Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
WebSigner_SuiteMSI_Barclays.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\1reader.bmp
|
PC bitmap, Windows 3.x format, 209 x 338 x 24, image size 212264, cbSize 212318, bits offset 54
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\40LE.bmp
|
PC bitmap, Windows 3.x format, 193 x 183 x 24, image size 106140, cbSize 106194, bits offset 54
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Application.png
|
PNG image data, 47 x 51, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Custom.png
|
PNG image data, 59 x 51, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\EzioBLE.bmp
|
PC bitmap, Windows 3.x format, 399 x 55 x 24, image size 66000, cbSize 66054, bits offset 54
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Folder.png
|
PNG image data, 37 x 46, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\GBDM.rtf
|
Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISBEW64.exe
|
PE32+ executable (GUI) x86-64, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISLogoBig.png
|
PNG image data, 100 x 101, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISLogoSmall.png
|
PNG image data, 50 x 50, 8-bit/color RGB, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISRT.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\ISSetup.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Remove.png
|
PNG image data, 58 x 51, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Repair.png
|
PNG image data, 59 x 51, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Setup.inx
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Setup_UI.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Setup_UI.xml
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Typical.png
|
PNG image data, 59 x 51, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\Xmessage.exe
|
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\_is24E1
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\addExtension.bmp
|
PC bitmap, Windows 3.x format, 152 x 52 x 24, resolution 3779 x 3779 px/m, cbSize 23766, bits offset 54
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\eula.rtf
|
Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\extensionOK.bmp
|
PC bitmap, Windows 3.x format, 344 x 198 x 24, resolution 3779 x 3779 px/m, cbSize 204390, bits offset 54
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\gemalto48.png
|
PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-150\Application.png
|
PNG image data, 61 x 69, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-150\Custom.png
|
PNG image data, 78 x 69, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-150\Folder.png
|
PNG image data, 46 x 39, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-150\ISLogoBig.png
|
PNG image data, 150 x 152, 8-bit/color RGB, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-150\ISLogoSmall.png
|
PNG image data, 75 x 75, 8-bit/color RGB, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-150\Remove.png
|
PNG image data, 50 x 70, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-150\Repair.png
|
PNG image data, 79 x 69, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-150\Typical.png
|
PNG image data, 78 x 69, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-200\Application.png
|
PNG image data, 81 x 92, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-200\Custom.png
|
PNG image data, 104 x 92, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-200\Folder.png
|
PNG image data, 62 x 52, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-200\ISLogoBig.png
|
PNG image data, 200 x 203, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-200\ISLogoSmall.png
|
PNG image data, 100 x 100, 8-bit/color RGB, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-200\Remove.png
|
PNG image data, 67 x 93, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-200\Repair.png
|
PNG image data, 105 x 92, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\scale-200\Typical.png
|
PNG image data, 116 x 102, 8-bit/color RGBA, non-interlaced
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup.xml
|
XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe
|
PE32+ executable (GUI) x86-64, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\signtool.exe
|
PE32 executable (console) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\welcome.bmp
|
PC bitmap, Windows 3.x format, 499 x 312 x 32, image size 622752, resolution 2835 x 2835 px/m, cbSize 622806, bits offset
54
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\SuiteSetup.ini
|
ASCII text, with CRLF, CR, LF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe:Zone.Identifier
|
ASCII text, with CRLF line terminators
|
modified
|
There are 38 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe
|
"C:\Users\user\Desktop\WebSigner_SuiteMSI_Barclays.exe"
|
||
|
C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe
|
"C:\Users\user\AppData\Local\Temp\{D2FDF4C4-7908-4D9C-B7E2-6F8659460A24}\_is23C8.exe" -IS_temp ORIGINALSETUPEXEDIR="C:\Users\user\Desktop"
ORIGINALSETUPEXENAME="WebSigner_SuiteMSI_Barclays.exe"
|
||
|
C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe
|
"C:\Users\user\AppData\Local\Temp\{D29D5C03-D231-4280-AB2D-8B995FA7ABB9}\setup64.exe" -embedded:EEFDEB78-A81F-4EAC-839B-C4BCB6470B9F
-IS_temp
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://www.apache.org/licenses/LICENSE-2.0
|
unknown
|
||
|
http://www.apache.org/licenses/
|
unknown
|
||
|
http://www.symauth.com/rpa00
|
unknown
|
||
|
https://mozilla.org/MPL/2.0/.
|
unknown
|
||
|
https://opensource.org/licenses/Zlib)
|
unknown
|
||
|
https://supportportal.thalesgroup.com
|
unknown
|
||
|
http://www.gemalto.com
|
unknown
|
||
|
http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
|
unknown
|
||
|
http://www.openssl.org/)
|
unknown
|
||
|
https://supportportal.thalesgroup.com/.
|
unknown
|
||
|
http://www.flexerasoftware.com0
|
unknown
|
||
|
http://www.symauth.com/cps0(
|
unknown
|
||
|
http://logo.ve
|
unknown
|
There are 3 hidden URLs, click here to show them.
