Windows Analysis Report
Thermo Fisher RFQ_TFS-1207.com.exe

Overview

General Information

Sample name:Thermo Fisher RFQ_TFS-1207.com.exe
Analysis ID:1501414
MD5:9768c048c979aeeeeb051574d452b626
SHA1:414d48d77fc71d29e58a92d02fa2d770fb854339
SHA256:19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba
Tags:exe

Detection

GuLoader
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000000.00000002.4125826655.0000000007159000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
    No Sigma rule has matched
    No Suricata rule has matched

    AV Detection

    Source: Thermo Fisher RFQ_TFS-1207.com.exe | ReversingLabs: Detection: 50%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: Thermo Fisher RFQ_TFS-1207.com.exe | Joe Sandbox ML: detected
    Source: Thermo Fisher RFQ_TFS-1207.com.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: Thermo Fisher RFQ_TFS-1207.com.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_00405C60 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C60
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_00402930 FindFirstFileW,0_2_00402930
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_004068B1 FindFirstFileW,FindClose,0_2_004068B1
    Source: Thermo Fisher RFQ_TFS-1207.com.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_00405718 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405718

    System Summary

    Source: initial sample | Static PE information: Filename: Thermo Fisher RFQ_TFS-1207.com.exe
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Process Stats: CPU usage > 49%
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_0040352F EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040352F
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | File created: C:\Windows\resources\0809
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_73AC1BFF
    Source: Thermo Fisher RFQ_TFS-1207.com.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: classification engine | Classification label: mal72.troj.evad.winEXE@1/13@0/0
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_0040352F EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040352F
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_004049C4 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004049C4
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_004021CF CoCreateInstance,0_2_004021CF
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | File created: C:\Users\user\AppData\Local\Temp\nspEF6B.tmp
    Source: Thermo Fisher RFQ_TFS-1207.com.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: Thermo Fisher RFQ_TFS-1207.com.exe | ReversingLabs: Detection: 50%
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | File read: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: shfolder.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: riched20.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: msls31.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: textshaping.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: Thermo Fisher RFQ_TFS-1207.com.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Data Obfuscation

    Source: Yara match | File source: 00000000.00000002.4125826655.0000000007159000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_73AC1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_73AC1BFF
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_73AC30C0 push eax; ret 0_2_73AC30EE
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | File created: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\LangDLL.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | File created: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\nsExec.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | File created: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\nsDialogs.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | File created: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | File created: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\UserInfo.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | RDTSC instruction interceptor: First address: 764F355 second address: 764F355 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F1C60DFB5D6h 0x00000006 cmp ecx, edx 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a test dh, dh 0x0000000c rdtsc
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\LangDLL.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\nsExec.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\nsDialogs.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\UserInfo.dll
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_00405C60 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C60
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_00402930 FindFirstFileW,0_2_00402930
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_004068B1 FindFirstFileW,FindClose,0_2_004068B1
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | API call chain: ExitProcess graph end node graph_0-4812
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | API call chain: ExitProcess graph end node graph_0-4815
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_73AC1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_73AC1BFF
    Source: C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe | Code function: 0_2_0040352F EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040352F

    MITRE ATT&CK matrix (one line per tactic; a number in parentheses is the count shown next to a matched technique):

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
    Execution: Native API (1); Scheduled Task/Job; At; Cron
    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
    Privilege Escalation: Access Token Manipulation (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
    Defense Evasion: Masquerading (1); Access Token Manipulation (1); DLL Side-Loading (1); Obfuscated Files or Information (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
    Discovery: Security Software Discovery (1); File and Directory Discovery (2); System Information Discovery (13); System Network Configuration Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
    Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture
    Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
    Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction
    Source | Detection | Scanner | Label
    Thermo Fisher RFQ_TFS-1207.com.exe | 50% | ReversingLabs | Win32.Trojan.Generic
    Thermo Fisher RFQ_TFS-1207.com.exe | 100% | Joe Sandbox ML

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\LangDLL.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\UserInfo.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\nsDialogs.dll | 0% | ReversingLabs
    C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\nsExec.dll | 0% | ReversingLabs

    No Antivirus matches
    No Antivirus matches

    Source | Detection | Scanner | Label
    http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe

    No contacted domains info

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nsis.sf.net/NSIS_ErrorError | Thermo Fisher RFQ_TFS-1207.com.exe | false | URL Reputation: safe | unknown

    No contacted IP infos
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1501414
    Start date and time:2024-08-29 21:45:51 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 6m 31s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:5
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:Thermo Fisher RFQ_TFS-1207.com.exe
    Detection:MAL
    Classification:mal72.troj.evad.winEXE@1/13@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 52
    • Number of non-executed functions: 28
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtSetInformationFile calls found.
    • VT rate limit hit for: Thermo Fisher RFQ_TFS-1207.com.exe
    No simulations
    No context
    No context
    No context
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name

    C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll
    • TRIAL_ORDER_CP.exe | malicious | FormBook, GuLoader
    • TRIAL_ORDER_CP.exe | malicious | GuLoader
    • Thermo Fisher RFQ_TFS-1805.xls | malicious | GuLoader
    • FedEx Shipping Confirmation.exe | malicious | GuLoader, Snake Keylogger
    • IMG_00991ORDER_FILES.exe | malicious | FormBook, GuLoader
    • FedEx Shipping Confirmation.exe | malicious | GuLoader
    • IMG_00991ORDER_FILES.exe | malicious | GuLoader
    • SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx | malicious | Unknown
    • AKgHw6grDP.exe | malicious | GuLoader
    • AKgHw6grDP.exe | malicious | GuLoader

