDBBB8EF14304F244199E458A7282DBB45B84DB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • ReadFile.KERNEL32(00EEFD27,?,00000138,00000000,00000000,00000000), ref: 00EEFFC5
                                    • GetLastError.KERNEL32 ref: 00EEFFCF
                                    • ReadFile.KERNEL32(00EEFD27,?,00000018,00000000,00000000,33A37B94,00000000,00000000,?), ref: 00EF00BA
                                    • ReadFile.KERNEL32(00EEFD27,00000000,?,00000018,00000000), ref: 00EF013E
                                    • GetLastError.KERNEL32 ref: 00EF0148
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: FileRead$ErrorLast
                                    • String ID: 0
                                    • API String ID: 1577890643-4108050209
                                    • Opcode ID: 611323b466aa80449986dd070b5ed07486e4e8369214388ee7d82955125593e2
                                    • Instruction ID: 9c39419e24a7a98169cba1c227f253e42df8944f52df531cf3184fc426e236b2
                                    • Opcode Fuzzy Hash: 611323b466aa80449986dd070b5ed07486e4e8369214388ee7d82955125593e2
                                    • Instruction Fuzzy Hash: 76C10875A013289FDB60DF64CC81BEAB7F8BF09700F40559AE949E7281E774AA80DF51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileW,00000003,?,?,00EBF6E7,?,?,?,?,?,?,?), ref: 00F41657
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F4165A
                                    • CreateFileW.KERNELBASE(?,?,?,?,?,?,00EBF6E7,?,00EBF6E7,?,?,?,?,?,?,?), ref: 00F41685
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileA,?,00EBF6E7,?,?,?,?,?,?,?), ref: 00F4168F
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F41692
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProc$CreateFile
                                    • String ID: CreateFileA$CreateFileW$kernel32.dll
                                    • API String ID: 2362759813-3217398002
                                    • Opcode ID: 31820cf11da06c90864f003af11cfa2527fd72864cd44e0940773263f8af7710
                                    • Instruction ID: b3e99f9412636c4183cdc9e562a27a319a3992157c39b0ae696b3eb7d86b0038
                                    • Opcode Fuzzy Hash: 31820cf11da06c90864f003af11cfa2527fd72864cd44e0940773263f8af7710
                                    • Instruction Fuzzy Hash: 00015A32500219BBCF025FA4DC08DEE3F2AFF087A5B194519FE15A6161CB36D860FBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • GetTempFileNameW.KERNELBASE(?,_is,00000000,00000000,?,00000104,?,00000000), ref: 00F437B6
                                    • GetTempPathW.KERNEL32(00000104,00000000,?,00000104,0000010C,00ECBBC5,?,00000000,00F8B388,00000000,00000000), ref: 00F4369E
                                      • Part of subcall function 00EB9D60: GetLastError.KERNEL32(33A37B94,74DEDFA0,74DEE010), ref: 00EB9D8D
                                      • Part of subcall function 00EB9D60: SetLastError.KERNEL32(00000000), ref: 00EB9E1E
                                    • __EH_prolog3_GS.LIBCMT ref: 00F4365B
                                      • Part of subcall function 00EB3ED0: SysStringLen.OLEAUT32(?), ref: 00EB3EDE
                                      • Part of subcall function 00EB3ED0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3EF8
                                    • DeleteFileW.KERNELBASE(?), ref: 00F437DB
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F43E17: __EH_prolog3.LIBCMT ref: 00F43E1E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FileStringTemp$AllocDeleteH_prolog3H_prolog3_NamePath
                                    • String ID: .tmp$_is
                                    • API String ID: 1410897340-3921807090
                                    • Opcode ID: 80092638975ebe2a1b0e76d848bafde1cc4b934ed6aa9a047ad351573540231c
                                    • Instruction ID: 6d261945270f0be2917ad0bcb34b81dafe2f5dca78e175911019f267fe71f44b
                                    • Opcode Fuzzy Hash: 80092638975ebe2a1b0e76d848bafde1cc4b934ed6aa9a047ad351573540231c
                                    • Instruction Fuzzy Hash: 219192B1A0025CDEDF15EBA0DC96BDEBBB8AF14300F100099E54573293DB75AB48DB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • CreateFileW.KERNELBASE(00000004,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00F39F0E
                                    • WriteFile.KERNELBASE(?,?,00004000,?,00000000), ref: 00F39FE6
                                    • FlushFileBuffers.KERNEL32(?), ref: 00F3A020
                                    • SetFileTime.KERNELBASE(?,?,00000008,?), ref: 00F3A03E
                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00F3A0AE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: File$BuffersChangeCloseCreateFindFlushNotificationTimeWrite
                                    • String ID:
                                    • API String ID: 906025698-0
                                    • Opcode ID: 1a2a70d1f9dbc9c54733165c46fbaa27cd51c622bac5d54cb1d72d8e12bf9675
                                    • Instruction ID: 78eeea94bd0fabbbb3f77971559b5888dcb017673f85b3beeda48b7b8e69b3fc
                                    • Opcode Fuzzy Hash: 1a2a70d1f9dbc9c54733165c46fbaa27cd51c622bac5d54cb1d72d8e12bf9675
                                    • Instruction Fuzzy Hash: 445193B19006188BCB74DF25CC84BDEB7B8BB44330F1086A9D599E61D0DB749A8DEF51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,33A37B94,00F9091C,?,?), ref: 00EEF7C7
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,00F70530,000000FF,?,00EEF74D,00F9091C,00000000,00F9091C), ref: 00EEF7D7
                                    • SetFilePointer.KERNELBASE(00000000,00F9091C,?,00000000), ref: 00EEF815
                                    • GetLastError.KERNEL32 ref: 00EEF81E
                                    • CloseHandle.KERNEL32(?,?,00000000,00000000,?), ref: 00EEF889
                                    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000080,00000000,?), ref: 00EEF8DB
                                    • CloseHandle.KERNEL32(00000000), ref: 00EEF8F2
                                      • Part of subcall function 00EEF910: CreateFileW.KERNEL32(-00000004,40000000,00000000,00000000,00000002,00000080,00000000,33A37B94,00000000,?,00000000), ref: 00EEF992
                                      • Part of subcall function 00EEF910: GetLastError.KERNEL32 ref: 00EEF9A0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: File$CreateErrorLast$CloseHandle$Pointer
                                    • String ID:
                                    • API String ID: 115946061-0
                                    • Opcode ID: 9a0061c7c1c5d3ea29267e2ee0d0a665d899d54757c22eb34fa01b586a3fcbc3
                                    • Instruction ID: 5268e205004623ea203b94334e2e9e54d39915f535849f7dfc4d60f59701664c
                                    • Opcode Fuzzy Hash: 9a0061c7c1c5d3ea29267e2ee0d0a665d899d54757c22eb34fa01b586a3fcbc3
                                    • Instruction Fuzzy Hash: ED51AD30A0024CABDB24CFA5DC59BAEB7B5EF44714F10522AE812BB2D1DB70AD01CB54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EBF940: FindCloseChangeNotification.KERNELBASE(?,33A37B94,74DEE010), ref: 00EBF9A0
                                      • Part of subcall function 00EBF940: __CxxThrowException@8.LIBVCRUNTIME ref: 00EBF9E9
                                    • new.LIBCMT ref: 00EBF65E
                                    • new.LIBCMT ref: 00EBF714
                                      • Part of subcall function 00EC1300: new.LIBCMT ref: 00EC1383
                                      • Part of subcall function 00EC1300: new.LIBCMT ref: 00EC13A3
                                    • GetLastError.KERNEL32(00000003,00000000,80400100,toys::file,00007530,00000000,00000000,00000000,00000000), ref: 00EBF76E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ChangeCloseErrorException@8FindLastNotificationThrow
                                    • String ID: http://$https://$toys::file
                                    • API String ID: 2864113975-144175362
                                    • Opcode ID: 5503f108685365910003f1d95320e3c505a28eef2cd239440df55e8e911a6999
                                    • Instruction ID: 1dfe9994d67744d38ea36ef6986b39e49cde1c0ce7981f063e48c0e9275ec7d5
                                    • Opcode Fuzzy Hash: 5503f108685365910003f1d95320e3c505a28eef2cd239440df55e8e911a6999
                                    • Instruction Fuzzy Hash: 9D41F372A00704ABDB209F64DD42F9ABBA4FB04710F10463EFD15A72D1DB75E814DBA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNEL32(kernel32,GetNativeSystemInfo,?,00F43A82,?,?,?,?,?,?,?,?,?,00EC2E11,33A37B94), ref: 00F45674
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F4567B
                                    • GetSystemInfo.KERNEL32(00F43A82,?,00F43A82,?,?,?,?,?,?,?,?,?,00EC2E11,33A37B94), ref: 00F45688
                                    • GetNativeSystemInfo.KERNELBASE(00F43A82,?,00F43A82,?,?,?,?,?,?,?,?,?,00EC2E11,33A37B94), ref: 00F45690
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: InfoSystem$AddressHandleModuleNativeProc
                                    • String ID: GetNativeSystemInfo$kernel32
                                    • API String ID: 3433367815-3846845290
                                    • Opcode ID: b38be78bd84a5f404a813435e0de2ede55ac359df0a05d02ba85e20732024347
                                    • Instruction ID: c1733254d03b6cccd2deefd4732068e82e43a46628cbac39ebef7f1570e23671
                                    • Opcode Fuzzy Hash: b38be78bd84a5f404a813435e0de2ede55ac359df0a05d02ba85e20732024347
                                    • Instruction Fuzzy Hash: 8CD0C93164060DBF9F003BE1BC0D9F93B2CAB44F667400041F90DC4092DA72D0547B56
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94,?,00000000,?), ref: 00EEF0C0
                                    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00F70427), ref: 00EEF0FF
                                      • Part of subcall function 00EDF680: new.LIBCMT ref: 00EDF6AD
                                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00F8B388,00F8B386), ref: 00EEF1E1
                                    • SetFilePointer.KERNELBASE(00000000,00F9091C,?,00000000), ref: 00EEF22C
                                    • ReadFile.KERNELBASE(00000000,?,0000002E,?,00000000), ref: 00EEF269
                                    • ReadFile.KERNEL32(00000000,?,0000002E,?,00000000,00000000,00F9091C,00000000,00000000,?), ref: 00EEF2D9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: File$ErrorLastRead$CreatePointer
                                    • String ID:
                                    • API String ID: 3079590808-0
                                    • Opcode ID: 20a1feed0d7561f9d033b8d8fb615d2f8144b88de299c963349b10f111b24fbb
                                    • Instruction ID: 0069529b09dafe96144fe16a9f3df48bfd2af378540f2550d07dbc424961c280
                                    • Opcode Fuzzy Hash: 20a1feed0d7561f9d033b8d8fb615d2f8144b88de299c963349b10f111b24fbb
                                    • Instruction Fuzzy Hash: 30A1BEB0A0078AEFDB20DF66C94879ABBF4FF44708F105529E506ABA81D775F915CB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 00F417D8
                                    • GetLastError.KERNEL32 ref: 00F41879
                                    • GetLastError.KERNEL32 ref: 00F4193E
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00F419AE
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F419C3: __EH_prolog3_catch_GS.LIBCMT ref: 00F419CD
                                      • Part of subcall function 00F419C3: __CxxThrowException@8.LIBVCRUNTIME ref: 00F41A8C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast$Exception@8Throw$H_prolog3_H_prolog3_catch_
                                    • String ID:
                                    • API String ID: 3130792420-3916222277
                                    • Opcode ID: e0f6771bcbb6a36822ed050279f30f87c5cf6a1e0282430495063cf19714ccd3
                                    • Instruction ID: 19c6f4e9a3363a49e90cfa6df1b2ebd9b45ec61234af717814cd4acce5fe8943
                                    • Opcode Fuzzy Hash: e0f6771bcbb6a36822ed050279f30f87c5cf6a1e0282430495063cf19714ccd3
                                    • Instruction Fuzzy Hash: 7351BE7080025C9EEF25EB64CD95BED7FA4BF01354F481199EC4923293DB349AC9EB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00EBF820
                                      • Part of subcall function 00F4E44A: RaiseException.KERNEL32(?,?,00F3FBB5,?,?,00000000,?,?,?,?,?,00F3FBB5,?,00FCBE10,?), ref: 00F4E4A9
                                    • SetFilePointer.KERNELBASE(?,00000003,33A37B94,?,33A37B94,?,?,?), ref: 00EBF82C
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00EBF880
                                    • GetLastError.KERNEL32(00000001,00FCE19C,00F9091C,00000001,?,33A37B94), ref: 00EBF885
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00EBF8D2
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00EBF330: GetLastError.KERNEL32(33A37B94,00000000), ref: 00EBF393
                                      • Part of subcall function 00EBF330: new.LIBCMT ref: 00EBF3A9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast$Exception@8Throw$ExceptionFilePointerRaise
                                    • String ID:
                                    • API String ID: 699254983-0
                                    • Opcode ID: 59d985d57378b83942ff7c574a639034662b9816b90ef3affdd72c79f050db27
                                    • Instruction ID: b397ba86dd9176be746dde1828ddbbce5a0fe32659d0907dfbf52d7e828f3cb3
                                    • Opcode Fuzzy Hash: 59d985d57378b83942ff7c574a639034662b9816b90ef3affdd72c79f050db27
                                    • Instruction Fuzzy Hash: AD416D71A00208EFDB14EFA4DD85FEFB7B8EB04314F104129F916A3292DB74AA09DB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • new.LIBCMT ref: 00EEFCE2
                                      • Part of subcall function 00EEFE70: GetLastError.KERNEL32(33A37B94,?,00000000,00EEFD01,00000004,74DF34C0), ref: 00EEFEAC
                                      • Part of subcall function 00EEFE70: SetLastError.KERNEL32(?), ref: 00EEFEEB
                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000001,00000004,74DF34C0), ref: 00EEFD16
                                      • Part of subcall function 00EEFF50: ReadFile.KERNEL32(00EEFD27,?,00000138,00000000,00000000,00000000), ref: 00EEFFC5
                                      • Part of subcall function 00EEFF50: GetLastError.KERNEL32 ref: 00EEFFCF
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    • SetFilePointer.KERNELBASE(00000000,?,00000000,00000001,?,?,-00000010,00000000,00F9091C,00000000,00000000,?,00000000,00000000), ref: 00EEFDC9
                                    • GetLastError.KERNEL32(?,-00000010,00000000,00F9091C,00000000,00000000,?,00000000,00000000), ref: 00EEFDD1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast$File$FreePointerString$Read
                                    • String ID:
                                    • API String ID: 3966585283-0
                                    • Opcode ID: ff5ab28f6dd9f69386e98f80dff4096200339245862ab12b6853fc6edb64c7e7
                                    • Instruction ID: ed1fd6facdd7fe84133adf66b181e256de3cfa61a65510507854cc2459dbebce
                                    • Opcode Fuzzy Hash: ff5ab28f6dd9f69386e98f80dff4096200339245862ab12b6853fc6edb64c7e7
                                    • Instruction Fuzzy Hash: F141EF71A00248EFDF10DFA5CD55BEEBBF8EB04314F204269E915E7292DB74AA04DB40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00EE594B
                                    • GetLastError.KERNEL32 ref: 00EE597C
                                    • new.LIBCMT ref: 00EE599B
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00EE59BF
                                      • Part of subcall function 00F4E44A: RaiseException.KERNEL32(?,?,00F3FBB5,?,?,00000000,?,?,?,?,?,00F3FBB5,?,00FCBE10,?), ref: 00F4E4A9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: DirectoryErrorExceptionException@8LastRaiseThrowWindows
                                    • String ID:
                                    • API String ID: 1415589362-0
                                    • Opcode ID: 152182543ebbb813cbd0cc0cc2727c790d4e335d9656b126e9e1b7fe232556cf
                                    • Instruction ID: 0be3551147f2625ae415e0d51d7d8f76610b8dd15a8559e241ac3b939e5f86ed
                                    • Opcode Fuzzy Hash: 152182543ebbb813cbd0cc0cc2727c790d4e335d9656b126e9e1b7fe232556cf
                                    • Instruction Fuzzy Hash: 87314DB1901258EEDB60EF94DC49BDDBBF8EB18704F0001D9E409A7292DBB45B84DF95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WriteFile.KERNELBASE(?,?,00004000,?,00000000), ref: 00F39FE6
                                    • FlushFileBuffers.KERNEL32(?), ref: 00F3A020
                                    • SetFileTime.KERNELBASE(?,?,00000008,?), ref: 00F3A03E
                                    • GetLastError.KERNEL32(?,00004000,?,0000000C), ref: 00F3A090
                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00F3A0AE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: File$BuffersChangeCloseErrorFindFlushLastNotificationTimeWrite
                                    • String ID:
                                    • API String ID: 3065014259-0
                                    • Opcode ID: 00dccfc36386cccbae4548bdc7f5e81fa8a540a454da0bc0ab6ae1a02f053aa1
                                    • Instruction ID: 12414579c3f93e7512f4bfdbc38a79c2390ed6ad37eb66b00e00047c6c9a903b
                                    • Opcode Fuzzy Hash: 00dccfc36386cccbae4548bdc7f5e81fa8a540a454da0bc0ab6ae1a02f053aa1
                                    • Instruction Fuzzy Hash: F8217FB1A005188BCF74DB28CC847EDB379BB44330F1086AAD5A9961D0DB759E89EF52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94,?,00000000,?,00000000,00F60BC9,000000FF,?,string too long,invalid string position,invalid string position,?,00000000,?,?,00EB4050), ref: 00EB4652
                                    • SetLastError.KERNEL32(?,?,00000000,000000FF,?,00000000,00F60BC9,000000FF,?,string too long,invalid string position,invalid string position,?,00000000,?), ref: 00EB46B4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: invalid string position$string too long
                                    • API String ID: 1452528299-4289949731
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 00F41D9E
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                      • Part of subcall function 00EB4A50: GetLastError.KERNEL32(33A37B94,?,?,00FD1000,?,00F60FF9,000000FF,?,00EB23E3,?,00000000), ref: 00EB4A92
                                      • Part of subcall function 00EB4A50: SetLastError.KERNEL32(?,?,?,00FD1000,?,00F60FF9,000000FF,?,00EB23E3,?,00000000), ref: 00EB4AD1
                                    • GetLastError.KERNEL32 ref: 00F41EC0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FreeString$H_prolog3_
                                    • String ID: \
                                    • API String ID: 2549205776-2967466578
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00EC0B96
                                      • Part of subcall function 00F4E44A: RaiseException.KERNEL32(?,?,00F3FBB5,?,?,00000000,?,?,?,?,?,00F3FBB5,?,00FCBE10,?), ref: 00F4E4A9
                                    • ReadFile.KERNELBASE(?,00000000,000000FF,33A37B94,00000000), ref: 00EC0BA3
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00EC0BEC
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00EBF330: GetLastError.KERNEL32(33A37B94,00000000), ref: 00EBF393
                                      • Part of subcall function 00EBF330: new.LIBCMT ref: 00EBF3A9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$Exception@8Throw$ExceptionFileRaiseRead
                                    • String ID:
                                    • API String ID: 686783228-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 00F4303B
                                      • Part of subcall function 00EB4A50: GetLastError.KERNEL32(33A37B94,?,?,00FD1000,?,00F60FF9,000000FF,?,00EB23E3,?,00000000), ref: 00EB4A92
                                      • Part of subcall function 00EB4A50: SetLastError.KERNEL32(?,?,?,00FD1000,?,00F60FF9,000000FF,?,00EB23E3,?,00000000), ref: 00EB4AD1
                                    • UuidToStringW.RPCRT4(?,?), ref: 00F4307B
                                      • Part of subcall function 00F4540D: __EH_prolog3.LIBCMT ref: 00F45414
                                      • Part of subcall function 00F4540D: CharUpperW.USER32(00000000,?,?,0000000C,00F430A6,00F8B388), ref: 00F45436
                                    • RpcStringFreeW.RPCRT4(00000000), ref: 00F430AA
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$String$Free$CharH_prolog3H_prolog3_UpperUuid
                                    • String ID:
                                    • API String ID: 3172286170-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 00F48D35
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F4889E: __EH_prolog3_GS.LIBCMT ref: 00F488A5
                                      • Part of subcall function 00EB4A50: GetLastError.KERNEL32(33A37B94,?,?,00FD1000,?,00F60FF9,000000FF,?,00EB23E3,?,00000000), ref: 00EB4A92
                                      • Part of subcall function 00EB4A50: SetLastError.KERNEL32(?,?,?,00FD1000,?,00F60FF9,000000FF,?,00EB23E3,?,00000000), ref: 00EB4AD1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$H_prolog3_
                                    • String ID: ]
                                    • API String ID: 3339191932-3352871620
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: string too long
                                    • API String ID: 0-2556327735
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CompareStringA.KERNELBASE(00000400,00000001,000000F8,00000008,.debug,000000FF,00000000,00000000,00000000,.debug,?,00EEEBB0), ref: 00EEEB0D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: CompareString
                                    • String ID: .debug
                                    • API String ID: 1825529933-652440927
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetLastError.KERNEL32(00000057), ref: 00EEFB9E
                                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00EEFBCF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastRead
                                    • String ID:
                                    • API String ID: 1948546556-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SysAllocStringLen.OLEAUT32(00000000,?), ref: 00EB43E8
                                    • SysFreeString.OLEAUT32(00000000), ref: 00EB4460
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: String$AllocFree
                                    • String ID:
                                    • API String ID: 344208780-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EEED70: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,33A37B94,?,00000000,00000001), ref: 00EEEDC6
                                      • Part of subcall function 00EEED70: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2), ref: 00EEEDE9
                                      • Part of subcall function 00EEED70: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2,00000000,00000000,?,33A37B94,?), ref: 00EEEE03
                                      • Part of subcall function 00EEED70: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,?,?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2,00000000), ref: 00EEEE17
                                      • Part of subcall function 00EEED70: IsBadReadPtr.KERNEL32(?,000000F8,?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2,00000000,00000000,?,33A37B94), ref: 00EEEE4B
                                      • Part of subcall function 00EEED70: UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2,00000000,00000000,?,33A37B94,?), ref: 00EEEE6C
                                      • Part of subcall function 00EEED70: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,33A37B94,?,?,?,?,?,00000000,00F70368,000000FF,?,00EEEFE2,00000000), ref: 00EEEE7C
                                    • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?), ref: 00EEF036
                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00EEF04F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: File$View$CloseCreate$ChangeFindHandleInfoMappingNotificationReadSystemUnmap
                                    • String ID:
                                    • API String ID: 2649132672-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindCloseChangeNotification.KERNELBASE(?,33A37B94,74DEE010), ref: 00EBF9A0
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00EBF9E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ChangeCloseException@8FindNotificationThrow
                                    • String ID:
                                    • API String ID: 232429529-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                    • SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                    • SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EC1460: GetLastError.KERNEL32(33A37B94,74DEDFA0,?,?,?,00F645F9,000000FF,?,00EBF578,?,00000000), ref: 00EC1497
                                      • Part of subcall function 00EC1460: SetLastError.KERNEL32(?), ref: 00EC14D6
                                    • new.LIBCMT ref: 00EBFE5A
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00EBF630: new.LIBCMT ref: 00EBF65E
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast$FreeString
                                    • String ID:
                                    • API String ID: 2425351278-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 00F488A5
                                      • Part of subcall function 00EB4A50: GetLastError.KERNEL32(33A37B94,?,?,00FD1000,?,00F60FF9,000000FF,?,00EB23E3,?,00000000), ref: 00EB4A92
                                      • Part of subcall function 00EB4A50: SetLastError.KERNEL32(?,?,?,00FD1000,?,00F60FF9,000000FF,?,00EB23E3,?,00000000), ref: 00EB4AD1
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00EBFDF0: new.LIBCMT ref: 00EBFE5A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast$H_prolog3_
                                    • String ID:
                                    • API String ID: 3339191932-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00F573BB,00000001,00000364,?,00F4DFF8,?,?,?,?,?,00F3FACB,00F3FBA7), ref: 00F56BF7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • UuidCreate.RPCRT4(?), ref: 00F430F0
                                      • Part of subcall function 00F43034: __EH_prolog3_GS.LIBCMT ref: 00F4303B
                                      • Part of subcall function 00F43034: UuidToStringW.RPCRT4(?,?), ref: 00F4307B
                                      • Part of subcall function 00F43034: RpcStringFreeW.RPCRT4(00000000), ref: 00F430AA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: StringUuid$CreateFreeH_prolog3_
                                    • String ID:
                                    • API String ID: 3372217299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000,00F3FBA7,?,?,00F4DFF8,?,?,?,?,?,00F3FACB,00F3FBA7,?,?,?,?), ref: 00F56B9A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00F43E1E
                                      • Part of subcall function 00F41D94: __EH_prolog3_GS.LIBCMT ref: 00F41D9E
                                      • Part of subcall function 00F41D94: GetLastError.KERNEL32 ref: 00F41EC0
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast$FreeString$H_prolog3H_prolog3_
                                    • String ID:
                                    • API String ID: 2488494826-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindCloseChangeNotification.KERNELBASE(00F49DF0,?,00F49E8A,00F49DF0,00000000,?,?,?,00F49DF0,00000001), ref: 00F49F57
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ChangeCloseFindNotification
                                    • String ID:
                                    • API String ID: 2591292051-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                      • Part of subcall function 00EB3ED0: SysStringLen.OLEAUT32(?), ref: 00EB3EDE
                                      • Part of subcall function 00EB3ED0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3EF8
                                    • GetLastError.KERNEL32 ref: 00ECBC90
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ECBCF7
                                    • MessageBoxW.USER32(00000000,?,?,00000010), ref: 00ECBF27
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F417CE: __EH_prolog3_GS.LIBCMT ref: 00F417D8
                                    • MoveFileExW.KERNEL32(?,00000004,00000001,?,00F9091C,setup.xml,00000000,00000000,00000000,?,00000001,00000000,00F9091C), ref: 00ECC2FE
                                    • GetLastError.KERNEL32 ref: 00ECC33C
                                      • Part of subcall function 00F39100: GetDateFormatW.KERNEL32(00000800,00000000,00000000,M-d-yyyy,00000000,00000080,00000001,00000080,00000001,?), ref: 00F3917C
                                      • Part of subcall function 00F39100: GetTimeFormatW.KERNEL32(00000800,00000000,00000000,hh':'mm':'ss tt,00000000,00000080,?,00000080), ref: 00F391D8
                                      • Part of subcall function 00EB4810: GetLastError.KERNEL32(33A37B94,?,00F908F0,00F9091C,?,00F60F29,000000FF,?,00EB394A,00F8B388,?,?,00000000,33A37B94,?,00F908F0), ref: 00EB484B
                                      • Part of subcall function 00EB4810: SysFreeString.OLEAUT32(6F6C206F), ref: 00EB4865
                                      • Part of subcall function 00EB4810: SysFreeString.OLEAUT32(00F90920), ref: 00EB487A
                                      • Part of subcall function 00EB4810: SetLastError.KERNEL32(?), ref: 00EB48AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast$String$Free$Format$AllocDateFileH_prolog3_MessageMoveTime
                                    • String ID: .$An invalid condition was encountered:Error: 0x%08xThe setup will now abort.$BetaMarker.dat$Command Line: %s$Could not move setup.xml to new stage path, error %d, file will not be cleaned up$Determining setup mode...$Engine: ***warning: this suite appears to be running without elevated privileges, the InstallScript debugger requires admin privil$Engine: attempt to launch with updated suite install failed with status 0x%08x, continuing normal setup$Engine: command line specified maintenance/modify mode$Engine: command line specified remove mode$Engine: command line specified repair mode$Engine: command line specified stage only mode$Engine: failed to evaluate install mode %d condition, error %x$Engine: failed to initialize resources, error %x$Engine: final mode we're running in: %d$Engine: initialization complete$Engine: initializing predefined path properties$Engine: initializing resources$Engine: mode is maintenance: %s$Engine: no command line mode specified, evaluating setup.xml install mode block for mode$Engine: not rebooted or maintenance, checking for suite update (update: '%s', updated from: '%s')$Engine: parsing setup.xml$Engine: reloading engine state info for resume/reboot$Engine: running after reboot$Engine: script debug option specified, will enable script debugging; symbol path: '%s'$Engine: sending initialize event to UI$Engine: sending rebooted event to UI$Engine: setup will run silent$Engine: setup will run with minimal UI$Engine: update URL is '%s'$Engine: update not found$Engine: we're not running after reboot$Error extracting setup.xml.$EvalMarker.dat$Evaluating abort conditions$Failed to evaluate abort condition (text '%s'), result: %x$ISEnablePerParcelLogging$ISInstallMode$ISLogDir$ISOnRebooted$ISPassiveInstall$ISPassword$ISSelectedLanguage$ISSilentInstall$InstallMode$InstallShield$InstallShield Wizard$No UI DLL was initialized. This is likely due to a missing UIResource in setup.xml$No UI DLL was initialized. This is likely due to a missing UIResource in setup.xml.$No setup.xml was present in the setup stream$Password$ProductVersion$SetupEngine.cpp$ShowLanguageSelection$TempFolder$The resource %s failed to initialize, status %x$f3:$language:$log$modify$passive$password:$remove$repair$setup.xml$setup.xml$silent$stage_only$true$updated_from:$yes
                                    • API String ID: 4022214443-2701837669
                                    • Opcode ID: 083ecb1e06a4b1e37313618002ec416b3153ff8e34a7bb314b8358ec909ed5ea
                                    • Instruction ID: e78da4cfab0b3ffd23ea7e57c360b7446f03a2aa26179763f5db91f64c14d286
                                    • Opcode Fuzzy Hash: 083ecb1e06a4b1e37313618002ec416b3153ff8e34a7bb314b8358ec909ed5ea
                                    • Instruction Fuzzy Hash: 3483A9B09012889EDF25DB64CE85BDEBBB4AF10304F1401ADE5497B292DBB06F4ADF51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F430D2: UuidCreate.RPCRT4(?), ref: 00F430F0
                                    • CreateNamedPipeW.KERNEL32(?,00000003,00000000,00000001,00001000,00001000,00000000,00000000,?,?,?,?), ref: 00ED2DC4
                                    • GetLastError.KERNEL32(?,?,?,?), ref: 00ED2DFB
                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,?,?,?,?,?,?,?,?), ref: 00ED2E57
                                    • CloseHandle.KERNEL32(00000000,?), ref: 00ED31DA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Create$CloseErrorEventHandleLastNamedPipeUuid
                                    • String ID: -IS_temp$!$-embedded:$Failed to allocate proxy handler$Failed to connect/verify proxy, error %x$Failed to create pipe server for elevated proxy, error %x$Failed to initialize proxy communication, error %x$Failed to launch proxy process '%s', error %x$IS_ProxyWaiter_$SetupEngine.cpp$Timed out waiting for proxy to respond$\\.\pipe\ISEngine_$open$runas
                                    • API String ID: 2889566602-412059878
                                    • Opcode ID: c0cb7602a0666c50477547398c06e131c4994db53339920f34f7197b790d7279
                                    • Instruction ID: b5a58f6c43a3ba6513b74a299b14ea16bc023963aa29697cb56189cf9eef42c6
                                    • Opcode Fuzzy Hash: c0cb7602a0666c50477547398c06e131c4994db53339920f34f7197b790d7279
                                    • Instruction Fuzzy Hash: E6D1AF70905258EEEF21DBA4DC45BEEBBB4AB15304F1401D9E408B72C2DBB45B49EF52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID: 0-3916222277
                                    • Opcode ID: 4732b13c94193840cb6c78f6a3d6c1cfe985c88080b5e76e17e01bd5e91669fa
                                    • Instruction ID: 02f9a7d5835bee156e14353f0c53826ef8d17d869300991e52181797924041d0
                                    • Opcode Fuzzy Hash: 4732b13c94193840cb6c78f6a3d6c1cfe985c88080b5e76e17e01bd5e91669fa
                                    • Instruction Fuzzy Hash: 00D19262D0B29DDBDB11C7B896063FEBEA00F21704F299499D945BB381D6744F04ABE2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: 1
                                    • API String ID: 1452528299-2212294583
                                    • Opcode ID: 2fb996e2c5bed15a4d6407cb8a0e5d7ca8d0817115b804f47fe0e81b6bab69ce
                                    • Instruction ID: 2e0eb9345be067a300f5de3b9fe3d8f0e02edae90537c9b47b8ef41be2a83751
                                    • Opcode Fuzzy Hash: 2fb996e2c5bed15a4d6407cb8a0e5d7ca8d0817115b804f47fe0e81b6bab69ce
                                    • Instruction Fuzzy Hash: 7B220E71D00658DEDB24DB68C8857EEBBF0AF15318F1452A9D069B72C2DBB44E84DF81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FreeString
                                    • String ID: AnyContains$AnyEndsWith$AnyStartsWith$Compare$Contains$EndsWith$Equal$GreaterEqual$GreaterThan$HasFlags$LessEqual$LessThan$NotEqual$StartsWith
                                    • API String ID: 2425351278-1967529450
                                    • Opcode ID: 7ac743579c5514814b545a36d23516ab4fd82ffb784fc80a051ee3ea50630705
                                    • Instruction ID: 702f145483c4385c610a08d89e7deab2e38591505e020acd04e7076920823ea0
                                    • Opcode Fuzzy Hash: 7ac743579c5514814b545a36d23516ab4fd82ffb784fc80a051ee3ea50630705
                                    • Instruction Fuzzy Hash: EB519E319482169BEF24DBA0ED45FAEB6E4EF10744F208628E816735D1FFB09904FB81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,SetupEngine.cpp,?,00000000,33A37B94), ref: 00F4475A
                                    • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,33A37B94), ref: 00F44767
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00F4477E
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000), ref: 00F447A9
                                    • ExitWindowsEx.USER32(00000002,0000FFFF), ref: 00F447B7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueWindows
                                    • String ID: SeShutdownPrivilege
                                    • API String ID: 1314775590-3733053543
                                    • Opcode ID: 969d457eac1e0c035c00c8067f4a025fd023eb94568b5e14e899667f47305217
                                    • Instruction ID: a637abf21fe7461b04f46dfb0d86d279509a737ff053c9dd13e6659ae0bc7ba7
                                    • Opcode Fuzzy Hash: 969d457eac1e0c035c00c8067f4a025fd023eb94568b5e14e899667f47305217
                                    • Instruction Fuzzy Hash: F1013970A01229ABCF10DFE4DD4DAFEBFB8EF09700F000119E905E6281DB749A05ABA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SysFreeString.OLEAUT32(000000FF), ref: 00F00637