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\SOFTWARE\InstallShield\SuiteInstallers\{783F36BC-63CA-4E74-ABA6-81C222D2C3DD}
|
InfoPath
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
39FF000
|
heap
|
page read and write
|
||
|
47C0000
|
trusted library section
|
page read and write
|
||
|
3E50000
|
trusted library allocation
|
page read and write
|
||
|
3997000
|
heap
|
page read and write
|
||
|
73B000
|
stack
|
page read and write
|
||
|
59A000
|
unkown
|
page readonly
|
||
|
FD1000
|
unkown
|
page read and write
|
||
|
47E0000
|
trusted library section
|
page read and write
|
||
|
7E0000
|
heap
|
page read and write
|
||
|
F90000
|
heap
|
page read and write
|
||
|
5C0E000
|
heap
|
page read and write
|
||
|
6CF76000
|
unkown
|
page readonly
|
||
|
3A50000
|
unkown
|
page readonly
|
||
|
61B0000
|
heap
|
page read and write
|
||
|
5C4B000
|
heap
|
page read and write
|
||
|
3A05000
|
heap
|
page read and write
|
||
|
25A4000
|
heap
|
page read and write
|
||
|
3C0E000
|
stack
|
page read and write
|
||
|
18EDF7F6000
|
heap
|
page read and write
|
||
|
F86000
|
unkown
|
page readonly
|
||
|
FDA000
|
unkown
|
page readonly
|
||
|
5B98000
|
heap
|
page read and write
|
||
|
6CF72000
|
unkown
|
page read and write
|
||
|
3992000
|
heap
|
page read and write
|
||
|
1477000
|
heap
|
page read and write
|
||
|
5F35000
|
trusted library allocation
|
page read and write
|
||
|
3999000
|
heap
|
page read and write
|
||
|
7FF6237EF000
|
unkown
|
page readonly
|
||
|
470000
|
unkown
|
page readonly
|
||
|
39F7000
|
heap
|
page read and write
|
||
|
3930000
|
heap
|
page read and write
|
||
|
37E8000
|
stack
|
page read and write
|
||
|
7FF6237B0000
|
unkown
|
page readonly
|
||
|
EB1000
|
unkown
|
page execute read
|
||
|
3980000
|
heap
|
page read and write
|
||
|
FA0000
|
heap
|
page read and write
|
||
|
7FF6237D9000
|
unkown
|
page readonly
|
||
|
39C5000
|
heap
|
page read and write
|
||
|
2670000
|
heap
|
page read and write
|
||
|
3A07000
|
heap
|
page read and write
|
||
|
30B0000
|
heap
|
page read and write
|
||
|
5F35000
|
trusted library allocation
|
page read and write
|
||
|
18EE12D0000
|
heap
|
page read and write
|
||
|
6CEA0000
|
unkown
|
page readonly
|
||
|
820000
|
heap
|
page read and write
|
||
|
3D0F000
|
stack
|
page read and write
|
||
|
59A000
|
unkown
|
page readonly
|
||
|
471000
|
unkown
|
page execute read
|
||
|
7CE000
|
stack
|
page read and write
|
||
|
3B90000
|
heap
|
page read and write
|
||
|
39FF000
|
heap
|
page read and write
|
||
|
18EDF7FC000
|
heap
|
page read and write
|
||
|
7FF6237B0000
|
unkown
|
page readonly
|
||
|
2690000
|
heap
|
page read and write
|
||
|
18EDF7C0000
|
heap
|
page read and write
|
||
|
140C000
|
heap
|
page read and write
|
||
|
EB0000
|
unkown
|
page readonly
|
||
|
34FF000
|
stack
|
page read and write
|
||
|
AEF000
|
stack
|
page read and write
|
||
|
138E000
|
stack
|
page read and write
|
||
|
12F5000
|
stack
|
page read and write
|
||
|
828000
|
heap
|
page read and write
|
||
|
596000
|
unkown
|
page read and write
|
||
|
546000
|
unkown
|
page readonly
|
||
|
470000
|
unkown
|
page readonly
|
||
|
7FF6237EC000
|
unkown
|
page read and write
|
||
|
47FA000
|
heap
|
page read and write
|
||
|
5BDF000
|
heap
|
page read and write
|
||
|
5C2F000
|
heap
|
page read and write
|
||
|
47FC000
|
heap
|
page read and write
|
||
|
7FF6237EC000
|
unkown
|
page write copy
|
||
|
13B8000
|
heap
|
page read and write
|
||
|
5F23000
|
trusted library allocation
|
page read and write
|
||
|
5C55000
|
heap
|
page read and write
|
||
|
39F4000
|
heap
|
page read and write
|
||
|
5FB5000
|
trusted library allocation
|
page read and write