    C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\LangDLL.dll
    • TRIAL_ORDER_CP.exe | malicious | FormBook, GuLoader
    • TRIAL_ORDER_CP.exe | malicious | GuLoader
    • Thermo Fisher RFQ_TFS-1805.xls | malicious | GuLoader
    • FedEx Shipping Confirmation.exe | malicious | GuLoader, Snake Keylogger
    • IMG_00991ORDER_FILES.exe | malicious | FormBook, GuLoader
    • FedEx Shipping Confirmation.exe | malicious | GuLoader
    • IMG_00991ORDER_FILES.exe | malicious | GuLoader
    • SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx | malicious | Unknown
                                        Process:C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):385015
                                        Entropy (8bit):1.253279247179919
                                        Encrypted:false
                                        SSDEEP:1536:kVTcKVFuJi5LXKLywcEhXygCilGHIQXMUmMAI:ywKLNLaLywRXygCilGzmMAI
                                        MD5:84182132BEAC6B4CDD42AE3C3504778F
                                        SHA1:9844B9B4ABEAC7B410809A582FE2E41BD38876A3
                                        SHA-256:5A2A01A88EC9FF56B80D957E4C5891A020435407F81DADA05DE58165C0C86F2D
                                        SHA-512:054C17E8AC2EDED927F24E77A81FBA74498C9F3ABD07F5E42D6F9E20A58D47D9C30FF1060CC8626DE93FDD5BBA2A0503FF61EC7F4F70858871C15E63DDC48A7F
                                        Malicious:false
                                        Reputation:low
                                        Process:C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):295052
                                        Entropy (8bit):7.649643489698229
                                        Encrypted:false
                                        SSDEEP:6144:d5dDGsxj8/O4S6dAWxD5cHH3B3BZY8cdP5t2Z0:RD38/NBAW0HX3ZY86Bt+0
                                        MD5:87FC203CBBB62A9A54DF6DC6C05746DC
                                        SHA1:17FD595731DD4A17400EB51A1ED4DFE553DD5B8C
                                        SHA-256:F0C74501FA71948FD95D65EEA5697D3E5CED4D8F507F053D355C3A333DD0A29E
                                        SHA-512:08ED5ACC005284E127FDC2B76B2C19D9C86A65DB20DBEB8D6360CF4CEC263D199C095AC9DCC7858A756515C77B75221490DE9D4D605DB06C66D76A097B10AE6D
                                        Malicious:false
                                        Reputation:low
                                        Process:C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
                                        File Type:ASCII text, with very long lines (304), with no line terminators
                                        Category:dropped
                                        Size (bytes):304
                                        Entropy (8bit):4.14301130689188
                                        Encrypted:false
                                        SSDEEP:6:3CUzIrGx4igCDYUuTjAtLGafWWl2iEOQkAtj/jLsTzOwJT4HCALn:3CCF4igCDYA5Ga+Wl2iEOTAJryO8MHCu
                                        MD5:EF6FDEDE5EA8DBEF391FEC35BE82A5FC
                                        SHA1:6C88262F78E8B11651EEB6534F09C65CD0A8F8BB
                                        SHA-256:37B39724FD3B7FE48E1D65DA1A69BF4DBF809F34C67BAC7C4DA13F93DA9BE856
                                        SHA-512:5FB53ADEADB7C464A13EEECE64ADD35F972425D55447FFB84A277689BA3F4D5861A43B2883CB0744F98F164F2802C567F9969F777B98CE4609D28A64ED1101FD
                                        Malicious:false
                                        Reputation:low
                                        Preview:skydestigens dilettanist defmrkers,drmmene sprometrets taklingens crokinole ligegladestes,ultraremuneration dkketallerkners uncustomed filoversigterne.atomize koncentrationsevnens arthropodal epilepsis vakuums stabelvis lnregulering,catv skrivemaskinebordenes skydningerne.solanin godkendelsens gasogene.
                                        Process:C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):269664
                                        Entropy (8bit):1.2446463566225683
                                        Encrypted:false
                                        SSDEEP:768:3wSokH49c7ZKiDm+1Qer3C4XkGB3luG3fCHoEHKM/yP35tuIJ95oV31XfCp43UtM:55+1GbuKvP32IqV1fmPU0VicgRx
                                        MD5:084CDF1FE8920EACBC8DC0E839D9E5A7
                                        SHA1:5BB2E4E15941AC2AB4287A58F671B82DA5C9A384
                                        SHA-256:A6EB01651C833919FC27F9B7DD2B5C6D9F9DD8766BC7848679B5E664ECC6C8A7
                                        SHA-512:F856C41F540B7BD8233179CC752E63E4C88C1BBC38739B4FAF3DA09675B13FBC0219458AFE95D4C1DD481B35BB69DC9B66C2269C64B106DE3659A51CE9AE1B42
                                        Malicious:false
                                        Reputation:low
                                        Process:C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):131403
                                        Entropy (8bit):1.2526174536345023
                                        Encrypted:false
                                        SSDEEP:768:GGj5fMy6uanycN+gN/qEN+bHeC6roJdAGpeBgXU9ZWNAnu/Fkutb:L3l0fDkwaPA
                                        MD5:9AD6681DD2B309E6ACE142096F9E2870
                                        SHA1:5E02434342A98589A29B7E389E88DD4C60F09A8A
                                        SHA-256:576D2CD521891CF9C598B3CA0DADB89BD36CDE96B3F86F1CD27BF4FFCCE863CB
                                        SHA-512:28CFECE5E00AAB59758864503F4A9058EEF2FDFC8B73204ABF1E3B41011FBE5D9EAC3595E2EFA0E3B740B82F285B7EC8E42EA5DD42C39E5EFF39735A9C051CBB
                                        Malicious:false
                                        Reputation:low
                                        Process:C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):407199
                                        Entropy (8bit):1.2437541055056829
                                        Encrypted:false
                                        SSDEEP:1536:Jm/FJf9qdyY/zMFRdfxHg2jUsscLrP6d2i2SJ:Itlw7zMFHx/jUqOd2SJ
                                        MD5:D2D56C0A1BC3F0AE364C30A638393597
                                        SHA1:B564662188D504D42B22E18A487BF35503B87AF5
                                        SHA-256:E88BB71C91C537060F76CD2EF8633B767BFD720EFD7AF6F8300BA6883249EACB
                                        SHA-512:2756334999CFEE833DAC050193745C85D50A3884FCB18220243C1A71086B51E6FF6EB165189BE7748AABB6098F9BD693EB25E539D2ADE56486FA95CB297FD023
                                        Malicious:false
                                        Process:C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):186880
                                        Entropy (8bit):1.2601075629320995
                                        Encrypted:false
                                        SSDEEP:768:597pZQKUv2av3tuZ8qbY2vFhkyd8MBkwaKKKbwspvRxtm8dBct2pEW5x1dGkrKLB:Ve2aPPET8MOwaKGeR//1T9dO
                                        MD5:AA2CD52ABEA96B7E317691ADD713125D
                                        SHA1:B34046DE9D9A275896762FD53A2DFF2D382EAE56
                                        SHA-256:C6AD2DCC3B851E06A60FA705CBAA83AADBEC68B10E24CA667088E8153973A7B2
                                        SHA-512:AD454262C5804887A9596D5CFFCC64D86EB1ED92813A5A37F57D9FCCA21D9C2EF465E51F05879F65BABA7752252B9FEC6352CFB5F678B21D3412B6906EB07C26
                                        Malicious:false
                                        Process:C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                        Category:dropped
                                        Size (bytes):115746
                                        Entropy (8bit):2.663564699952671
                                        Encrypted:false
                                        SSDEEP:1536:qku528DVwwkDee3DypumYQlBJjspxVhcoG/5V79OeEbuw2W4Oep9Y4H:7M2oT8Gp8GABWWe
                                        MD5:3A3D3671B7BCCEDA2CE7A8E26AE6E470
                                        SHA1:9B78F8D751482C6AB6515066A3145433152DC678
                                        SHA-256:C2377F8B2ED11EEABCC20008F119F12EC7A3D1519BCEEBD5F749133A22704422
                                        SHA-512:D5BB8C5F439D09DEA4FDCA5FB29EF175C14F60AD4D8489FF3C37763FE2A5A50174253D45F1681C4A150DBA46F0E59768F5346205CAF9717330C1A0369ED0B269
                                        Malicious:false
                                        Process:C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):5632
                                        Entropy (8bit):3.817430038996001
                                        Encrypted:false
                                        SSDEEP:48:S46+/sTKYKxbWsptIp5tCZ0iVEAWyMEv9v/ft2O2B8mWofjLl:z+uPbO5tCZBVEAWyMEFv2Cm9L
                                        MD5:549EE11198143574F4D9953198A09FE8
                                        SHA1:2E89BA5F30E1C1C4CE517F28EC1505294BB6C4C1
                                        SHA-256:131AA0DF90C08DCE2EECEE46CCE8759E9AFFF04BF15B7B0002C2A53AE5E92C36
                                        SHA-512:0FB4CEA4FD320381FE50C52D1C198261F0347D6DCEE857917169FCC3E2083ED4933BEFF708E81D816787195CCA050F3F5F9C5AC9CC7F781831B028EF5714BEC8
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Joe Sandbox View:
                                         • Filename: TRIAL_ORDER_CP.exe, Detection: malicious
                                         • Filename: TRIAL_ORDER_CP.exe, Detection: malicious
                                         • Filename: Thermo Fisher RFQ_TFS-1805.xls, Detection: malicious
                                         • Filename: FedEx Shipping Confirmation.exe, Detection: malicious
                                         • Filename: IMG_00991ORDER_FILES.exe, Detection: malicious
                                         • Filename: FedEx Shipping Confirmation.exe, Detection: malicious
                                         • Filename: IMG_00991ORDER_FILES.exe, Detection: malicious
                                         • Filename: SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx, Detection: malicious
                                        Process:C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):12288
                                        Entropy (8bit):5.804946284177748
                                        Encrypted:false
                                        SSDEEP:192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
                                        MD5:192639861E3DC2DC5C08BB8F8C7260D5
                                        SHA1:58D30E460609E22FA0098BC27D928B689EF9AF78
                                        SHA-256:23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
                                        SHA-512:6E573D8B2EF6ED719E271FD0B2FD9CD451F61FC9A9459330108D6D7A65A0F64016303318CAD787AA1D5334BA670D8F1C7C13074E1BE550B4A316963ECC465CDC
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Joe Sandbox View:
                                         • Filename: TRIAL_ORDER_CP.exe, Detection: malicious
                                         • Filename: TRIAL_ORDER_CP.exe, Detection: malicious
                                         • Filename: Thermo Fisher RFQ_TFS-1805.xls, Detection: malicious
                                         • Filename: FedEx Shipping Confirmation.exe, Detection: malicious
                                         • Filename: IMG_00991ORDER_FILES.exe, Detection: malicious
                                         • Filename: FedEx Shipping Confirmation.exe, Detection: malicious
                                         • Filename: IMG_00991ORDER_FILES.exe, Detection: malicious
                                         • Filename: SecuriteInfo.com.Trojan-Downloader.Office.Doc.30581.16938.xlsx, Detection: malicious
                                         • Filename: AKgHw6grDP.exe, Detection: malicious
                                         • Filename: AKgHw6grDP.exe, Detection: malicious
                                        Process:C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):4096
                                        Entropy (8bit):3.3415738744933092
                                        Encrypted:false
                                        SSDEEP:48:qK5HC+J4apHT1wH8l9QcXygHg0ZShMmj3jk6TbGr7X:5QiRzuHOXTA0H6jk6nGr7X
                                        MD5:F8B6DD1F9620BE4EF2AD1E81FB6B79FA
                                        SHA1:F06C8C8650335BACE41C8DBE73307CBE4E61B3B1
                                        SHA-256:A921CC9CC4AF332BE96186D60D2539CB413DFA44CFD73E85687F9338505FF85E