                                    • VariantChangeTypeEx.OLEAUT32(?,00000000,0000007F,00000000,00000007), ref: 00F00828
                                    • VariantTimeToSystemTime.OLEAUT32 ref: 00F00841
                                    • SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,00EC499E,00F9091C), ref: 00F0084F
                                    • VariantClear.OLEAUT32(?), ref: 00F00874
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Time$Variant$System$ChangeClearFileFreeStringType
                                    • String ID:
                                    • API String ID: 829595763-0
                                    • Opcode ID: 44ba2e5a20b757ed8049800882d11b33df711128dbffe5151e68357a6af8713c
                                    • Instruction ID: 0e364a3e4b00fba4fed54b1b8cf4443e02bc5c32cdc24f1bb2436c6129746930
                                    • Opcode Fuzzy Hash: 44ba2e5a20b757ed8049800882d11b33df711128dbffe5151e68357a6af8713c
                                    • Instruction Fuzzy Hash: 45A17D71E00218DBDF15DFA8D894BEEBBF5BF08710F148159E405AB2C1DB789A04EBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Final action state for parcel %s: %d$PackagePath$Parcel.cpp$Parcel: disabling remove of parcel '%s' due to share count of %d$Parcel: disabling repair of parcel '%s' as this suite is not a client
                                    • API String ID: 0-2668638366
                                    • Opcode ID: 7bc886860227501c52bcf9ea206d7ffba0a401ddc73ae665dc5827c7238cd6b6
                                    • Instruction ID: c0fd076a2a72716217474c08407288553f98d64f14fb185397b6980f76f7f667
                                    • Opcode Fuzzy Hash: 7bc886860227501c52bcf9ea206d7ffba0a401ddc73ae665dc5827c7238cd6b6
                                    • Instruction Fuzzy Hash: E6B1B071A04206DFDF18DF64CCE0BADB7F5FB44304F548229D41A97292E7B0A855EB81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00F55543
                                    • GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 00F5555B
                                    • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,0000001C), ref: 00F555B1
                                    • VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,0000001C), ref: 00F555C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Virtual$AllocInfoProtectQuerySystem
                                    • String ID:
                                    • API String ID: 3562403962-0
                                    • Opcode ID: 0e461382f40a48932b853366499bc9ceacb2a6af6852b84798aa7aba05cd5a9f
                                    • Instruction ID: 2976be7878ed70596584cbc6f15fd8da9448188596930b980f9b2f7a3b588a63
                                    • Opcode Fuzzy Hash: 0e461382f40a48932b853366499bc9ceacb2a6af6852b84798aa7aba05cd5a9f
                                    • Instruction Fuzzy Hash: 04218672E0011CABCF20DFA4CC85AEEB7B9EB44765F150065EE05EB140EA349A08DB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryW.KERNEL32(?,33A37B94,00000000,?), ref: 00F20D2C
                                    • GetProcAddress.KERNEL32(00000000,SuiteStartupInstall), ref: 00F20D4F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: SuiteStartupInstall
                                    • API String ID: 2574300362-3262701596
                                    • Opcode ID: 4ca54a0268ae1818dad81d8d00d8292626b42a5032affe406297dbcf2f3fc7c1
                                    • Instruction ID: 2b8f9cba5f0db8a8715fa91cc7f8ff063753f7792bd165d1f4bb9747c74da5e2
                                    • Opcode Fuzzy Hash: 4ca54a0268ae1818dad81d8d00d8292626b42a5032affe406297dbcf2f3fc7c1
                                    • Instruction Fuzzy Hash: 04318172D01218EFDB14CF98D844BAEBBB5FB45714F10012DE811AB382CB74AD01DBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00F3FBA7), ref: 00F52325
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00F3FBA7), ref: 00F5232F
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00F3FBA7), ref: 00F5233C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: f5a75cc7dfe6c817c6dd46f6d546a731ce275cfc0da69b1df965a6a5530dddb4
                                    • Instruction ID: 23775d98556991946dd93f0167a9c61060b2316b843d7f608b8758f897482d4b
                                    • Opcode Fuzzy Hash: f5a75cc7dfe6c817c6dd46f6d546a731ce275cfc0da69b1df965a6a5530dddb4
                                    • Instruction Fuzzy Hash: 0131C47490122C9BCB61DF64DC887D8BBB8BF08310F5046EAE91CA6250EB749B859F44
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00F4D3E1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: FeaturePresentProcessor
                                    • String ID:
                                    • API String ID: 2325560087-3916222277
                                    • Opcode ID: 670621d596e24d96a294da79d62500df5edd09299187bc1712e204691317bfae
                                    • Instruction ID: d4a797d1760515f43e42ae3eabf7dcd3945042f4d3bb8871d4eeae2492de7279
                                    • Opcode Fuzzy Hash: 670621d596e24d96a294da79d62500df5edd09299187bc1712e204691317bfae
                                    • Instruction Fuzzy Hash: 71418E71E0120D9BEB14CFA9E8997AEBFF5FB48324F14816BD809E7254D374A840DB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bf88605dbd0322d2ecb5532771ae3339d28b7093155358778e131ecff2853dfc
                                    • Instruction ID: 449ce3e79de58896481e329bff6f2f2f4af3316a34d3309d42491a5ad233562f
                                    • Opcode Fuzzy Hash: bf88605dbd0322d2ecb5532771ae3339d28b7093155358778e131ecff2853dfc
                                    • Instruction Fuzzy Hash: 71023C71E002199FDF14CFA9C8806AEBBF1EF88325F258269D919E7385D731A945DB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: @
                                    • API String ID: 0-2766056989
                                    • Opcode ID: 90c4dae4d91584c98b6940756602bc2427e1352042e00b236df98bba3062f34c
                                    • Instruction ID: 2e2d3cc44e671aa3e38f386a5dfac044e5325eca15b12571b178e4197f044b7e
                                    • Opcode Fuzzy Hash: 90c4dae4d91584c98b6940756602bc2427e1352042e00b236df98bba3062f34c
                                    • Instruction Fuzzy Hash: 15E16C71E00218CFCB28CFA8D4906ADBBB2FF49720F24416ED81AAB355D7759D86DB41
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetVersionExW.KERNEL32(00000294), ref: 00EC244E
                                    Similarity
                                    • API ID: Version
                                    • String ID:
                                    • API String ID: 1889659487-0
                                    • Opcode ID: f0d002ef0add50ff6779066248c27a66ff337428d33f3b765368abb6cde07ce5
                                    • Instruction ID: da3d0c1238efeb6197017ce48ebed67eb404ad2aeeb706ad5252903e198ef8af
                                    • Opcode Fuzzy Hash: f0d002ef0add50ff6779066248c27a66ff337428d33f3b765368abb6cde07ce5
                                    • Instruction Fuzzy Hash: BD11AD70A14208DBDB10EF98E949B9ABBF8FB09714F00026EE409EB381DBB55900CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CoCreateInstance.OLE32(00F865B8,00000000,00000001,00F974EC,?), ref: 00EEC2DE
                                    Similarity
                                    • API ID: CreateInstance
                                    • String ID:
                                    • API String ID: 542301482-0
                                    • Opcode ID: 63985c77fb8dfeb5302312f5597fb05cdb499d42dbba0ed87a3522ad0b6ded9d
                                    • Instruction ID: e5a7eae2bdd1e62ef23c5faa1d519d8d3ad822f4b94ab92221cc4313212f58f6
                                    • Opcode Fuzzy Hash: 63985c77fb8dfeb5302312f5597fb05cdb499d42dbba0ed87a3522ad0b6ded9d
                                    • Instruction Fuzzy Hash: CFF0B4B22402259B83219A8AE880D47FB6CFF99B643104125FA08AB211C7719811C6E4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(Function_0009D2B0,00F4CA77), ref: 00F4D2A9
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 7c02758c23fa807ee68323e737c60a0f3f49794242fe4bfe28ad9f3914ac5947
                                    • Instruction ID: 808fe87c57b3895adb7af2e4d3c0852dd0c86db408e3193ec69713a5f95919e8
                                    • Opcode Fuzzy Hash: 7c02758c23fa807ee68323e737c60a0f3f49794242fe4bfe28ad9f3914ac5947
                                    • Instruction Fuzzy Hash:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Similarity
                                    • API ID: HeapProcess
                                    • String ID:
                                    • API String ID: 54951025-0
                                    • Opcode ID: 0e0159e40e231ca2c27069ba57755e4477c5f6fb62235696654136ed84ccb28e
                                    • Instruction ID: d8615022e966f7fe1a13908c6e6a8e5fd904f07e8d0a645804bca8309b8616ad
                                    • Opcode Fuzzy Hash: 0e0159e40e231ca2c27069ba57755e4477c5f6fb62235696654136ed84ccb28e
                                    • Instruction Fuzzy Hash: 46A0223020B308CF8300CF3AAF0830C3FEEBA022C0300C2AAA800CA230FB308000BB02
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f07a09fc92beab59e46cdb05ae819f1a825e381e3bba5651ece469f2a0880131
                                    • Instruction ID: a713cd46b3478a0d98c3287f7616f2c4c6ba1a6ff047452a9bb59c74b8f23975
                                    • Opcode Fuzzy Hash: f07a09fc92beab59e46cdb05ae819f1a825e381e3bba5651ece469f2a0880131
                                    • Instruction Fuzzy Hash: 33724AB1E002199FCB08CF99C5906ADBBF1FF88324F2481AED955AB341D7359A46DF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: afe5e1268f86b081c4aff82ea24175312e04f909044c70c72bd5282261cb1a10
                                    • Instruction ID: 80c5759ed92eac1ba0ebdbf378a2b3ba0f9f97814a2fbd1dea1c3cfb69947954
                                    • Opcode Fuzzy Hash: afe5e1268f86b081c4aff82ea24175312e04f909044c70c72bd5282261cb1a10
                                    • Instruction Fuzzy Hash: 65629EB1E00205DBDF14CF5AC5846ADBBB1BF88324F2881ADD854AB342D779DA42DF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 04fa3e7fe490313148d01498914685c832a4181b756cac296912fffe9db10e61
                                    • Instruction ID: 4259e80643933e57e606bde7a3602ff3de36fc4ceddd184646fc0e0d12a5a8f7
                                    • Opcode Fuzzy Hash: 04fa3e7fe490313148d01498914685c832a4181b756cac296912fffe9db10e61
                                    • Instruction Fuzzy Hash: 6F2273B7F515144BDB0CCA5DCCA23EDB2E3AFD4218B0E813DA80AE3745EA7DD9158684
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ec3d521a1bc445728d7ee59e52ec3459f6e041d1d6134f72bd092515bffe1742
                                    • Instruction ID: 7ed04e582ee56a5358516a9475643838b12b90b9eddece807c4e7d292208101a
                                    • Opcode Fuzzy Hash: ec3d521a1bc445728d7ee59e52ec3459f6e041d1d6134f72bd092515bffe1742
                                    • Instruction Fuzzy Hash: 06024535A00B008FD724CF29C480AA6B7F1FF48364F54496EE99A8BB51D735F991DB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7be10e1f0ffe327da101943046d924daf0a3c3fad0713b8dd69ece6b88f49366
                                    • Instruction ID: e16782455ce33cfa630e194ebd609e2bb79b23aab6cab6979859076a9fa21450
                                    • Opcode Fuzzy Hash: 7be10e1f0ffe327da101943046d924daf0a3c3fad0713b8dd69ece6b88f49366
                                    • Instruction Fuzzy Hash: BFE1B371E042559FCB04CF6CD5806ACFBF2EF99320F2881A9D495EB342D735AA06DB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                    • Instruction ID: af44d608c50c1347139bcad71af8f3e291182f3fc7b5cd895dee9a3d6e22ed3f
                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                    • Instruction Fuzzy Hash: 8CC1D1726051934ADF2D8639C53403FBAA15A927B331A476DDEF3CB1D5FE20C928E620
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                    • Instruction ID: 4ea2c41689944740c2e92bcd16e3dd910665e24f492c3b530430840fc968434d
                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                    • Instruction Fuzzy Hash: 58C1C6726050934ADF2D8639C53413FBAA15A927B331A476DDEF2CB4D4FE20D92DE620
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 39d04ea213e215d651511e788a7b3a724a841cd610a3980e295b98df4ec515e7
                                    • Instruction ID: c8523491ffbc26438e3b5ee0d20f2c58bb226323dd78daa79dee86d8b5a8113f
                                    • Opcode Fuzzy Hash: 39d04ea213e215d651511e788a7b3a724a841cd610a3980e295b98df4ec515e7
                                    • Instruction Fuzzy Hash: BFE1AC759092518FC70ACF18C4988F67BF5AF65720F1E82F9C8899B767C3329980DB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                    • Instruction ID: 5dbd11031f1c56b41708ae8ab759f15dc8f45c59a60b9489622e3c2cf316a1ed
                                    • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                    • Instruction Fuzzy Hash: 80C1B4726050934ADF2D8639853453FBAA15AA27B331A476DDEF2CB4D0FE10C92DEA10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                    • Instruction ID: 545f0a3a625b7a4d45e55b543b2886d658880607a919a0272ffde86446d5c32e
                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                    • Instruction Fuzzy Hash: 78C1B4726051934ADF2D8639853413FBAA15AA27B331A476DDEF3CB4D4FE20C92DE610
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c4c15a6b2021b0395fccfac5a3033646063728dc7ea4377ff03b32ea4555246c
                                    • Instruction ID: 00f551265e1182481aa784f141631c7a589a7e8fc20f660a698234cb1a2a4627
                                    • Opcode Fuzzy Hash: c4c15a6b2021b0395fccfac5a3033646063728dc7ea4377ff03b32ea4555246c
                                    • Instruction Fuzzy Hash: E9619A72A0070867DA348A2858957BEB394AF1772FF140519EF42CB281E645FECDB745
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7ca912fbd74cdeef2b55000208cc960772fb1ca2d7e5a73aa174721ea2c6e582
                                    • Instruction ID: 6b0dde143c6968447cf0d50d021e7edec448daa7622075a303aac2c698d51ab5
                                    • Opcode Fuzzy Hash: 7ca912fbd74cdeef2b55000208cc960772fb1ca2d7e5a73aa174721ea2c6e582
                                    • Instruction Fuzzy Hash: 0F6132357102696FEB18CF1EECC08B67755E78A3113864229EA81CB3D5C635E927E7E0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ca407813887ac5ed2db7c8b1aa6ea359c85eee18d49da2cb8eca8892239c895b
                                    • Instruction ID: 3b75134a1f3407cbe4eb48aefb9935b75501a1ca13697484a05979d0a39369a3
                                    • Opcode Fuzzy Hash: ca407813887ac5ed2db7c8b1aa6ea359c85eee18d49da2cb8eca8892239c895b
                                    • Instruction Fuzzy Hash: 44616DB2E006158BCB08CF5AC5442ADFBB1FF88324F14C1AED818AB745D7759A42DF80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9c03aa0fa737a59770e6fc423e78525cd04325b6560e8fa474c5e57c54527a7d
                                    • Instruction ID: 7119f11e04778a1e62b4d05cc3ebc77795ea3f709b94fe52a2baaa32b4b006b4
                                    • Opcode Fuzzy Hash: 9c03aa0fa737a59770e6fc423e78525cd04325b6560e8fa474c5e57c54527a7d
                                    • Instruction Fuzzy Hash: 97315C6790D1C147C701877D88B97E6BBA5BF9333271D82AACAC147E49E152A41EF701
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 78678eb6c7b84fdfed71e0602582bba54129a6d7ac7f101c99b218783b5ec921
                                    • Instruction ID: 0577562a370e200e2d68a1fb4cd8471de26525ee4586f1047202a3fce2dad86f
                                    • Opcode Fuzzy Hash: 78678eb6c7b84fdfed71e0602582bba54129a6d7ac7f101c99b218783b5ec921
                                    • Instruction Fuzzy Hash: 6B11573B074E0E82C62C841C5620FE922416B11719B94262DE7C6F93C1EFA7D857D187
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3f0f6efffb58c0845356d4de3b3b36cab0548beaf1ff68fc44e796011b855008
                                    • Instruction ID: 6c56038d272a5f121f6faf56d14b15d8a6c8e09b8ec48c953d38a60f6634c39d
                                    • Opcode Fuzzy Hash: 3f0f6efffb58c0845356d4de3b3b36cab0548beaf1ff68fc44e796011b855008
                                    • Instruction Fuzzy Hash: 8601A2B190A788DFC711EF68ED05B55B7A6F306734F1443AAE9259B3E0E735A400BB42
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 811bfd1cc25eeffef5514aed35109ec3bfc79133d3bd06e781100ddb0d2b1255
                                    • Instruction ID: 7b03cdf8aaa7d50d13d1ae7f51a4c9745d49f0116ef4ebeefe809783a45a77cd
                                    • Opcode Fuzzy Hash: 811bfd1cc25eeffef5514aed35109ec3bfc79133d3bd06e781100ddb0d2b1255
                                    • Instruction Fuzzy Hash: BB01DFB2909788DBC710EF68ED05B4577A1F304720F544B6AE8259B3D0F735A900AF42
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,33A37B94,?,?,?,?,00F61E9C,000000FF), ref: 00EB84E6
                                    • SetLastError.KERNEL32(00F908E8,?,?,?,?,?,?,?,?,?,33A37B94,?,?,?,?,00F61E9C), ref: 00EB8535
                                      • Part of subcall function 00EB3ED0: SysStringLen.OLEAUT32(?), ref: 00EB3EDE
                                      • Part of subcall function 00EB3ED0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3EF8
                                    • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104,?,?,?,?,?,?,?,?,?,33A37B94), ref: 00EB856A
                                      • Part of subcall function 00EB9D60: GetLastError.KERNEL32(33A37B94,74DEDFA0,74DEE010), ref: 00EB9D8D
                                      • Part of subcall function 00EB9D60: SetLastError.KERNEL32(00000000), ref: 00EB9E1E
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F417CE: __EH_prolog3_GS.LIBCMT ref: 00F417D8
                                    • GetLastError.KERNEL32 ref: 00EB85ED
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EB8645
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00EB8678
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00EB86AB
                                    • PathFileExistsW.SHLWAPI(?), ref: 00EB872D
                                    • GetLastError.KERNEL32 ref: 00EB8749
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EB878F
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$String$DirectoryFileFree$AllocCurrentExistsH_prolog3_ModuleNamePathSystem
                                    • String ID: "$D$explorer.exe
                                    • API String ID: 3750105342-2425987333
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: c
                                    • API String ID: 1452528299-112844655
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    • CreateMutexW.KERNEL32(00000000,00000001,-00000004,33A37B94,00000000), ref: 00EC9A15
                                    • GetLastError.KERNEL32 ref: 00EC9A29
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00EC9A56
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast$FreeString$CreateException@8MutexThrow
                                    • String ID: ********$.$Engine: property '%s' value now '%s'$Engine: running from temp, original setup: %s$ISHiddenProperties$ISPassword$ISPasswordValid$ISSelectedLanguage$Invalid password supplied$ORIGINALSETUPEXEDIR$ORIGINALSETUPEXENAME$Password$Password set with no password in setup.xml$ReverseOfPackageOrder$SetupEngine.cpp$SuiteId$UninstallOrder$UpdateUrl$Valid password supplied$true
                                    • API String ID: 3035193437-1046570353
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CoInitializeEx.OLE32(00000000,00000002,33A37B94), ref: 00ED7465
                                    • CoGetInterfaceAndReleaseStream.OLE32(?,00F9F884,00000000), ref: 00ED74B3
                                    • SetEvent.KERNEL32(?), ref: 00ED74C5
                                    • GetLastError.KERNEL32 ref: 00ED74DE
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED7528
                                    • GetProcAddress.KERNEL32(?,InitializeSuiteUI), ref: 00ED7540
                                    • GetLastError.KERNEL32 ref: 00ED754D
                                    • GetProcAddress.KERNEL32(?,ShutdownSuiteUI), ref: 00ED7598
                                    • GetLastError.KERNEL32 ref: 00ED75A5
                                    • SetEvent.KERNEL32(?), ref: 00ED761B
                                    • CoUninitialize.OLE32 ref: 00ED76BF
                                    Strings
                                    • Failed to obtain UI resource uninit entry point, error 0x%08x, xrefs: 00ED75B1
                                    • Failure during UI resource initializer call, xrefs: 00ED75F2
                                    • Failed to obtain UI resource entry point, error %x, xrefs: 00ED7559
                                    • ShutdownSuiteUI, xrefs: 00ED758D
                                    • InitializeSuiteUI, xrefs: 00ED7535
                                    Similarity
                                    • API ID: ErrorLast$AddressEventProc$InitializeInterfaceReleaseStreamUninitialize
                                    • String ID: Failed to obtain UI resource entry point, error %x$Failed to obtain UI resource uninit entry point, error 0x%08x$Failure during UI resource initializer call$InitializeSuiteUI$ShutdownSuiteUI
                                    • API String ID: 2855471474-2626213526
                                    • Opcode ID: f48018c9d43b542c2400fb6b9721f6ea600217567df8f27117311f62070b6ba0
                                    • Instruction ID: 2e464e85e76ed203a093b9686c879eb447b44ba0eee8e46616763b78d52f9436
                                    • Opcode Fuzzy Hash: f48018c9d43b542c2400fb6b9721f6ea600217567df8f27117311f62070b6ba0
                                    • Instruction Fuzzy Hash: 80913A70A04249DFDB01DFE4C889BAEBBB4FF08704F244069E551FB291EB75A906DB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    • Failed to allocate proxy handler, xrefs: 00ED3B2B
                                    • Failed to launch 64-bit proxy handler '%s' through elevated embed, error %x, xrefs: 00ED3A0D
                                    • SetupEngine.cpp, xrefs: 00ED3916, 00ED393C, 00ED3A13, 00ED3A71, 00ED3B14, 00ED3BB1
                                    • setup64.exe, xrefs: 00ED384A
                                    • Failed to create pipe server for elevated 64-bit proxy, error %x, xrefs: 00ED3937
                                    • \\.\pipe\ISEngine_, xrefs: 00ED38B8
                                    • -embedded:, xrefs: 00ED39A3
                                    • IS_ProxyWaiter_, xrefs: 00ED3959
                                    • Failed to connect/verify 64-bit elevated proxy, error %x, xrefs: 00ED3B89
                                    • Timed out waiting for 64-bit elevated proxy to respond, xrefs: 00ED3A85
                                    • Failed to initialize 64-bit elevated proxy communication, error %x, xrefs: 00ED3BA6
                                    Similarity
                                    • API ID:
                                    • String ID: -embedded:$Failed to allocate proxy handler$Failed to connect/verify 64-bit elevated proxy, error %x$Failed to create pipe server for elevated 64-bit proxy, error %x$Failed to initialize 64-bit elevated proxy communication, error %x$Failed to launch 64-bit proxy handler '%s' through elevated embed, error %x$IS_ProxyWaiter_$SetupEngine.cpp$Timed out waiting for 64-bit elevated proxy to respond$\\.\pipe\ISEngine_$setup64.exe
                                    • API String ID: 0-4276722301
                                    • Opcode ID: fb57751cb6afbc64779208cd38c3571c66828fb2dd588ffe3761174f3611dbf9
                                    • Instruction ID: 2952c812af1e094e9d60f22f7fb15ab7b82be04bc2466660e65f92d3f20099ed
                                    • Opcode Fuzzy Hash: fb57751cb6afbc64779208cd38c3571c66828fb2dd588ffe3761174f3611dbf9
                                    • Instruction Fuzzy Hash: EFC18170D0425CEAEF21DBA4DC45BEEB7B4AB04304F5401EAE509B7282DBB49B49DB52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VariantCopy.OLEAUT32(?,00EBA378), ref: 00EBA60B
                                    • VariantCopy.OLEAUT32(?,00F9091C), ref: 00EBA62B
                                    • VariantCopy.OLEAUT32(?,?), ref: 00EBA64B
                                    • VariantCopy.OLEAUT32(?,?), ref: 00EBA66B
                                    • VariantCopy.OLEAUT32(00F9091C,?), ref: 00EBA68B
                                    • VariantCopy.OLEAUT32(?,?), ref: 00EBA701
                                    • VariantCopy.OLEAUT32(?,?), ref: 00EBA719
                                    • VariantCopy.OLEAUT32(?,?), ref: 00EBA733
                                    • VariantClear.OLEAUT32(?), ref: 00EBA74C
                                      • Part of subcall function 00EBAF20: __CxxThrowException@8.LIBVCRUNTIME ref: 00EBAF32
                                    Similarity
                                    • API ID: Variant$Copy$ClearException@8Throw
                                    • String ID: Common\IScriptExtension.cpp$ScriptInvoke: failed to get id for function '%s', error 0x%08x$i$p=<u
                                    • API String ID: 1212477081-4073536936
                                    • Opcode ID: 807b6c7b53994189e4e816c4680d08a76d1edbc43e659581aa257601698c4892
                                    • Instruction ID: 592e36a0720cb1357aad4ab7cbd78147e1c5d55ca0e0e0f78321b70dbefb8859
                                    • Opcode Fuzzy Hash: 807b6c7b53994189e4e816c4680d08a76d1edbc43e659581aa257601698c4892
                                    • Instruction Fuzzy Hash: 34A1F8B1A00359AFDF10DFA4CC84BEEBBB9FF48304F185569E509E7241E7759A048B62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,33A37B94), ref: 00EBB4E4
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EBB53C
                                    • GetLastError.KERNEL32(?,33A37B94), ref: 00EBB595
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EBB5DB
                                    • VariantInit.OLEAUT32(?), ref: 00EBB627
                                    • VariantClear.OLEAUT32(?), ref: 00EBB6DB
                                    • VariantClear.OLEAUT32(?), ref: 00EBB70C
                                      • Part of subcall function 00EB4810: GetLastError.KERNEL32(33A37B94,?,00F908F0,00F9091C,?,00F60F29,000000FF,?,00EB394A,00F8B388,?,?,00000000,33A37B94,?,00F908F0), ref: 00EB484B
                                      • Part of subcall function 00EB4810: SysFreeString.OLEAUT32(6F6C206F), ref: 00EB4865
                                      • Part of subcall function 00EB4810: SysFreeString.OLEAUT32(00F90920), ref: 00EB487A
                                      • Part of subcall function 00EB4810: SetLastError.KERNEL32(?), ref: 00EB48AA
                                    • GetLastError.KERNEL32(?,33A37B94), ref: 00EBB741
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EBB787
                                    • GetLastError.KERNEL32 ref: 00EBB7B1
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EBB818
                                      • Part of subcall function 00EBB990: GetLastError.KERNEL32(33A37B94), ref: 00EBBA1E
                                      • Part of subcall function 00EBB990: SetLastError.KERNEL32(00F908E8), ref: 00EBBA68
                                      • Part of subcall function 00EBB990: VariantInit.OLEAUT32(?), ref: 00EBBAC0
                                      • Part of subcall function 00EBB990: VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 00EBBB33
                                    Similarity
                                    • API ID: ErrorLast$Variant$ClearFreeInitString$ChangeType
                                    • String ID: #$;$Ctor$SuiteObject call ('%s') failed with error %08x$SuiteObject: initialize object for '%s' failed with error %08x$Value
                                    • API String ID: 3163211979-2604594377
                                    • Opcode ID: 6d7ba6b528adbca73702ecb0078f84a71f4701895bfda42645da357a5e761abb
                                    • Instruction ID: 7483cd05fe22fba25b69f67a78097c80d8a61f34b1d94be0b1e473ad2091cb1e
                                    • Opcode Fuzzy Hash: 6d7ba6b528adbca73702ecb0078f84a71f4701895bfda42645da357a5e761abb
                                    • Instruction Fuzzy Hash: B0F10670D00259DEEB60DFA8C948BDEBBF4BF08304F148199D558B7291DBB45A88DFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                    • GetLastError.KERNEL32(00000000,00000000,33A37B94,00000000,?), ref: 00ED6ED9
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED6F25
                                    • GetLastError.KERNEL32 ref: 00ED6F3F
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED6FA6
                                    • new.LIBCMT ref: 00ED7092
                                    • GetLastError.KERNEL32(00F9091C,/isupdate.xml,0000000D), ref: 00ED7108
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED716F
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: '$/isupdate.xml$Engine: failed to download update XML file '%s', error 0x%08x$Engine: no update XML URL specified$Engine: update URL does not provide a path for isupdate.xml$ISUpdateAvailable$ISUpdateVersion$SetupEngine.cpp$Url
                                    • API String ID: 1452528299-591482025
                                    • Opcode ID: 29cc9756b8319fafaf85503c65faacdb106bfb443c4cdcaa0b8dd27f4c7bb462
                                    • Instruction ID: 5e0bcdb54aa790c47588d70cc69b346c87e58c2848461e6f7b15e231a014a9b4
                                    • Opcode Fuzzy Hash: 29cc9756b8319fafaf85503c65faacdb106bfb443c4cdcaa0b8dd27f4c7bb462
                                    • Instruction Fuzzy Hash: 531269B090429CDEEF21DBA4CC48BDEBBB4AF15308F144099D448B7282DBB41B89DF52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94,?,?,?), ref: 00EF83A3
                                    • SetLastError.KERNEL32(00F908E8,?,?,?), ref: 00EF83F0
                                      • Part of subcall function 00EB3ED0: SysStringLen.OLEAUT32(?), ref: 00EB3EDE
                                      • Part of subcall function 00EB3ED0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3EF8
                                    • GetLastError.KERNEL32(?,00000104,?,00000104,?,?,?), ref: 00EF84FF
                                    • SetLastError.KERNEL32(00F908E8,?,00000104,?,00000104,?,?,?), ref: 00EF8549
                                      • Part of subcall function 00EB9D60: GetLastError.KERNEL32(33A37B94,74DEDFA0,74DEE010), ref: 00EB9D8D
                                      • Part of subcall function 00EB9D60: SetLastError.KERNEL32(00000000), ref: 00EB9E1E
                                    • GetLastError.KERNEL32(?,00000104,?,00000104,?,?,?), ref: 00EF8648
                                    • SetLastError.KERNEL32(00F908E8,?,00000104,?,00000104,?,?,?), ref: 00EF8692
                                    • VariantInit.OLEAUT32(?), ref: 00EF8770
                                    • VariantClear.OLEAUT32(?), ref: 00EF8824
                                    • VariantClear.OLEAUT32(?), ref: 00EF8843
                                    Similarity
                                    • API ID: ErrorLast$Variant$ClearString$AllocInit
                                    • String ID: Condition.cpp$LocalPackage$MsiInstalled condition: failed to convert registered version value (%s), error %x$MsiInstalled condition: failed to evaluate comparison, error %x$PackageCode$VersionString
                                    • API String ID: 2423531521-4192797876
                                    • Opcode ID: f17dcd2852eb28b2cb9c2aa11ed366be550d5b1abf420a66fe2f904afda0cbf2
                                    • Instruction ID: d4a1844f3487e559b6a01fd07304cb7254b36354ea7362b5af51793800c51b21
                                    • Opcode Fuzzy Hash: f17dcd2852eb28b2cb9c2aa11ed366be550d5b1abf420a66fe2f904afda0cbf2
                                    • Instruction Fuzzy Hash: C3024A7190428CDFEB11DFA8C948BEEBBF4AF19304F148099D149B7292DB749A48DF61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB6EC0: GetLastError.KERNEL32(33A37B94,?,00EB5D01,00EB5D01,00F90920,00F60FF9,000000FF,?,00EB6814,00F8B388,00000000,?,00000000), ref: 00EB6F02
                                      • Part of subcall function 00EB6EC0: SetLastError.KERNEL32(00F908E8,00F8B388,00000000,?,00EB5D01,00EB5D01,00F90920,00F60FF9,000000FF,?,00EB6814,00F8B388,00000000,?,00000000), ref: 00EB6F65
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    • LoadLibraryW.KERNEL32(?,?,00F9091C,setup.inx,?,00000000,?,00F9091C,ISSetup.dll,?,00000000,00F8B388,?,?,00000000,00F8B388), ref: 00F1D3E3
                                    • GetLastError.KERNEL32 ref: 00F1D3FF
                                    Similarity
                                    • API ID: ErrorLast$FreeString$LibraryLoad
                                    • String ID: !$ISSetup.dll$setup.inx
                                    • API String ID: 132963947-4047876747
                                    • Opcode ID: 77cbf4b83207a129a4cc8a563d883350986a55914c6050d728f8910e4a711b4d
                                    • Instruction ID: 87b4dd9a06b1bd5fc5762ce54f3abc6cae02e30cde8f23a2d9e5d000af66c33d
                                    • Opcode Fuzzy Hash: 77cbf4b83207a129a4cc8a563d883350986a55914c6050d728f8910e4a711b4d
                                    • Instruction Fuzzy Hash: 7C228A70905258DFDB11EBA8DD99BDEBBB4AF14304F1440D9E008A7292DBB45F88DF92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F0D230: new.LIBCMT ref: 00F0D25D
                                    • GetUserDefaultLCID.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00F73079,000000FF), ref: 00EFA28E
                                    • GetSystemDefaultLCID.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00F73079,000000FF), ref: 00EFA297
                                    • GetSystemDefaultUILanguage.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00F73079,000000FF), ref: 00EFA2A0
                                    • GetACP.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00F73079,000000FF), ref: 00EFA2AA
                                    • GetLastError.KERNEL32 ref: 00EFA2CC
                                    • SetLastError.KERNEL32(?), ref: 00EFA30A
                                    • GetLastError.KERNEL32 ref: 00EFA328
                                    • SetLastError.KERNEL32(?), ref: 00EFA361
                                    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00EFA375
                                    • GetProcAddress.KERNEL32(00000000,GetUserDefaultLocaleName), ref: 00EFA38D
                                    • GetProcAddress.KERNEL32(00000000,GetSystemDefaultLocaleName), ref: 00EFA39A
                                    Similarity
                                    • API ID: ErrorLast$Default$AddressProcSystem$HandleLanguageModuleUser
                                    • String ID: GetSystemDefaultLocaleName$GetUserDefaultLocaleName$kernel32.dll
                                    • API String ID: 1013420760-1337869891
                                    • Opcode ID: 3171d949fe49551960fe5c29ff26ffed427e223ece368dbc6103e78cc77df5c5
                                    • Instruction ID: b5f02804dfe5918922d626a37026cdaff7c504c324a500f9ea6cebadd595f6b2
                                    • Opcode Fuzzy Hash: 3171d949fe49551960fe5c29ff26ffed427e223ece368dbc6103e78cc77df5c5
                                    • Instruction Fuzzy Hash: 44A16DB0805748DFDB11DFA8D988799BFF0BF09308F14819AD508AB392D7B59A44DF92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Similarity
                                    • API ID:
                                    • String ID: End proxy transaction result: %x$End transaction result: %x$Running transaction parcels$Running with current process transaction, starting transaction (if supported)$Running with out-proc transaction, starting transaction (if supported)$Skipping parcel with no action$Transaction.cpp$Transaction: finished running parcels, will %s transaction$Transaction: parcel returned error status %x$commit$roll back$}
                                    • API String ID: 0-457923003
                                    • Opcode ID: 1629d8cc2f50b46f04a9d95ba7113c5e81ee86ca901597e511451696a542d2f4
                                    • Instruction ID: b0b161936e9a50c0001b1a7df2c125f47bfdbce5859a04a60419214c463c63fd
                                    • Opcode Fuzzy Hash: 1629d8cc2f50b46f04a9d95ba7113c5e81ee86ca901597e511451696a542d2f4
                                    • Instruction Fuzzy Hash: 62F1C3B0D00298DFEF21DB64D8427EEBBB0AF04314F14816DE5446B292DBB46E84EF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • new.LIBCMT ref: 00F29B02
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FreeString
                                    • String ID: 3$Appx detect condition: failed to evaluate condition, status 0x%08x$Appx detect condition: failed to validate condition, status 0x%08x$Appx parcel detect: condition is overridden by setup.xml detect$Appx parcel detect: failed to create new installed condition$AppxParcelHandler.cpp$Compare$Equal$Name$ProcessorArchitecture$Publisher$Version
                                    • API String ID: 2425351278-3743069896
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94,?,00000001), ref: 00ED5704
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED5753
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00ED576D
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED57C5