|
||
|
F80000
|
heap
|
page read and write
|
||
|
FD1000
|
unkown
|
page write copy
|
||
|
39F7000
|
heap
|
page read and write
|
||
|
FD8000
|
unkown
|
page readonly
|
||
|
3994000
|
heap
|
page read and write
|
||
|
7D0000
|
heap
|
page read and write
|
||
|
47F8000
|
heap
|
page read and write
|
||
|
7FF6237B1000
|
unkown
|
page execute read
|
||
|
6CEA1000
|
unkown
|
page execute read
|
||
|
18EE12A0000
|
heap
|
page read and write
|
||
|
3A05000
|
heap
|
page read and write
|
||
|
39A0000
|
heap
|
page read and write
|
||
|
591000
|
unkown
|
page write copy
|
||
|
4800000
|
heap
|
page read and write
|
||
|
39A3000
|
heap
|
page read and write
|
||
|
3989000
|
heap
|
page read and write
|
||
|
FD3000
|
unkown
|
page write copy
|
||
|
39E1000
|
heap
|
page read and write
|
||
|
47F0000
|
heap
|
page read and write
|
||
|
736000
|
stack
|
page read and write
|
||
|
780000
|
heap
|
page read and write
|
||
|
5FB5000
|
trusted library allocation
|
page read and write
|
||
|
7EE6CFA000
|
stack
|
page read and write
|
||
|
18EDF7F0000
|
heap
|
page read and write
|
||
|
469B000
|
stack
|
page read and write
|
||
|
6CF6F000
|
unkown
|
page write copy
|
||
|
FD8000
|
unkown
|
page readonly
|
||
|
598000
|
unkown
|
page readonly
|
||
|
1390000
|
heap
|
page read and write
|
||
|
FDA000
|
unkown
|
page readonly
|
||
|
309D000
|
stack
|
page read and write
|
||
|
598000
|
unkown
|
page readonly
|
||
|
47B0000
|
heap
|
page read and write
|
||
|
3710000
|
heap
|
page read and write
|
||
|
7FF6237F4000
|
unkown
|
page readonly
|
||
|
30BB000
|
heap
|
page read and write
|
||
|
6CF6E000
|
unkown
|
page read and write
|
||
|
39F2000
|
heap
|
page read and write
|
||
|
39F7000
|
heap
|
page read and write
|
||
|
18EDF7D0000
|
heap
|
page read and write
|
||
|
39E3000
|
heap
|
page read and write
|
||
|
301F000
|
stack
|
page read and write
|
||
|
39E4000
|
heap
|
page read and write
|
||
|
EB1000
|
unkown
|
page execute read
|
||
|
305E000
|
stack
|
page read and write
|
||
|
61A0000
|
heap
|
page read and write
|
||
|
18EE1170000
|
heap
|
page read and write
|
||
|
1393000
|
heap
|
page read and write
|
||
|
5B90000
|
heap
|
page read and write
|
||
|
39E8000
|
heap
|
page read and write
|
||
|
39EF000
|
heap
|
page read and write
|
||
|
546000
|
unkown
|
page readonly
|
||
|
F86000
|
unkown
|
page readonly
|
||
|
EB0000
|
unkown
|
page readonly
|
||
|
593000
|
unkown
|
page write copy
|
||
|
7FF6237B1000
|
unkown
|
page execute read
|
||
|
4805000
|
heap
|
page read and write
|
||
|
479D000
|
stack
|
page read and write
|
||
|
F1B000
|
stack
|
page read and write
|
||
|
3989000
|
heap
|
page read and write
|
||
|
5C0F000
|
heap
|
page read and write
|
||
|
6CF74000
|
unkown
|
page readonly
|
||
|
5F64000
|
trusted library allocation
|
page read and write
|
||
|
35FE000
|
stack
|
page read and write
|
||
|
7FF6237EF000
|
unkown
|
page readonly
|
||
|
5F23000
|
trusted library allocation
|
page read and write
|
||
|
7FF6237D9000
|
unkown
|
page readonly
|
||
|
63B000
|
stack
|
page read and write
|
||
|
5F64000
|
trusted library allocation
|
page read and write
|
||
|
47D0000
|
trusted library section
|
page read and write
|
||
|
3997000
|
heap
|
page read and write
|
||
|
30B6000
|
heap
|
page read and write
|
||
|
13B0000
|
heap
|
page read and write
|
||
|
591000
|
unkown
|
page read and write
|
||
|
471000
|
unkown
|
page execute read
|
||
|
38EA000
|
stack
|
page read and write
|
||
|
FD6000
|
unkown
|
page read and write
|
||
|
6CF41000
|
unkown
|
page readonly
|
||
|
61C8000
|
heap
|
page read and write
|
||
|
7FF6237F4000
|
unkown
|
page readonly
|
There are 146 hidden memdumps, click here to show them.