                                        SHA-512:F15811088ECDE4CD0C038DB2C278B7214E41728E382B25C65C2EB491BC0379C075841398E8C99E8CCEBA8BE7E8342BC69D35836EBE9B12EBEBFF48D01D5FA61A
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):9728
                                        Entropy (8bit):5.157714967617029
                                        Encrypted:false
                                        SSDEEP:96:ooEv02zUu56FcS817eTaXx85qHFcUcxSgB5PKtAtoniJninnt3DVEB3YMNqkzfFc:ooEvCu5e81785qHFcU0PuAw0uyyIFc
                                        MD5:B7D61F3F56ABF7B7FF0D4E7DA3AD783D
                                        SHA1:15AB5219C0E77FD9652BC62FF390B8E6846C8E3E
                                        SHA-256:89A82C4849C21DFE765052681E1FAD02D2D7B13C8B5075880C52423DCA72A912
                                        SHA-512:6467C0DE680FADB8078BDAA0D560D2B228F5A22D4D8358A1C7D564C6EBCEFACE5D377B870EAF8985FBEE727001DA569867554154D568E3B37F674096BBAFAFB8
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Process:C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):7168
                                        Entropy (8bit):5.295306975422517
                                        Encrypted:false
                                        SSDEEP:96:JgzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuHIDQ:JDQHDb2vSuOc41ZfUNQZGdHA
                                        MD5:11092C1D3FBB449A60695C44F9F3D183
                                        SHA1:B89D614755F2E943DF4D510D87A7FC1A3BCF5A33
                                        SHA-256:2CD3A2D4053954DB1196E2526545C36DFC138C6DE9B81F6264632F3132843C77
                                        SHA-512:C182E0A1F0044B67B4B9FB66CEF9C4955629F6811D98BBFFA99225B03C43C33B1E85CACABB39F2C45EAD81CD85E98B201D5F9DA4EE0038423B1AD947270C134A
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Entropy (8bit):7.94032852740242
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:Thermo Fisher RFQ_TFS-1207.com.exe
                                        File size:605'160 bytes
                                        MD5:9768c048c979aeeeeb051574d452b626
                                        SHA1:414d48d77fc71d29e58a92d02fa2d770fb854339
                                        SHA256:19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba
                                        SHA512:9153c973c3ed1f5f1964671e084b1bd764d9850fd87feab3a78acf417178d8f32ee6c16c044020979066bf4b2ad7e2e1e3449a7df3954f78ab9ce9ea649c9bce
                                        SSDEEP:12288:QG05Z3OJwnoJIn8f/FAOeanklK9N8QGMi7B1mSwIhCjVnj:QGz4om8ftAOLKwuQWB1mSlCjVj
                                        TLSH:DDD42212D7A0B613D8A2A7356D3D7DE78D3A8C1C5A39D23537113B1A3FB61821D8DE06
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..O@../O...@...c...@..+F...@..Rich.@..........................PE..L....C.f.................h....:....
                                        Icon Hash:0f3341494d490706
                                        Entrypoint:0x40352f
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x660843EA [Sat Mar 30 16:55:06 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f4639a0b3116c2cfc71144b88a929cfd
                                        Instruction
                                        sub esp, 000003F8h
                                        push ebp
                                        push esi
                                        push edi
                                        push 00000020h
                                        pop edi
                                        xor ebp, ebp
                                        push 00008001h
                                        mov dword ptr [esp+20h], ebp
                                        mov dword ptr [esp+18h], 0040A2D8h
                                        mov dword ptr [esp+14h], ebp
                                        call dword ptr [004080A4h]
                                        mov esi, dword ptr [004080A8h]
                                        lea eax, dword ptr [esp+34h]
                                        push eax
                                        mov dword ptr [esp+4Ch], ebp
                                        mov dword ptr [esp+0000014Ch], ebp
                                        mov dword ptr [esp+00000150h], ebp
                                        mov dword ptr [esp+38h], 0000011Ch
                                        call esi
                                        test eax, eax
                                        jne 00007F1C607F515Ah
                                        lea eax, dword ptr [esp+34h]
                                        mov dword ptr [esp+34h], 00000114h
                                        push eax
                                        call esi
                                        mov ax, word ptr [esp+48h]
                                        mov ecx, dword ptr [esp+62h]
                                        sub ax, 00000053h
                                        add ecx, FFFFFFD0h
                                        neg ax
                                        sbb eax, eax
                                        mov byte ptr [esp+0000014Eh], 00000004h
                                        not eax
                                        and eax, ecx
                                        mov word ptr [esp+00000148h], ax
                                        cmp dword ptr [esp+38h], 0Ah
                                        jnc 00007F1C607F5128h
                                        and word ptr [esp+42h], 0000h
                                        mov eax, dword ptr [esp+40h]
                                        movzx ecx, byte ptr [esp+3Ch]
                                        mov dword ptr [007A8318h], eax
                                        xor eax, eax
                                        mov ah, byte ptr [esp+38h]
                                        movzx eax, ax
                                        or eax, ecx
                                        xor ecx, ecx
                                        mov ch, byte ptr [esp+00000148h]
                                        movzx ecx, cx
                                        shl eax, 10h
                                        or eax, ecx
                                        movzx ecx, byte ptr [esp+0000004Eh]
                                        Programming Language:
                                        • [EXP] VC++ 6.0 SP5 build 8804
                                         Name                                  | Virtual Address | Virtual Size | Is in Section
                                         IMAGE_DIRECTORY_ENTRY_EXPORT          | 0x0             | 0x0          |
                                         IMAGE_DIRECTORY_ENTRY_IMPORT          | 0x84fc          | 0xa0         | .rdata
                                         IMAGE_DIRECTORY_ENTRY_RESOURCE        | 0x3d7000        | 0x5bd8       | .rsrc
                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION       | 0x0             | 0x0          |
                                         IMAGE_DIRECTORY_ENTRY_SECURITY        | 0x0             | 0x0          |
                                         IMAGE_DIRECTORY_ENTRY_BASERELOC       | 0x0             | 0x0          |
                                         IMAGE_DIRECTORY_ENTRY_DEBUG           | 0x0             | 0x0          |
                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT       | 0x0             | 0x0          |
                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR       | 0x0             | 0x0          |
                                         IMAGE_DIRECTORY_ENTRY_TLS             | 0x0             | 0x0          |
                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     | 0x0             | 0x0          |
                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    | 0x0             | 0x0          |
                                         IMAGE_DIRECTORY_ENTRY_IAT             | 0x8000          | 0x2a8        | .rdata
                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    | 0x0             | 0x0          |
                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  | 0x0             | 0x0          |
                                         IMAGE_DIRECTORY_ENTRY_RESERVED        | 0x0             | 0x0          |
                                         Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy            | Characteristics
                                         .text  | 0x1000          | 0x66d1       | 0x6800   | 1cb1571d2754df0a2b7df66b1b8d9089 | False    | 0.6727388822115384 | data      | 6.4708065613184305 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                         .rdata | 0x8000          | 0x1358       | 0x1400   | f0b500ff912dda10f31f36da3efc8a1e | False    | 0.44296875         | data      | 5.102094016108248  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         .data  | 0xa000          | 0x39e378     | 0x600    | 92e7d2d711bd61815cb4cc2d30d795b1 | unknown  | unknown            | unknown   | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                         .ndata | 0x3a9000        | 0x2e000      | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                  | empty     | 0.0                | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                         .rsrc  | 0x3d7000        | 0x5bd8       | 0x5c00   | 404c9a09ca105dd1961875fba238a9ee | False    | 0.4190726902173913 | data      | 4.970988770122037  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                         Name          | RVA      | Size   | Type                                                                               | Language | Country       | ZLIB Complexity
                                         RT_ICON       | 0x3d7238 | 0x5000 | Device independent bitmap graphic, 70 x 140 x 32, image size 19600                 | English  | United States | 0.413525390625
                                         RT_DIALOG     | 0x3dc238 | 0xb8   | data                                                                               | English  | United States | 0.6467391304347826
                                         RT_DIALOG     | 0x3dc2f0 | 0x144  | data                                                                               | English  | United States | 0.5216049382716049
                                         RT_DIALOG     | 0x3dc438 | 0x100  | data                                                                               | English  | United States | 0.5234375
                                         RT_DIALOG     | 0x3dc538 | 0x11c  | data                                                                               | English  | United States | 0.6056338028169014
                                         RT_DIALOG     | 0x3dc658 | 0x60   | data                                                                               | English  | United States | 0.7291666666666666
                                         RT_GROUP_ICON | 0x3dc6b8 | 0x14   | data                                                                               | English  | United States | 1.1
                                         RT_VERSION    | 0x3dc6d0 | 0x274  | data                                                                               | English  | United States | 0.49203821656050956
                                         RT_MANIFEST   | 0x3dc948 | 0x290  | XML 1.0 document, ASCII text, with very long lines (656), with no line terminators | English  | United States | 0.5625
                                         DLL | Import
                                         ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
                                         SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
                                         ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
                                         COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
                                         USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
                                         GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
                                         KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
                                         Language of compilation system | Country where language is spoken
                                         English | United States
                                        No network behavior found