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00ED57D9
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED581F
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EB3ED0: SysStringLen.OLEAUT32(?), ref: 00EB3EDE
                                      • Part of subcall function 00EB3ED0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3EF8
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    • MessageBoxW.USER32(00000000,00000000,00F9091C,00000030), ref: 00ED5AB3
                                    Strings
                                    • IDS_SUITE_BETA, xrefs: 00ED59CE
                                    • This setup was created with an EVALUATION VERSION of %s, xrefs: 00ED59B1
                                    • IDS_SUITE_EVAL, xrefs: 00ED5917
                                    • IDS_PRODUCTNAME_INSTALLSHIELD, xrefs: 00ED5846
                                    • InstallShield, xrefs: 00ED5A78
                                    • This setup was created with a BETA VERSION of %s, xrefs: 00ED5A64
                                    Similarity
                                    • API ID: ErrorLast$String$Free$AllocMessage
                                    • String ID: IDS_PRODUCTNAME_INSTALLSHIELD$IDS_SUITE_BETA$IDS_SUITE_EVAL$InstallShield$This setup was created with a BETA VERSION of %s$This setup was created with an EVALUATION VERSION of %s
                                    • API String ID: 4144628438-1802893656
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB4810: GetLastError.KERNEL32(33A37B94,?,00F908F0,00F9091C,?,00F60F29,000000FF,?,00EB394A,00F8B388,?,?,00000000,33A37B94,?,00F908F0), ref: 00EB484B
                                      • Part of subcall function 00EB4810: SysFreeString.OLEAUT32(6F6C206F), ref: 00EB4865
                                      • Part of subcall function 00EB4810: SysFreeString.OLEAUT32(00F90920), ref: 00EB487A
                                      • Part of subcall function 00EB4810: SetLastError.KERNEL32(?), ref: 00EB48AA
                                    • LoadLibraryW.KERNEL32(?), ref: 00F0EC50
                                    • GetLastError.KERNEL32 ref: 00F0EC7D
                                    • GetProcAddress.KERNEL32(00000000,GetSuiteObject), ref: 00F0ECD2
                                    • GetLastError.KERNEL32 ref: 00F0ECDE
                                    Strings
                                    • SuiteObject: failed to create suite extension, status 0x%08x, xrefs: 00F0ED59
                                    • Failed to load resource DLL in SON extension object (%s), error: %08x, xrefs: 00F0ECAF
                                    • Resource DLL GetSuiteObject (obj '%s') returned error %08x, xrefs: 00F0EDC8
                                    • 8, xrefs: 00F0EE1E
                                    • .dll, xrefs: 00F0EB59
                                    • GetSuiteObject, xrefs: 00F0ECCC
                                    • Unknown resource DLL in SON extension object reference: %s, xrefs: 00F0EC34
                                    • Invalid resource name or object name in SON extension object reference: Dll '%s', Object '%s', xrefs: 00F0EE28
                                    • Resource DLL '%s' does not provide a suite object factor, error %08x, xrefs: 00F0ED10
                                    Similarity
                                    • API ID: ErrorLast$FreeString$AddressLibraryLoadProc
                                    • String ID: .dll$8$Failed to load resource DLL in SON extension object (%s), error: %08x$GetSuiteObject$Invalid resource name or object name in SON extension object reference: Dll '%s', Object '%s'$Resource DLL '%s' does not provide a suite object factor, error %08x$Resource DLL GetSuiteObject (obj '%s') returned error %08x$SuiteObject: failed to create suite extension, status 0x%08x$Unknown resource DLL in SON extension object reference: %s
                                    • API String ID: 3058898142-2981135431
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • new.LIBCMT ref: 00EF155A
                                    • new.LIBCMT ref: 00EF15A7
                                      • Part of subcall function 00EF0E50: GetLastError.KERNEL32 ref: 00EF0ED7
                                      • Part of subcall function 00EF0E50: SetLastError.KERNEL32(?), ref: 00EF0F19
                                      • Part of subcall function 00EF0E50: GetLastError.KERNEL32 ref: 00EF0F35
                                      • Part of subcall function 00EF0E50: SetLastError.KERNEL32(?), ref: 00EF0F71
                                      • Part of subcall function 00EF0E50: GetLastError.KERNEL32 ref: 00EF0F90
                                      • Part of subcall function 00EF0E50: SetLastError.KERNEL32(?), ref: 00EF0FCC
                                    • new.LIBCMT ref: 00EF160F
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: CallClr$CallDll$CallExe$CallInstallScript$CallPowerShell$SetProperty
                                    • API String ID: 1452528299-737400278
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: Appx$Exe$Isp$Msi$Msp$WebDeploy
                                    • API String ID: 0-1138894300
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetLastError.KERNEL32(80004005,33A37B94), ref: 00EBCF93
                                      • Part of subcall function 00EB48D0: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60F81,000000FF,?,00EB2726), ref: 00EB4907
                                      • Part of subcall function 00EB48D0: SetLastError.KERNEL32(?,?,?,?,?,00F60F81,000000FF), ref: 00EB4946
                                    • SetLastError.KERNEL32(8007007E), ref: 00EBCFFE
                                    • SetLastError.KERNEL32(80004005,33A37B94), ref: 00EBD107
                                    Strings
                                    • Extension: couldn't find entry point '%s' in script, error 0x%08x, xrefs: 00EBD1B6
                                    • _Validate, xrefs: 00EBD02F, 00EBD138
                                    • e, xrefs: 00EBD1BC
                                    • Extension resource for entry point '%s' failed to load or is not a DLL (validate), xrefs: 00EBCFE4
                                    • Validation function entry point '%s' not found for extension condition in DLL '%s', xrefs: 00EBD091
                                    • ExtensionDelegate.cpp, xrefs: 00EBCFDD, 00EBD08A, 00EBD1AF
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: Extension resource for entry point '%s' failed to load or is not a DLL (validate)$Extension: couldn't find entry point '%s' in script, error 0x%08x$ExtensionDelegate.cpp$Validation function entry point '%s' not found for extension condition in DLL '%s'$_Validate$e
                                    • API String ID: 1452528299-3069477522
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SetLastError.KERNEL32(80004005,33A37B94), ref: 00EBD2C3
                                      • Part of subcall function 00EB48D0: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60F81,000000FF,?,00EB2726), ref: 00EB4907
                                      • Part of subcall function 00EB48D0: SetLastError.KERNEL32(?,?,?,?,?,00F60F81,000000FF), ref: 00EB4946
                                    • SetLastError.KERNEL32(8007007E), ref: 00EBD32E
                                    • SetLastError.KERNEL32(80004005,33A37B94), ref: 00EBD437
                                    Strings
                                    • Extension: couldn't find entry point '%s' in script, error 0x%08x, xrefs: 00EBD4E0
                                    • x, xrefs: 00EBD31A
                                    • ExtensionDelegate.cpp, xrefs: 00EBD30D, 00EBD3BA, 00EBD4D9
                                    • Extension resource for entry point '%s' failed to load or is not a DLL (evaluate), xrefs: 00EBD314
                                    • _Evaluate, xrefs: 00EBD35F, 00EBD468
                                    • Evaluation function entry point '%s' not for extension condition in DLL '%s', xrefs: 00EBD3C1
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: Evaluation function entry point '%s' not for extension condition in DLL '%s'$Extension resource for entry point '%s' failed to load or is not a DLL (evaluate)$Extension: couldn't find entry point '%s' in script, error 0x%08x$ExtensionDelegate.cpp$_Evaluate$x
                                    • API String ID: 1452528299-1918396859
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 00F44307
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,CreateToolhelp32Snapshot,000002A8,00F42EDD,00F43D8D,?,?,00000068,00F454C9,00F43D8D,?,?), ref: 00F4431F
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F44322
                                    • GetModuleHandleW.KERNEL32(Kernel32.dll,Process32First,?,00000068,00F454C9,00F43D8D,?,?), ref: 00F4435D
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F44360
                                    • GetModuleHandleW.KERNEL32(Kernel32.dll,Process32Next,?,00000068,00F454C9,00F43D8D,?,?), ref: 00F44376
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F44379
                                      • Part of subcall function 00F44466: __EH_prolog3_GS.LIBCMT ref: 00F44470
                                      • Part of subcall function 00F44466: GetModuleHandleW.KERNEL32(Ntdll.dll,NtQueryInformationProcess,?,00000400,?,000004A0,00F44454,00000000,?,00000068,00F454C9,00F43D8D,?,?), ref: 00F444A0
                                      • Part of subcall function 00F44466: GetProcAddress.KERNEL32(00000000), ref: 00F444A7
                                      • Part of subcall function 00F44466: OpenProcess.KERNEL32(00000400,00000000,?,?,00000068,00F454C9,00F43D8D,?,?), ref: 00F444D3
                                    Strings
                                    Similarity
                                    • API ID: AddressHandleModuleProc$H_prolog3_$OpenProcess
                                    • String ID: CreateToolhelp32Snapshot$Kernel32.dll$Process32First$Process32Next$kernel32.dll
                                    • API String ID: 175859365-1872946363
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94), ref: 00EF4A44
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EF4A93
                                    • GetLastError.KERNEL32 ref: 00EF4AAA
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EF4AF0
                                    • GetLastError.KERNEL32 ref: 00EF4B07
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EF4B5F
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: "$Check64Bit$Condition.cpp$Invalid registry exists condition: no key specified$Key$ValueName$true
                                    • API String ID: 1452528299-3014655832
                                    • Opcode ID: c8248a7a888e0c731a89a578eea69158bfd8056cf9052fdcddf080820296f796
                                    • Instruction ID: 86c960f7ff8a47789340b58946ce070c71973f6be828892f911642dda12e7551
                                    • Opcode Fuzzy Hash: c8248a7a888e0c731a89a578eea69158bfd8056cf9052fdcddf080820296f796
                                    • Instruction Fuzzy Hash: 5BD158B0D0529CDEEF21DBA4DC54BEEBBB4AB14308F148199D048B72D2DBB45A48DF61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetDriveTypeW.KERNEL32(-00000004,00F9091C,00000000,?,00000000,Engine: registering/unregistering ARP entry, will use maintenance mode detection from setup.xml,?,00000000,SetupEngine.cpp,?,00000000,33A37B94,?,00000000), ref: 00ED5443
                                    • GetLastError.KERNEL32(?,00000000,SetupEngine.cpp,?,00000000,33A37B94,?,00000000), ref: 00ED547B
                                    • SetLastError.KERNEL32(00F908E8,?,00000000,SetupEngine.cpp,?,00000000,33A37B94,?,00000000), ref: 00ED54C5
                                      • Part of subcall function 00EB4810: GetLastError.KERNEL32(33A37B94,?,00F908F0,00F9091C,?,00F60F29,000000FF,?,00EB394A,00F8B388,?,?,00000000,33A37B94,?,00F908F0), ref: 00EB484B
                                      • Part of subcall function 00EB4810: SysFreeString.OLEAUT32(6F6C206F), ref: 00EB4865
                                      • Part of subcall function 00EB4810: SysFreeString.OLEAUT32(00F90920), ref: 00EB487A
                                      • Part of subcall function 00EB4810: SetLastError.KERNEL32(?), ref: 00EB48AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FreeString$DriveType
                                    • String ID: =$Engine: %s ARP entry$Engine: registering/unregistering ARP entry, will use maintenance mode detection from setup.xml$No ARP information provided in setup.xml, skipping register/unregister ARP info$No maintenance mode detection condition in setup.xml, skipping register/unregister ARP info$SetupEngine.cpp$registering$unregistering
                                    • API String ID: 568823952-2460947592
                                    • Opcode ID: 427071bb8a9cb61df4f76a9e749d6a61379c3dc49879bd3adde01127b9d2eebe
                                    • Instruction ID: e417a231a09814e9aa944d3be5c6e7670ee666b25ade45195359171fd68978c4
                                    • Opcode Fuzzy Hash: 427071bb8a9cb61df4f76a9e749d6a61379c3dc49879bd3adde01127b9d2eebe
                                    • Instruction Fuzzy Hash: C7F1C170A05388EEEF24DF64DC48BEEBBB1EF01308F185159E4057B292DBB45A49DB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94), ref: 00EBCABE
                                    • SetLastError.KERNEL32(?), ref: 00EBCAFD
                                      • Part of subcall function 00EB48D0: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60F81,000000FF,?,00EB2726), ref: 00EB4907
                                      • Part of subcall function 00EB48D0: SetLastError.KERNEL32(?,?,?,?,?,00F60F81,000000FF), ref: 00EB4946
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    • new.LIBCMT ref: 00EBCE8E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FreeString
                                    • String ID: !$Extension: failed to get ISRT.dll resource, error 0x%08x$Extension: failed to get setup.inx resource, error 0x%08x$ExtensionDelegate.cpp$ISRT.dll$ISSetup.dll$IScript:$setup.inx
                                    • API String ID: 2425351278-1511573062
                                    • Opcode ID: 337ca88aeeacdc326598aa822c79bab680c302228a6fad9a1f175d32524701d3
                                    • Instruction ID: af21599004a413ac8836b0e0ba2210e28707bcfe6c211cb9e1701978aa9bcfc4
                                    • Opcode Fuzzy Hash: 337ca88aeeacdc326598aa822c79bab680c302228a6fad9a1f175d32524701d3
                                    • Instruction Fuzzy Hash: 3CE1BD70A09258DEEF24DF64CC95BEEBBF4AF15304F1441E8E449B7282DB709A48DB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: !$Compare$Equal$ISP parcel detect: condition is overridden by setup.xml detect$Isp parcel detection: failed to create new installed condition$Isp parcel detection: failed to evaluate installed condition, error %x$Isp parcel detection: failed to validate installed condition, error %x$IspParcelHandler.cpp$ProductCode$ProductVersion
                                    • API String ID: 0-4212178543
                                    • Opcode ID: 6cf02b042597e31a45a1f665bde9ed32ef9b70647154bc3b5e371f3da47ec394
                                    • Instruction ID: b664e6dd47150e306820dbce91baaab18427a55e065c29e73510a24c7b9bb868
                                    • Opcode Fuzzy Hash: 6cf02b042597e31a45a1f665bde9ed32ef9b70647154bc3b5e371f3da47ec394
                                    • Instruction Fuzzy Hash: 31C1D0B0900258EFEF24DBA4DC85BDEBBB0FF15304F144189E44577282DBB45A89EB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(00F9091C,80000000,00000003,00000080,00000003,00000000,00000000,00F9091C,00000000), ref: 00ED1AD5
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED1B3C
                                    • new.LIBCMT ref: 00ED1C2A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: $%I64d$?$Engine: attempting to download updated suite$Engine: failed to download suite update, error 0x%08x$Name$SetupEngine.cpp$Size
                                    • API String ID: 1452528299-4000506540
                                    • Opcode ID: 24a312862a2b05d9a09d211d3d31da17513d9c1efe3be50ba7f3d1407943f4a2
                                    • Instruction ID: 055a538b5b6d56e412781c8c20d03b761db7bcdc5eafbec593005a381b856380
                                    • Opcode Fuzzy Hash: 24a312862a2b05d9a09d211d3d31da17513d9c1efe3be50ba7f3d1407943f4a2
                                    • Instruction Fuzzy Hash: 08B18AB0905298DEEF11DBA4D949BDEBBB0AB10304F1440EAE44877292DBB41F49DF52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00EBA91B
                                      • Part of subcall function 00EB3ED0: SysStringLen.OLEAUT32(?), ref: 00EB3EDE
                                      • Part of subcall function 00EB3ED0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3EF8
                                      • Part of subcall function 00EBAE70: VariantClear.OLEAUT32(?), ref: 00EBAE86
                                      • Part of subcall function 00EBAE70: SysAllocString.OLEAUT32(?), ref: 00EBAE99
                                      • Part of subcall function 00EB6CA0: GetLastError.KERNEL32(33A37B94,?,?,?,00FD21E8,?,00F61B59,000000FF,?,00EB1414,installshield/2019/bootstrap,?,00000000,33A37B94,?,00F7979A), ref: 00EB6CE3
                                      • Part of subcall function 00EB6CA0: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,00FD21E8,?,00F61B59,000000FF,?,00EB1414,installshield/2019/bootstrap,?,00000000,33A37B94), ref: 00EB6D60
                                    • VariantInit.OLEAUT32 ref: 00EBA97F
                                    • VariantInit.OLEAUT32 ref: 00EBA99B
                                    • VariantInit.OLEAUT32 ref: 00EBA9B7
                                    • VariantCopy.OLEAUT32(?,?), ref: 00EBA9D2
                                    • VariantClear.OLEAUT32(?), ref: 00EBAA76
                                    • VariantClear.OLEAUT32(?), ref: 00EBAA83
                                      • Part of subcall function 00EBAF20: __CxxThrowException@8.LIBVCRUNTIME ref: 00EBAF32
                                      • Part of subcall function 00EBAAB0: VariantInit.OLEAUT32(?), ref: 00EBAB14
                                      • Part of subcall function 00EBAAB0: VariantInit.OLEAUT32 ref: 00EBAB52
                                      • Part of subcall function 00EBAAB0: VariantInit.OLEAUT32 ref: 00EBAB6E
                                      • Part of subcall function 00EBAAB0: VariantInit.OLEAUT32 ref: 00EBAB8A
                                      • Part of subcall function 00EBAAB0: VariantInit.OLEAUT32 ref: 00EBABA6
                                      • Part of subcall function 00EBAAB0: VariantCopy.OLEAUT32(?,?), ref: 00EBABBE
                                    Strings
                                    • ScriptExtension: failed to init script, error 0x%08x, xrefs: 00EBAA3A
                                    • |, xrefs: 00EBAA40
                                    • Common\IScriptExtension.cpp, xrefs: 00EBAA33
                                    • __ISRTSuiteExtInit, xrefs: 00EBA94A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Variant$Init$ClearString$AllocCopyErrorLast$Exception@8Throw
                                    • String ID: Common\IScriptExtension.cpp$ScriptExtension: failed to init script, error 0x%08x$__ISRTSuiteExtInit$|
                                    • API String ID: 2418387389-689324398
                                    • Opcode ID: 3ae7175a5a9d52a3ade225eed12d64846a461557570a1249913ba113a9ab9326
                                    • Instruction ID: fa5422c5d150864f9703720585d40df8ac035ff5412dd4d76cdd2c132e6141e8
                                    • Opcode Fuzzy Hash: 3ae7175a5a9d52a3ade225eed12d64846a461557570a1249913ba113a9ab9326
                                    • Instruction Fuzzy Hash: 4F512CB1D043489EDB05DFA8D945B9EBBF8EF08310F1481AEE409E7352DB749A04DB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNEL32(Kernel32.dll,?,?,?,?,?,?,?,?,00F06BB9,33A37B94,?,00000000,00000000,00F9091C), ref: 00F4356D
                                    • GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 00F4357D
                                    • RegOpenKeyExW.ADVAPI32(80000003,.Default\Control Panel\desktop\ResourceLocale,00000000,000F003F,?,33A37B94), ref: 00F435B6
                                    • RegQueryValueExW.ADVAPI32(?,00F8B388,00000000,00000000,?,0000000A), ref: 00F435CE
                                    • RegOpenKeyExW.ADVAPI32(80000003,.DEFAULT\Control Panel\International,00000000,000F003F,?), ref: 00F435EF
                                    • RegQueryValueExW.ADVAPI32(?,Locale,00000000,00000000,?,0000000A), ref: 00F43609
                                    Strings
                                    • .Default\Control Panel\desktop\ResourceLocale, xrefs: 00F435A9
                                    • .DEFAULT\Control Panel\International, xrefs: 00F435E5
                                    • Locale, xrefs: 00F43601
                                    • Kernel32.dll, xrefs: 00F43568
                                    • GetSystemDefaultUILanguage, xrefs: 00F43577
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: OpenQueryValue$AddressHandleModuleProc
                                    • String ID: .DEFAULT\Control Panel\International$.Default\Control Panel\desktop\ResourceLocale$GetSystemDefaultUILanguage$Kernel32.dll$Locale
                                    • API String ID: 1454740049-3798069133
                                    • Opcode ID: 1b8d80f68c15c3c1e7d11551aad2f6edc4c3f5a032755644fbf215fbab3a4112
                                    • Instruction ID: f318dc39f567f799f6681a35673aae0fbff777672410b5860ad00e82bcaa3cba
                                    • Opcode Fuzzy Hash: 1b8d80f68c15c3c1e7d11551aad2f6edc4c3f5a032755644fbf215fbab3a4112
                                    • Instruction Fuzzy Hash: 61213271E0021EBEEB11ABA18C45EFF77ACEB14745F150129BD01F2141DA749E05A7A5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                    • GetLastError.KERNEL32 ref: 00ED8936
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED8994
                                    • GetLastError.KERNEL32 ref: 00ED89A8
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED89EE
                                    • GetLastError.KERNEL32 ref: 00ED8A02
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED8A48
                                    • GetLastError.KERNEL32 ref: 00ED8A62
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED8AC9
                                    • GetLastError.KERNEL32 ref: 00ED8AE3
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED8B4A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: $$**********
                                    • API String ID: 1452528299-2042610098
                                    • Opcode ID: eaa4482908121a5fe8a2d0233dad064a6bbf91d7face882074a575f828e7f59e
                                    • Instruction ID: 43457fd44b9430a7d39c455864182a1952afbb203a1ad571815883ca1bdb0635
                                    • Opcode Fuzzy Hash: eaa4482908121a5fe8a2d0233dad064a6bbf91d7face882074a575f828e7f59e
                                    • Instruction Fuzzy Hash: 18225870904298DEEF25DB68CD94BDEBBB4AF15304F1480DAD049B7282DBB05B89DF61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94), ref: 00EF8D52
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EF8D9C
                                      • Part of subcall function 00EB3ED0: SysStringLen.OLEAUT32(?), ref: 00EB3EDE
                                      • Part of subcall function 00EB3ED0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3EF8
                                      • Part of subcall function 00EF9290: VariantInit.OLEAUT32(00000007), ref: 00EF9330
                                      • Part of subcall function 00EF9290: VariantInit.OLEAUT32(?), ref: 00EF9347
                                      • Part of subcall function 00EF9290: GetLastError.KERNEL32 ref: 00EF9381
                                      • Part of subcall function 00EF9290: SetLastError.KERNEL32(?), ref: 00EF93C3
                                      • Part of subcall function 00EF9290: GetLastError.KERNEL32 ref: 00EF93E2
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$String$FreeInitVariant$Alloc
                                    • String ID: Compare$Condition.cpp$GreaterEqual$GreaterThan$LessEqual$LessThan$MsiRelated evaluation: failed to build MsiInstalled condition, error %x$MsiRelated evaluation: failed to evaluate MsiInstalled condition, error %x$ProductCode$ProductVersion
                                    • API String ID: 1079116179-3350049033
                                    • Opcode ID: e3da44d9e7835da5d26bd074c08f9fcecfff87adf3c7213b4e35b51a77f38a22
                                    • Instruction ID: 0d0b90fb135d422222de5a47721ae53129b0e6b980f03fbb88707cbc0a60e324
                                    • Opcode Fuzzy Hash: e3da44d9e7835da5d26bd074c08f9fcecfff87adf3c7213b4e35b51a77f38a22
                                    • Instruction Fuzzy Hash: A3F1477190525CDEEF21DB64CC88BEEBBB8AF15304F1440D9D149B7292DBB05A88DF62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    • new.LIBCMT ref: 00F30BB8
                                      • Part of subcall function 00EF9290: VariantInit.OLEAUT32(00000007), ref: 00EF9330
                                      • Part of subcall function 00EF9290: VariantInit.OLEAUT32(?), ref: 00EF9347
                                      • Part of subcall function 00EF9290: GetLastError.KERNEL32 ref: 00EF9381
                                      • Part of subcall function 00EF9290: SetLastError.KERNEL32(?), ref: 00EF93C3
                                      • Part of subcall function 00EF9290: GetLastError.KERNEL32 ref: 00EF93E2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FreeInitStringVariant
                                    • String ID: Failed to allocate msi installed condition$MSI patch detect: evaluate status: %x, is installed: %s$MSI patch detect: failed to validate condition, error: %x$MSI patch detect: product code: '%s', patch code: '%s'$MsiParcelHandler.cpp$PatchCode$ProductCode$false$true
                                    • API String ID: 4090687836-2311497672
                                    • Opcode ID: 93ddb4dd53c2725495acb6d50140cda52ee52029ab44b996e7b484ee1d157246
                                    • Instruction ID: b7a048251911f219a238faace4f5473da169fad95a34258985d0e5fa9636d765
                                    • Opcode Fuzzy Hash: 93ddb4dd53c2725495acb6d50140cda52ee52029ab44b996e7b484ee1d157246
                                    • Instruction Fuzzy Hash: 0DB1ADB0904258EFEF21DBA4DC99BDEBBB4BF15304F14418AE40577292DBB05A48DBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: lstrcpylstrlen$ErrorH_prolog3Lastlstrcatlstrcmpi
                                    • String ID: <$GET
                                    • API String ID: 152113618-427699995
                                    • Opcode ID: ddd3397338d6db3e400ea7c0a6741a70e7dc0d25b9bc0383298be589e77b1462
                                    • Instruction ID: 39e60b26bee2b8ebddb5f93b22aacc14bad542f5c0766370afff0a4260fa16df
                                    • Opcode Fuzzy Hash: ddd3397338d6db3e400ea7c0a6741a70e7dc0d25b9bc0383298be589e77b1462
                                    • Instruction Fuzzy Hash: A4515872901119EFDF15AFA1DD09AAE7F76FF08760F044029FE05AA262DB358911EB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F0D230: new.LIBCMT ref: 00F0D25D
                                    • VariantInit.OLEAUT32(00000007), ref: 00EF9330
                                    • VariantInit.OLEAUT32(?), ref: 00EF9347
                                    • GetLastError.KERNEL32 ref: 00EF9381
                                    • SetLastError.KERNEL32(?), ref: 00EF93C3
                                    • GetLastError.KERNEL32 ref: 00EF93E2
                                    • SetLastError.KERNEL32(?), ref: 00EF941E
                                    • GetLastError.KERNEL32 ref: 00EF943D
                                    • SetLastError.KERNEL32(?), ref: 00EF9479
                                    • VariantInit.OLEAUT32(?), ref: 00EF9496
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InitVariant
                                    • String ID: GreaterThan
                                    • API String ID: 201494241-2075541825
                                    • Opcode ID: d0c827f654b0ee78c55cb7097ec1631a6ef3dd65c33606b1717134a6c5107e98
                                    • Instruction ID: 81be693b02789bb8282970f11f243015829a633379e8c17c21fe402a6c2f4525
                                    • Opcode Fuzzy Hash: d0c827f654b0ee78c55cb7097ec1631a6ef3dd65c33606b1717134a6c5107e98
                                    • Instruction Fuzzy Hash: B87102B0805788CFDB60CF69C54878ABFF0BF09314F10899DD4899B762D775AA08DB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: T$Using command line language %d$Using default language %d$Using installed language %d$Using system default UI language %d$Using system default language %d$Using user default language %d$a
                                    • API String ID: 0-2116512202
                                    • Opcode ID: eb289110a5ba41a6d3c5887a6f9d71562f11279c2e9190093d57f001c87335c3
                                    • Instruction ID: a0dc6deeefc2b8675f253236e3b2cf29017bfe610b4e8fcf772ca97844d1406b
                                    • Opcode Fuzzy Hash: eb289110a5ba41a6d3c5887a6f9d71562f11279c2e9190093d57f001c87335c3
                                    • Instruction Fuzzy Hash: 7941DB72604309ABCB10FF14D8059ABBBD9EFD4314F00446EF984D7291D7B99528BBE6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F45694: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00F455A3,?,?,00EBEFA6,00000000,FileProvider: check is on 64-bit path,?,00000000,c:\codebases\isdev\src\runtime\shared\setupsuite\FileProvider.h,?), ref: 00F456A7
                                      • Part of subcall function 00F45694: GetProcAddress.KERNEL32(00000000), ref: 00F456AE
                                      • Part of subcall function 00F45694: GetCurrentProcess.KERNEL32(00000000,?,?,00F455A3,?,?,00EBEFA6,00000000,FileProvider: check is on 64-bit path,?,00000000,c:\codebases\isdev\src\runtime\shared\setupsuite\FileProvider.h,?), ref: 00F456BE
                                    • GetModuleHandleW.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,?,?,?,?,?,00EBEFA6,00000000,FileProvider: check is on 64-bit path,?,00000000,c:\codebases\isdev\src\runtime\shared\setupsuite\FileProvider.h,?), ref: 00F455BF
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F455C8
                                    • GetModuleHandleW.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,?,?,00EBEFA6,00000000,FileProvider: check is on 64-bit path,?,00000000,c:\codebases\isdev\src\runtime\shared\setupsuite\FileProvider.h,?), ref: 00F455D3
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F455D6
                                    • GetModuleHandleW.KERNEL32(kernel32,Wow64EnableWow64FsRedirection,?,?,00EBEFA6,00000000,FileProvider: check is on 64-bit path,?,00000000,c:\codebases\isdev\src\runtime\shared\setupsuite\FileProvider.h,?), ref: 00F45649
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F4564C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProc$CurrentProcess
                                    • String ID: Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32
                                    • API String ID: 565683799-3439747844
                                    • Opcode ID: ec35febbcbfefce1f2da385b8b3c09f8328468f68dae31c30036623d11710915
                                    • Instruction ID: b19537f35cb9e5b742233982f9b97634cb6db49b2564d6fdb46f0089c2e48c4c
                                    • Opcode Fuzzy Hash: ec35febbcbfefce1f2da385b8b3c09f8328468f68dae31c30036623d11710915
                                    • Instruction Fuzzy Hash: B4110331B0170CABDB10BBB59C85BAE7F9D9F84B20F85002AEC04D3292DA79DD04BB11
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(00F925F8,?,?,?), ref: 00F08485
                                    • SetLastError.KERNEL32(00F908E8,?,?,?), ref: 00F084E4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: :$ForceStageSourceType$GetPathOnly$Name$Package path not found while trying to stage package. Containing parcel has no ID$Package.cpp$ParcelId$RootPath$Source path not found attempting to stage parcel
                                    • API String ID: 1452528299-4144558148
                                    • Opcode ID: 856730a7935b793a57107b637b8b9252cc6ff79f0b12754a377bdc06097af837
                                    • Instruction ID: 8a5af7902ec4e015114f215ecf036dd6e20a6d26d12daa471dd9279dcaa3746c
                                    • Opcode Fuzzy Hash: 856730a7935b793a57107b637b8b9252cc6ff79f0b12754a377bdc06097af837
                                    • Instruction Fuzzy Hash: 3402AB70904258EEEF25EBA4DC95BEEBBB4BF14300F54419DE045632C2DBB05B49EB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F0D230: new.LIBCMT ref: 00F0D25D
                                      • Part of subcall function 00EEA8B0: new.LIBCMT ref: 00EEA8DD
                                    • GetLastError.KERNEL32(33A37B94,?,?,00F32966,00000010), ref: 00F32444
                                    • SetLastError.KERNEL32(?), ref: 00F32486
                                    • GetLastError.KERNEL32 ref: 00F324A2
                                    • SetLastError.KERNEL32(?), ref: 00F324DE
                                    • GetLastError.KERNEL32 ref: 00F324FA
                                    • SetLastError.KERNEL32(?), ref: 00F32536
                                    • GetLastError.KERNEL32 ref: 00F32555
                                    • SetLastError.KERNEL32(?), ref: 00F32591
                                    • GetLastError.KERNEL32 ref: 00F325B0
                                    • SetLastError.KERNEL32(?), ref: 00F325EC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: $
                                    • API String ID: 1452528299-3993045852
                                    • Opcode ID: 17512f93112a44ae0c39e4f4fb5b34a1124e8bd2c36bf5c74b346321cdcf359b
                                    • Instruction ID: fbdb20ddb4d468fce1f0668ecf38e6a7168adf3155dbd9c5a9d89524c0b708d0
                                    • Opcode Fuzzy Hash: 17512f93112a44ae0c39e4f4fb5b34a1124e8bd2c36bf5c74b346321cdcf359b
                                    • Instruction Fuzzy Hash: A18117B0801788CFDB60CFA9C54874ABFF0BF08314F148A9DD489A7752D7B5AA04DB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB6EC0: GetLastError.KERNEL32(33A37B94,?,00EB5D01,00EB5D01,00F90920,00F60FF9,000000FF,?,00EB6814,00F8B388,00000000,?,00000000), ref: 00EB6F02
                                      • Part of subcall function 00EB6EC0: SetLastError.KERNEL32(00F908E8,00F8B388,00000000,?,00EB5D01,00EB5D01,00F90920,00F60FF9,000000FF,?,00EB6814,00F8B388,00000000,?,00000000), ref: 00EB6F65
                                    • LoadLibraryW.KERNEL32(?,00F8B388,?,?,00000000,33A37B94), ref: 00F1CED1
                                    • GetLastError.KERNEL32 ref: 00F1CEE7
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00F1CF67
                                    • GetLastError.KERNEL32 ref: 00F1CF77
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$AddressLibraryLoadProc
                                    • String ID: _SuiteClrActionEntry@16$_SuitePSHostEntry@8
                                    • API String ID: 1866314245-1896176088
                                    • Opcode ID: 067619bece29970aa3ff6159c0c4f113718f1c372112198258f980bb91615fec
                                    • Instruction ID: e46adfb8369a507d0b6f97a08a0a316ab3a109a4abb8986c7a1e68d533cf6726
                                    • Opcode Fuzzy Hash: 067619bece29970aa3ff6159c0c4f113718f1c372112198258f980bb91615fec
                                    • Instruction Fuzzy Hash: 8EC17070A00259DFDB24DF98CC94BEEB7B4AF54304F148199E409B7242DB70AE89EF61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,00000000,?,?,?,00020019,33A37B94), ref: 00EC45BF
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00EC4607
                                      • Part of subcall function 00F45694: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00F455A3,?,?,00EBEFA6,00000000,FileProvider: check is on 64-bit path,?,00000000,c:\codebases\isdev\src\runtime\shared\setupsuite\FileProvider.h,?), ref: 00F456A7
                                      • Part of subcall function 00F45694: GetProcAddress.KERNEL32(00000000), ref: 00F456AE
                                      • Part of subcall function 00F45694: GetCurrentProcess.KERNEL32(00000000,?,?,00F455A3,?,?,00EBEFA6,00000000,FileProvider: check is on 64-bit path,?,00000000,c:\codebases\isdev\src\runtime\shared\setupsuite\FileProvider.h,?), ref: 00F456BE
                                    • RegQueryValueExW.ADVAPI32(00000000,?,00000000,?,?,?), ref: 00EC475C
                                    Strings
                                    • Evaluate registry condition: error %x querying reg value, xrefs: 00EC4782
                                    • Z, xrefs: 00EC4788
                                    • RegistryProvider.cpp, xrefs: 00EC45DD, 00EC4688, 00EC477B
                                    • q=, xrefs: 00EC4702, 00EC470F
                                    • Evaluate registry value condition: unable to allocate memory for reg value, xrefs: 00EC46AA