                                        Target ID:0
                                        Start time:15:46:41
                                        Start date:29/08/2024
                                        Path:C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"
                                        Imagebase:0x400000
                                        File size:605'160 bytes
                                        MD5 hash:9768C048C979AEEEEB051574D452B626
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.4125826655.0000000007159000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false


                                          Execution Graph

                                          Execution Coverage:23%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:16%
                                          Total number of Nodes:1590
                                          Total number of Limit Nodes:42
                                          Execution graph node/edge listing (rendered as an interactive graph in the original report; the raw node and edge dump is omitted here). Nodes at 0x401000-0x406fff belong to the main image (Imagebase 0x400000) and call installer-style UI, registry, process and file routines such as GetDlgItem, SHBrowseForFolderW, RegOpenKeyExW, CreateProcessW, WritePrivateProfileStringW and MoveFileExW. A second group of nodes at roughly 0x73ac1000-0x73ac2e6e lies outside the main image and calls GlobalAlloc/GlobalFree, CreateFileA, VirtualAlloc (0x73ac27b2), VirtualProtect (0x73ac2a8f) and VirtualFree (0x73ac1757).
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5729 73ac1312 2 API calls 5726->5729 5727->5726 5728 73ac19d1 GlobalFree 5727->5728 5728->5726 5730 73ac1b6e GlobalFree GlobalFree 5729->5730 5731 401a97 5732 402da9 21 API calls 5731->5732 5733 401aa0 5732->5733 5734 402da9 21 API calls 5733->5734 5735 401a45 5734->5735 4461 405718 4462 4058c2 4461->4462 4463 405739 GetDlgItem GetDlgItem GetDlgItem 4461->4463 4465 4058f3 4462->4465 4466 4058cb GetDlgItem CreateThread FindCloseChangeNotification 4462->4466 4507 404508 SendMessageW 4463->4507 4468 40591e 4465->4468 4469 405943 4465->4469 4470 40590a ShowWindow ShowWindow 4465->4470 4466->4465 4510 4056ac OleInitialize 4466->4510 4467 4057a9 4473 4057b0 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4467->4473 4471 40592a 4468->4471 4472 40597e 4468->4472 4477 40453a 8 API calls 4469->4477 4509 404508 SendMessageW 4470->4509 4475 405932 4471->4475 4476 405958 ShowWindow 4471->4476 4472->4469 4480 40598c SendMessageW 4472->4480 4478 405802 SendMessageW SendMessageW 4473->4478 4479 40581e 4473->4479 4481 4044ac SendMessageW 4475->4481 4482 405978 4476->4482 4483 40596a 4476->4483 4488 405951 4477->4488 4478->4479 4486 405831 4479->4486 4487 405823 SendMessageW 4479->4487 4480->4488 4489 4059a5 CreatePopupMenu 4480->4489 4481->4469 4485 4044ac SendMessageW 4482->4485 4484 4055d9 28 API calls 4483->4484 4484->4482 4485->4472 4491 4044d3 22 API calls 4486->4491 4487->4486 4490 406591 21 API calls 4489->4490 4492 4059b5 AppendMenuW 4490->4492 4493 405841 4491->4493 4494 4059d2 GetWindowRect 4492->4494 4495 4059e5 TrackPopupMenu 4492->4495 4496 40584a ShowWindow 4493->4496 4497 40587e GetDlgItem SendMessageW 4493->4497 4494->4495 4495->4488 4499 405a00 4495->4499 4500 405860 ShowWindow 4496->4500 4501 40586d 4496->4501 4497->4488 4498 4058a5 SendMessageW SendMessageW 4497->4498 4498->4488 4502 405a1c SendMessageW 4499->4502 4500->4501 4508 404508 SendMessageW 4501->4508 4502->4502 4503 405a39 OpenClipboard 
EmptyClipboard GlobalAlloc GlobalLock 4502->4503 4505 405a5e SendMessageW 4503->4505 4505->4505 4506 405a87 GlobalUnlock SetClipboardData CloseClipboard 4505->4506 4506->4488 4507->4467 4508->4497 4509->4468 4511 40451f SendMessageW 4510->4511 4512 4056cf 4511->4512 4515 401389 2 API calls 4512->4515 4516 4056f6 4512->4516 4513 40451f SendMessageW 4514 405708 OleUninitialize 4513->4514 4515->4512 4516->4513 4517 73ac1774 4518 73ac17a3 4517->4518 4541 73ac1bff 4518->4541 4520 73ac17aa 4521 73ac17bd 4520->4521 4522 73ac17b1 4520->4522 4524 73ac17e4 4521->4524 4525 73ac17c7 4521->4525 4523 73ac1312 2 API calls 4522->4523 4529 73ac17bb 4523->4529 4527 73ac180e 4524->4527 4528 73ac17ea 4524->4528 4575 73ac15dd wsprintfW 4525->4575 4530 73ac15dd 3 API calls 4527->4530 4532 73ac1654 3 API calls 4528->4532 4530->4529 4534 73ac17ef 4532->4534 4535 73ac1312 2 API calls 4534->4535 4537 73ac17f5 GlobalFree 4535->4537 4537->4529 4539 73ac1809 GlobalFree 4537->4539 4539->4529 4586 73ac12bb GlobalAlloc 4541->4586 4543 73ac1c26 4587 73ac12bb GlobalAlloc 4543->4587 4545 73ac1e6b GlobalFree GlobalFree GlobalFree 4546 73ac1e88 4545->4546 4559 73ac1ed2 4545->4559 4547 73ac227e 4546->4547 4554 73ac1e9d 4546->4554 4546->4559 4549 73ac22a0 GetModuleHandleW 4547->4549 4547->4559 4548 73ac1d26 GlobalAlloc 4565 73ac1c31 4548->4565 4551 73ac22c6 4549->4551 4552 73ac22b1 LoadLibraryW 4549->4552 4550 73ac1d8f GlobalFree 4550->4565 4594 73ac16bd WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4551->4594 4552->4551 4552->4559 4553 73ac1d71 lstrcpyW 4556 73ac1d7b lstrcpyW 4553->4556 4554->4559 4590 73ac12cc 4554->4590 4556->4565 4557 73ac2318 4557->4559 4562 73ac2325 lstrlenW 4557->4562 4558 73ac2126 4593 73ac12bb GlobalAlloc 4558->4593 4559->4520 4595 73ac16bd WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4562->4595 4563 73ac22d8 4563->4557 4573 73ac2302 GetProcAddress 4563->4573 4565->4545 4565->4548 4565->4550 4565->4553 4565->4556 