                                    • Evaluate registry value condition: unexpected error 0x%08x querying registry value '%s', xrefs: 00EC45E4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: QueryValue$AddressCloseCurrentHandleModuleProcProcess
                                    • String ID: Evaluate registry condition: error %x querying reg value$Evaluate registry value condition: unable to allocate memory for reg value$Evaluate registry value condition: unexpected error 0x%08x querying registry value '%s'$RegistryProvider.cpp$Z$q=
                                    • API String ID: 3054686338-3571612815
                                    • Opcode ID: 9f397c9825a498d6ccce53cd92db8b6c38dfef5e8fc452b2910f4d5d893215e6
                                    • Instruction ID: 9d9ebe06de1b9896f6c9bd758fdd0e2500f431224f37570630c61e7122663139
                                    • Opcode Fuzzy Hash: 9f397c9825a498d6ccce53cd92db8b6c38dfef5e8fc452b2910f4d5d893215e6
                                    • Instruction Fuzzy Hash: C671F1B0900248EFEF20DFA4DD55BAEBBB5EF05308F24415DE841BB292C7755909DB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Variant$Init$Clear$Copy
                                    • String ID: __SetSuiteExtension
                                    • API String ID: 3833040332-3087628983
                                    • Opcode ID: a212001148184b8949a1189bd77d536e7116aca63a71222630182ebfc8ca1efc
                                    • Instruction ID: 05a0597181d8452b5125492d04834294281d7149b5a15d76d1f517abdd54707c
                                    • Opcode Fuzzy Hash: a212001148184b8949a1189bd77d536e7116aca63a71222630182ebfc8ca1efc
                                    • Instruction Fuzzy Hash: 315107B1D052489EDB15DFA8C909B9EBFF8EF08310F1481AEE409EB351D7749A04DB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,00F46249,?,00000000,?,?,?,00EC0B4E,00000000,000000FF,33A37B94), ref: 00F4611E
                                    • wsprintfW.USER32 ref: 00F46152
                                    • lstrcatW.KERNEL32(?,?), ref: 00F46166
                                    • ResetEvent.KERNEL32(?,?,?,00F46249,?,00000000,?,?,?,00EC0B4E,00000000,000000FF,33A37B94), ref: 00F46175
                                    • GetLastError.KERNEL32(?,00F46249,?,00000000,?,?,?,00EC0B4E,00000000,000000FF,33A37B94), ref: 00F46181
                                    • ResetEvent.KERNEL32(?,?,?,00F46249,?,00000000,?,?,?,00EC0B4E,00000000,000000FF,33A37B94), ref: 00F461DC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorEventLastReset$lstrcatwsprintf
                                    • String ID: A$Range: bytes=%d-$Range: bytes=%d-
                                    • API String ID: 2894917480-4039695729
                                    • Opcode ID: 962876d9863ff3c71d369e2adb12db8a68d8603a1373f8f5c5915fe2a51bb324
                                    • Instruction ID: 054d9a8c88037ed3ff109162b5ddca0bd7548aac32fddcd77252dc08e45201e2
                                    • Opcode Fuzzy Hash: 962876d9863ff3c71d369e2adb12db8a68d8603a1373f8f5c5915fe2a51bb324
                                    • Instruction Fuzzy Hash: E8418F71600104EFDF158F64DC88A6A7FA9FF86710B1440A9FE05CA16ADB32DC50FB12
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Variant$Init$Copy
                                    • String ID:
                                    • API String ID: 3837755448-0
                                    • Opcode ID: 8ad59700976d3c1f7389b286b97cd5b2b0b64d0c3574962710821ed08cd0a1ce
                                    • Instruction ID: 92a426bcc911d446238ff40ee750d7354843ee5902846db0b3bb919ed0f66f85
                                    • Opcode Fuzzy Hash: 8ad59700976d3c1f7389b286b97cd5b2b0b64d0c3574962710821ed08cd0a1ce
                                    • Instruction Fuzzy Hash: 4B714570909248DFDB10DF68C949BAABBF4EF09314F1581AEE449EB351EB349A44CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Variant$Init$Copy
                                    • String ID:
                                    • API String ID: 3837755448-0
                                    • Opcode ID: 628b40a0d4796184fe422acada6a6639c224cb51ed3160514d849f9c2a852ede
                                    • Instruction ID: 73cf31f5eb80ba24177f5ad93798ac824dfda3dd60bffbcc276522c3be3f33d5
                                    • Opcode Fuzzy Hash: 628b40a0d4796184fe422acada6a6639c224cb51ed3160514d849f9c2a852ede
                                    • Instruction Fuzzy Hash: A27158B0905218DFDB14DF68C949B9ABBF8BF08300F1481AEE448E7351EB349A44DFA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryW.KERNEL32(00000001,33A37B94,00000000,00000000,00F92610), ref: 00F24BF5
                                    • GetLastError.KERNEL32 ref: 00F24C0E
                                    Strings
                                    • Failed to create extension handler for parcel interface on DLL call, error 0x%08x, xrefs: 00F24E97
                                    • Proxy DLL call action request failed, status 0x%08x, xrefs: 00F24F9D
                                    • Failed to create extension handler for DLL action, error %x, xrefs: 00F24D6A
                                    • Failed to obtain proxy handler for DLL call action, xrefs: 00F24CA8
                                    • ProxyApi.cpp, xrefs: 00F24C83, 00F24D70, 00F24E9C, 00F24EAF, 00F24F93
                                    • (DLL Action): , xrefs: 00F24DAC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLastLibraryLoad
                                    • String ID: (DLL Action): $Failed to create extension handler for DLL action, error %x$Failed to create extension handler for parcel interface on DLL call, error 0x%08x$Failed to obtain proxy handler for DLL call action$Proxy DLL call action request failed, status 0x%08x$ProxyApi.cpp
                                    • API String ID: 3568775529-1975990019
                                    • Opcode ID: 1488e74cd4a6ec2e75c421504fd52e747bb561e93fd042d4dbd30dadb64d68cd
                                    • Instruction ID: 3d3f1316c3f54fcc5876ebf37c3657ce3d462192bd8dd3e8881f606ffda14149
                                    • Opcode Fuzzy Hash: 1488e74cd4a6ec2e75c421504fd52e747bb561e93fd042d4dbd30dadb64d68cd
                                    • Instruction Fuzzy Hash: 4CE19EB0A01268DFDB24DF54DC84BDEBBB5AF05310F1441D9E409A7282DB74AE48DFA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EBE730: GetLastError.KERNEL32(33A37B94,?,00000000,?,?,?,00000000,00F63A01,000000FF,?,00EBE6C8,00000000,?,33A37B94), ref: 00EBE770
                                      • Part of subcall function 00EBE730: SetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,00F63A01,000000FF,?,00EBE6C8,00000000,?,33A37B94), ref: 00EBE7B5
                                      • Part of subcall function 00EBE730: SetLastError.KERNEL32(?,00000000,-00000002,?,?,00000000), ref: 00EBE806
                                    • GetLastError.KERNEL32(00000000,?,-00000003,00000000,?,00000000,?,00F92584,00000001,00000001,?,00F8B388,?,00000000,33A37B94), ref: 00F2370A
                                    • SetLastError.KERNEL32(00F908E8, ,00000003,?,00F8B388,?,00000000,33A37B94), ref: 00F2376F
                                    • GetLastError.KERNEL32(00000000,00000000,?,00000000,00000000,?,000000FF,00000000,?,00F8B388,?,00000000,33A37B94), ref: 00F237EE
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F2380E
                                    • SysFreeString.OLEAUT32(?), ref: 00F2381D
                                    • SetLastError.KERNEL32(00F9091C), ref: 00F23847
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FreeString
                                    • String ID: $invalid string position
                                    • API String ID: 2425351278-2310507360
                                    • Opcode ID: 8b51e8927e88c7060025bc29bd85e08ef40a10600c7727e82b6137cafa4b9d0c
                                    • Instruction ID: 4e498bdb31b1600356b5a0c76888bc2a015b87a015720467d4d1359d84025d61
                                    • Opcode Fuzzy Hash: 8b51e8927e88c7060025bc29bd85e08ef40a10600c7727e82b6137cafa4b9d0c
                                    • Instruction Fuzzy Hash: 87A169B1D00268DFDF10DFA8D858BDEBBB4AF04314F108599E419B7292CB749A48DFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SysFreeString.OLEAUT32(?), ref: 00EE4038
                                    • SysFreeString.OLEAUT32(?), ref: 00EE4058
                                    • GetErrorInfo.OLEAUT32(00000000,00000000,00000000,000000FF,00000000,000000FF,33A37B94,00000001,00000000,?,?,?), ref: 00EE4084
                                    • CLSIDFromProgID.OLE32(00000064,-00000020,?,?), ref: 00EE4119
                                    • FormatMessageW.KERNEL32(00001300,00000000,?,00000000,?,00000000,00000000,?,?), ref: 00EE4165
                                    • LocalFree.KERNEL32(?,00F8B388,?,?,?), ref: 00EE41B2
                                    • SysFreeString.OLEAUT32(?), ref: 00EE41D4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Free$String$ErrorFormatFromInfoLocalMessageProg
                                    • String ID: Unknown error
                                    • API String ID: 734698119-83687255
                                    • Opcode ID: b8cb5dc8a600922ae2f5cdbef334cf5278ee3a4b8fd433489f60a9baeb57469c
                                    • Instruction ID: ce154aaed3c1eb4bdd0a4cbc91fe72530211d6d6da96690f993272347505bfa0
                                    • Opcode Fuzzy Hash: b8cb5dc8a600922ae2f5cdbef334cf5278ee3a4b8fd433489f60a9baeb57469c
                                    • Instruction Fuzzy Hash: A07168B0A0064AAFDB14DFA9DD45BAAB7F8FF08314F104259E415EB691DB30E950CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                    • RegQueryValueExW.ADVAPI32(00000000,Language,00000000,?,00000000,74DEDFA0,80000002,-00000004,00020019,?,00000010,Software\Microsoft\Windows\CurrentVersion\Uninstall,?,00000000,33A37B94), ref: 00F23098
                                    • RegCloseKey.ADVAPI32(00000000,Maintenance: no uninstall key present,?,00000000,Common\MaintenanceRegistrar.cpp,?,00000000,80000002,-00000004,00020019,?,00000010,Software\Microsoft\Windows\CurrentVersion\Uninstall,?,00000000,33A37B94), ref: 00F23236
                                    Strings
                                    • Common\MaintenanceRegistrar.cpp, xrefs: 00F230B4, 00F230FB, 00F2317D
                                    • Maintenance: no uninstall key present, xrefs: 00F2319F
                                    • Maintenance: uninstall key present but has no language value, xrefs: 00F2311D
                                    • Maintenance: got installed language: %d, xrefs: 00F230BE
                                    • Language, xrefs: 00F23092
                                    • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00F22FEE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$CloseQueryValue
                                    • String ID: Common\MaintenanceRegistrar.cpp$Language$Maintenance: got installed language: %d$Maintenance: no uninstall key present$Maintenance: uninstall key present but has no language value$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                    • API String ID: 2032585594-644924750
                                    • Opcode ID: 05dd6c8fa871d69ec74e4c6839c61120afe5e738bee8a6c153ab7471e7524a2e
                                    • Instruction ID: d4b8c5442aef0724ed695cb978e4023c4d398f5e3ba3b0db556db2d4f9514969
                                    • Opcode Fuzzy Hash: 05dd6c8fa871d69ec74e4c6839c61120afe5e738bee8a6c153ab7471e7524a2e
                                    • Instruction Fuzzy Hash: F8819EB0D05258EEEF20DBA4EC45BDEBBB4BF11308F144159E440772C2DBB85A49EB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00EBA2B1
                                      • Part of subcall function 00EB6CA0: GetLastError.KERNEL32(33A37B94,?,?,?,00FD21E8,?,00F61B59,000000FF,?,00EB1414,installshield/2019/bootstrap,?,00000000,33A37B94,?,00F7979A), ref: 00EB6CE3
                                      • Part of subcall function 00EB6CA0: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,00FD21E8,?,00F61B59,000000FF,?,00EB1414,installshield/2019/bootstrap,?,00000000,33A37B94), ref: 00EB6D60
                                    • VariantInit.OLEAUT32 ref: 00EBA2EF
                                    • VariantInit.OLEAUT32 ref: 00EBA30B
                                    • VariantInit.OLEAUT32 ref: 00EBA327
                                    • VariantInit.OLEAUT32 ref: 00EBA343
                                    • VariantInit.OLEAUT32 ref: 00EBA35F
                                      • Part of subcall function 00EBA580: VariantCopy.OLEAUT32(?,00EBA378), ref: 00EBA60B
                                      • Part of subcall function 00EBA580: VariantCopy.OLEAUT32(?,00F9091C), ref: 00EBA62B
                                      • Part of subcall function 00EBA580: VariantCopy.OLEAUT32(?,?), ref: 00EBA64B
                                      • Part of subcall function 00EBA580: VariantCopy.OLEAUT32(?,?), ref: 00EBA66B
                                      • Part of subcall function 00EBA580: VariantCopy.OLEAUT32(00F9091C,?), ref: 00EBA68B
                                      • Part of subcall function 00EB4810: GetLastError.KERNEL32(33A37B94,?,00F908F0,00F9091C,?,00F60F29,000000FF,?,00EB394A,00F8B388,?,?,00000000,33A37B94,?,00F908F0), ref: 00EB484B
                                      • Part of subcall function 00EB4810: SysFreeString.OLEAUT32(6F6C206F), ref: 00EB4865
                                      • Part of subcall function 00EB4810: SysFreeString.OLEAUT32(00F90920), ref: 00EB487A
                                      • Part of subcall function 00EB4810: SetLastError.KERNEL32(?), ref: 00EB48AA
                                    • VariantClear.OLEAUT32(?), ref: 00EBA3E4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Variant$Init$Copy$ErrorLast$FreeString$Clear
                                    • String ID: __ISRTSuiteExtUninit
                                    • API String ID: 424148749-4113025277
                                    • Opcode ID: 972b142e302508783b209ce47d9e4814f6a1452f9582470b08e23ae6698a2de2
                                    • Instruction ID: 32e0a04d880ea4715be39bed7d4c4b78e69393d1af525c219e57bc0749e11adf
                                    • Opcode Fuzzy Hash: 972b142e302508783b209ce47d9e4814f6a1452f9582470b08e23ae6698a2de2
                                    • Instruction Fuzzy Hash: 7D7126B0905348DFDB14DFA8C549B9EBFF4AF09304F1881AEE019AB391D7749A04CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                      • Part of subcall function 00EC3B20: GetModuleHandleW.KERNEL32(Advapi32.dll,?,00000000,?,00000000,?,00F38DE1,80000001,SOFTWARE\InstallShield\25.0\Professional,00020019,33A37B94,?), ref: 00EC3B44
                                      • Part of subcall function 00EC3B20: RegCloseKey.ADVAPI32(00000000,?,00F38DE1,80000001,SOFTWARE\InstallShield\25.0\Professional,00020019,33A37B94,?), ref: 00EC3BA7
                                    • GetLastError.KERNEL32(80000002,?,00020019,?,?,Software\InstallShield\SuiteInstallers\Parcels,?,00000000,33A37B94,?,?,00000000), ref: 00ED8FF9
                                    • SetLastError.KERNEL32(00F908E8,?,00000000), ref: 00ED9043
                                    • RegQueryValueExW.ADVAPI32(00000000,Clients,00000000,?,00000000,?,?,00000000), ref: 00ED9066
                                    • RegCloseKey.ADVAPI32(00000000,33A37B94,?,?,00000000), ref: 00ED914D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$CloseFreeString$HandleModuleQueryValue
                                    • String ID: Clients$SetupEngine.cpp$SetupEngine: parcel '%s' shared client count: %d$Software\InstallShield\SuiteInstallers\Parcels
                                    • API String ID: 2931441609-3980309948
                                    • Opcode ID: bd70a1e9acc4f9781f0426fc2c70d2092168896c7111a54111cafa3818e9c698
                                    • Instruction ID: 115d122251678ca2279637ecb8e3b95d3bc88fcbb88495cb677ee206d6fa6f34
                                    • Opcode Fuzzy Hash: bd70a1e9acc4f9781f0426fc2c70d2092168896c7111a54111cafa3818e9c698
                                    • Instruction Fuzzy Hash: 82711970904258DEEB10DFA8DC99BEEBBF4FB04304F108199E115B7282DB756A49DF61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegCloseKey.ADVAPI32(?,000000CA,State manager: removing state info,?,00000000,StateManager.cpp,?,00000000,80000001,?,0002001F,33A37B94), ref: 00EED911
                                    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,33A37B94,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,80000001,Software\InstallShield\SuiteInstallers,0002001F), ref: 00EED979
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                    • RegCloseKey.ADVAPI32(00000000,33A37B94), ref: 00EED9C6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: CloseErrorLast$InfoQuery
                                    • String ID: Software\InstallShield$Software\InstallShield\SuiteInstallers$State manager: removing state info$StateManager.cpp$SuiteInstallers
                                    • API String ID: 1667384322-2728777982
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: access$create$modified
                                    • API String ID: 0-2206879983
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00EBAC84
                                      • Part of subcall function 00EB6CA0: GetLastError.KERNEL32(33A37B94,?,?,?,00FD21E8,?,00F61B59,000000FF,?,00EB1414,installshield/2019/bootstrap,?,00000000,33A37B94,?,00F7979A), ref: 00EB6CE3
                                      • Part of subcall function 00EB6CA0: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,00FD21E8,?,00F61B59,000000FF,?,00EB1414,installshield/2019/bootstrap,?,00000000,33A37B94), ref: 00EB6D60
                                    • VariantInit.OLEAUT32 ref: 00EBACC5
                                    • VariantInit.OLEAUT32 ref: 00EBACE1
                                    • VariantInit.OLEAUT32 ref: 00EBACFD
                                    • VariantInit.OLEAUT32 ref: 00EBAD19
                                    • VariantInit.OLEAUT32 ref: 00EBAD35
                                      • Part of subcall function 00EBA580: VariantCopy.OLEAUT32(?,00EBA378), ref: 00EBA60B
                                      • Part of subcall function 00EBA580: VariantCopy.OLEAUT32(?,00F9091C), ref: 00EBA62B
                                      • Part of subcall function 00EBA580: VariantCopy.OLEAUT32(?,?), ref: 00EBA64B
                                      • Part of subcall function 00EBA580: VariantCopy.OLEAUT32(?,?), ref: 00EBA66B
                                      • Part of subcall function 00EBA580: VariantCopy.OLEAUT32(00F9091C,?), ref: 00EBA68B
                                      • Part of subcall function 00EB4810: GetLastError.KERNEL32(33A37B94,?,00F908F0,00F9091C,?,00F60F29,000000FF,?,00EB394A,00F8B388,?,?,00000000,33A37B94,?,00F908F0), ref: 00EB484B
                                      • Part of subcall function 00EB4810: SysFreeString.OLEAUT32(6F6C206F), ref: 00EB4865
                                      • Part of subcall function 00EB4810: SysFreeString.OLEAUT32(00F90920), ref: 00EB487A
                                      • Part of subcall function 00EB4810: SetLastError.KERNEL32(?), ref: 00EB48AA
                                    • VariantClear.OLEAUT32(?), ref: 00EBAD67
                                    Strings
                                    Similarity
                                    • API ID: Variant$Init$Copy$ErrorLast$FreeString$Clear
                                    • String ID: __RevokeSuiteExtension
                                    • API String ID: 424148749-93083935
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 00F424DE
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,FindFirstFileW,00000254,00F418E0), ref: 00F424FA
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F424FD
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,FindFirstFileA), ref: 00F4253D
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F42540
                                    Strings
                                    Similarity
                                    • API ID: AddressHandleModuleProc$H_prolog3_
                                    • String ID: FindFirstFileA$FindFirstFileW$kernel32.dll
                                    • API String ID: 762132516-163559883
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00F4528D
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,SetFileAttributesW,00000000,00F4179C,?,00000000), ref: 00F452A7
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F452AA
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,SetFileAttributesA), ref: 00F452D1
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F452D4
                                    Strings
                                    Similarity
                                    • API ID: AddressHandleModuleProc$H_prolog3
                                    • String ID: SetFileAttributesA$SetFileAttributesW$kernel32.dll
                                    • API String ID: 1623054726-3589348009
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,Running Appx parcel operation,?,00000000,AppxParcelHandler.cpp,?,00000000,33A37B94), ref: 00F28D4C
                                    • SetLastError.KERNEL32(00F908E8,?,Running Appx parcel operation,?,00000000,AppxParcelHandler.cpp,?,00000000,33A37B94), ref: 00F28D99
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: ?$Appx parcel final status: 0x%08x$Appx parcel target: %s$AppxParcelHandler.cpp$ForceAppShutdown$Running Appx parcel operation$yes
                                    • API String ID: 1452528299-3765110158
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SafeArrayGetLBound.OLEAUT32(00000000,00000001,?), ref: 00F014DA
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00F014F6
                                    • SafeArrayGetUBound.OLEAUT32(00000000,00000001,?), ref: 00F01529
                                    • SafeArrayGetLBound.OLEAUT32(00000000,00000001,?), ref: 00F015AC
                                    • SafeArrayGetUBound.OLEAUT32(00000000,00000001,?), ref: 00F015D3
                                    • SafeArrayDestroy.OLEAUT32(00000000), ref: 00F016BE
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00F016D0
                                    • SafeArrayDestroy.OLEAUT32(00000000,?,00FCE384,?,?,?,33A37B94,?,00000000,?), ref: 00F016F4
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00F01706
                                      • Part of subcall function 00EB4CA0: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F610C1,000000FF), ref: 00EB4CE2
                                      • Part of subcall function 00EB4CA0: SetLastError.KERNEL32(?,?,?,?,?,00F610C1,000000FF), ref: 00EB4D21
                                      • Part of subcall function 00F01C00: SafeArrayGetLBound.OLEAUT32(00000000,00000001,00000000), ref: 00F01C17
                                    Similarity
                                    • API ID: ArraySafe$Bound$Exception@8Throw$DestroyErrorLast
                                    • String ID:
                                    • API String ID: 3163121579-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB6EC0: GetLastError.KERNEL32(33A37B94,?,00EB5D01,00EB5D01,00F90920,00F60FF9,000000FF,?,00EB6814,00F8B388,00000000,?,00000000), ref: 00EB6F02
                                      • Part of subcall function 00EB6EC0: SetLastError.KERNEL32(00F908E8,00F8B388,00000000,?,00EB5D01,00EB5D01,00F90920,00F60FF9,000000FF,?,00EB6814,00F8B388,00000000,?,00000000), ref: 00EB6F65
                                    • GetFileAttributesW.KERNEL32(?,00F8B388,?,?,00000000,00F8B388,?,?,00000000,33A37B94), ref: 00F1C6A1
                                    • WriteFile.KERNEL32(00F8CBA0,?,00000010,?,00000000,00F8B388,?,?,00000000,00F8B388,?,?,00000000,33A37B94), ref: 00F1C700
                                    • GetLastError.KERNEL32 ref: 00F1C70C
                                    • WriteFile.KERNEL32(00F8CBA0,00000000,00000004,00000000,00000000), ref: 00F1C727
                                    • GetLastError.KERNEL32 ref: 00F1C72D
                                    • WriteFile.KERNEL32(?,?,00000010,00000000,00000000,00F9091C,00F9091C,74DEE010,00F8B388,?,00F9091C,74DF35B0,00F8B388,?,?,00000000), ref: 00F1C829
                                    • GetLastError.KERNEL32 ref: 00F1C835
                                    • WriteFile.KERNEL32(?,00000003,0000001C,00000000,00000000), ref: 00F1C853
                                    • GetLastError.KERNEL32 ref: 00F1C859
                                    Similarity
                                    • API ID: ErrorLast$File$Write$Attributes
                                    • String ID:
                                    • API String ID: 1843076501-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94), ref: 00F0685B
                                    • SetLastError.KERNEL32(00F908E8), ref: 00F068A8
                                      • Part of subcall function 00F06DE0: SetLastError.KERNEL32(00F908E8), ref: 00F06EA4
                                      • Part of subcall function 00F06DE0: SetLastError.KERNEL32(00F908E8), ref: 00F06F40
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: ISDefaultLanguage$ISRTLLangs$ISSelectedLanguage$ISSetupLanguages$ISShowLanguageSelection$false$true
                                    • API String ID: 1452528299-3800006133
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-3916222277
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB6CA0: GetLastError.KERNEL32(33A37B94,?,?,?,00FD21E8,?,00F61B59,000000FF,?,00EB1414,installshield/2019/bootstrap,?,00000000,33A37B94,?,00F7979A), ref: 00EB6CE3
                                      • Part of subcall function 00EB6CA0: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,00FD21E8,?,00F61B59,000000FF,?,00EB1414,installshield/2019/bootstrap,?,00000000,33A37B94), ref: 00EB6D60
                                      • Part of subcall function 00F38C90: RegQueryValueExW.ADVAPI32(00000000,DoVerboseLogging,00000000,00F8B388,00000000,?,80000001,SOFTWARE\InstallShield\25.0\Professional,00020019,00000001,?), ref: 00F38CED
                                      • Part of subcall function 00F38C90: RegCloseKey.ADVAPI32(00000000,80000001,SOFTWARE\InstallShield\25.0\Professional,00020019,00000001,?), ref: 00F38D0D
                                    • VariantClear.OLEAUT32(?), ref: 00ED2B4A
                                    Strings
                                    • NotifyUIForUpgradingParcels: failed to create parcel collection, error %x, xrefs: 00ED27F1
                                    • SetupEngine.cpp, xrefs: 00ED271C, 00ED27E7, 00ED2946, 00ED2A53
                                    • !, xrefs: 00ED2B3F
                                    • Setup was canceled during upgrade check, xrefs: 00ED2A75
                                    • Engine: notifying UI for any parcels that require upgrade confirmation, xrefs: 00ED2741
                                    • Engine: upgrade notification has no parcels installing, skipping notify, xrefs: 00ED2968
                                    Similarity
                                    • API ID: ErrorLast$ClearCloseQueryValueVariant
                                    • String ID: !$Engine: notifying UI for any parcels that require upgrade confirmation$Engine: upgrade notification has no parcels installing, skipping notify$NotifyUIForUpgradingParcels: failed to create parcel collection, error %x$Setup was canceled during upgrade check$SetupEngine.cpp
                                    • API String ID: 2814348128-2178872588
                                    • Opcode ID: 7431ebeeed786bdf9041e1842d4ea84c84d28ad4509ccaa061b3b020e4fd5d37
                                    • Instruction ID: 4380f67ed1c8dfac309db64e0e070aeebe968b550af0c5105fc645ae087492bf
                                    • Opcode Fuzzy Hash: 7431ebeeed786bdf9041e1842d4ea84c84d28ad4509ccaa061b3b020e4fd5d37
                                    • Instruction Fuzzy Hash: 0DE1A070905248DFEB25DFA4C884BDDBBB0EF15308F24419EE5056B382DBB46A46DF51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WriteFile.KERNEL32(?,?,00000010,?,00000000,Parcel extension received no data for out-proc extension request,?,00000000,ProxyApi.cpp,?,00000000,33A37B94), ref: 00F270FF
                                    • GetLastError.KERNEL32(?,00000000,ProxyApi.cpp,?,00000000,33A37B94), ref: 00F2710B
                                    • WriteFile.KERNEL32(DE55ADFF,80004005,00000004,00000000,00000000,?,00000000,ProxyApi.cpp,?,00000000,33A37B94), ref: 00F27126
                                    • GetLastError.KERNEL32(?,00000000,ProxyApi.cpp,?,00000000,33A37B94), ref: 00F2712C
                                      • Part of subcall function 00EB33E0: SysStringLen.OLEAUT32(?), ref: 00EB33EE
                                      • Part of subcall function 00EB33E0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3408
                                    Strings
                                    • Parcel extension received unsupported request (%x) for out-proc extension, xrefs: 00F27150
                                    • Parcel extension received no data for out-proc extension request, xrefs: 00F2701F
                                    • ProxyApi.cpp, xrefs: 00F26FF1, 00F27146
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastStringWrite$Alloc
                                    • String ID: Parcel extension received no data for out-proc extension request$Parcel extension received unsupported request (%x) for out-proc extension$ProxyApi.cpp
                                    • API String ID: 581789320-2742531627
                                    • Opcode ID: ec36de14edd73b2ba9df811d9e6d6e7f19e7ce47f788c6b1e1b6c4d04d47b370
                                    • Instruction ID: 0b0383092426b651b6edbaf33028f095cc97a857185e4c40f6828acea2e9d2b6
                                    • Opcode Fuzzy Hash: ec36de14edd73b2ba9df811d9e6d6e7f19e7ce47f788c6b1e1b6c4d04d47b370
                                    • Instruction Fuzzy Hash: 5ED15FB1A0425ADFDB10EFA0DC84BAEB7B9FF04304F10419AE509AB241D7749E49EF61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(00F9EE68,00000000,00000002,33A37B94), ref: 00F11BE3
                                    • SetLastError.KERNEL32(00F908E8), ref: 00F11C2D
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    • VariantInit.OLEAUT32(?), ref: 00F11DCA
                                    • VariantClear.OLEAUT32(?), ref: 00F11E0B
                                    • VariantClear.OLEAUT32(?), ref: 00F11E47
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$Variant$ClearFreeString$Init
                                    • String ID: $%d:
                                    • API String ID: 2399893328-2489501889
                                    • Opcode ID: 21a352330132e155a451b89b8df13654b3a67e6e495b27c7e305f995d047101c
                                    • Instruction ID: c1b439ec4c74b2a85dd111d6c5e9f91c682e8854aa7bf89b9306d35160f772a2
                                    • Opcode Fuzzy Hash: 21a352330132e155a451b89b8df13654b3a67e6e495b27c7e305f995d047101c
                                    • Instruction Fuzzy Hash: A4B14A71D0525CDEDF20DBA8CC84BDEBBB8BB05304F14419AE509B7282DB745A84DFA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EDF680: new.LIBCMT ref: 00EDF6AD
                                      • Part of subcall function 00F4C948: __onexit.LIBCMT ref: 00F4C94E
                                      • Part of subcall function 00EB3ED0: SysStringLen.OLEAUT32(?), ref: 00EB3EDE
                                      • Part of subcall function 00EB3ED0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3EF8
                                      • Part of subcall function 00EBAE70: VariantClear.OLEAUT32(?), ref: 00EBAE86
                                      • Part of subcall function 00EBAE70: SysAllocString.OLEAUT32(?), ref: 00EBAE99
                                    • VariantClear.OLEAUT32(?), ref: 00EF993D
                                    Strings
                                    • Parcel ref condition of parcel ID %s appears to be causing an infinite loop, xrefs: 00EF9890
                                    • Failed to evaluate eligibility condition for ParcelRef (%s), error %x, xrefs: 00EF99D7
                                    • Unknown error attempting to get parcel '%s' from collection, error %x, xrefs: 00EF996A
                                    • Condition.cpp, xrefs: 00EF9889, 00EF98CD, 00EF9963, 00EF99D0, 00EF9A12
                                    • Failed to obtain parcel collection for ParcelRef, error %x, xrefs: 00EF98D4
                                    • Invalid/unknown parcel ID specified for ParcelRef: %s, xrefs: 00EF9A19
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: String$AllocClearVariant$__onexit
                                    • String ID: Condition.cpp$Failed to evaluate eligibility condition for ParcelRef (%s), error %x$Failed to obtain parcel collection for ParcelRef, error %x$Invalid/unknown parcel ID specified for ParcelRef: %s$Parcel ref condition of parcel ID %s appears to be causing an infinite loop$Unknown error attempting to get parcel '%s' from collection, error %x
                                    • API String ID: 1494525647-1580832900
                                    • Opcode ID: 04081f9ba5dab4ff7c12abfb8af351249fcb1519799cf193838a623f5c215e34
                                    • Instruction ID: 46d38c6247cb1cd665a6b6d494b26dec957fb7a813a93223d65cfc352d7e07c6
                                    • Opcode Fuzzy Hash: 04081f9ba5dab4ff7c12abfb8af351249fcb1519799cf193838a623f5c215e34
                                    • Instruction Fuzzy Hash: B081AFB1901209DFCB10EF98C844BEEBBF9BF59314F140259E505BB382E7799944CBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    • Evaluate registry value condition: failed to convert data to requested format (%x), xrefs: 00EF551E
                                    • Evaluate registry value condition: unsupported reg value type (%x), xrefs: 00EF54F0
                                    • Condition.cpp, xrefs: 00EF5395, 00EF54E6, 00EF5514, 00EF5523
                                    • RegistryValue condition: failed to get data for value, error %08x, xrefs: 00EF539F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: Condition.cpp$Evaluate registry value condition: failed to convert data to requested format (%x)$Evaluate registry value condition: unsupported reg value type (%x)$RegistryValue condition: failed to get data for value, error %08x
                                    • API String ID: 0-2993858370
                                    • Opcode ID: fc38b6d3eeee1c31986c0e3b278cb3b6deebe1724bbe4cf2e3de1b40e746c7f9
                                    • Instruction ID: 31ecfd8f752225d6c6650481eefc55f95113ce8f66922f782bf108076dda7a15
                                    • Opcode Fuzzy Hash: fc38b6d3eeee1c31986c0e3b278cb3b6deebe1724bbe4cf2e3de1b40e746c7f9
                                    • Instruction Fuzzy Hash: B091427190025EEEDB25DB54CC45BEEBBB8BB15304F0045AAE609B3181EB745B88DF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • new.LIBCMT ref: 00EF7570
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EBCA50: GetLastError.KERNEL32(33A37B94), ref: 00EBCABE
                                      • Part of subcall function 00EBCA50: SetLastError.KERNEL32(?), ref: 00EBCAFD
                                    • GetLastError.KERNEL32(ExtType,?,00000000), ref: 00EF76E4
                                    • GetLastError.KERNEL32 ref: 00EF76EA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: Condition.cpp$ExtType$Extension handler: error 0x%08x trying to get validator$Extension handler: failed to create extension delegate
                                    • API String ID: 1452528299-3301772165
                                    • Opcode ID: 476693cbedb7141dc0a204cab600827740ecbca5e0694c8c507be9acba5534ba
                                    • Instruction ID: 377a798add24f0457a62b9c0b5f227c23e9a84dd4046995bfc7ebf11431a6e2d
                                    • Opcode Fuzzy Hash: 476693cbedb7141dc0a204cab600827740ecbca5e0694c8c507be9acba5534ba
                                    • Instruction Fuzzy Hash: 43618DB0D05258DADB20EF64DD45BEEBBB4AB04314F2042AAE519B72C1DB745F44CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00F44903
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F4536E: __EH_prolog3.LIBCMT ref: 00F45375
                                    • LoadLibraryExW.KERNEL32(33A37B94,00000000,00000008), ref: 00F44975
                                    • GetLastError.KERNEL32 ref: 00F44986
                                    • RegOverridePredefKey.ADVAPI32(80000000,00000000), ref: 00F449D9
                                      • Part of subcall function 00F44EF0: GetVersionExW.KERNEL32(?), ref: 00F44F14
                                      • Part of subcall function 00F40823: RegOverridePredefKey.ADVAPI32(80000000,?), ref: 00F4085B
                                    • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00F449A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$H_prolog3OverridePredef$AddressLibraryLoadProcVersion
                                    • String ID: DllRegisterServer$DllUnregisterServer
                                    • API String ID: 2457836926-2931954178
                                    • Opcode ID: 8f46cf8ee7617ad5b662d30f7b8db4263d91d96930863e65394484414e0c0d35
                                    • Instruction ID: 322720c12a3ebb168035956840271624683eac319e449ee455697655d91d68cc
                                    • Opcode Fuzzy Hash: 8f46cf8ee7617ad5b662d30f7b8db4263d91d96930863e65394484414e0c0d35
                                    • Instruction Fuzzy Hash: 1421D170905288AEEF00EFB4C8563EE3FA4AF11304F144058ED45B7283D734AA08FB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,FindNextFileW,00000000,00000000), ref: 00F425EB
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F425F2
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,FindNextFileA), ref: 00F42628
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F4262F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: FindNextFileA$FindNextFileW$kernel32.dll
                                    • API String ID: 1646373207-719559652
                                    • Opcode ID: 2bd676b455be6f2290a6472d39d92f5507b6be3036389a42f8b6766cc6b84253
                                    • Instruction ID: 9dd33c85d107d487ee30f4d54cc452dfdef510438519bdfd406a33d02a14ffd8
                                    • Opcode Fuzzy Hash: 2bd676b455be6f2290a6472d39d92f5507b6be3036389a42f8b6766cc6b84253
                                    • Instruction Fuzzy Hash: 8911E532A01618ABDB54AFA4DC0DFFEBBA89F84B11B410165BC05E3141DB74EE44EB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId,00000000,00F43D8D,?,00F42EB5,00000000,?,?,?,?,?,00000068,00F454C9,00F43D8D,?), ref: 00F431A6
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F431AD
                                    • OpenProcess.KERNEL32(001F0FFF,00000001,?,?,00000000,00F43D8D,?,00F42EB5,00000000,?,?,?,?,?,00000068,00F454C9), ref: 00F431CD
                                    • GetProcessTimes.KERNEL32(00F43D8D,00F454C9,00000068,?,?,?,00000000,00F43D8D,?,00F42EB5,00000000,?,?,?,?,?), ref: 00F431E6
                                    • CloseHandle.KERNEL32(00F43D8D,?,00F42EB5,00000000,?,?,?,?,?,00000068,00F454C9,00F43D8D,?,?), ref: 00F431F3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: HandleProcess$AddressCloseModuleOpenProcTimes
                                    • String ID: GetProcessId$kernel32.dll
                                    • API String ID: 4254294609-399901964
                                    • Opcode ID: f55335edac323755845d316daee491a69589e9568b780342877e40472da511a7
                                    • Instruction ID: 4de64ce733552b3ca12721741af8dc499d4e383ca9aae021e586b13f0e0d9a0b
                                    • Opcode Fuzzy Hash: f55335edac323755845d316daee491a69589e9568b780342877e40472da511a7
                                    • Instruction Fuzzy Hash: 22018F37E4161A7B4F221FA49C089AB3F59AFC6BB17090014FD10E7211DA21DD0167A1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F43A91: __EH_prolog3_GS.LIBCMT ref: 00F43A9B
                                      • Part of subcall function 00F43A91: CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000044,00FD689C,?,00000000,00F44B64,?,00000000), ref: 00F43BAC
                                      • Part of subcall function 00F43A91: GetLastError.KERNEL32 ref: 00F43BC7
                                    • CloseHandle.KERNEL32 ref: 00EF291F
                                    • CloseHandle.KERNEL32 ref: 00EF2927
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$CloseHandle$CreateH_prolog3_Process
                                    • String ID: Actions.cpp$EXE (non-elevated) launch failed with status 0x%08x$EXE for action '%s' returned value 0x%08x$Launching EXE action (%s) '%s', file '%s', arguments '%s'$no wait$wait
                                    • API String ID: 49200223-560129040
                                    • Opcode ID: 9f54dc21bc8c7af2c8a809426ce19fbeae7885ddb3d1a0c5503d5887f4529b48
                                    • Instruction ID: 2e117ea161316d96bee71901db5660a5764e24901c53ae6871ca8a9bd9e70ae0
                                    • Opcode Fuzzy Hash: 9f54dc21bc8c7af2c8a809426ce19fbeae7885ddb3d1a0c5503d5887f4529b48
                                    • Instruction Fuzzy Hash: E4917F71900248DEDF10DFA4DC45BEE7BB8EF45304F24416DE944AB282DB746A49DFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F549C0,00F549C0,?,?,?,00F5B1D1,00000001,00000001,62E85006), ref: 00F5AFDA
                                    • __alloca_probe_16.LIBCMT ref: 00F5B012
                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F5B1D1,00000001,00000001,62E85006,?,?,?), ref: 00F5B060
                                    • __alloca_probe_16.LIBCMT ref: 00F5B0F7
                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,62E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F5B15A
                                    • __freea.LIBCMT ref: 00F5B167
                                      • Part of subcall function 00F56B68: RtlAllocateHeap.NTDLL(00000000,00F3FBA7,?,?,00F4DFF8,?,?,?,?,?,00F3FACB,00F3FBA7,?,?,?,?), ref: 00F56B9A
                                    • __freea.LIBCMT ref: 00F5B170
                                    • __freea.LIBCMT ref: 00F5B195
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                    • String ID:
                                    • API String ID: 3864826663-0
                                    • Opcode ID: 0c1064152316ad7ec7f57f5298a13036f13da997c483d69782086373009512d9
                                    • Instruction ID: b43304583e844905232ed0e33110093f306141a94b891be6a1dd4a8e691bfaf4
                                    • Opcode Fuzzy Hash: 0c1064152316ad7ec7f57f5298a13036f13da997c483d69782086373009512d9
                                    • Instruction Fuzzy Hash: AC511472A00A16AFDB258F60CC91FBB77A9EB407A1F144629FE04D7190EB38DC48E650
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,33A37B94,?,00000000,?,00EC0B4E,00000000,000000FF), ref: 00F46316
                                    • GetTickCount.KERNEL32 ref: 00F4631E
                                    • ResetEvent.KERNEL32(?), ref: 00F4632E
                                    • QueryPerformanceCounter.KERNEL32(00000000), ref: 00F46381
                                    • GetTickCount.KERNEL32 ref: 00F4638F
                                    • __alldvrm.LIBCMT ref: 00F463FD
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F46417
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F4643C
                                      • Part of subcall function 00F465FF: GetTickCount.KERNEL32 ref: 00F4660E
                                      • Part of subcall function 00F465FF: GetTickCount.KERNEL32 ref: 00F46637
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: CountTick$CounterPerformanceQueryUnothrow_t@std@@@__ehfuncinfo$??2@$EventReset__alldvrm
                                    • String ID:
                                    • API String ID: 3317835756-0
                                    • Opcode ID: 46be88025937186f68e5f3b09182e056b0360a62662b2daff8ed4bdf86acc6c8
                                    • Instruction ID: 8e2f0f2605d3b2e6147a1a92f59d48afd2f0260367d884538ade9db95de4e987
                                    • Opcode Fuzzy Hash: 46be88025937186f68e5f3b09182e056b0360a62662b2daff8ed4bdf86acc6c8
                                    • Instruction Fuzzy Hash: 17518E71E0074AAFDB14CFA4C884BAABBF4FF49325F008129E814D7650D738AD50EB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F0D230: new.LIBCMT ref: 00F0D25D
                                    • VariantInit.OLEAUT32(00000028), ref: 00EFDB30
                                    • VariantInit.OLEAUT32(00000038), ref: 00EFDB47
                                    • GetLastError.KERNEL32 ref: 00EFDB6C
                                    • SetLastError.KERNEL32(?), ref: 00EFDBAE
                                    • GetLastError.KERNEL32 ref: 00EFDBCA
                                    • SetLastError.KERNEL32(?), ref: 00EFDC06
                                    • GetLastError.KERNEL32 ref: 00EFDC25
                                    • SetLastError.KERNEL32(?), ref: 00EFDC61
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InitVariant
                                    • String ID:
                                    • API String ID: 201494241-0
                                    • Opcode ID: f1dc7927edb06154143f2b5c6fefb173837ba1cd39f300936d32e2c706482ce8
                                    • Instruction ID: c36ef5bd209b7323e17fb69173348ce93142034b2158ec6693ced139702d1b0c
                                    • Opcode Fuzzy Hash: f1dc7927edb06154143f2b5c6fefb173837ba1cd39f300936d32e2c706482ce8
                                    • Instruction Fuzzy Hash: 706102B0804748DFDB20CFA9C54874ABFF0BF08314F14869ED4899B752D7B5AA08DB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32 ref: 00F0553E
                                    • SetLastError.KERNEL32(?), ref: 00F0559F
                                      • Part of subcall function 00F4C948: __onexit.LIBCMT ref: 00F4C94E
                                    • GetLastError.KERNEL32 ref: 00F05610
                                    • SetLastError.KERNEL32(?), ref: 00F05677
                                    • SetLastError.KERNEL32(8004070E,00000000,00000002,00000002,00F966B4,?,00000001,?,00F9091C,IDS_STAGEDOWNLOAD_FAILRETRY,?), ref: 00F059B7
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                      • Part of subcall function 00EB4CA0: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F610C1,000000FF), ref: 00EB4CE2
                                      • Part of subcall function 00EB4CA0: SetLastError.KERNEL32(?,?,?,?,?,00F610C1,000000FF), ref: 00EB4D21
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FreeString$__onexit
                                    • String ID: #$IDS_STAGEDOWNLOAD_FAILRETRY
                                    • API String ID: 696547012-4145211882
                                    • Opcode ID: 808454dc767873db0684e34ea3faf48bce4ba6ff4269ae48b122bc80bb97f107
                                    • Instruction ID: ad248227fbd66c07d3fe63b5eda3accf901c63ec4d9b5b30e3b80363d57f5a6c
                                    • Opcode Fuzzy Hash: 808454dc767873db0684e34ea3faf48bce4ba6ff4269ae48b122bc80bb97f107
                                    • Instruction Fuzzy Hash: EDE1B070A0A708DFDB00EF78ED55B9A7BA2EB04700F54416AE4059B2E2F7719A04FF52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SysFreeString.OLEAUT32(00F9A694), ref: 00EFAB88
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: FreeString$ErrorLast
                                    • String ID: $Condition.cpp$Locale: ignoring presumed %s locale name '%s'; cannot verify on this system$Locale: invalid %s language value '%s'$abcdefghijklmnopqrstuvwxyz-*
                                    • API String ID: 2541235897-449814090
                                    • Opcode ID: 51a86b48714d26ff3d6d1333d6047b52f4af64b4dfb13b9267bef02e3e6af864
                                    • Instruction ID: 10fa10cbed7fb2e483b4b1181eea9358d80f3af726c0ba79d799e6d8984fc1cb
                                    • Opcode Fuzzy Hash: 51a86b48714d26ff3d6d1333d6047b52f4af64b4dfb13b9267bef02e3e6af864
                                    • Instruction Fuzzy Hash: ABD1AEB0A0421CEFDF24DBA4CC95BEEB7B8AF15304F5440A9E519B7281DB705A88DF52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: All$Any$D$ExtType$Not
                                    • API String ID: 0-4154192528
                                    • Opcode ID: 5004a5b32e3c85337faa4dce2e0b8e23f32a9deeb8aea3cf6ab68c67544a928d
                                    • Instruction ID: b8aaf6be644d3605742bbbc64e24c3d701aff3c4bbf13a41fc1bee81ad9e0315
                                    • Opcode Fuzzy Hash: 5004a5b32e3c85337faa4dce2e0b8e23f32a9deeb8aea3cf6ab68c67544a928d
                                    • Instruction Fuzzy Hash: 23A1BC71904228DBDF24DB64CD55BEEB7B8AF84350F644299D00AA72C1EF74AF84EB40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F0BE70: VariantInit.OLEAUT32(?), ref: 00F0BEF6
                                      • Part of subcall function 00F0BE70: VariantClear.OLEAUT32(00000009), ref: 00F0BF2B
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00F0A38C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Variant$ClearException@8InitThrow
                                    • String ID: Parcel operation return status: %x$Parcel status appears to indicate a reboot is necessary$Parcel.cpp$Running parcel operation for parcel %s$Setup running after reboot, parcel operation already ran
                                    • API String ID: 538707214-425875968
                                    • Opcode ID: 9d344fdaf52ea445a160af04908de1e65df5aff91ecfb2a904d0a6e191376b04
                                    • Instruction ID: a5ca4c671e360ac97a5d2fc0e40c0e2a2e048a6f9993b6193122dd45af6240e9
                                    • Opcode Fuzzy Hash: 9d344fdaf52ea445a160af04908de1e65df5aff91ecfb2a904d0a6e191376b04
                                    • Instruction Fuzzy Hash: 67A19E70A04348DEEB24EF64DC45BEEBBB1BB04304F14425EE145AB2D2DBB55949EB42
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00F0C3EC
                                    • VariantClear.OLEAUT32(00000008), ref: 00F0C424
                                    • SysAllocString.OLEAUT32(?), ref: 00F0C43A
                                    • VariantClear.OLEAUT32(00000003), ref: 00F0C464
                                    • VariantClear.OLEAUT32(00000003), ref: 00F0C493
                                    • VariantClear.OLEAUT32(?), ref: 00F0C4BF
                                    • VariantClear.OLEAUT32(?), ref: 00F0C565
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Variant$Clear$AllocInitString
                                    • String ID:
                                    • API String ID: 347172062-0
                                    • Opcode ID: 063f4d142901602741486b772443cf7ac85fc31eee6d26aac92d14a977dbb592
                                    • Instruction ID: c55f79a1c953209845c70a06b01a7d50486e703f50c086dbab38e45690755d7e
                                    • Opcode Fuzzy Hash: 063f4d142901602741486b772443cf7ac85fc31eee6d26aac92d14a977dbb592
                                    • Instruction Fuzzy Hash: 08712B74E013099BDB20CFA5C944BEDBBB4EF08300F14816AE509EB281E775AE45EB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB48D0: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60F81,000000FF,?,00EB2726), ref: 00EB4907
                                      • Part of subcall function 00EB48D0: SetLastError.KERNEL32(?,?,?,?,?,00F60F81,000000FF), ref: 00EB4946
                                      • Part of subcall function 00EB33E0: SysStringLen.OLEAUT32(?), ref: 00EB33EE
                                      • Part of subcall function 00EB33E0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3408
                                    • GetDateFormatW.KERNEL32(00000800,00000000,00000000,M-d-yyyy,00000000,00000080,00000001,00000080,00000001,?), ref: 00F3917C
                                      • Part of subcall function 00EB3C90: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,?,00000000,00F60DB0,000000FF,?,00EB2773,?,?,00000000,00000410), ref: 00EB3CBD
                                      • Part of subcall function 00EB3C90: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,00000000,00F60DB0,000000FF,?,00EB2773,?,?,00000000,00000410), ref: 00EB3D4E
                                    • GetTimeFormatW.KERNEL32(00000800,00000000,00000000,hh':'mm':'ss tt,00000000,00000080,?,00000080), ref: 00F391D8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FormatString$AllocDateTime
                                    • String ID: %s[%s]: %s$%s[%s]: %s -- File: %s, Line: %d$M-d-yyyy$hh':'mm':'ss tt
                                    • API String ID: 3619946683-1641453432
                                    • Opcode ID: bd77b371469bdd2794fd27150eeb630d0cd1f5ce7d55ad2584dd8f977f45b947
                                    • Instruction ID: c9620c482794b3e0ef0bf508ade963904c0e9731c7b0f78c83935eda9f159fe7
                                    • Opcode Fuzzy Hash: bd77b371469bdd2794fd27150eeb630d0cd1f5ce7d55ad2584dd8f977f45b947
                                    • Instruction Fuzzy Hash: 94718D70905298EEDB15EBA4DD56BEEBBB8AF25300F10419DE405731C2DBB42B48DB72
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(-00000004,40000000,00000000,00000000,00000002,00000080,00000000,33A37B94,00000000,?,00000000), ref: 00EEF992
                                    • GetLastError.KERNEL32 ref: 00EEF9A0
                                    • ReadFile.KERNEL32(?,00000000,00000400,?,00000000), ref: 00EEF9D8
                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00EEFA8A
                                    • ReadFile.KERNEL32(?,?,00000400,?,00000000), ref: 00EEFACE
                                    • FlushFileBuffers.KERNEL32(?), ref: 00EEFAE9
                                    • CloseHandle.KERNEL32(?), ref: 00EEFAF0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: File$Read$BuffersCloseCreateErrorFlushHandleLastWrite
                                    • String ID:
                                    • API String ID: 1893000674-0
                                    • Opcode ID: 244320cd97350e8fc730f48d2f98b5c68503f7493fcc3c604848dc9f90d9e835
                                    • Instruction ID: 8b9381c578de96e2f28351be6ff9b418a4164189c48c103eab6d9a83047f2f69
                                    • Opcode Fuzzy Hash: 244320cd97350e8fc730f48d2f98b5c68503f7493fcc3c604848dc9f90d9e835
                                    • Instruction Fuzzy Hash: 0D615C71E00248AFDB24DFE5DC85BAEBBB5FF48704F104129E90AAB291DB71A905CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F0D230: new.LIBCMT ref: 00F0D25D
                                    • GetLastError.KERNEL32 ref: 00F1234B
                                    • SetLastError.KERNEL32(?), ref: 00F1238D
                                    • GetLastError.KERNEL32 ref: 00F123F5
                                    • SetLastError.KERNEL32(?), ref: 00F12431
                                    • GetLastError.KERNEL32 ref: 00F12459
                                    • SetLastError.KERNEL32(?), ref: 00F12495
                                      • Part of subcall function 00EDF770: new.LIBCMT ref: 00EDF79D
                                      • Part of subcall function 00EB48D0: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60F81,000000FF,?,00EB2726), ref: 00EB4907
                                      • Part of subcall function 00EB48D0: SetLastError.KERNEL32(?,?,?,?,?,00F60F81,000000FF), ref: 00EB4946
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: $
                                    • API String ID: 1452528299-3993045852
                                    • Opcode ID: 580a292d2647ab50da2c6d1bd2dfab9c05b62f088215465e8ff2a23faf370f7f
                                    • Instruction ID: d00fc2e08e1d23ada10af332d62a2c1b78e982439d338bd1e0167e61db81c4ad
                                    • Opcode Fuzzy Hash: 580a292d2647ab50da2c6d1bd2dfab9c05b62f088215465e8ff2a23faf370f7f
                                    • Instruction Fuzzy Hash: B7910AB0805784DFEB50CF69C58878ABFF0BF18308F1485ADC4899B792D3B59648DBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EC1460: GetLastError.KERNEL32(33A37B94,74DEDFA0,?,?,?,00F645F9,000000FF,?,00EBF578,?,00000000), ref: 00EC1497
                                      • Part of subcall function 00EC1460: SetLastError.KERNEL32(?), ref: 00EC14D6
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00EE58CA
                                      • Part of subcall function 00EC1570: GetLastError.KERNEL32(33A37B94,?,?,?,00F64628,000000FF), ref: 00EC15B0
                                      • Part of subcall function 00EC1570: new.LIBCMT ref: 00EC15C6
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00EE5764
                                      • Part of subcall function 00F4E44A: RaiseException.KERNEL32(?,?,00F3FBB5,?,?,00000000,?,?,?,?,?,00F3FBB5,?,00FCBE10,?), ref: 00F4E4A9
                                    • GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000104,?,?), ref: 00EE5735
                                      • Part of subcall function 00EB9D60: GetLastError.KERNEL32(33A37B94,74DEDFA0,74DEE010), ref: 00EB9D8D
                                      • Part of subcall function 00EB9D60: SetLastError.KERNEL32(00000000), ref: 00EB9E1E
                                    • GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000104,?,?), ref: 00EE5857
                                      • Part of subcall function 00EB3ED0: SysStringLen.OLEAUT32(?), ref: 00EB3EDE
                                      • Part of subcall function 00EB3ED0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3EF8
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast$Directory$StringWindows$AllocExceptionException@8RaiseSystemThrow
                                    • String ID: sysnative$syswow64
                                    • API String ID: 904407786-1057783856
                                    • Opcode ID: 72aa1a99cb5206a79dfbfbf9dcf3748b82acd07198c6e6185f06ebeee0823abb
                                    • Instruction ID: f2c3bc16ca352fb0477b30cfc0ab435e29e32fe49f6d4a6a1e1c3aa9d8a197aa
                                    • Opcode Fuzzy Hash: 72aa1a99cb5206a79dfbfbf9dcf3748b82acd07198c6e6185f06ebeee0823abb
                                    • Instruction Fuzzy Hash: DF51AE71A0024CDEEB10EBA4CD46BDEBBF4BF15308F144099E541B7293DBB06A48DB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00F5E002,?,00000000,?,00000000,00000000), ref: 00F5D8CF
                                    • __fassign.LIBCMT ref: 00F5D94A
                                    • __fassign.LIBCMT ref: 00F5D965
                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00F5D98B
                                    • WriteFile.KERNEL32(?,?,00000000,00F5E002,00000000,?,?,?,?,?,?,?,?,?,00F5E002,?), ref: 00F5D9AA
                                    • WriteFile.KERNEL32(?,?,00000001,00F5E002,00000000,?,?,?,?,?,?,?,?,?,00F5E002,?), ref: 00F5D9E3
                                    Similarity
                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                    • String ID:
                                    • API String ID: 1324828854-0
                                    • Opcode ID: e48ab05d44aec3c7f433528daeffa533366d3cf81391b8abc6fb7a3c93acca02
                                    • Instruction ID: 4fd9e0d5398feeb73825992ae70cbb5f7a8217eb5f576666b1c305e76f492f08
                                    • Opcode Fuzzy Hash: e48ab05d44aec3c7f433528daeffa533366d3cf81391b8abc6fb7a3c93acca02
                                    • Instruction Fuzzy Hash: FA51B5B1D052499FCF20CFA8D845AEEBBF9FF09311F14411AEA55E7292E7309944DBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNEL32(msi.dll,MsiSetExternalUIRecord,?,00000000,00000000,?,?,?,?,00000000), ref: 00F23425
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F2342C
                                    Strings
                                    • MsiSetExternalUIRecord, xrefs: 00F2341B
                                    • +, xrefs: 00F2344A
                                    • msi.dll, xrefs: 00F23420
                                    • Could not obtain function proc address for MsiSetExternalUIRecord from msi.dll, xrefs: 00F23444
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: +$Could not obtain function proc address for MsiSetExternalUIRecord from msi.dll$MsiSetExternalUIRecord$msi.dll
                                    • API String ID: 1646373207-1877515688
                                    • Opcode ID: c17c4b60e82cc0114090bf1153194aa3450c7fb7b4f76118c4e8091354b4852c
                                    • Instruction ID: 0efc612cd89938a39f304069afec667fbf210504db9fd7427debc354350a7aaf
                                    • Opcode Fuzzy Hash: c17c4b60e82cc0114090bf1153194aa3450c7fb7b4f76118c4e8091354b4852c
                                    • Instruction Fuzzy Hash: CF41CEB1200218EFEB24DF18EC4EF6A37A5EF41319F140469F905DB291C778EA54EBA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00EB3568
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00EB3572
                                      • Part of subcall function 00EB4370: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00EB43E8
                                      • Part of subcall function 00EB4370: SysFreeString.OLEAUT32(00000000), ref: 00EB4460
                                    Strings
                                    Similarity
                                    • API ID: StringXinvalid_argumentstd::_$AllocFree
                                    • String ID: >'$>'$>'$string too long
                                    • API String ID: 2819953329-2006352014
                                    • Opcode ID: 4756e713a4a536e7885435a850220f7de506fcf877eea8e53665778a1d9247bc
                                    • Instruction ID: 3588a598d3e7c94fee2514d520774e5b5cb04724ac493056d33dccd61855f070
                                    • Opcode Fuzzy Hash: 4756e713a4a536e7885435a850220f7de506fcf877eea8e53665778a1d9247bc
                                    • Instruction Fuzzy Hash: DE41F0722043149BDB249F68E841AABF3E8FF94714F20452FE456D7650DB72EA048B91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 00F44470
                                    • GetModuleHandleW.KERNEL32(Ntdll.dll,NtQueryInformationProcess,?,00000400,?,000004A0,00F44454,00000000,?,00000068,00F454C9,00F43D8D,?,?), ref: 00F444A0
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F444A7
                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000068,00F454C9,00F43D8D,?,?), ref: 00F444D3
                                      • Part of subcall function 00F40200: __EH_prolog3_catch.LIBCMT ref: 00F40207
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    Strings
                                    Similarity
                                    • API ID: ErrorFreeLastString$AddressH_prolog3_H_prolog3_catchHandleModuleOpenProcProcess
                                    • String ID: NtQueryInformationProcess$Ntdll.dll
                                    • API String ID: 1707509531-801751246
                                    • Opcode ID: afdac83519fe65644f0113b2ad450de970d5d67167dccc3ddfc046d226d4cb57
                                    • Instruction ID: 5c970238709a9de77502371ebb576d895023294e578ecb0b5e2183940d78150d
                                    • Opcode Fuzzy Hash: afdac83519fe65644f0113b2ad450de970d5d67167dccc3ddfc046d226d4cb57
                                    • Instruction Fuzzy Hash: CC314FB19402299BDF20EB60CC85BDDBB78AF44704F4444D5AB08B7182DB74AF89EF59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,?,000001F0,00000000,?,00F21826,80000002,?,00000000,00000000,0002001F,00000000,00000000,000001F0), ref: 00EEEA24
                                    • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00EEEA3B
                                    • RegCreateKeyExW.ADVAPI32(000001F0,00000000,00000000,00000000,0002001F,00000000,00000000,00000000,00000000,00000000,?,000001F0,00000000,?,00F21826,80000002), ref: 00EEEA8E
                                    • RegCloseKey.ADVAPI32(00000000,?,00F21826,80000002,?,00000000,00000000,0002001F,00000000,00000000,000001F0), ref: 00EEEAAD
                                    Strings
                                    Similarity
                                    • API ID: AddressCloseCreateHandleModuleProc
                                    • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                    • API String ID: 1765684683-2994018265
                                    • Opcode ID: 917cf53c56c8b23949012372430938447ec6c8e0246eb0738f8f112ac36a41b9
                                    • Instruction ID: 717dc805f9aa4a6bf89e1584585d978d2ed59e1e35e8cc4d4d2a1591d48879ba
                                    • Opcode Fuzzy Hash: 917cf53c56c8b23949012372430938447ec6c8e0246eb0738f8f112ac36a41b9
                                    • Instruction Fuzzy Hash: F921277220024EEBEF11CF4ADC45FAA7BA9FF48744F14842DF909A6250E772D960EB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                    • API String ID: 0-1718035505
                                    • Opcode ID: e18127a9e7dcd9cc639910ca0805ed7e429046b62fdfb0c3a9a95843ce7ee1b6
                                    • Instruction ID: 116256356a93fb7c76f9ffaaffc420a3c300a187c8910baaac7562393787976f
                                    • Opcode Fuzzy Hash: e18127a9e7dcd9cc639910ca0805ed7e429046b62fdfb0c3a9a95843ce7ee1b6
                                    • Instruction Fuzzy Hash: 7301A472F523629B4F20AF78DC955E737D99F42B36B28003BE801D7205D612C849F7A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00F451FB
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,RemoveDirectoryW,00000004,00F41D52), ref: 00F45210
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F45217
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                    • GetLastError.KERNEL32 ref: 00F45256
                                      • Part of subcall function 00F45315: __EH_prolog3_GS.LIBCMT ref: 00F4531C
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast$AddressH_prolog3H_prolog3_HandleModuleProc
                                    • String ID: RemoveDirectoryW$kernel32.dll
                                    • API String ID: 516058616-3934976865
                                    • Opcode ID: 38b24629f063281b455081114ba6c72d918740e3b0304f738988c1eaa2c52793
                                    • Instruction ID: 1034253fe2bdddc2ae6a0ef7cd491e20dd04a2b3db0ee6cba955ae13a9e7d7a6
                                    • Opcode Fuzzy Hash: 38b24629f063281b455081114ba6c72d918740e3b0304f738988c1eaa2c52793
                                    • Instruction Fuzzy Hash: 5701D1B1A006089BDF55BFA8DC0A6AE3BA4AF18B11F404119FC04D6283DB74DA00EB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00F416CB
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,DeleteFileW,00000004,00F417B6,?,00000000,00000000), ref: 00F416E0
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F416E7
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                    • GetLastError.KERNEL32 ref: 00F41726
                                      • Part of subcall function 00F45315: __EH_prolog3_GS.LIBCMT ref: 00F4531C
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast$AddressH_prolog3H_prolog3_HandleModuleProc
                                    • String ID: DeleteFileW$kernel32.dll
                                    • API String ID: 516058616-2218860424
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNEL32(KERNEL32), ref: 00EB1006
                                    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00EB1014
                                    • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00EB102B
                                    Strings
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: KERNEL32$SetDllDirectoryW$SetSearchPathMode
                                    • API String ID: 667068680-4129897381
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC4BA6
                                    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC4BEB
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC4C0A
                                    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC4C46
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC4C62
                                    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC4C9E
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC4CBD
                                    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC4CF9
                                      • Part of subcall function 00EDF680: new.LIBCMT ref: 00EDF6AD
                                      • Part of subcall function 00F477D1: __EH_prolog3.LIBCMT ref: 00F477D8
                                    Similarity
                                    • API ID: ErrorLast$H_prolog3
                                    • String ID:
                                    • API String ID: 3502553090-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94), ref: 00F1EA17
                                    • SetLastError.KERNEL32(00F908E8), ref: 00F1EA66
                                    • GetLastError.KERNEL32 ref: 00F1EA7D
                                    • SetLastError.KERNEL32(00F908E8), ref: 00F1EAC3
                                    • RegCloseKey.ADVAPI32(00000000,?,?,00F908E8,?,00000000,000000FF,00F8B388,?,?,00000000,?,00000000,000000FF,00F8B388,?), ref: 00F1ED4C
                                    Similarity
                                    • API ID: ErrorLast$Close
                                    • String ID:
                                    • API String ID: 2117561858-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94), ref: 00EFB6A9
                                    Strings
                                    • AppxInstalled: condition not supported on this platform, will return false, xrefs: 00EFB6F2
                                    • AppxInstalled: failed to obtain appx helper proxy handler, xrefs: 00EFB780
                                    • AppxInstalled: result 0x%08x, xrefs: 00EFB8F7
                                    • Condition.cpp, xrefs: 00EFB6CD, 00EFB75B, 00EFB8B9, 00EFB8F0
                                    • AppxInstalled: failed to evaluate condition, error 0x%08x, xrefs: 00EFB8C0
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: AppxInstalled: condition not supported on this platform, will return false$AppxInstalled: failed to evaluate condition, error 0x%08x$AppxInstalled: failed to obtain appx helper proxy handler$AppxInstalled: result 0x%08x$Condition.cpp
                                    • API String ID: 1452528299-4237545306
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00EDA6AA
                                    • VariantClear.OLEAUT32(00000008), ref: 00EDA6E2
                                    • SysAllocString.OLEAUT32(?), ref: 00EDA6FA
                                    • VariantClear.OLEAUT32(00000014), ref: 00EDA729
                                    • VariantClear.OLEAUT32(00000014), ref: 00EDA75E
                                    • VariantClear.OLEAUT32(?), ref: 00EDA7F4
                                    Similarity
                                    • API ID: Variant$Clear$AllocInitString
                                    • String ID:
                                    • API String ID: 347172062-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00F0C1A4
                                    • VariantClear.OLEAUT32(00000009), ref: 00F0C1D9
                                    • VariantClear.OLEAUT32(00000008), ref: 00F0C210
                                    • SysAllocString.OLEAUT32(?), ref: 00F0C22A
                                    • VariantClear.OLEAUT32(00000003), ref: 00F0C254
                                    • VariantClear.OLEAUT32(?), ref: 00F0C2E5
                                    Similarity
                                    • API ID: Variant$Clear$AllocInitString
                                    • String ID:
                                    • API String ID: 347172062-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00F0C1A4
                                    • VariantClear.OLEAUT32(00000009), ref: 00F0C1D9
                                    • VariantClear.OLEAUT32(00000008), ref: 00F0C210
                                    Similarity
                                    • API ID: Variant$Clear$Init
                                    • String ID:
                                    • API String ID: 3740757921-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94,00F92610,?,?), ref: 00F3848E
                                    • SetLastError.KERNEL32(00F908E8,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F384DB
                                    Strings
                                    • CWindowsFeatureParcel::CallDismApi result: 0x%08x, xrefs: 00F38622
                                    • ISInstallWindowsFeatures, xrefs: 00F385DA
                                    • CWindowsFeatureParcel::CallDismApi: failed to create extension, status 0x%08x, xrefs: 00F3854F
                                    • WindowsFeatureParcel.cpp, xrefs: 00F38545, 00F3861B
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: CWindowsFeatureParcel::CallDismApi result: 0x%08x$CWindowsFeatureParcel::CallDismApi: failed to create extension, status 0x%08x$ISInstallWindowsFeatures$WindowsFeatureParcel.cpp
                                    • API String ID: 1452528299-3795504945
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00F06497
                                    • VariantClear.OLEAUT32(00000008), ref: 00F064CC
                                    • SysAllocString.OLEAUT32(?), ref: 00F064E4
                                    • VariantClear.OLEAUT32(00000003), ref: 00F06504
                                    • VariantClear.OLEAUT32(?), ref: 00F06531
                                    • VariantClear.OLEAUT32(?), ref: 00F065B1
                                    Similarity
                                    • API ID: Variant$Clear$AllocInitString
                                    • String ID:
                                    • API String ID: 347172062-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Similarity
                                    • API ID: _memcmp
                                    • String ID:
                                    • API String ID: 2931989736-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SysStringByteLen.OLEAUT32(?), ref: 00EC7598
                                    • SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 00EC75A1
                                    • SysStringLen.OLEAUT32(?), ref: 00EC760B
                                    • VarBstrCat.OLEAUT32(00000000,?,?), ref: 00EC7624
                                    • SysFreeString.OLEAUT32(00000000), ref: 00EC762F
                                    • SysFreeString.OLEAUT32(00000000), ref: 00EC7658
                                    Similarity