4565->4558 4565->4559 4566 73ac2067 GlobalFree 4565->4566 4567 73ac21ae 4565->4567 4568 73ac1dcd 4565->4568 4570 73ac12cc 2 API calls 4565->4570 4566->4565 4567->4559 4572 73ac2216 lstrcpyW 4567->4572 4568->4565 4588 73ac162f GlobalSize GlobalAlloc 4568->4588 4569 73ac233f 4569->4559 4570->4565 4572->4559 4573->4557 4574 73ac212f 4574->4520 4576 73ac1312 2 API calls 4575->4576 4577 73ac15fe 4576->4577 4578 73ac1654 4577->4578 4597 73ac12bb GlobalAlloc 4578->4597 4580 73ac1659 4598 73ac1666 4580->4598 4583 73ac1312 4584 73ac131b GlobalAlloc lstrcpynW 4583->4584 4585 73ac1355 CloseHandle 4583->4585 4584->4585 4585->4529 4586->4543 4587->4565 4589 73ac164d 4588->4589 4589->4568 4596 73ac12bb GlobalAlloc 4590->4596 4592 73ac12db lstrcpynW 4592->4559 4593->4574 4594->4563 4595->4569 4596->4592 4597->4580 4599 73ac169f lstrcpyW 4598->4599 4600 73ac1672 wsprintfW 4598->4600 4603 73ac1663 4599->4603 4600->4603 4603->4583 4604 401598 4605 4015b1 4604->4605 4606 4015a8 ShowWindow 4604->4606 4607 402c4f 4605->4607 4608 4015bf ShowWindow 4605->4608 4606->4605 4608->4607 4609 402419 4610 402dcb 21 API calls 4609->4610 4611 402428 4610->4611 4612 402dcb 21 API calls 4611->4612 4613 402431 4612->4613 4614 402dcb 21 API calls 4613->4614 4615 40243b GetPrivateProfileStringW 4614->4615 5736 404d1a 5737 404d46 5736->5737 5738 404d2a 5736->5738 5740 404d79 5737->5740 5741 404d4c SHGetPathFromIDListW 5737->5741 5747 405b98 GetDlgItemTextW 5738->5747 5743 404d5c 5741->5743 5746 404d63 SendMessageW 5741->5746 5742 404d37 SendMessageW 5742->5737 5744 40140b 2 API calls 5743->5744 5744->5746 5746->5740 5747->5742 5748 40201b 5749 402dcb 21 API calls 5748->5749 5750 402022 5749->5750 5751 4068b1 2 API calls 5750->5751 5752 402028 5751->5752 5754 402039 5752->5754 5755 40649b wsprintfW 5752->5755 5755->5754 5756 401b9c 5757 402dcb 21 API calls 5756->5757 5758 401ba3 5757->5758 5759 402da9 21 API calls 5758->5759 5760 401bac wsprintfW 5759->5760 5761 402c4f 5760->5761 5762 40149e 5763 4023c2 
5762->5763 5764 4014ac PostQuitMessage 5762->5764 5764->5763 5765 4016a0 5766 402dcb 21 API calls 5765->5766 5767 4016a7 5766->5767 5768 402dcb 21 API calls 5767->5768 5769 4016b0 5768->5769 5770 402dcb 21 API calls 5769->5770 5771 4016b9 MoveFileW 5770->5771 5772 4016c5 5771->5772 5773 4016cc 5771->5773 5774 401423 28 API calls 5772->5774 5775 4068b1 2 API calls 5773->5775 5777 40231b 5773->5777 5774->5777 5776 4016db 5775->5776 5776->5777 5778 406314 40 API calls 5776->5778 5778->5772 5779 401a24 5780 402dcb 21 API calls 5779->5780 5781 401a2b 5780->5781 5782 402dcb 21 API calls 5781->5782 5783 401a34 5782->5783 5784 401a3b lstrcmpiW 5783->5784 5785 401a4d lstrcmpW 5783->5785 5786 401a41 5784->5786 5785->5786 5787 402324 5788 402dcb 21 API calls 5787->5788 5789 40232a 5788->5789 5790 402dcb 21 API calls 5789->5790 5791 402333 5790->5791 5792 402dcb 21 API calls 5791->5792 5793 40233c 5792->5793 5794 4068b1 2 API calls 5793->5794 5795 402345 5794->5795 5796 402356 lstrlenW lstrlenW 5795->5796 5800 402349 5795->5800 5798 4055d9 28 API calls 5796->5798 5797 4055d9 28 API calls 5801 402351 5797->5801 5799 402394 SHFileOperationW 5798->5799 5799->5800 5799->5801 5800->5797 5800->5801 5802 401da6 5803 401db9 GetDlgItem 5802->5803 5804 401dac 5802->5804 5806 401db3 5803->5806 5805 402da9 21 API calls 5804->5805 5805->5806 5807 401dfa GetClientRect LoadImageW SendMessageW 5806->5807 5809 402dcb 21 API calls 5806->5809 5810 401e58 5807->5810 5812 401e64 5807->5812 5809->5807 5811 401e5d DeleteObject 5810->5811 5810->5812 5811->5812 5813 4023a8 5814 4023af 5813->5814 5817 4023c2 5813->5817 5815 406591 21 API calls 5814->5815 5816 4023bc 5815->5816 5816->5817 5818 405bb4 MessageBoxIndirectW 5816->5818 5818->5817 5819 402c2a SendMessageW 5820 402c44 InvalidateRect 5819->5820 5821 402c4f 5819->5821 5820->5821 4767 40352f SetErrorMode GetVersionExW 4768 403583 GetVersionExW 4767->4768 4769 4035bb 4767->4769 4768->4769 4770 403612 4769->4770 4771 406948 5 API calls 4769->4771 
4772 4068d8 3 API calls 4770->4772 4771->4770 4773 403628 lstrlenA 4772->4773 4773->4770 4774 403638 4773->4774 4775 406948 5 API calls 4774->4775 4776 40363f 4775->4776 4777 406948 5 API calls 4776->4777 4778 403646 4777->4778 4779 406948 5 API calls 4778->4779 4780 403652 #17 OleInitialize SHGetFileInfoW 4779->4780 4855 406554 lstrcpynW 4780->4855 4783 4036a1 GetCommandLineW 4856 406554 lstrcpynW 4783->4856 4785 4036b3 4786 405e50 CharNextW 4785->4786 4787 4036d9 CharNextW 4786->4787 4792 4036eb 4787->4792 4788 4037ed 4789 403801 GetTempPathW 4788->4789 4857 4034fe 4789->4857 4791 403819 4793 403873 DeleteFileW 4791->4793 4794 40381d GetWindowsDirectoryW lstrcatW 4791->4794 4792->4788 4795 405e50 CharNextW 4792->4795 4801 4037ef 4792->4801 4867 4030a2 GetTickCount GetModuleFileNameW 4793->4867 4796 4034fe 12 API calls 4794->4796 4795->4792 4798 403839 4796->4798 4798->4793 4800 40383d GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 4798->4800 4799 403887 4805 405e50 CharNextW 4799->4805 4837 40392e 4799->4837 4846 40393e 4799->4846 4803 4034fe 12 API calls 4800->4803 4951 406554 lstrcpynW 4801->4951 4807 40386b 4803->4807 4816 4038a6 4805->4816 4807->4793 4807->4846 4809 403ab0 4812 403b34 ExitProcess 4809->4812 4813 403ab8 GetCurrentProcess OpenProcessToken 4809->4813 4810 403a8c 4811 405bb4 MessageBoxIndirectW 4810->4811 4815 403a9a ExitProcess 4811->4815 4817 403ad0 LookupPrivilegeValueW AdjustTokenPrivileges 4813->4817 4818 403b04 4813->4818 4819 403904 4816->4819 4820 403947 4816->4820 4817->4818 4822 406948 5 API calls 4818->4822 4823 405f2b 18 API calls 4819->4823 4821 405b1f 5 API calls 4820->4821 4824 40394c lstrlenW 4821->4824 4825 403b0b 4822->4825 4826 403910 4823->4826 4954 406554 lstrcpynW 4824->4954 4828 403b20 ExitWindowsEx 4825->4828 4830 403b2d 4825->4830 4826->4846 4952 406554 lstrcpynW 4826->4952 4828->4812 4828->4830 4829 403966 4832 40397e 4829->4832 4955 406554 lstrcpynW 4829->4955 4833 40140b 2 API calls 4830->4833 
4838 4039a4 wsprintfW 4832->4838 4853 4039d0 4832->4853 4833->4812 4834 403923 4953 406554 lstrcpynW 4834->4953 4895 403c26 4837->4895 4839 406591 21 API calls 4838->4839 4839->4832 4840 405aa8 2 API calls 4840->4853 4841 405b02 2 API calls 4841->4853 4842 4039e0 GetFileAttributesW 4844 4039ec DeleteFileW 4842->4844 4842->4853 4843 403a1a SetCurrentDirectoryW 4845 406314 40 API calls 4843->4845 4844->4853 4847 403a29 CopyFileW 4845->4847 4956 403b4c 4846->4956 4847->4846 4847->4853 4848 405c60 71 API calls 4848->4853 4849 406314 40 API calls 4849->4853 4850 406591 21 API calls 4850->4853 4851 405b37 2 API calls 4851->4853 4852 403aa2 CloseHandle 4852->4846 4853->4832 4853->4838 4853->4840 4853->4841 4853->4842 4853->4843 4853->4846 4853->4848 4853->4849 4853->4850 4853->4851 4853->4852 4854 4068b1 2 API calls 4853->4854 4854->4853 4855->4783 4856->4785 4858 406802 5 API calls 4857->4858 4859 40350a 4858->4859 4860 403514 4859->4860 4861 405e23 3 API calls 4859->4861 4860->4791 4862 40351c 4861->4862 4863 405b02 2 API calls 4862->4863 4864 403522 4863->4864 4865 406073 2 API calls 4864->4865 4866 40352d 4865->4866 4866->4791 4963 406044 GetFileAttributesW CreateFileW 4867->4963 4869 4030e2 4888 4030f2 4869->4888 4964 406554 lstrcpynW 4869->4964 4871 403108 4872 405e6f 2 API calls 4871->4872 4873 40310e 4872->4873 4965 406554 lstrcpynW 4873->4965 4875 403119 GetFileSize 4876 403213 4875->4876 4894 403130 4875->4894 4966 40303e 4876->4966 4878 40321c 4880 40324c GlobalAlloc 4878->4880 4878->4888 4978 4034e7 SetFilePointer 4878->4978 4879 4034d1 ReadFile 4879->4894 4977 4034e7 SetFilePointer 4880->4977 4883 40327f 4885 40303e 6 API calls 4883->4885 4884 403267 4887 4032d9 35 API calls 4884->4887 4885->4888 4886 403235 4889 4034d1 ReadFile 4886->4889 4892 403273 4887->4892 4888->4799 4890 403240 4889->4890 4890->4880 4890->4888 4891 40303e 6 API calls 4891->4894 4892->4888 4892->4892 4893 4032b0 SetFilePointer 4892->4893 4893->4888 4894->4876 4894->4879 4894->4883 
4894->4888 4894->4891 4896 406948 5 API calls 4895->4896 4897 403c3a 4896->4897 4898 403c40 4897->4898 4899 403c52 4897->4899 4987 40649b wsprintfW 4898->4987 4900 406422 3 API calls 4899->4900 4901 403c82 4900->4901 4903 403ca1 lstrcatW 4901->4903 4905 406422 3 API calls 4901->4905 4904 403c50 4903->4904 4979 403efc 4904->4979 4905->4903 4908 405f2b 18 API calls 4909 403cd3 4908->4909 4910 403d67 4909->4910 4912 406422 3 API calls 4909->4912 4911 405f2b 18 API calls 4910->4911 4913 403d6d 4911->4913 4914 403d05 4912->4914 4915 403d7d LoadImageW 4913->4915 4916 406591 21 API calls 4913->4916 4914->4910 4920 403d26 lstrlenW 4914->4920 4923 405e50 CharNextW 4914->4923 4917 403e23 4915->4917 4918 403da4 RegisterClassW 4915->4918 4916->4915 4919 40140b 2 API calls 4917->4919 4921 403dda SystemParametersInfoW CreateWindowExW 4918->4921 4950 403e2d 4918->4950 4922 403e29 4919->4922 4924 403d34 lstrcmpiW 4920->4924 4925 403d5a 4920->4925 4921->4917 4930 403efc 22 API calls 4922->4930 4922->4950 4928 403d23 4923->4928 4924->4925 4926 403d44 GetFileAttributesW 4924->4926 4927 405e23 3 API calls 4925->4927 4929 403d50 4926->4929 4931 403d60 4927->4931 4928->4920 4929->4925 4932 405e6f 2 API calls 4929->4932 4933 403e3a 4930->4933 4988 406554 lstrcpynW 4931->4988 4932->4925 4935 403e46 ShowWindow 4933->4935 4936 403ec9 4933->4936 4938 4068d8 3 API calls 4935->4938 4937 4056ac 5 API calls 4936->4937 4939 403ecf 4937->4939 4940 403e5e 4938->4940 4941 403ed3 4939->4941 4942 403eeb 4939->4942 4943 403e6c GetClassInfoW 4940->4943 4945 4068d8 3 API calls 4940->4945 4948 40140b 2 API calls 4941->4948 4941->4950 4944 40140b 2 API calls 4942->4944 4946 403e80 GetClassInfoW RegisterClassW 4943->4946 4947 403e96 DialogBoxParamW 4943->4947 4944->4950 4945->4943 4946->4947 4949 40140b 2 API calls 4947->4949 4948->4950 4949->4950 4950->4846 4951->4789 4952->4834 4953->4837 4954->4829 4955->4832 4957 403b64 4956->4957 4958 403b56 CloseHandle 4956->4958 4990 403b91 4957->4990 4958->4957 4961 
405c60 71 API calls 4962 403a7f OleUninitialize 4961->4962 4962->4809 4962->4810 4963->4869 4964->4871 4965->4875 4967 403047 4966->4967 4968 40305f 4966->4968 4969 403050 DestroyWindow 4967->4969 4970 403057 4967->4970 4971 403067 4968->4971 4972 40306f GetTickCount 4968->4972 4969->4970 4970->4878 4973 406984 2 API calls 4971->4973 4974 4030a0 4972->4974 4975 40307d CreateDialogParamW ShowWindow 4972->4975 4976 40306d 4973->4976 4974->4878 4975->4974 4976->4878 4977->4884 4978->4886 4980 403f10 4979->4980 4989 40649b wsprintfW 4980->4989 4982 403f81 4983 403fb5 22 API calls 4982->4983 4985 403f86 4983->4985 4984 403cb1 4984->4908 4985->4984 4986 406591 21 API calls 4985->4986 4986->4985 4987->4904 4988->4910 4989->4982 4991 403b9f 4990->4991 4992 403b69 4991->4992 4993 403ba4 FreeLibrary GlobalFree 4991->4993 4992->4961 4993->4992 4993->4993 4994 4024af 4995 402dcb 21 API calls 4994->4995 4996 4024c1 4995->4996 4997 402dcb 21 API calls 4996->4997 4998 4024cb 4997->4998 5011 402e5b 4998->5011 5001 402c4f 5002 402503 5005 402da9 21 API calls 5002->5005 5007 40250f 5002->5007 5003 402dcb 21 API calls 5004 4024f9 lstrlenW 5003->5004 5004->5002 5005->5007 5006 40252e RegSetValueExW 5008 402544 RegCloseKey 5006->5008 5007->5006 5009 4032d9 35 API calls 5007->5009 5008->5001 5009->5006 5012 402e76 5011->5012 5015 4063ef 5012->5015 5016 4063fe 5015->5016 5017 4024db 5016->5017 5018 406409 RegCreateKeyExW 5016->5018 5017->5001 5017->5002 5017->5003 5018->5017 5822 73ac2d43 5823 73ac2d5b 5822->5823 5824 73ac162f 2 API calls 5823->5824 5825 73ac2d76 5824->5825 5019 402930 5020 402dcb 21 API calls 5019->5020 5021 402937 FindFirstFileW 5020->5021 5022 40294a 5021->5022 5023 40295f 5021->5023 5024 402968 5023->5024 5027 40649b wsprintfW 5023->5027 5028 406554 lstrcpynW 5024->5028 5027->5024 5028->5022 5826 401931 5827 401968 5826->5827 5828 402dcb 21 API calls 5827->5828 5829 40196d 5828->5829 5830 405c60 71 API calls 5829->5830 5831 401976 5830->5831 5029 73ac1058 5031 
73ac1074 5029->5031 5030 73ac10dd 5031->5030 5032 73ac1092 5031->5032 5043 73ac15b6 5031->5043 5034 73ac15b6 GlobalFree 5032->5034 5035 73ac10a2 5034->5035 5036 73ac10a9 GlobalSize 5035->5036 5037 73ac10b2 5035->5037 5036->5037 5038 73ac10c8 5037->5038 5039 73ac10b6 GlobalAlloc 5037->5039 5042 73ac10d2 GlobalFree 5038->5042 5040 73ac15dd 3 API calls 5039->5040 5041 73ac10c7 5040->5041 5041->5038 5042->5030 5045 73ac15bc 5043->5045 5044 73ac15c2 5044->5032 5045->5044 5046 73ac15ce GlobalFree 5045->5046 5046->5032 5832 401934 5833 402dcb 21 API calls 5832->5833 5834 40193b 5833->5834 5835 405bb4 MessageBoxIndirectW 5834->5835 5836 401944 5835->5836 5047 4028b6 5048 4028bd 5047->5048 5049 402bce 5047->5049 5050 402da9 21 API calls 5048->5050 5051 4028c4 5050->5051 5052 4028d3 SetFilePointer 5051->5052 5052->5049 5053 4028e3 5052->5053 5055 40649b wsprintfW 5053->5055 5055->5049 5837 401f37 5838 402dcb 21 API calls 5837->5838 5839 401f3d 5838->5839 5840 402dcb 21 API calls 5839->5840 5841 401f46 5840->5841 5842 402dcb 21 API calls 5841->5842 5843 401f4f 5842->5843 5844 402dcb 21 API calls 5843->5844 5845 401f58 5844->5845 5846 401423 28 API calls 5845->5846 5847 401f5f 5846->5847 5854 405b7a ShellExecuteExW 5847->5854 5849 401fa7 5850 4069f3 5 API calls 5849->5850 5851 402953 5849->5851 5852 401fc4 CloseHandle 5850->5852 5852->5851 5854->5849 5855 4014b8 5856 4014be 5855->5856 5857 401389 2 API calls 5856->5857 5858 4014c6 5857->5858 5859 402fb8 5860 402fe3 5859->5860 5861 402fca SetTimer 5859->5861 5862 403038 5860->5862 5863 402ffd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5860->5863 5861->5860 5863->5862 5864 401d3c 5865 402da9 21 API calls 5864->5865 5866 401d42 IsWindow 5865->5866 5867 401a45 5866->5867