                                    • API ID: String$ByteFree$AllocBstr
                                    • String ID:
                                    • API String ID: 2225039195-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • CreateFileW.KERNEL32(-00000004,C0000000,00000001,00000000,00000004,00000080,00000000), ref: 00F38FE6
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F3901E
                                    • ReadFile.KERNEL32(00000000,00000000,00000002,00000000,00000000), ref: 00F39031
                                    • WriteFile.KERNEL32(00000000,0000FEFF,00000002,00000000,00000000), ref: 00F39071
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00F39085
                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00F390A4
                                    Similarity
                                    • API ID: File$PointerWrite$CreateRead
                                    • String ID:
                                    • API String ID: 2028722953-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00F44B8E
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F4536E: __EH_prolog3.LIBCMT ref: 00F45375
                                    • LoadTypeLib.OLEAUT32(33A37B94,?), ref: 00F44C06
                                    • RegisterTypeLib.OLEAUT32(?,33A37B94,00000000), ref: 00F44C20
                                    • RegOverridePredefKey.ADVAPI32(80000000,00000000), ref: 00F44CC2
                                      • Part of subcall function 00F44EF0: GetVersionExW.KERNEL32(?), ref: 00F44F14
                                      • Part of subcall function 00F40823: RegOverridePredefKey.ADVAPI32(80000000,?), ref: 00F4085B
                                    Similarity
                                    • API ID: ErrorH_prolog3LastOverridePredefType$LoadRegisterVersion
                                    • String ID:
                                    • API String ID: 751726694-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SafeArrayGetElement.OLEAUT32(00000002,000000FF,00000000), ref: 00F01A3A
                                    • SysStringByteLen.OLEAUT32(00000000), ref: 00F01ACC
                                    • SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 00F01AD6
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00F01A50
                                      • Part of subcall function 00F4E44A: RaiseException.KERNEL32(?,?,00F3FBB5,?,?,00000000,?,?,?,?,?,00F3FBB5,?,00FCBE10,?), ref: 00F4E4A9
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F01A79
                                    • SysFreeString.OLEAUT32(00000000), ref: 00F01AAD
                                    Similarity
                                    • API ID: String$ByteFree$AllocArrayElementExceptionException@8RaiseSafeThrow
                                    • String ID:
                                    • API String ID: 904061660-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00ED7755
                                    • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00ED778B
                                    • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00ED779B
                                    • DispatchMessageW.USER32(?), ref: 00ED77A1
                                    • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00ED77AF
                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00ED77C4
                                    Similarity
                                    • API ID: Message$MultipleObjectsPeekWait$Dispatch
                                    • String ID:
                                    • API String ID: 1963227181-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • new.LIBCMT ref: 00F165D5
                                      • Part of subcall function 00F11360: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00F113DF
                                      • Part of subcall function 00F11360: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00F11421
                                      • Part of subcall function 00F11360: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00F1143D
                                      • Part of subcall function 00F11360: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00F11479
                                      • Part of subcall function 00EFEEA0: std::_Xinvalid_argument.LIBCPMT ref: 00EFEF10
                                    • new.LIBCMT ref: 00F16722
                                    Similarity
                                    • API ID: ErrorLast$Xinvalid_argumentstd::_
                                    • String ID: ,$File$Folder
                                    • API String ID: 1024515993-1844102309
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32 ref: 00F04690
                                    • SetLastError.KERNEL32(00F908E8), ref: 00F046FE
                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00F04736
                                    • ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 00F04776
                                    Strings
                                    • %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X, xrefs: 00F0480B
                                    Similarity
                                    • API ID: ErrorFileLast$CreateRead
                                    • String ID: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X
                                    • API String ID: 1307834717-2582415446
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • new.LIBCMT ref: 00F163BA
                                      • Part of subcall function 00F11360: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00F113DF
                                      • Part of subcall function 00F11360: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00F11421
                                      • Part of subcall function 00F11360: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00F1143D
                                      • Part of subcall function 00F11360: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00F11479
                                    • new.LIBCMT ref: 00F164D6
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: &$File$Folder
                                    • API String ID: 1452528299-1471521411
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00ED7C6B
                                    Similarity
                                    • API ID: Exception@8Throw
                                    • String ID: Action '%s' does not exist$Action '%s' returned status 0x%08x$Running event '%s'$SetupEngine.cpp
                                    • API String ID: 2005118841-2967741759
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104,?,?,?,00000000), ref: 00F38E90
                                    Strings
                                    • SOFTWARE\InstallShield\25.0\Professional, xrefs: 00F38DC5
                                    • InstallShield.log, xrefs: 00F38EFB
                                    • VerboseLogPath, xrefs: 00F38E32
                                    Similarity
                                    • API ID: FileModuleName
                                    • String ID: InstallShield.log$SOFTWARE\InstallShield\25.0\Professional$VerboseLogPath
                                    • API String ID: 514040917-4197916691
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94,00F92610,00F8B388), ref: 00ED3281
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED32CE
                                    • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 00ED3307
                                    Strings
                                    • Failed to obtain the running setup path for elevated proxy, xrefs: 00ED3363
                                    • SetupEngine.cpp, xrefs: 00ED333B
                                    Similarity
                                    • API ID: ErrorLast$FileModuleName
                                    • String ID: Failed to obtain the running setup path for elevated proxy$SetupEngine.cpp
                                    • API String ID: 1026760046-2980962360
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94,00F9271C,00000000), ref: 00ED3461
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED34AE
                                    • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 00ED34E7
                                    Strings
                                    • SetupEngine.cpp, xrefs: 00ED351B
                                    • Failed to obtain the running setup path for nonelevated proxy, xrefs: 00ED3543
                                    Similarity
                                    • API ID: ErrorLast$FileModuleName
                                    • String ID: Failed to obtain the running setup path for nonelevated proxy$SetupEngine.cpp
                                    • API String ID: 1026760046-3061179590
                                    • Opcode ID: d77cbd7f811db4cda54af9cc5b9bdf77776b15bcae06a8d3e7ed9b03b5615e19
                                    • Instruction ID: 8f012981ebaf656c75fb5439e9d43460384d48cdf5285a8d14718080bd50b5bc
                                    • Opcode Fuzzy Hash: d77cbd7f811db4cda54af9cc5b9bdf77776b15bcae06a8d3e7ed9b03b5615e19
                                    • Instruction Fuzzy Hash: 02516C70A04248EFEB14DFA4D849BDEBBB0FF09304F14519AE105B7292DBB45A49DF92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00000000,00020019,00000000,33A37B94), ref: 00EE5AF6
                                    • RegQueryValueExW.ADVAPI32(00000000,CommonFilesDir,00000000,00000000,?,?), ref: 00EE5B33
                                    Strings
                                    Similarity
                                    • API ID: OpenQueryValue
                                    • String ID: CommonFilesDir$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
                                    • API String ID: 4153817207-3256072622
                                    • Opcode ID: bbb19c817ce01befcfe03c0e26917ffe8f88c46c02f2b09ba5272b3d79d73db5
                                    • Instruction ID: 5c7fe812875a8758c30b65e91c4a0551285019b56f966ad017d2fb5b61390b00
                                    • Opcode Fuzzy Hash: bbb19c817ce01befcfe03c0e26917ffe8f88c46c02f2b09ba5272b3d79d73db5
                                    • Instruction Fuzzy Hash: E64191B1A01258AFEB60DF54CC49BDEBBB8EB44704F1001E9E41DB7281DBB45A84DF95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 00F447D7
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F4536E: __EH_prolog3.LIBCMT ref: 00F45375
                                      • Part of subcall function 00EE5F80: GetLastError.KERNEL32(0000003C,00000000,33A37B94,0000003C,00000000,00000000), ref: 00EE5FEC
                                      • Part of subcall function 00EE5F80: SetLastError.KERNEL32(00F908E8), ref: 00EE602A
                                      • Part of subcall function 00F44A92: __EH_prolog3_GS.LIBCMT ref: 00F44A99
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast$H_prolog3_$H_prolog3
                                    • String ID: .DLL$.EXE$.OCX$.TLB
                                    • API String ID: 532146472-324785130
                                    • Opcode ID: 2b9363902129bb994741783df8812909b34aad6e92ab4f3f606729bc0fe6348f
                                    • Instruction ID: 4029c5bdba1a3fe4bdd3af154e977927b3d0e4be8b1055d99596060de2d30324
                                    • Opcode Fuzzy Hash: 2b9363902129bb994741783df8812909b34aad6e92ab4f3f606729bc0fe6348f
                                    • Instruction Fuzzy Hash: E43188B5900208AFDF04FF64DC829FE7FA8AF04744B505029FC05B6252EB75E956EB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB4CA0: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F610C1,000000FF), ref: 00EB4CE2
                                      • Part of subcall function 00EB4CA0: SetLastError.KERNEL32(?,?,?,?,?,00F610C1,000000FF), ref: 00EB4D21
                                    • GetModuleHandleExW.KERNEL32(00000006,?,?), ref: 00F1D85F
                                      • Part of subcall function 00EB3ED0: SysStringLen.OLEAUT32(?), ref: 00EB3EDE
                                      • Part of subcall function 00EB3ED0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3EF8
                                    • GetModuleFileNameW.KERNEL32(?,00000000,00000104,?,00000104), ref: 00F1D899
                                      • Part of subcall function 00EB9D60: GetLastError.KERNEL32(33A37B94,74DEDFA0,74DEE010), ref: 00EB9D8D
                                      • Part of subcall function 00EB9D60: SetLastError.KERNEL32(00000000), ref: 00EB9E1E
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    Strings
                                    • Exception address 0x%08x in module %s (base 0x%08x), xrefs: 00F1D935
                                    • Exception caught while running script action, exception code 0x%08x at 0x%08x, xrefs: 00F1D8F5
                                    • :, xrefs: 00F1D972
                                    Similarity
                                    • API ID: ErrorLast$String$FreeModule$AllocFileHandleName
                                    • String ID: :$Exception address 0x%08x in module %s (base 0x%08x)$Exception caught while running script action, exception code 0x%08x at 0x%08x
                                    • API String ID: 1895926925-941225769
                                    • Opcode ID: a6d48178de412c0220dcfccb9df47e62f8b501c59452ead0ee71e019cca1c072
                                    • Instruction ID: 1705927619b3f84f26ca9e9aad7a157bee8c9061fb1b4bfe52657c2b6d741bf1
                                    • Opcode Fuzzy Hash: a6d48178de412c0220dcfccb9df47e62f8b501c59452ead0ee71e019cca1c072
                                    • Instruction Fuzzy Hash: 14412C70900248EFDB11EBA4CD8ABDEB7B8AF15304F6040A9E145B71A2DB716F44DF51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetVersionExW.KERNEL32(00000294,?,?,?,?,00F35ECD,00000000,?,?), ref: 00F34B92
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetProductInfo,?,?), ref: 00F34BD5
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F34BDC
                                    Strings
                                    Similarity
                                    • API ID: AddressHandleModuleProcVersion
                                    • String ID: GetProductInfo$kernel32.dll
                                    • API String ID: 3310240892-182221857
                                    • Opcode ID: 696682540451a36ea70accbace1bf301be8d6e6370b27fe87ffa011b282a57fc
                                    • Instruction ID: 5a343fedb58a1640b60bca7c91bce8027f2dc97915f47a0b8ed4b16e0ab84e24
                                    • Opcode Fuzzy Hash: 696682540451a36ea70accbace1bf301be8d6e6370b27fe87ffa011b282a57fc
                                    • Instruction Fuzzy Hash: C1213831E022056ADF3457999C8D7ACF728A7467F0F281192E938D3060D368FC88A3C2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __set_se_translator.LIBVCRUNTIME ref: 00F1D9AD
                                    • VariantClear.OLEAUT32(?), ref: 00F1D9EC
                                    • VariantClear.OLEAUT32(?), ref: 00F1DA03
                                    Strings
                                    Similarity
                                    • API ID: ClearVariant$__set_se_translator
                                    • String ID: !$(
                                    • API String ID: 2601108747-43236505
                                    • Opcode ID: f55725e2cf8cc822297148c31867559a825b9dee3506b89f3c42deb931d5e750
                                    • Instruction ID: bb51372989c494ac35649074d76fc7d967bdd55d7111abca6e947755813b8147
                                    • Opcode Fuzzy Hash: f55725e2cf8cc822297148c31867559a825b9dee3506b89f3c42deb931d5e750
                                    • Instruction Fuzzy Hash: 0A31DE30909298DFDB10EBA4D999BDEBBF0AF24300F1440E9D048A7292DB745F88DF12
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SysAllocStringLen.OLEAUT32(33A37B94,?), ref: 00EC2E6F
                                    Strings
                                    Similarity
                                    • API ID: AllocString
                                    • String ID: IA64$Unknown$x64$x86
                                    • API String ID: 2525500382-3030484263
                                    • Opcode ID: ece011574b8c103e201ad27578d9d25c5fe1e23aefae8d90a4274096d73ded3b
                                    • Instruction ID: f976ab37043a3af424f6d69479f0a049d3aa1cd70f3edadbd08b231a0c627f64
                                    • Opcode Fuzzy Hash: ece011574b8c103e201ad27578d9d25c5fe1e23aefae8d90a4274096d73ded3b
                                    • Instruction Fuzzy Hash: 0221CF71E0421DDACF15EFA8DD52BEEB7B4BB04710F10412EE812B3281DB75AA06D795
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F332D4
                                    Strings
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_
                                    • String ID: vector<T> too long$yxxx$yxxx$yxxx
                                    • API String ID: 909987262-1981109606
                                    • Opcode ID: 6e2eb256d3b0ebd9a76a388d190db76679b4149a431e08826f50ef15c8c7d953
                                    • Instruction ID: b2d4e00dc73879dc812792d5a67008fbd29f6111635f5566b2ff4a35ce15ccd9
                                    • Opcode Fuzzy Hash: 6e2eb256d3b0ebd9a76a388d190db76679b4149a431e08826f50ef15c8c7d953
                                    • Instruction Fuzzy Hash: E40181737004251B4B0C983D8DA552B658797ED37432AC279E907DFF8AC824ED8AE6D4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,?,00EEE9AD,?,?,00000000), ref: 00EEE80A
                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EEE81A
                                      • Part of subcall function 00EEE780: GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,?,00EEE7F7,00000000,?,00000000,?,00EEE9AD,?,?,00000000), ref: 00EEE790
                                      • Part of subcall function 00EEE780: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00EEE7A0
                                    Strings
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: Advapi32.dll$RegDeleteKeyExW
                                    • API String ID: 1646373207-2191092095
                                    • Opcode ID: 64f39eed04c0dc45bd9ebd3d7a9544a572d46e2e7e3ee227786de132a80a5c66
                                    • Instruction ID: 929e34d65b38b16d299b01fed412e06e161f7e61bfc9addec39cdcda2317a983
                                    • Opcode Fuzzy Hash: 64f39eed04c0dc45bd9ebd3d7a9544a572d46e2e7e3ee227786de132a80a5c66
                                    • Instruction Fuzzy Hash: 0D01B13610838CAEEB21AFA5FC04B957F95BB14790F18402BF945E6261DB728450FB59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00F455A3,?,?,00EBEFA6,00000000,FileProvider: check is on 64-bit path,?,00000000,c:\codebases\isdev\src\runtime\shared\setupsuite\FileProvider.h,?), ref: 00F456A7
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F456AE
                                    • GetCurrentProcess.KERNEL32(00000000,?,?,00F455A3,?,?,00EBEFA6,00000000,FileProvider: check is on 64-bit path,?,00000000,c:\codebases\isdev\src\runtime\shared\setupsuite\FileProvider.h,?), ref: 00F456BE
                                    Strings
                                    Similarity
                                    • API ID: AddressCurrentHandleModuleProcProcess
                                    • String ID: IsWow64Process$kernel32
                                    • API String ID: 4190356694-3789238822
                                    • Opcode ID: 615ae155157f5d8401973fece86837a6801c73cd1a9bbb957a83ee13aa9b0311
                                    • Instruction ID: c602cf8b319a466f576a47cad38e8e596004f3de285ce5cdc127643ad0b7200c
                                    • Opcode Fuzzy Hash: 615ae155157f5d8401973fece86837a6801c73cd1a9bbb957a83ee13aa9b0311
                                    • Instruction Fuzzy Hash: 56E04F72D4172CBBCB10ABF09D0EAEE7B6CEB04B22F110555F800D7192D6398A04AB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(0000002D,00000000,00000000,00000001,?,00F96F78,00000000,00000001), ref: 00EF6DA3
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EF6DF3
                                    • GetLastError.KERNEL32 ref: 00EF6E07
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EF6E51
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-410699589
                                    • Opcode ID: ac0a968abc6e5dc62e694e6cb1d4ef89206ffee07c7adb93bde239d6292856cd
                                    • Instruction ID: 093d1c25fe774bffb406c25c051ba827c2b7c011954856cafda1e5c586d78c57
                                    • Opcode Fuzzy Hash: ac0a968abc6e5dc62e694e6cb1d4ef89206ffee07c7adb93bde239d6292856cd
                                    • Instruction Fuzzy Hash: 5EA15471E0425CDFDF14CFA4C894BEEBBB4AF05304F14819AE559AB281DBB46A48CF51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94), ref: 00F2CA0A
                                    • SetLastError.KERNEL32(00F908E8), ref: 00F2CA57
                                    Strings
                                    • ISP parcel handler: failed to resolve source media file %s, error %x, requesting parcel abort, xrefs: 00F2CBED
                                    • IspParcelHandler.cpp, xrefs: 00F2CAC5, 00F2CBE6
                                    • ISP parcel handler: failed to unmarshal parcel, error 0x%08x. Progress information will not be available., xrefs: 00F2CACC
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: ISP parcel handler: failed to resolve source media file %s, error %x, requesting parcel abort$ISP parcel handler: failed to unmarshal parcel, error 0x%08x. Progress information will not be available.$IspParcelHandler.cpp
                                    • API String ID: 1452528299-1073711128
                                    • Opcode ID: d9ccf6e7d07978877a7cdc0871d280161f1c94d8cc2d1b7ab61a9ac828ec9aca
                                    • Instruction ID: 8404338bcfc3fa11ea95c40129a865f8fdd1901d08fa22a1193e4ad4edd6c45d
                                    • Opcode Fuzzy Hash: d9ccf6e7d07978877a7cdc0871d280161f1c94d8cc2d1b7ab61a9ac828ec9aca
                                    • Instruction Fuzzy Hash: B3918B71D00258DFDB04DFA8D849BDEBBF4BF48314F148159E416AB282DB74AA09DB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00ECB441
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00ECB2C0
                                      • Part of subcall function 00F4E44A: RaiseException.KERNEL32(?,?,00F3FBB5,?,?,00000000,?,?,?,?,?,00F3FBB5,?,00FCBE10,?), ref: 00F4E4A9
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00ECB30C
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00ECB3AB
                                    Similarity
                                    • API ID: Exception@8Throw$ExceptionRaise
                                    • String ID:
                                    • API String ID: 3476068407-0
                                    • Opcode ID: 783abd660d624e4929d9ef0e23f23671804c9493f7528fbaff3b60187c293210
                                    • Instruction ID: 5e2bc79cfcedcbbea9618c0f224cb0f67cef2ad12431b8c9ff07bfdbe2e8ed82
                                    • Opcode Fuzzy Hash: 783abd660d624e4929d9ef0e23f23671804c9493f7528fbaff3b60187c293210
                                    • Instruction Fuzzy Hash: BD71AD7190425CDACB29EBA0CD52FEEB7B8BF14304F04509DE415B7082EB35AB49DB52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • EnterCriticalSection.KERNEL32(00FD7548,33A37B94), ref: 00EE4A21
                                    • GetModuleFileNameW.KERNEL32(?,00000104), ref: 00EE4A9C
                                    • LoadTypeLib.OLEAUT32(?,00000000), ref: 00EE4AD1
                                    • LoadRegTypeLib.OLEAUT32(00F9F784,00000001,00000000,?,00000000), ref: 00EE4AFF
                                    • LeaveCriticalSection.KERNEL32(00FD7548), ref: 00EE4C24
                                    Similarity
                                    • API ID: CriticalLoadSectionType$EnterFileLeaveModuleName
                                    • String ID:
                                    • API String ID: 2487232618-0
                                    • Opcode ID: bb71dbc4d662b8f74e6640238ff40e4879fe6b73e096d92f97300eb86c5ea953
                                    • Instruction ID: 874e1676499f486110d660b53b5eb6e7caaf25c7f70f3657d6ba320ecabbf9a6
                                    • Opcode Fuzzy Hash: bb71dbc4d662b8f74e6640238ff40e4879fe6b73e096d92f97300eb86c5ea953
                                    • Instruction Fuzzy Hash: 69717FB050125CEFDB21DFA5D848B9AB7F8AB48314F144099E409E7291DB75EE81CF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,Server,00000000,?,?), ref: 00F360C3
                                    • SetLastError.KERNEL32(00F908E8,?,?,?,?,?,?,Server,00000000,?,?), ref: 00F3610D
                                    • GetLastError.KERNEL32(?,?,?,?,Server,00000000,?,?), ref: 00F361CA
                                    • SetLastError.KERNEL32(00F908E8,?,?,?,?,Server,00000000,?,?), ref: 00F36214
                                      • Part of subcall function 00EB4810: GetLastError.KERNEL32(33A37B94,?,00F908F0,00F9091C,?,00F60F29,000000FF,?,00EB394A,00F8B388,?,?,00000000,33A37B94,?,00F908F0), ref: 00EB484B
                                      • Part of subcall function 00EB4810: SysFreeString.OLEAUT32(6F6C206F), ref: 00EB4865
                                      • Part of subcall function 00EB4810: SysFreeString.OLEAUT32(00F90920), ref: 00EB487A
                                      • Part of subcall function 00EB4810: SetLastError.KERNEL32(?), ref: 00EB48AA
                                    Strings
                                    • Final feature list for current item is: %s, xrefs: 00F36254
                                    Similarity
                                    • API ID: ErrorLast$FreeString
                                    • String ID: Final feature list for current item is: %s
                                    • API String ID: 2425351278-4291577261
                                    • Opcode ID: 062033e528ec3e4069163fca339689aa66f380ce30935dee16724571184ad2f6
                                    • Instruction ID: 07630e0c2d51587093358f1d89e0dfe15a7c9e2c08e29406ffdbe0e685213ffa
                                    • Opcode Fuzzy Hash: 062033e528ec3e4069163fca339689aa66f380ce30935dee16724571184ad2f6
                                    • Instruction Fuzzy Hash: 168128B0D01298DEEF21DFA4C985BDDBBB0BF15314F148099D448B7242DB751A49EF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00EDA2F4
                                    • VariantClear.OLEAUT32(00000009), ref: 00EDA329
                                    • VariantClear.OLEAUT32(00000008), ref: 00EDA360
                                    • SysAllocString.OLEAUT32(?), ref: 00EDA37A
                                    • VariantClear.OLEAUT32(?), ref: 00EDA40E
                                    Similarity
                                    • API ID: Variant$Clear$AllocInitString
                                    • String ID:
                                    • API String ID: 347172062-0
                                    • Opcode ID: 24e8e48b710fe0797748e1c252505e135340281b5861edc8b23c3a9590b92bf7
                                    • Instruction ID: 4b85f3228b79bd00dff66463932b0b609ee3dc5ee219b85affe99ce0ef53cc47
                                    • Opcode Fuzzy Hash: 24e8e48b710fe0797748e1c252505e135340281b5861edc8b23c3a9590b92bf7
                                    • Instruction Fuzzy Hash: 7D613671E00258ABDB10CFE4C844BDEBBB5FF08704F18512AE515BB381D7B5AA45CB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00F18B39
                                    • VariantClear.OLEAUT32(00000009), ref: 00F18B6E
                                    • VariantCopy.OLEAUT32(?,?), ref: 00F18B9A
                                    • VariantClear.OLEAUT32(00000002), ref: 00F18BB3
                                    • VariantClear.OLEAUT32(?), ref: 00F18C3D
                                    Similarity
                                    • API ID: Variant$Clear$CopyInit
                                    • String ID:
                                    • API String ID: 24293632-0
                                    • Opcode ID: 6812ff8d7821bcc506646d35df0a88c045f929354173a8227efb61c88eb3e039
                                    • Instruction ID: e0346a9403419141caa84fb626ce42db63cc6d5826b7b36f3af7de9a6a2a047a
                                    • Opcode Fuzzy Hash: 6812ff8d7821bcc506646d35df0a88c045f929354173a8227efb61c88eb3e039
                                    • Instruction Fuzzy Hash: 305148B1E05258AFCB10CFE4C988BDEBBB8FF48714F14412AE505EB281D774A945DB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94), ref: 00EBBA1E
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EBBA68
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    • VariantInit.OLEAUT32(?), ref: 00EBBAC0
                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 00EBBB33
                                    • VariantClear.OLEAUT32(?), ref: 00EBBB80
                                    Similarity
                                    • API ID: ErrorLast$Variant$FreeString$ChangeClearInitType
                                    • String ID:
                                    • API String ID: 2032598660-0
                                    • Opcode ID: d3626b53ab230d7612e5c1821afe75aa87a85cad31eacffb8495f2e4089b8035
                                    • Instruction ID: 221cd398990f8f772f7140fd8f47c692e3087e7e3d678d734c354ae1fd9fe0b2
                                    • Opcode Fuzzy Hash: d3626b53ab230d7612e5c1821afe75aa87a85cad31eacffb8495f2e4089b8035
                                    • Instruction Fuzzy Hash: A061D571D00259DFDB10DFA8C985BDEBBB4FB08314F1081A9E559E7292DB74AA44CFA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F0D230: new.LIBCMT ref: 00F0D25D
                                      • Part of subcall function 00EB48D0: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60F81,000000FF,?,00EB2726), ref: 00EB4907
                                      • Part of subcall function 00EB48D0: SetLastError.KERNEL32(?,?,?,?,?,00F60F81,000000FF), ref: 00EB4946
                                    • GetLastError.KERNEL32 ref: 00EF0ED7
                                    • SetLastError.KERNEL32(?), ref: 00EF0F19
                                    • GetLastError.KERNEL32 ref: 00EF0F35
                                    • SetLastError.KERNEL32(?), ref: 00EF0F71
                                    • GetLastError.KERNEL32 ref: 00EF0F90
                                    • SetLastError.KERNEL32(?), ref: 00EF0FCC
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    • Opcode ID: bc6769fecd7d7ab189e403bf261ba227f69f48c4b6f5d94f2ad256790c60f916
                                    • Instruction ID: caa194d600be3eb8c2e46d06e2308d58bc5a395c206bb83e4bf2719ac8bd3d4b
                                    • Opcode Fuzzy Hash: bc6769fecd7d7ab189e403bf261ba227f69f48c4b6f5d94f2ad256790c60f916
                                    • Instruction Fuzzy Hash: 9F6108B0805784DFE720CFA9C54879ABFF0BF09308F1485ADD4899B792D7B5A608DB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F43A91: __EH_prolog3_GS.LIBCMT ref: 00F43A9B
                                      • Part of subcall function 00F43A91: CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000044,00FD689C,?,00000000,00F44B64,?,00000000), ref: 00F43BAC
                                      • Part of subcall function 00F43A91: GetLastError.KERNEL32 ref: 00F43BC7
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    • CloseHandle.KERNEL32 ref: 00F1C4DA
                                    • CloseHandle.KERNEL32 ref: 00F1C4E2
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast$CloseFreeHandleString$CreateH_prolog3_Process
                                    • String ID: open
                                    • API String ID: 627463535-2758837156
                                    • Opcode ID: 756ff26c8295cd103e6abf81715e47fc929ee9adcedb2d5b83ab0b7f69d421fb
                                    • Instruction ID: d8c3206918f8400966c0bf6078527e7bab83059e08936cf797356c6fd3cbba88
                                    • Opcode Fuzzy Hash: 756ff26c8295cd103e6abf81715e47fc929ee9adcedb2d5b83ab0b7f69d421fb
                                    • Instruction Fuzzy Hash: 8941E171A00258EFEF10DFA8DC46BAEBBB5EF04714F10011AE914AB2D1DBB16905EB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94,?,00000000,?,?), ref: 00EBC07A
                                    • SetLastError.KERNEL32(?), ref: 00EBC0B9
                                    • VariantInit.OLEAUT32(?), ref: 00EBC11F
                                    • VariantChangeType.OLEAUT32(?,00000000,00000000,00000008), ref: 00EBC12E
                                    • VariantClear.OLEAUT32(00000008), ref: 00EBC174
                                    Similarity
                                    • API ID: Variant$ErrorLast$ChangeClearInitType
                                    • String ID:
                                    • API String ID: 3873592113-0
                                    • Opcode ID: 2a99a9e5bc13548ac517b991a311fc70e3ac35860b3ca2d4dce22daadb5d713b
                                    • Instruction ID: 53a791f32fe04f685d8cc6749a637b4f3eedf22fe07f39af237d02e76865939d
                                    • Opcode Fuzzy Hash: 2a99a9e5bc13548ac517b991a311fc70e3ac35860b3ca2d4dce22daadb5d713b
                                    • Instruction Fuzzy Hash: 1141A3B5A04605EFCB04EF68CD09BEAB7F4FF08714F14821DE506A7692D774A940CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000008,00000000,00000000,00000000,?,00000000,?,00000001,00000008,?,00000001,00000000,00000000), ref: 00F590F9
                                    • __alloca_probe_16.LIBCMT ref: 00F59131
                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,00000008,00000000,00000000,?,00000000,?,00000001,00000008,?,00000001,00000000,00000000,?), ref: 00F59182
                                    • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,00000000,?,00000001,00000008,?,00000001,00000000,00000000,?,00000008,00000000), ref: 00F59194
                                    • __freea.LIBCMT ref: 00F5919D
                                      • Part of subcall function 00F56B68: RtlAllocateHeap.NTDLL(00000000,00F3FBA7,?,?,00F4DFF8,?,?,?,?,?,00F3FACB,00F3FBA7,?,?,?,?), ref: 00F56B9A
                                    Similarity
                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                    • String ID:
                                    • API String ID: 313313983-0
                                    • Opcode ID: 9a34228bf062a933095a86b55d5a9f4aa53a0750913fcc4d4e3db9aa61bc5c2f
                                    • Instruction ID: 322518db6c2683ddf822bd0ece300a784315f055ea337ed5643b6ae9d452308e
                                    • Opcode Fuzzy Hash: 9a34228bf062a933095a86b55d5a9f4aa53a0750913fcc4d4e3db9aa61bc5c2f
                                    • Instruction Fuzzy Hash: 9431F032A0061AEFDF289F64CC49EAE7BA5EB01711F044128FD08D6291E775DD58EB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F0D230: new.LIBCMT ref: 00F0D25D
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC5356
                                    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC5398
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC53B4
                                    • SetLastError.KERNEL32(00F908E8,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC53F0
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC540C
                                    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC5448
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    • Opcode ID: 7fb9dd46a3755cd14eecfcf83b41ab574f13e1136abb499ecb82daeaedcfe717
                                    • Instruction ID: 0f023cb7c663fcabc0bdff5f4efe892fc5dd5c2274b9a9f69f46924817dd6177
                                    • Opcode Fuzzy Hash: 7fb9dd46a3755cd14eecfcf83b41ab574f13e1136abb499ecb82daeaedcfe717
                                    • Instruction Fuzzy Hash: F05127B0901784DFDB60CFA9C64874ABBF0BF08318F14869DD4899B752D3B5A604DF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F0D230: new.LIBCMT ref: 00F0D25D
                                    • GetLastError.KERNEL32(33A37B94,?,00000000,?), ref: 00EFD80F
                                    • SetLastError.KERNEL32(?,?,00000000,?), ref: 00EFD851
                                    • GetLastError.KERNEL32(?,00000000,?), ref: 00EFD86D
                                    • SetLastError.KERNEL32(?,?,00000000,?), ref: 00EFD8A9
                                    • GetLastError.KERNEL32(?,00000000,?), ref: 00EFD8C5
                                    • SetLastError.KERNEL32(?,?,00000000,?), ref: 00EFD901
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    • Opcode ID: 28e1f345dde0d68f2d8d17bf25427c7d654298a14565c7b090f96323670c12af
                                    • Instruction ID: 9649abe5044302a9b53ae14bae5cf21ce93a74a459902622f76175567a458f6b
                                    • Opcode Fuzzy Hash: 28e1f345dde0d68f2d8d17bf25427c7d654298a14565c7b090f96323670c12af
                                    • Instruction Fuzzy Hash: FC5104B1905788DFDB20CFA9C94874ABFF0BF08314F108A9DD48997752D3B5AA04DB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F0D230: new.LIBCMT ref: 00F0D25D
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00F11793
                                    • SetLastError.KERNEL32(?), ref: 00F117D5