Control-flow Graph (function 0040352f; legend: Executed / Not Executed)
[Graph residue omitted: block-level edge list for the entry function starting at 0040352f (SetErrorMode, GetVersionExW), which reaches the temp-path setup, DeleteFileW, CopyFileW, CreateProcessW, the SeShutdownPrivilege / ExitWindowsEx path and ExitProcess. The resolved calls are listed under APIs.]
                                          APIs
                                          • SetErrorMode.KERNELBASE ref: 00403552
                                          • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040357D
                                          • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403590
                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 00403629
                                          • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403666
                                          • OleInitialize.OLE32(00000000), ref: 0040366D
                                          • SHGetFileInfoW.SHELL32(0079F708,00000000,?,000002B4,00000000), ref: 0040368C
                                          • GetCommandLineW.KERNEL32(007A7260,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A1
                                          • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe",00000020,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036DA
                                          • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403812
                                          • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403823
                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040382F
                                          • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403843
                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040384B
                                          • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385C
                                          • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403864
                                          • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403878
                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403951
                                            • Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406561
                                          • wsprintfW.USER32 ref: 004039AE
                                          • GetFileAttributesW.KERNEL32(868,C:\Users\user\AppData\Local\Temp\), ref: 004039E1
                                          • DeleteFileW.KERNEL32(868), ref: 004039ED
                                          • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1B
                                            • Part of subcall function 00406314: MoveFileExW.KERNEL32(?,?,00000005,00405E12,?,00000000,000000F1,?,?,?,?,?), ref: 0040631E
                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,868,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A31
                                            • Part of subcall function 00405B37: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?,?,?,868,?), ref: 00405B60
                                            • Part of subcall function 00405B37: CloseHandle.KERNEL32(?,?,?,868,?), ref: 00405B6D
                                            • Part of subcall function 004068B1: FindFirstFileW.KERNELBASE(74DF3420,007A4798,007A3F50,00405F74,007A3F50,007A3F50,00000000,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BC
                                            • Part of subcall function 004068B1: FindClose.KERNEL32(00000000), ref: 004068C8
                                          • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A7F
                                          • ExitProcess.KERNEL32 ref: 00403A9C
                                          • CloseHandle.KERNEL32(00000000,007AC000,007AC000,?,868,00000000), ref: 00403AA3
                                          • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403ABF
                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC6
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADB
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403AFE
                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B23
                                          • ExitProcess.KERNEL32 ref: 00403B46
                                            • Part of subcall function 00405B02: CreateDirectoryW.KERNELBASE(?,00000000,00403522,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405B08
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                          • String ID: "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"$1033$868$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards$C:\Users\user\Desktop$C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                                          • API String ID: 1813718867-293664213
                                          • Opcode ID: 4539d7b49e661c335d86d711c7dc70c0ceacb82e8b10bfdaa1b9f15d78561598
                                          • Instruction ID: 93f5a648143c5b163d48a65c291177ce643c8a453b959a17227cb1525d46e2db
                                          • Opcode Fuzzy Hash: 4539d7b49e661c335d86d711c7dc70c0ceacb82e8b10bfdaa1b9f15d78561598
                                          • Instruction Fuzzy Hash: 2CF10370604301AAD720AF659D05B2B7EE8EF85706F00483EF581B62D2DB7DDA45CB6E