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00F117F1
                                    • SetLastError.KERNEL32(?), ref: 00F1182D
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00F11849
                                    • SetLastError.KERNEL32(?), ref: 00F11885
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    • Opcode ID: c5b0c00e758ca596fc1d3986b49a5c95ca73800494785e9bd955ee1c6e49707a
                                    • Instruction ID: 26a712dd751bad484eef95a32d0a447b447a8451614e455619f1f6908403e6cc
                                    • Opcode Fuzzy Hash: c5b0c00e758ca596fc1d3986b49a5c95ca73800494785e9bd955ee1c6e49707a
                                    • Instruction Fuzzy Hash: 105117B0905744DFDB20CFA9C94874ABBF0BF08318F10869DD4899B752D3B5AA04DB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F0D230: new.LIBCMT ref: 00F0D25D
                                    • VariantInit.OLEAUT32(00000028), ref: 00EFD9C0
                                    • VariantInit.OLEAUT32(00000038), ref: 00EFD9D7
                                    • GetLastError.KERNEL32 ref: 00EFDA11
                                    • SetLastError.KERNEL32(?), ref: 00EFDA4D
                                    • VariantInit.OLEAUT32(00F98664), ref: 00EFDA6E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: InitVariant$ErrorLast
                                    • String ID:
                                    • API String ID: 313805207-0
                                    • Opcode ID: 5ac5df82ffb40adc0f15777155a29cf450727b0e26895b878afa894c9cd27a96
                                    • Instruction ID: a0337de3fefa0d68503b4624cdcbacda1bc3fd783d839f50313d317db7cc52fb
                                    • Opcode Fuzzy Hash: 5ac5df82ffb40adc0f15777155a29cf450727b0e26895b878afa894c9cd27a96
                                    • Instruction Fuzzy Hash: 6F4121B0804748DFDB20CF68D548B8ABFF4FB09314F11859ED4899B362D7B5AA08DB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EF0E50: GetLastError.KERNEL32 ref: 00EF0ED7
                                      • Part of subcall function 00EF0E50: SetLastError.KERNEL32(?), ref: 00EF0F19
                                      • Part of subcall function 00EF0E50: GetLastError.KERNEL32 ref: 00EF0F35
                                      • Part of subcall function 00EF0E50: SetLastError.KERNEL32(?), ref: 00EF0F71
                                      • Part of subcall function 00EF0E50: GetLastError.KERNEL32 ref: 00EF0F90
                                      • Part of subcall function 00EF0E50: SetLastError.KERNEL32(?), ref: 00EF0FCC
                                    • GetLastError.KERNEL32 ref: 00EF17E5
                                    • SetLastError.KERNEL32(?), ref: 00EF1827
                                    • GetLastError.KERNEL32 ref: 00EF1846
                                    • SetLastError.KERNEL32(?), ref: 00EF1882
                                    • GetLastError.KERNEL32 ref: 00EF18A1
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EF18DD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    • Opcode ID: c0ed76d28b19abef28bf2cceccb60abc72a779196c343930c0eb4c7baa2799dd
                                    • Instruction ID: 9d64782b2c9b88d7af9c666b912461d3392f5010fb17e9f47625e17a7beb3ded
                                    • Opcode Fuzzy Hash: c0ed76d28b19abef28bf2cceccb60abc72a779196c343930c0eb4c7baa2799dd
                                    • Instruction Fuzzy Hash: 6E4133B0901B84CFDB60CFA9C94874ABBF0BF08714F108A5DD48AA7B52D775AA04DB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EFCF80: GetLastError.KERNEL32 ref: 00EFD00F
                                      • Part of subcall function 00EFCF80: SetLastError.KERNEL32(?), ref: 00EFD051
                                      • Part of subcall function 00EFCF80: GetLastError.KERNEL32 ref: 00EFD06D
                                      • Part of subcall function 00EFCF80: SetLastError.KERNEL32(?), ref: 00EFD0A9
                                    • VariantInit.OLEAUT32(000000A0), ref: 00EFD144
                                    • VariantInit.OLEAUT32(000000B0), ref: 00EFD15B
                                    • GetLastError.KERNEL32 ref: 00EFD18D
                                    • SetLastError.KERNEL32(?), ref: 00EFD1C9
                                    • VariantInit.OLEAUT32(000000F0), ref: 00EFD1E9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InitVariant
                                    • String ID:
                                    • API String ID: 201494241-0
                                    • Opcode ID: 16c373888ebe594883f1e62fe7ed4a1c30ebef2f02e9de66828ab0166a409c9f
                                    • Instruction ID: 4b2489bd9172ce3a24fb70c8a916158dd03881edb5573ddff043378575df1f70
                                    • Opcode Fuzzy Hash: 16c373888ebe594883f1e62fe7ed4a1c30ebef2f02e9de66828ab0166a409c9f
                                    • Instruction Fuzzy Hash: 444153B0904744DFD724CF68D948B8ABBF4FB09314F1086AEE049DB752D774AA04DB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EFD210: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F73A13,000000FF), ref: 00EFD29F
                                      • Part of subcall function 00EFD210: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F73A13), ref: 00EFD2E1
                                      • Part of subcall function 00EFD210: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F73A13,000000FF), ref: 00EFD2FD
                                      • Part of subcall function 00EFD210: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F73A13), ref: 00EFD339
                                    • VariantInit.OLEAUT32(00000098), ref: 00EFD3D1
                                    • VariantInit.OLEAUT32(000000A8), ref: 00EFD3E8
                                    • GetLastError.KERNEL32 ref: 00EFD417
                                    • SetLastError.KERNEL32(?), ref: 00EFD453
                                    • VariantInit.OLEAUT32(000000E8), ref: 00EFD473
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InitVariant
                                    • String ID:
                                    • API String ID: 201494241-0
                                    • Opcode ID: 4e307db63ef7b85482cec791a4f056c9ac72b38e396b1277bbe59996541f445f
                                    • Instruction ID: dc28d1d5a6e73eea16282a668482c50790f278b79f05ab981f531b0953d38272
                                    • Opcode Fuzzy Hash: 4e307db63ef7b85482cec791a4f056c9ac72b38e396b1277bbe59996541f445f
                                    • Instruction Fuzzy Hash: 9A4144B0804784DFDB24CF68D948B4ABBF4FB08314F1085AED0499B362D774AA04DF94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EBD270: SetLastError.KERNEL32(80004005,33A37B94), ref: 00EBD2C3
                                    • GetLastError.KERNEL32(33A37B94), ref: 00EF77C4
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00EF77CE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: Condition.cpp$Extension condition evaluation failed with status %x$Extension handler: error 0x%08x trying to get evaluator
                                    • API String ID: 1452528299-1845061947
                                    • Opcode ID: 3c0524fcf00daa07f16d979f3c6a6b70620986e41398eb11dc19e7a2cf95702d
                                    • Instruction ID: 670cc7cf7005769e83197598a96d423f252de1f82473b415401649238388bbe5
                                    • Opcode Fuzzy Hash: 3c0524fcf00daa07f16d979f3c6a6b70620986e41398eb11dc19e7a2cf95702d
                                    • Instruction Fuzzy Hash: A1319FB1D0429C9BDB14DFE4C945BEEBBF8EB04750F108229E816FB281EB749A04C791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetFileSize.KERNEL32(?,00000000), ref: 00EB8221
                                    • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,?,00000000), ref: 00EB8231
                                    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,?,?,00000000,00000004,00000000,00000000,00000000,?,00000000), ref: 00EB8244
                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 00EB8264
                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,00000004,00000000,00000000,00000000,?,00000000), ref: 00EB826B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: File$View$CloseCreateHandleMappingSizeUnmap
                                    • String ID:
                                    • API String ID: 1558290345-0
                                    • Opcode ID: 429165cd9ab0a0c0be42c08d5108a9335ec40a336ecfbff7dc67683eb2e5dff7
                                    • Instruction ID: 74f8f7f2ac7bcc7ae1bea49f8664f40121e1a1c2cc6307372b7672c5acc19723
                                    • Opcode Fuzzy Hash: 429165cd9ab0a0c0be42c08d5108a9335ec40a336ecfbff7dc67683eb2e5dff7
                                    • Instruction Fuzzy Hash: 94F08C32A01A58BBD7201BAAAC4DCEF7EBCDBC6F15F400069FA05E2212DA704D01C7B0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00EB7D0D
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00EB7D17
                                      • Part of subcall function 00EB4370: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00EB43E8
                                      • Part of subcall function 00EB4370: SysFreeString.OLEAUT32(00000000), ref: 00EB4460
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: StringXinvalid_argumentstd::_$AllocFree
                                    • String ID: invalid string position$string too long
                                    • API String ID: 2819953329-4289949731
                                    • Opcode ID: 823ad7a4d0a60d722ddb7f560760153eb015461c4e976f3b29874807e13f8121
                                    • Instruction ID: a620c290ec26f609e2fa3b0e04daee071689f4a993c7405f9e4902e77f718710
                                    • Opcode Fuzzy Hash: 823ad7a4d0a60d722ddb7f560760153eb015461c4e976f3b29874807e13f8121
                                    • Instruction Fuzzy Hash: 7FE1297060820ADBCB24CF58D9C08DBB7B6FFC87047205969E895ABA15D730EE55CBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F20CC5
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F20CCF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_
                                    • String ID: invalid string position$string too long
                                    • API String ID: 909987262-4289949731
                                    • Opcode ID: d354bcc3bfeb0c24594f2d238a987387a1215eae0fa8b6c343979005faf48cea
                                    • Instruction ID: 8086365747af694cc9d4134c512445a57a3402c0747951cf57ea3ab4103e7cb4
                                    • Opcode Fuzzy Hash: d354bcc3bfeb0c24594f2d238a987387a1215eae0fa8b6c343979005faf48cea
                                    • Instruction Fuzzy Hash: 9C61A372B00229DB8B24DF58E88086AB3F6FFC4714720462EE846CB652DF31D915EB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PostThreadMessageW.USER32 ref: 00EC8FF3
                                      • Part of subcall function 00ED7740: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00ED7755
                                      • Part of subcall function 00ED7740: PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00ED778B
                                      • Part of subcall function 00ED7740: GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00ED779B
                                      • Part of subcall function 00ED7740: DispatchMessageW.USER32(?), ref: 00ED77A1
                                      • Part of subcall function 00ED7740: PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00ED77AF
                                      • Part of subcall function 00ED7740: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00ED77C4
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    • ReleaseMutex.KERNEL32(?), ref: 00EC9043
                                    • CloseHandle.KERNEL32(?), ref: 00EC904F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Message$ErrorFreeLastMultipleObjectsPeekStringWait$CloseDispatchHandleMutexPostReleaseThread
                                    • String ID: '
                                    • API String ID: 3972460781-1997036262
                                    • Opcode ID: f3b0dc8685d27a62bd27aa66f28c572d36d99173742815e84e84246d91fcf3da
                                    • Instruction ID: f61eb17643a8923a0408119b75bd24ae8f800931a3959af9ecbf08dd24172f52
                                    • Opcode Fuzzy Hash: f3b0dc8685d27a62bd27aa66f28c572d36d99173742815e84e84246d91fcf3da
                                    • Instruction Fuzzy Hash: EFA1CF70A09689EEDB05DBA4C9457DEFFB0AF15304F14419DE544A7382CBB52B08EBE2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB3ED0: SysStringLen.OLEAUT32(?), ref: 00EB3EDE
                                      • Part of subcall function 00EB3ED0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3EF8
                                      • Part of subcall function 00EBAE70: VariantClear.OLEAUT32(?), ref: 00EBAE86
                                      • Part of subcall function 00EBAE70: SysAllocString.OLEAUT32(?), ref: 00EBAE99
                                    • VariantClear.OLEAUT32(00F9091C), ref: 00ED46BB
                                    • VariantClear.OLEAUT32(?), ref: 00ED4737
                                    Strings
                                    • Engine: couldn't get feature '%s', xrefs: 00ED47F7
                                    • SetupEngine.cpp, xrefs: 00ED47F0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ClearStringVariant$Alloc
                                    • String ID: Engine: couldn't get feature '%s'$SetupEngine.cpp
                                    • API String ID: 4285173129-2539324038
                                    • Opcode ID: c3ad4ff12811b45aa5ad033377838c95a5fd82f84e401956498377cdc6547529
                                    • Instruction ID: 359fc3c1513bb54a05d7e76185fb5c960652fcadc165a1c066376ba99826c10a
                                    • Opcode Fuzzy Hash: c3ad4ff12811b45aa5ad033377838c95a5fd82f84e401956498377cdc6547529
                                    • Instruction Fuzzy Hash: F9812EB4A00249DFDB04DFA8C544BAEBBB9FF59304F14819EE405EB381D735AA45CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00EDDB23
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00EDDB2D
                                      • Part of subcall function 00EB4370: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00EB43E8
                                      • Part of subcall function 00EB4370: SysFreeString.OLEAUT32(00000000), ref: 00EB4460
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: StringXinvalid_argumentstd::_$AllocFree
                                    • String ID: invalid string position$string too long
                                    • API String ID: 2819953329-4289949731
                                    • Opcode ID: 5180611e269e1936a0c691683648a7de400a31a14b169acb0145231b8c97d091
                                    • Instruction ID: 5c7376d885da483fa382fc05edf65b12b53e9e14157ba0e5df2a4fa3f5090dd8
                                    • Opcode Fuzzy Hash: 5180611e269e1936a0c691683648a7de400a31a14b169acb0145231b8c97d091
                                    • Instruction Fuzzy Hash: 19516D7170820A9FCB24DF58DC8089AB7E9FF84344721992FE846D7351EB31E956CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00ECC8A5
                                    • SysFreeString.OLEAUT32(?), ref: 00ECCA05
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Exception@8FreeStringThrow
                                    • String ID: .$SetupEngine.cpp$The resource %s failed to initialize, status %x
                                    • API String ID: 59539279-1675980340
                                    • Opcode ID: 5e11203e36db536baf35bf2763b12371594cf68b799b2bc53d4fc5649300f1df
                                    • Instruction ID: dd994ef23425745f17cba4947d43baf3a653ccb1a9679a558cb5546083f226c7
                                    • Opcode Fuzzy Hash: 5e11203e36db536baf35bf2763b12371594cf68b799b2bc53d4fc5649300f1df
                                    • Instruction Fuzzy Hash: 986197709042189BDF25DB64CA84BDEB7B8AF01304F2052EDE549BB292DB31AF41CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00ECA4E6
                                    Strings
                                    • SetupEngine.cpp, xrefs: 00ECA401, 00ECA54E
                                    • Engine: disallowing use of suite update since we're running with existing state information., xrefs: 00ECA573
                                    • Failed to initialize state information, is SuiteId missing from the setup element?, xrefs: 00ECA426
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Exception@8Throw
                                    • String ID: Engine: disallowing use of suite update since we're running with existing state information.$Failed to initialize state information, is SuiteId missing from the setup element?$SetupEngine.cpp
                                    • API String ID: 2005118841-1047235996
                                    • Opcode ID: 2f81586f55b5715266bcc4251519c038e1fdb993ab4b8416ef12b2c231c11295
                                    • Instruction ID: 82e0bd7ab3eb5ffcb4f4b66af2453e3b62581dd0985e2d1a4f3f9b8e7eeff235
                                    • Opcode Fuzzy Hash: 2f81586f55b5715266bcc4251519c038e1fdb993ab4b8416ef12b2c231c11295
                                    • Instruction Fuzzy Hash: AC5181B090538CDEEF24EBA4DD45BDDBBB0AB01318F28525DE411771D2DBB45A06DB42
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PathFileExistsW.SHLWAPI(?), ref: 00F28AD6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ExistsFilePath
                                    • String ID: TrustedPeople
                                    • API String ID: 1174141254-1224236647
                                    • Opcode ID: 56e6f94cb1b25942fa1e23817ed8effe77538f9ae8d192c2e1572f4b7cad47c5
                                    • Instruction ID: b90ff459ebc393637dab58f7e02275edcd1d347a0275ef3fa527c035499cc4cb
                                    • Opcode Fuzzy Hash: 56e6f94cb1b25942fa1e23817ed8effe77538f9ae8d192c2e1572f4b7cad47c5
                                    • Instruction Fuzzy Hash: F831C431B4222CBBDF209F94EC09B997BA9EB08756F100096F908E7190DF719E51EB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _strstr.LIBCMT ref: 00EB2623
                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00EB2656
                                    • LoadLibraryA.KERNEL32(00000000), ref: 00EB26B2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: DirectoryLibraryLoadSystem_strstr
                                    • String ID: api-ms-win-core-
                                    • API String ID: 3099798052-1285793476
                                    • Opcode ID: 24de4a1684d135c83089994b868cbcbe70d75c5e59d96cdc4f4afc0d52c4904c
                                    • Instruction ID: 996cce8911ee2112d18f0e0cc3d41f7c5ba757de0dfb0140581234bfe9da96d3
                                    • Opcode Fuzzy Hash: 24de4a1684d135c83089994b868cbcbe70d75c5e59d96cdc4f4afc0d52c4904c
                                    • Instruction Fuzzy Hash: CC2127319052089FDF20EB749C49BEB7BE4DF15304F04549DD9C2F7189DAB1A988CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 00F44A99
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F4536E: __EH_prolog3.LIBCMT ref: 00F45375
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EB9C30: GetLastError.KERNEL32(33A37B94,74DEDFA0,?,00000000,?,?,?,?,?,?,?,?,?,?,00F62401,000000FF), ref: 00EB9C87
                                      • Part of subcall function 00EB9C30: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00F62401,000000FF,?,00EB9DF1), ref: 00EB9CC8
                                      • Part of subcall function 00F43A91: __EH_prolog3_GS.LIBCMT ref: 00F43A9B
                                      • Part of subcall function 00F43A91: CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000044,00FD689C,?,00000000,00F44B64,?,00000000), ref: 00F43BAC
                                      • Part of subcall function 00F43A91: GetLastError.KERNEL32 ref: 00F43BC7
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FreeH_prolog3_String$CreateH_prolog3Process
                                    • String ID: /REGSERVER$ /UNREGSERVER$open
                                    • API String ID: 811671759-1423703008
                                    • Opcode ID: b5d9fafb6743b1ce1baf71a619a7710fe107c0619a2ce6a4d79ccced02aba7cf
                                    • Instruction ID: a8963bd923f29b232ea77585a222e7931d915e087ab32acf112def2cd699b7fa
                                    • Opcode Fuzzy Hash: b5d9fafb6743b1ce1baf71a619a7710fe107c0619a2ce6a4d79ccced02aba7cf
                                    • Instruction Fuzzy Hash: 1D2185B5E50348AEEF10EBA4CC427EDBFA8AF50700F140059FD04AB2C2D7B59A469792
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EC3B20: GetModuleHandleW.KERNEL32(Advapi32.dll,?,00000000,?,00000000,?,00F38DE1,80000001,SOFTWARE\InstallShield\25.0\Professional,00020019,33A37B94,?), ref: 00EC3B44
                                      • Part of subcall function 00EC3B20: RegCloseKey.ADVAPI32(00000000,?,00F38DE1,80000001,SOFTWARE\InstallShield\25.0\Professional,00020019,33A37B94,?), ref: 00EC3BA7
                                    • RegQueryValueExW.ADVAPI32(00000000,DoVerboseLogging,00000000,00F8B388,00000000,?,80000001,SOFTWARE\InstallShield\25.0\Professional,00020019,00000001,?), ref: 00F38CED
                                    • RegCloseKey.ADVAPI32(00000000,80000001,SOFTWARE\InstallShield\25.0\Professional,00020019,00000001,?), ref: 00F38D0D
                                    Strings
                                    • DoVerboseLogging, xrefs: 00F38CE7
                                    • SOFTWARE\InstallShield\25.0\Professional, xrefs: 00F38C9D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Close$HandleModuleQueryValue
                                    • String ID: DoVerboseLogging$SOFTWARE\InstallShield\25.0\Professional
                                    • API String ID: 2971604672-3930117262
                                    • Opcode ID: a21fdc23f8e9ae18594a57b8786dfb66e5a702854900a4c29df356624c931c4c
                                    • Instruction ID: c305828c3e0396960ad77ff219bfe9ca3a41314a57c41e12a8365ca645fa4f3a
                                    • Opcode Fuzzy Hash: a21fdc23f8e9ae18594a57b8786dfb66e5a702854900a4c29df356624c931c4c
                                    • Instruction Fuzzy Hash: 60017CB1D41319EADB20CB90DC49BEFBBB8EF15769F100145E901B6180D7795B09EBE1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,?,00EEE7F7,00000000,?,00000000,?,00EEE9AD,?,?,00000000), ref: 00EEE790
                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00EEE7A0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: Advapi32.dll$RegDeleteKeyTransactedW
                                    • API String ID: 1646373207-2168864297
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId,?,00F43D65,?), ref: 00F43169
                                    • GetProcAddress.KERNEL32(00000000), ref: 00F43170
                                    Strings
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: GetProcessId$kernel32.dll
                                    • API String ID: 1646373207-399901964
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3_catch_GS.LIBCMT ref: 00F4103B
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F43E17: __EH_prolog3.LIBCMT ref: 00F43E1E
                                    • GetLastError.KERNEL32 ref: 00F41085
                                      • Part of subcall function 00F4536E: __EH_prolog3.LIBCMT ref: 00F45375
                                      • Part of subcall function 00F43968: __EH_prolog3_GS.LIBCMT ref: 00F43972
                                      • Part of subcall function 00F43968: __CxxThrowException@8.LIBVCRUNTIME ref: 00F439D4
                                      • Part of subcall function 00F43968: GetFileTime.KERNEL32(?,00000000,00F9091C,00F9091C,00000108,00F4121B,?,?,?,00F9091C,80000000,00000001,00000080,00000003,00000000,00000000), ref: 00F439DE
                                    Similarity
                                    • API ID: ErrorLast$H_prolog3$Exception@8FileH_prolog3_H_prolog3_catch_ThrowTime
                                    • String ID:
                                    • API String ID: 2315665788-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                    • GetLastError.KERNEL32(00F928C0,000000FF,00000001,0000003C,00000000,00F8B388,00000000,00F8B388,00000000,33A37B94,0000003C,74DEDFA0,0000003C), ref: 00EC64C6
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EC6510
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: http://$https://
                                    • API String ID: 1452528299-1916535328
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetVersionExW.KERNEL32(00000294), ref: 00EF7157
                                    • GetVersionExW.KERNEL32(00000294), ref: 00EF71D7
                                    • GetVersionExW.KERNEL32(00000294), ref: 00EF728C
                                    • GetVersionExW.KERNEL32(00000294), ref: 00EF72C3
                                    Similarity
                                    • API ID: Version
                                    • String ID:
                                    • API String ID: 1889659487-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Similarity
                                    • API ID: CopyVariant
                                    • String ID:
                                    • API String ID: 3840901598-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94), ref: 00EF3860
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EF38AD
                                    Strings
                                    • Can't run CLR action, clrwrap.dll not present, xrefs: 00EF390A
                                    • Actions.cpp, xrefs: 00EF38E2
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: Actions.cpp$Can't run CLR action, clrwrap.dll not present
                                    • API String ID: 1452528299-3708759318
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SysAllocString.OLEAUT32(-00000004), ref: 00EC7489
                                    • SysStringLen.OLEAUT32(00000000), ref: 00EC74AD
                                    • SysFreeString.OLEAUT32(00000000), ref: 00EC74BF
                                    • SysFreeString.OLEAUT32(00000000), ref: 00EC7526
                                    Similarity
                                    • API ID: String$Free$Alloc
                                    • String ID:
                                    • API String ID: 986138563-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94), ref: 00EF2DE0
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EF2E2D
                                    Strings
                                    • Actions.cpp, xrefs: 00EF2E62
                                    • Can't run powershell action, clrwrap.dll not present, xrefs: 00EF2E8A
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: Actions.cpp$Can't run powershell action, clrwrap.dll not present
                                    • API String ID: 1452528299-1221417118
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94), ref: 00F3872E
                                    • SetLastError.KERNEL32(00F908E8), ref: 00F38778
                                      • Part of subcall function 00F45694: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,00F455A3,?,?,00EBEFA6,00000000,FileProvider: check is on 64-bit path,?,00000000,c:\codebases\isdev\src\runtime\shared\setupsuite\FileProvider.h,?), ref: 00F456A7
                                      • Part of subcall function 00F45694: GetProcAddress.KERNEL32(00000000), ref: 00F456AE
                                      • Part of subcall function 00F45694: GetCurrentProcess.KERNEL32(00000000,?,?,00F455A3,?,?,00EBEFA6,00000000,FileProvider: check is on 64-bit path,?,00000000,c:\codebases\isdev\src\runtime\shared\setupsuite\FileProvider.h,?), ref: 00F456BE
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast$AddressCurrentHandleModuleProcProcess
                                    • String ID: /norestart /quiet /iu:$pkgmgr.exe
                                    • API String ID: 2162457882-2476661344
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                    • GetLastError.KERNEL32 ref: 00EF30E1
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EF312B
                                    Strings
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID: Actions.cpp$Launching InstallScript action in function '%s'
                                    • API String ID: 1452528299-2626941881
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 00F2A599
                                    • VariantClear.OLEAUT32(00000003), ref: 00F2A5C9
                                    • VariantClear.OLEAUT32(00000009), ref: 00F2A5FF
                                    • VariantClear.OLEAUT32(?), ref: 00F2A67F
                                      • Part of subcall function 00EBAF20: __CxxThrowException@8.LIBVCRUNTIME ref: 00EBAF32
                                    Similarity
                                    • API ID: Variant$Clear$Exception@8InitThrow
                                    • String ID:
                                    • API String ID: 3663099706-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB4150: GetLastError.KERNEL32(33A37B94,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4193
                                      • Part of subcall function 00EB4150: SetLastError.KERNEL32(?,00F8B388,00000000,?,?,?,?,?,00F60E09,000000FF,?,00EB304D), ref: 00EB4210
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    • GetLastError.KERNEL32(?,?,Software\InstallShield\SuiteInstallers\Parcels,?,00000000,33A37B94,00000000), ref: 00ED927C
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED92C6
                                    Strings
                                    • Software\InstallShield\SuiteInstallers\Parcels, xrefs: 00ED9217
                                    • Clients, xrefs: 00ED92EB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FreeString
                                    • String ID: Clients$Software\InstallShield\SuiteInstallers\Parcels
                                    • API String ID: 2425351278-1925417990
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • SysStringLen.OLEAUT32(-00000002), ref: 00EE62D8
                                    • SysAllocStringLen.OLEAUT32(00000002), ref: 00EE632A
                                    • SysStringLen.OLEAUT32(00000000), ref: 00EE6346
                                    • SysFreeString.OLEAUT32(00000000), ref: 00EE638E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: String$AllocFree
                                    • String ID:
                                    • API String ID: 344208780-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00EFFAC3
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00EFFAE2
                                    • new.LIBCMT ref: 00EFFAE8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Concurrency::cancel_current_task
                                    • String ID:
                                    • API String ID: 118556049-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EC3B20: GetModuleHandleW.KERNEL32(Advapi32.dll,?,00000000,?,00000000,?,00F38DE1,80000001,SOFTWARE\InstallShield\25.0\Professional,00020019,33A37B94,?), ref: 00EC3B44
                                      • Part of subcall function 00EC3B20: RegCloseKey.ADVAPI32(00000000,?,00F38DE1,80000001,SOFTWARE\InstallShield\25.0\Professional,00020019,33A37B94,?), ref: 00EC3BA7
                                    • RegEnumKeyExW.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,33A37B94,?,?,?,33A37B94,?,00000000), ref: 00EEE921
                                    • RegEnumKeyExW.ADVAPI32(00000000,00000000,?,00000100,00000000,00000000,00000000,?,?,00000000), ref: 00EEE971
                                    • RegCloseKey.ADVAPI32(00000000,?,00000000), ref: 00EEE982
                                    • RegCloseKey.ADVAPI32(00000000,?,?,?,33A37B94,?,00000000), ref: 00EEE9C1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Close$Enum$HandleModule
                                    • String ID:
                                    • API String ID: 2852649468-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ReadFile.KERNEL32(?,?,00000010,?,00000000,00000000,00000000), ref: 00F2431A
                                    • GetLastError.KERNEL32 ref: 00F24324
                                    • ReadFile.KERNEL32(?,00000000,?,00000000,00000000), ref: 00F2439D
                                    • GetLastError.KERNEL32 ref: 00F243A7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastRead
                                    • String ID:
                                    • API String ID: 1948546556-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00F24110
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00F2412A
                                    • new.LIBCMT ref: 00F24130
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Concurrency::cancel_current_task
                                    • String ID:
                                    • API String ID: 118556049-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00F074D0
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 00F074E6
                                    • new.LIBCMT ref: 00F074EC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Concurrency::cancel_current_task
                                    • String ID:
                                    • API String ID: 118556049-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EC0D30: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,33A37B94,00000000,00000000,?,00F64466,000000FF,?,00EC0E10,33A37B94,00000003,00EC1332,33A37B94), ref: 00EC0D75
                                      • Part of subcall function 00EC0D30: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00EC0E10,33A37B94), ref: 00EC0D8D
                                    • new.LIBCMT ref: 00EC0E2D
                                    • GetDesktopWindow.USER32 ref: 00EC0EAB
                                    • new.LIBCMT ref: 00EC0EDB
                                    • QueryPerformanceFrequency.KERNEL32(?), ref: 00EC0F09
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: CreateEvent$DesktopFrequencyPerformanceQueryWindow
                                    • String ID:
                                    • API String ID: 3646735809-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetTempPathW.KERNEL32(00000104,?,33A37B94), ref: 00EE5510
                                    • GetLastError.KERNEL32 ref: 00EE5541
                                    • new.LIBCMT ref: 00EE5560
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00EE5584
                                      • Part of subcall function 00F4E44A: RaiseException.KERNEL32(?,?,00F3FBB5,?,?,00000000,?,?,?,?,?,00F3FBB5,?,00FCBE10,?), ref: 00F4E4A9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorExceptionException@8LastPathRaiseTempThrow
                                    • String ID:
                                    • API String ID: 1555486328-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • WriteFile.KERNEL32(?,?,00000010,00000000,00000000,00000000,00000000), ref: 00F24447
                                    • GetLastError.KERNEL32 ref: 00F24451
                                    • WriteFile.KERNEL32(?,00000001,00ECAEEB,00000000,00000000), ref: 00F24475
                                    • GetLastError.KERNEL32 ref: 00F2447F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorFileLastWrite
                                    • String ID:
                                    • API String ID: 442123175-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB3ED0: SysStringLen.OLEAUT32(?), ref: 00EB3EDE
                                      • Part of subcall function 00EB3ED0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3EF8
                                      • Part of subcall function 00F0C110: VariantInit.OLEAUT32(?), ref: 00F0C1A4
                                      • Part of subcall function 00F0C110: VariantClear.OLEAUT32(00000009), ref: 00F0C1D9
                                      • Part of subcall function 00F0C110: VariantClear.OLEAUT32(00000008), ref: 00F0C210
                                      • Part of subcall function 00F0C110: SysAllocString.OLEAUT32(?), ref: 00F0C22A
                                    • WriteFile.KERNEL32(?,?,?,?,?,?,00000010,?,00000000,?,00000000,?,00000000), ref: 00F2CD07
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00000010,?,00000000,?,00000000,?,00000000), ref: 00F2CD17
                                    • WriteFile.KERNEL32(?,?,0000000C,?,00000000,?,?,?,?,?,?,00000010,?,00000000,?,00000000), ref: 00F2CD2E
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00000010,?,00000000,?,00000000,?,00000000), ref: 00F2CD38
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: StringVariant$AllocClearErrorFileLastWrite$Init
                                    • String ID:
                                    • API String ID: 579143929-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB3ED0: SysStringLen.OLEAUT32(?), ref: 00EB3EDE
                                      • Part of subcall function 00EB3ED0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00EB3EF8
                                      • Part of subcall function 00F0C350: VariantInit.OLEAUT32(?), ref: 00F0C3EC
                                      • Part of subcall function 00F0C350: VariantClear.OLEAUT32(00000008), ref: 00F0C424
                                      • Part of subcall function 00F0C350: SysAllocString.OLEAUT32(?), ref: 00F0C43A
                                      • Part of subcall function 00F0C350: VariantClear.OLEAUT32(00000003), ref: 00F0C464
                                      • Part of subcall function 00F0C350: VariantClear.OLEAUT32(00000003), ref: 00F0C493
                                    • WriteFile.KERNEL32 ref: 00F2CDE7
                                    • GetLastError.KERNEL32 ref: 00F2CDF1
                                    • WriteFile.KERNEL32(?,00000000,0000000C,?,00000000), ref: 00F2CE0C
                                    • GetLastError.KERNEL32 ref: 00F2CE16
                                    Similarity
                                    • API ID: Variant$ClearString$AllocErrorFileLastWrite$Init
                                    • String ID:
                                    • API String ID: 1952979597-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94,?,00F908F0,00F9091C,?,00F60F29,000000FF,?,00EB394A,00F8B388,?,?,00000000,33A37B94,?,00F908F0), ref: 00EB484B
                                    • SysFreeString.OLEAUT32(6F6C206F), ref: 00EB4865
                                    • SysFreeString.OLEAUT32(00F90920), ref: 00EB487A
                                    • SetLastError.KERNEL32(?), ref: 00EB48AA
                                    Similarity
                                    • API ID: ErrorFreeLastString
                                    • String ID:
                                    • API String ID: 3822639702-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                    • SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                    • SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                    • SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    Similarity
                                    • API ID: ErrorFreeLastString
                                    • String ID:
                                    • API String ID: 3822639702-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00F587C3,00000000,00000000,00000000,00000000,?,00F589C0,00000006,FlsSetValue), ref: 00F5884E
                                    • GetLastError.KERNEL32(?,00F587C3,00000000,00000000,00000000,00000000,?,00F589C0,00000006,FlsSetValue,00F88DF0,00F88DF8,00000000,00000364,?,00F573D8), ref: 00F5885A
                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F587C3,00000000,00000000,00000000,00000000,?,00F589C0,00000006,FlsSetValue,00F88DF0,00F88DF8,00000000), ref: 00F58868
                                    Similarity
                                    • API ID: LibraryLoad$ErrorLast
                                    • String ID:
                                    • API String ID: 3177248105-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,?,00F51EB5,?,?,?,00F51F0F,?,?,?,?,?,00000410,00000000), ref: 00F572A0
                                    • SetLastError.KERNEL32(00000000,?,?,?,?,?,00000410,00000000,?,?,?,?,?,?,?,?), ref: 00F57308
                                    • SetLastError.KERNEL32(00000000,?,?,?,?,?,00000410,00000000,?,?,?,?,?,?,?,?), ref: 00F57314
                                    • _abort.LIBCMT ref: 00F5731A
                                    Similarity
                                    • API ID: ErrorLast$_abort
                                    • String ID:
                                    • API String ID: 88804580-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 00F4E78C
                                      • Part of subcall function 00F4EDC4: ___AdjustPointer.LIBCMT ref: 00F4EE0E
                                    • _UnwindNestedFrames.LIBCMT ref: 00F4E7A3
                                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 00F4E7B5
                                    • CallCatchBlock.LIBVCRUNTIME ref: 00F4E7D9
                                    Similarity
                                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                    • String ID:
                                    • API String ID: 2633735394-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F459CB
                                    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,?,000004FF), ref: 00F459E4
                                    Similarity
                                    • API ID: MessageMultipleObjectsPeekWait
                                    • String ID:
                                    • API String ID: 3986374578-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00F51821
                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00F51826
                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00F5182B
                                      • Part of subcall function 00F51CCE: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00F51CDF
                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00F51840
                                    Similarity
                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                    • String ID:
                                    • API String ID: 1761009282-0
                                    • Opcode ID: 0eee5113ad118f836d94d3046ddd1d69c662c15e477f19fc3b677e335823fb7f
                                    • Instruction ID: 67cab69079442af9b811a9acb70636ca666b1821b578b162b823d511a2b3bbe1
                                    • Opcode Fuzzy Hash: 0eee5113ad118f836d94d3046ddd1d69c662c15e477f19fc3b677e335823fb7f
                                    • Instruction Fuzzy Hash: 31C04824842AC0501E303AB12E533ED37943C6379BBD911C1BF6227203AE8E3C0EB472
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • FindClose.KERNEL32(00000000), ref: 00F42B58
                                      • Part of subcall function 00EB4A50: GetLastError.KERNEL32(33A37B94,?,?,00FD1000,?,00F60FF9,000000FF,?,00EB23E3,?,00000000), ref: 00EB4A92
                                      • Part of subcall function 00EB4A50: SetLastError.KERNEL32(?,?,?,00FD1000,?,00F60FF9,000000FF,?,00EB23E3,?,00000000), ref: 00EB4AD1
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    • __EH_prolog3_GS.LIBCMT ref: 00F4286C
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F417CE: __EH_prolog3_GS.LIBCMT ref: 00F417D8
                                      • Part of subcall function 00F424D4: __EH_prolog3_GS.LIBCMT ref: 00F424DE
                                      • Part of subcall function 00F424D4: GetModuleHandleW.KERNEL32(kernel32.dll,FindFirstFileW,00000254,00F418E0), ref: 00F424FA
                                      • Part of subcall function 00F424D4: GetProcAddress.KERNEL32(00000000), ref: 00F424FD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$H_prolog3_$FreeString$AddressCloseFindHandleModuleProc
                                    • String ID: *.*
                                    • API String ID: 2540153828-438819550
                                    • Opcode ID: 0c4fc5f03b9dfc0279466f58d8ad1c9216c8baa6abaff785461c370a7e8c8a4e
                                    • Instruction ID: 55a1bf61856a22478e79fcef071bfd33af33ff8d256d6bc6fb19b943081e133c
                                    • Opcode Fuzzy Hash: 0c4fc5f03b9dfc0279466f58d8ad1c9216c8baa6abaff785461c370a7e8c8a4e
                                    • Instruction Fuzzy Hash: E6D169B1D0021C9EEF21EF64CC95BEEBBB8AF15314F500199E808A7282DB719B85DF51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3_catch_GS.LIBCMT ref: 00F4B866
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F4B8DE
                                      • Part of subcall function 00F3FB96: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00F3FBA2
                                      • Part of subcall function 00F3FB96: __CxxThrowException@8.LIBVCRUNTIME ref: 00F3FBB0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Exception@8H_prolog3_catch_ThrowXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                    • String ID: vector<T> too long
                                    • API String ID: 3455652888-3788999226
                                    • Opcode ID: c74917d0e2abf29bb0eb5ca6f037b8a91bc44e26a30aff91d4645f4a7a33f4f7
                                    • Instruction ID: c9d7e38429892d9586d266feac6276379e6dbfe39cfcc95eca2ba28012d16ae2
                                    • Opcode Fuzzy Hash: c74917d0e2abf29bb0eb5ca6f037b8a91bc44e26a30aff91d4645f4a7a33f4f7
                                    • Instruction Fuzzy Hash: 49815DB2A001189FDF14DF68CD86B9EBBB9EF54310F148169F809AB246D774EA44DF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00EDCEA6
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00EDCEB0
                                      • Part of subcall function 00EB4370: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00EB43E8
                                      • Part of subcall function 00EB4370: SysFreeString.OLEAUT32(00000000), ref: 00EB4460
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: StringXinvalid_argumentstd::_$AllocFree
                                    • String ID: string too long
                                    • API String ID: 2819953329-2556327735
                                    • Opcode ID: 19f0dcb6b5529869f9b13c1305d4c7b65694ad9286d3b104c6a3e3aebaef9251
                                    • Instruction ID: 3bd0478680aa49b095b06e5200c9df1bd28ee3cba79b9d80fdda718af6cb3e51
                                    • Opcode Fuzzy Hash: 19f0dcb6b5529869f9b13c1305d4c7b65694ad9286d3b104c6a3e3aebaef9251
                                    • Instruction Fuzzy Hash: 225103723142059BD724CF18EC80A7AB7EAEF85791B30192FE946D7740DB31AC02D7A5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3.LIBCMT ref: 00F42E88
                                    • CompareFileTime.KERNEL32(00000000,?,?,?,PSTORES.EXE,00000000,00000000,?,?,00000068,00F454C9,00F43D8D,?,?), ref: 00F43001
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: CompareFileH_prolog3Time
                                    • String ID: PSTORES.EXE
                                    • API String ID: 2703394530-1209905799
                                    • Opcode ID: 5e96823891d12ae5c97639666b726176ffd901945818d97772d9aecf5c4574fc
                                    • Instruction ID: 70ad5645db82b4e4186f9ae36860549564eabdaca5ee424617ef18a843b6a52f
                                    • Opcode Fuzzy Hash: 5e96823891d12ae5c97639666b726176ffd901945818d97772d9aecf5c4574fc
                                    • Instruction Fuzzy Hash: FB514F72D002099FCF11DFE4C9819EEBFB8AF58310FA44565E911B7241DB34AE49EB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                    • RegCloseKey.ADVAPI32(00000000,80000002,?,00020019,?,00F9091C,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00000000,{00000000-0000-0000-0000-000000000000},?,00000000,33A37B94,00000000,?,00000000), ref: 00ED976C
                                    Strings
                                    • {00000000-0000-0000-0000-000000000000}, xrefs: 00ED95E3
                                    • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00ED9673
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$Close
                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Uninstall${00000000-0000-0000-0000-000000000000}
                                    • API String ID: 2117561858-829741748
                                    • Opcode ID: c671d93d54b3cc10bf333ef4e27f7d4342ed2807ad8757226eb6e01bc4f22044
                                    • Instruction ID: 8ee3617d221e520b6e4a02e6f985babd7fd2e36d9af7b609cb8aa4e3f5940227
                                    • Opcode Fuzzy Hash: c671d93d54b3cc10bf333ef4e27f7d4342ed2807ad8757226eb6e01bc4f22044
                                    • Instruction Fuzzy Hash: DD615B71900258DEDB20DFA4CD94BDEFBB4FB04304F14859AD519B7282DB716A89CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F182E0
                                      • Part of subcall function 00F3FB96: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00F3FBA2
                                      • Part of subcall function 00F3FB96: __CxxThrowException@8.LIBVCRUNTIME ref: 00F3FBB0
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F18366
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_$Exception@8Throwstd::invalid_argument::invalid_argument
                                    • String ID: vector<T> too long
                                    • API String ID: 1284171080-3788999226
                                    • Opcode ID: 62353efd82872c96b5787b3a3ed87c7ea7753375a981bb18ae211eaf3b1786a5
                                    • Instruction ID: 69e786795962a74d5f9fa3e39b4e6879acb584e7cbef4108cadf224db5628a66
                                    • Opcode Fuzzy Hash: 62353efd82872c96b5787b3a3ed87c7ea7753375a981bb18ae211eaf3b1786a5
                                    • Instruction Fuzzy Hash: B941D571B046069FCB18CF29CA906ADBBE1FB58750F28C62DE456C7780DB71E881D780
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F18450
                                      • Part of subcall function 00F3FB96: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00F3FBA2
                                      • Part of subcall function 00F3FB96: __CxxThrowException@8.LIBVCRUNTIME ref: 00F3FBB0
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F184D6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_$Exception@8Throwstd::invalid_argument::invalid_argument
                                    • String ID: vector<T> too long
                                    • API String ID: 1284171080-3788999226
                                    • Opcode ID: 9f34ae9350b90d830dc51d0fabe9a57a3df9347e8a0b1943068975c7ad4d65c2
                                    • Instruction ID: 67d1b3d5f7b1cd80a9d7bcf82f89810bb8fc5ae6db17c6fbae12898863578799
                                    • Opcode Fuzzy Hash: 9f34ae9350b90d830dc51d0fabe9a57a3df9347e8a0b1943068975c7ad4d65c2
                                    • Instruction Fuzzy Hash: 8A4195717046069FCB18CF29CA946A9BBE6FB95360F24C62DE456C7780DB71E841D780
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00EFEF10
                                      • Part of subcall function 00F3FB96: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00F3FBA2
                                      • Part of subcall function 00F3FB96: __CxxThrowException@8.LIBVCRUNTIME ref: 00F3FBB0
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00EFEF96
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_$Exception@8Throwstd::invalid_argument::invalid_argument
                                    • String ID: vector<T> too long
                                    • API String ID: 1284171080-3788999226
                                    • Opcode ID: 2ece35303588b69eb83f5a8ead8235d969af94fcc2beba05a49bf5969de01661
                                    • Instruction ID: e9f59a80fe39c7c501d57125cf2b63372b301a4821eee77c4e0df6c4085058db
                                    • Opcode Fuzzy Hash: 2ece35303588b69eb83f5a8ead8235d969af94fcc2beba05a49bf5969de01661
                                    • Instruction Fuzzy Hash: 3B41AF72B0460A9FCB18CF28C994669BBE1FB88310F24C66EE55AD7790C771F940C780
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F46B41
                                    • __EH_prolog3_catch.LIBCMT ref: 00F46B4E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: H_prolog3_catchXinvalid_argumentstd::_
                                    • String ID: map/set<T> too long
                                    • API String ID: 4202626062-1285458680
                                    • Opcode ID: 1e935035b6f9fdd901a557c709e37b6c16641cf65eca157511a76b08ae3920e4
                                    • Instruction ID: 2138a5e7df44cb217355e074f9f5fbd840810c7d3ce989d6f68e2f3b26b92e19
                                    • Opcode Fuzzy Hash: 1e935035b6f9fdd901a557c709e37b6c16641cf65eca157511a76b08ae3920e4
                                    • Instruction Fuzzy Hash: 5A511E306046409FDB15CF18C588B59BFE1AF4A328F19C498E849DB262C77AEC81EF52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F185BB
                                      • Part of subcall function 00F3FB96: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00F3FBA2
                                      • Part of subcall function 00F3FB96: __CxxThrowException@8.LIBVCRUNTIME ref: 00F3FBB0
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F18633
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_$Exception@8Throwstd::invalid_argument::invalid_argument
                                    • String ID: vector<T> too long
                                    • API String ID: 1284171080-3788999226
                                    • Opcode ID: 919208462271e6a667d8131da124ecd481f769a186482dc797c6109dc996d374
                                    • Instruction ID: 36060fedd5702938eed860e6574dec53fe4f6eb8a39ce317c07244e31e81483b
                                    • Opcode Fuzzy Hash: 919208462271e6a667d8131da124ecd481f769a186482dc797c6109dc996d374
                                    • Instruction Fuzzy Hash: 544197717006069FCB28CE29CED565ABBE2FB94760F24C63DE456C7784DA71E881D780
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F1870B
                                      • Part of subcall function 00F3FB96: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00F3FBA2
                                      • Part of subcall function 00F3FB96: __CxxThrowException@8.LIBVCRUNTIME ref: 00F3FBB0
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F18783
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    • Associated: 00000000.00000002.2923602041.0000000000EB0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923769646.0000000000F86000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923820515.0000000000FD1000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923845677.0000000000FD3000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923867936.0000000000FD6000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923887658.0000000000FD8000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2923916130.0000000000FDA000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_$Exception@8Throwstd::invalid_argument::invalid_argument
                                    • String ID: vector<T> too long
                                    • API String ID: 1284171080-3788999226
                                    • Opcode ID: 377e017cbc41a568ead04c488b38511b40896e756b69e8bc9f27fe0042a34749
                                    • Instruction ID: f30bd955e106e25ac254d2324a6ef807eca2064927a035fb4bff30d246faa88e
                                    • Opcode Fuzzy Hash: 377e017cbc41a568ead04c488b38511b40896e756b69e8bc9f27fe0042a34749
                                    • Instruction Fuzzy Hash: 5241A6757006069FCB28CF29CAD465ABBE2FB94760F24CA3DE456C77C4DA31E8819740
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00EB661B
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00EB6625
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_
                                    • String ID: vector<T> too long
                                    • API String ID: 909987262-3788999226
                                    • Opcode ID: 46656312a14af3f7b312f32aeca08f2a22a6d46d3edcb5f8dfa237f04888d411
                                    • Instruction ID: f1757329eef30896726b0e655871169c6442c64f80c024c7775efe8a65e00c8d
                                    • Opcode Fuzzy Hash: 46656312a14af3f7b312f32aeca08f2a22a6d46d3edcb5f8dfa237f04888d411
                                    • Instruction Fuzzy Hash: D23191717016028FDB2C8E3DC9D546BB7D2FB94324728CA3DE587DB688DA75E8418A40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F0747A
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F07484
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_
                                    • String ID: vector<T> too long
                                    • API String ID: 909987262-3788999226
                                    • Opcode ID: 9bb34757cb60c85c44a8a35608b955e9a6c129814a6181cfae1ce72029c4395d
                                    • Instruction ID: 6f4d7d3f08d30d98aac3bcbc42a0ff0d13f4b7048414d97263d91d49f60f1874
                                    • Opcode Fuzzy Hash: 9bb34757cb60c85c44a8a35608b955e9a6c129814a6181cfae1ce72029c4395d
                                    • Instruction Fuzzy Hash: 0E31A235B14702CFCB2CEE3DC9D442EBB96AB94760324CA7DE956C76C4DA30F845A644
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F0C0FD
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00F0C107
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_
                                    • String ID: vector<T> too long
                                    • API String ID: 909987262-3788999226
                                    • Opcode ID: b958e6ef6e8d05660c561b6561bd9bfd403d7af89a9d93c2edf62f8e611e5769
                                    • Instruction ID: 78162b14023b6bec6d112d56324144c8f34d42156defc0959324036c1d55e6e7
                                    • Opcode Fuzzy Hash: b958e6ef6e8d05660c561b6561bd9bfd403d7af89a9d93c2edf62f8e611e5769
                                    • Instruction Fuzzy Hash: 5B3181717012068FCB2C9E7DCDD546AB7D6EB98320328CB3DE596CB684D671F840E680
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • new.LIBCMT ref: 00F16F6C
                                      • Part of subcall function 00F183E0: std::_Xinvalid_argument.LIBCPMT ref: 00F18450
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Xinvalid_argumentstd::_
                                    • String ID: J$When
                                    • API String ID: 909987262-2313060179
                                    • Opcode ID: add1661cbb7d2694d03dc559631780cf49bc30da95d8c0977a331ca78f929595
                                    • Instruction ID: 18f944cb5c7c638c296f8d6c4597f36af3d34900285608d8a80150da36bf6e78
                                    • Opcode Fuzzy Hash: add1661cbb7d2694d03dc559631780cf49bc30da95d8c0977a331ca78f929595
                                    • Instruction Fuzzy Hash: 73417971A00219DFDF25DF64C950BEAB7B1BF44314F5081A9E40EA7290DB35AE84EF50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    • RegistryProvider.cpp, xrefs: 00EC4882
                                    • Convert reg data: unsupported reg value type (%x), xrefs: 00EC4889
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: InitVariant
                                    • String ID: Convert reg data: unsupported reg value type (%x)$RegistryProvider.cpp
                                    • API String ID: 1927566239-2501269308
                                    • Opcode ID: c93cece29c327cff902b5d48485353cd61e060238895378ac2ed49d15803dd63
                                    • Instruction ID: 028e96037c180743c242562f6664483d767826a3f5812443a862c52a538ac7ed
                                    • Opcode Fuzzy Hash: c93cece29c327cff902b5d48485353cd61e060238895378ac2ed49d15803dd63
                                    • Instruction Fuzzy Hash: 804159B1A00249DFDB14DFA4C855BAEBBF4FF48704F10852EE806A7391D775AA05DB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3_catch_GS.LIBCMT ref: 00F419CD
                                      • Part of subcall function 00EBF530: new.LIBCMT ref: 00EBF581
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00EBF630: new.LIBCMT ref: 00EBF65E
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                      • Part of subcall function 00EBF330: GetLastError.KERNEL32(33A37B94,00000000), ref: 00EBF393
                                      • Part of subcall function 00EBF330: new.LIBCMT ref: 00EBF3A9
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00F41A8C
                                      • Part of subcall function 00F4E44A: RaiseException.KERNEL32(?,?,00F3FBB5,?,?,00000000,?,?,?,?,?,00F3FBB5,?,00FCBE10,?), ref: 00F4E4A9
                                      • Part of subcall function 00EBF940: FindCloseChangeNotification.KERNELBASE(?,33A37B94,74DEE010), ref: 00EBF9A0
                                      • Part of subcall function 00EBF940: __CxxThrowException@8.LIBVCRUNTIME ref: 00EBF9E9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$Exception@8FreeStringThrow$ChangeCloseExceptionFindH_prolog3_catch_NotificationRaise
                                    • String ID:
                                    • API String ID: 2271739304-3916222277
                                    • Opcode ID: 59277fc5d90efec1769a5aab00a3ed634f0700491101b2ed8209cdc76b41be51
                                    • Instruction ID: 6e7f512a6d6b816c29679d0a42c0b47a72fdc430f53e4f4a8f326f20faa23be8
                                    • Opcode Fuzzy Hash: 59277fc5d90efec1769a5aab00a3ed634f0700491101b2ed8209cdc76b41be51
                                    • Instruction Fuzzy Hash: 94417274C10258EAEF10EBA4DC95FDEBBB4AF10304F445099E90977283EBB45B48EB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00EE652D
                                    • std::_Xinvalid_argument.LIBCPMT ref: 00EE6537
                                      • Part of subcall function 00EB4370: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00EB43E8
                                      • Part of subcall function 00EB4370: SysFreeString.OLEAUT32(00000000), ref: 00EB4460
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: StringXinvalid_argumentstd::_$AllocFree
                                    • String ID: string too long
                                    • API String ID: 2819953329-2556327735
                                    • Opcode ID: f344b34f58105a5436e499d820aba3b6501d3ee0b46e4ecee64e9b0228f2aca9
                                    • Instruction ID: 894e43b2a3b4e00bfc1150bfd7848b07b9a51d1e518045ca016ab0d1c6e6f108
                                    • Opcode Fuzzy Hash: f344b34f58105a5436e499d820aba3b6501d3ee0b46e4ecee64e9b0228f2aca9
                                    • Instruction Fuzzy Hash: 952105323047489BCB309F99E801A1AF7F5FB95B71F000A2FE556D7690DB32E4088796
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetVersionExW.KERNEL32(00000294,33A37B94), ref: 00EFC7CA
                                    Strings
                                    • UWPIsTypePresent: unsupported platform (minimum required Windows 8.x), condition evaluated as false, xrefs: 00EFC82C
                                    • Condition.cpp, xrefs: 00EFC807
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Version
                                    • String ID: Condition.cpp$UWPIsTypePresent: unsupported platform (minimum required Windows 8.x), condition evaluated as false
                                    • API String ID: 1889659487-4227069442
                                    • Opcode ID: 56154a9b442426756e4c69bae022894c59cbdd1354f6c0de4eab64f8c2975ea5
                                    • Instruction ID: 1ec8356a94d14d96bd7ffa596a4cd30fed69411c3ae6b9268959a2b224735302
                                    • Opcode Fuzzy Hash: 56154a9b442426756e4c69bae022894c59cbdd1354f6c0de4eab64f8c2975ea5
                                    • Instruction Fuzzy Hash: 3341157090528CDEEB14EF64EC457EDBBB1FB01308F28022AE0016B2D2D7B42945DB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 00F42672
                                      • Part of subcall function 00EE5F80: GetLastError.KERNEL32(0000003C,00000000,33A37B94,0000003C,00000000,00000000), ref: 00EE5FEC
                                      • Part of subcall function 00EE5F80: SetLastError.KERNEL32(00F908E8), ref: 00EE602A
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F447D0: __EH_prolog3_GS.LIBCMT ref: 00F447D7
                                    Strings
                                    • .EXE, xrefs: 00F4268F
                                    • SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00F426F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$H_prolog3_
                                    • String ID: .EXE$SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
                                    • API String ID: 3339191932-4260402741
                                    • Opcode ID: 6bdb74a585e5ab53d974e471a4b0c193dae4b15e233ae0a662fb5542768d0c4f
                                    • Instruction ID: b6447085d50377a85eeff9dae614d228a631b2a380dc900ccad68e27c4aada01
                                    • Opcode Fuzzy Hash: 6bdb74a585e5ab53d974e471a4b0c193dae4b15e233ae0a662fb5542768d0c4f
                                    • Instruction Fuzzy Hash: 5721D3B4D01208AEDB10FF64CC86ADEBFA8EF05300F10005DF8086B382D7759646DBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    • Failed to convert string to safe array, error %x, xrefs: 00F12CC1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Variant$ClearInit
                                    • String ID: Failed to convert string to safe array, error %x
                                    • API String ID: 2610073882-4186055195
                                    • Opcode ID: 0459fa450cfe676800175dae5d77f8aaadec52888f597cf146593b739911c7c2
                                    • Instruction ID: 12028ba2e45f88fd42b3f7ac4ccb7409683f2f150210a4518366fc1a42977aac
                                    • Opcode Fuzzy Hash: 0459fa450cfe676800175dae5d77f8aaadec52888f597cf146593b739911c7c2
                                    • Instruction Fuzzy Hash: 8421EEB5D002099FCB44DFA8C945ADEBBF8FB08314F10466AE815E7341E775AA05DB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: false$true
                                    • API String ID: 0-2658103896
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: Event
                                    • String ID: d
                                    • API String ID: 4201588131-2564639436
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00F11074
                                      • Part of subcall function 00F4E44A: RaiseException.KERNEL32(?,?,00F3FBB5,?,?,00000000,?,?,?,?,?,00F3FBB5,?,00FCBE10,?), ref: 00F4E4A9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ExceptionException@8RaiseThrow
                                    • String ID: End transaction result: %x$Transaction.cpp
                                    • API String ID: 3976011213-34192366
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EEC310: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,00F3F9F2,?,?,?,00EB23C3), ref: 00EEC315
                                      • Part of subcall function 00EEC310: GetLastError.KERNEL32(?,?,?,00EB23C3), ref: 00EEC31F
                                    • IsDebuggerPresent.KERNEL32(?,?,?,00EB23C3), ref: 00F3F9F6
                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00EB23C3), ref: 00F3FA05
                                    Strings
                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F3FA00
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                    • API String ID: 3511171328-631824599
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00F0D230: new.LIBCMT ref: 00F0D25D
                                    • GetLastError.KERNEL32(00FD21B8,00000000,33A37B94,74DEE010,00000000), ref: 00ED85BE
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED8604
                                    • GetLastError.KERNEL32 ref: 00ED8618
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED865E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                    • GetLastError.KERNEL32(00000000,00000000,33A37B94,?,00000000), ref: 00ED4EAE
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED4EF4
                                    • GetLastError.KERNEL32 ref: 00ED4F08
                                    • SetLastError.KERNEL32(00F908E8), ref: 00ED4F4E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,00000000,33A37B94), ref: 00EB7151
                                    • SetLastError.KERNEL32(00F908E8,?,00000000,33A37B94), ref: 00EB719B
                                    • GetLastError.KERNEL32(?,00000000,33A37B94), ref: 00EB71B3
                                    • SetLastError.KERNEL32(00F908E8,?,00000000,33A37B94), ref: 00EB71FD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94), ref: 00EBB21F
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EBB272
                                    • GetLastError.KERNEL32 ref: 00EBB289
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EBB2D3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94), ref: 00F0411E
                                    • SetLastError.KERNEL32(00F908E8), ref: 00F0416B
                                    • GetLastError.KERNEL32 ref: 00F04186
                                    • SetLastError.KERNEL32(00F908E8), ref: 00F041D0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94,00F9091C,00000000), ref: 00EC663C
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EC668F
                                    • GetLastError.KERNEL32 ref: 00EC66A6
                                    • SetLastError.KERNEL32(00F908E8), ref: 00EC66F0
                                      • Part of subcall function 00EB6F90: GetLastError.KERNEL32(33A37B94,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB6FD2
                                      • Part of subcall function 00EB6F90: SetLastError.KERNEL32(?,33A37B94,00000000,000000FF,?,?,?,?,00F60FF9,000000FF,?,00EB4F40), ref: 00EB7034
                                      • Part of subcall function 00EB4BE0: GetLastError.KERNEL32(33A37B94,?,?,33A37B94,?,00F61069,000000FF,?,00EB2A81,33A37B94), ref: 00EB4C1B
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(?), ref: 00EB4C35
                                      • Part of subcall function 00EB4BE0: SysFreeString.OLEAUT32(33A37B98), ref: 00EB4C4A
                                      • Part of subcall function 00EB4BE0: SetLastError.KERNEL32(?,?,?,?,?,?,000000FF), ref: 00EB4C7A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast$FreeString
                                    • String ID:
                                    • API String ID: 2425351278-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F0D230: new.LIBCMT ref: 00F0D25D
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00F113DF
                                    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00F11421
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00F1143D
                                    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00F11479
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F0D230: new.LIBCMT ref: 00F0D25D
                                    • GetLastError.KERNEL32 ref: 00EFD00F
                                    • SetLastError.KERNEL32(?), ref: 00EFD051
                                    • GetLastError.KERNEL32 ref: 00EFD06D
                                    • SetLastError.KERNEL32(?), ref: 00EFD0A9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_eb0000_WebSigner_SuiteMSI_Barclays.jbxd
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00F0D230: new.LIBCMT ref: 00F0D25D
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F73A13,000000FF), ref: 00EFD29F
                                    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F73A13), ref: 00EFD2E1
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F73A13,000000FF), ref: 00EFD2FD
                                    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F73A13), ref: 00EFD339
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EC5220: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC525C
                                      • Part of subcall function 00EC5220: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC529B
                                    • GetLastError.KERNEL32 ref: 00F11635
                                    • SetLastError.KERNEL32(?), ref: 00F11677
                                    • GetLastError.KERNEL32 ref: 00F11697
                                    • SetLastError.KERNEL32(?), ref: 00F116D3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 00EC5220: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC525C
                                      • Part of subcall function 00EC5220: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EC529B
                                    • GetLastError.KERNEL32 ref: 00EC55D5
                                    • SetLastError.KERNEL32(?), ref: 00EC5617
                                    • GetLastError.KERNEL32 ref: 00EC5637
                                    • SetLastError.KERNEL32(?), ref: 00EC5673
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(33A37B94,0000001F,?), ref: 00EF1433
                                    • SetLastError.KERNEL32(?), ref: 00EF146F
                                    • GetLastError.KERNEL32 ref: 00EF148F
                                    • SetLastError.KERNEL32(?), ref: 00EF14CB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,000000FF), ref: 00EE6AFC
                                    • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 00EE6B3B
                                    • GetLastError.KERNEL32 ref: 00EE6B68
                                    • SetLastError.KERNEL32(?), ref: 00EE6BA4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetLastError.KERNEL32(?,?,00F466AF,?,?,?), ref: 00F466D0
                                    • GetLastError.KERNEL32(?,?,00F466AF,?,?,?), ref: 00F466DA
                                    • SetLastError.KERNEL32(00000000,?,?,00F466AF,?,?,?), ref: 00F4671C
                                    • SetLastError.KERNEL32(00000000,?,?,00F466AF,?,?,?), ref: 00F46726
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2923630768.0000000000EB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EB0000, based on PE: true
                                    Similarity
                                    • API ID: ErrorLast
                                    • String ID:
                                    • API String ID: 1452528299-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%