                                           Control-flow Graph

                                          APIs
                                          • GetDlgItem.USER32(?,00000403), ref: 00405776
                                          • GetDlgItem.USER32(?,000003EE), ref: 00405785
                                          • GetClientRect.USER32(?,?), ref: 004057C2
                                          • GetSystemMetrics.USER32(00000002), ref: 004057C9
                                          • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057EA
                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FB
                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040580E
                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581C
                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040582F
                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405851
                                          • ShowWindow.USER32(?,00000008), ref: 00405865
                                          • GetDlgItem.USER32(?,000003EC), ref: 00405886
                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405896
                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058AF
                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BB
                                          • GetDlgItem.USER32(?,000003F8), ref: 00405794
                                            • Part of subcall function 00404508: SendMessageW.USER32(00000028,?,00000001,00404333), ref: 00404516
                                          • GetDlgItem.USER32(?,000003EC), ref: 004058D8
                                          • CreateThread.KERNELBASE(00000000,00000000,Function_000056AC,00000000), ref: 004058E6
                                          • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004058ED
                                          • ShowWindow.USER32(00000000), ref: 00405911
                                          • ShowWindow.USER32(?,00000008), ref: 00405916
                                          • ShowWindow.USER32(00000008), ref: 00405960
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405994
                                          • CreatePopupMenu.USER32 ref: 004059A5
                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059B9
                                          • GetWindowRect.USER32(?,?), ref: 004059D9
                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F2
                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2A
                                          • OpenClipboard.USER32(00000000), ref: 00405A3A
                                          • EmptyClipboard.USER32 ref: 00405A40
                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4C
                                          • GlobalLock.KERNEL32(00000000), ref: 00405A56
                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6A
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00405A8A
                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00405A95
                                          • CloseClipboard.USER32 ref: 00405A9B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                          • String ID: {
                                          • API String ID: 4154960007-366298937
                                          • Opcode ID: 245d7c75552d93292a5d0639f3ad285b68bcb815a2f70b75041fbe35360c6243
                                          • Instruction ID: d944e331103d7d797bb7559e04b2c0af071990b1bd98ce6caf222631f3d5da7c
                                          • Opcode Fuzzy Hash: 245d7c75552d93292a5d0639f3ad285b68bcb815a2f70b75041fbe35360c6243
                                          • Instruction Fuzzy Hash: 47B13971900608FFDB11AF60DD85EAE7B79FB48354F10813AFA41B61A0CB788A51DF68
                                          APIs
                                            • Part of subcall function 73AC12BB: GlobalAlloc.KERNEL32(00000040,?,73AC12DB,?,73AC137F,00000019,73AC11CA,-000000A0), ref: 73AC12C5
                                          • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 73AC1D2D
                                          • lstrcpyW.KERNEL32(00000008,?), ref: 73AC1D75
                                          • lstrcpyW.KERNEL32(00000808,?), ref: 73AC1D7F
                                          • GlobalFree.KERNEL32(00000000), ref: 73AC1D92
                                          • GlobalFree.KERNEL32(?), ref: 73AC1E74
                                          • GlobalFree.KERNEL32(?), ref: 73AC1E79
                                          • GlobalFree.KERNEL32(?), ref: 73AC1E7E
                                          • GlobalFree.KERNEL32(00000000), ref: 73AC2068
                                          • lstrcpyW.KERNEL32(?,?), ref: 73AC2222
                                          • GetModuleHandleW.KERNEL32(00000008), ref: 73AC22A1
                                          • LoadLibraryW.KERNEL32(00000008), ref: 73AC22B2
                                          • GetProcAddress.KERNEL32(?,?), ref: 73AC230C
                                          • lstrlenW.KERNEL32(00000808), ref: 73AC2326
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4129567152.0000000073AC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 73AC0000, based on PE: true
                                           • Associated: 00000000.00000002.4129552548.0000000073AC0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129578779.0000000073AC4000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129592945.0000000073AC6000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_73ac0000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                          • String ID:
                                          • API String ID: 245916457-0
                                          • Opcode ID: 227e83b2548e5e6173f9e66271e35245180e2ae82e95c96bb33d07deddb17268
                                          • Instruction ID: eb4b2c1ecd8498c567a924c7cd80e0d68e0897396a56f1b7d14efd692eb596ff
                                          • Opcode Fuzzy Hash: 227e83b2548e5e6173f9e66271e35245180e2ae82e95c96bb33d07deddb17268
                                          • Instruction Fuzzy Hash: 2322A971E0428ADBDF12CFA4C5867AEB7B5FB08305F14452FD1A6E2298D774DA81CB90

                                           Control-flow Graph

                                          APIs
                                          • DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"), ref: 00405C89
                                          • lstrcatW.KERNEL32(007A3750,\*.*), ref: 00405CD1
                                          • lstrcatW.KERNEL32(?,0040A014), ref: 00405CF4
                                          • lstrlenW.KERNEL32(?,?,0040A014,?,007A3750,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"), ref: 00405CFA
                                          • FindFirstFileW.KERNEL32(007A3750,?,?,?,0040A014,?,007A3750,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"), ref: 00405D0A
                                          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAA
                                          • FindClose.KERNEL32(00000000), ref: 00405DB9
                                          Strings
                                          • \*.*, xrefs: 00405CCB
                                          • "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe", xrefs: 00405C69
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C6D
                                          • P7z, xrefs: 00405CB9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                          • String ID: "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"$C:\Users\user\AppData\Local\Temp\$P7z$\*.*
                                          • API String ID: 2035342205-2117823521
                                          • Opcode ID: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
                                          • Instruction ID: f748e5475402f1fc91d3f7fbe8cbfa38c73e6686c0f945f98d649a4eb698cdfa
                                          • Opcode Fuzzy Hash: 504f622c36c52388dc620547c7079f2cd4c31ca565287661d2c47a2285e6f56d
                                          • Instruction Fuzzy Hash: EB41B231800A14B6DB216B26CC49BAF7678EF81714F20813BF441B11D1DB7C4A829EAE
                                          APIs
                                          • CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040224E
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards, xrefs: 0040228E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CreateInstance
                                          • String ID: C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards
                                          • API String ID: 542301482-4294870087
                                          • Opcode ID: 2b629c1a17f3a3ffc56b825882c252300589c696d23cc712910858c93b1d4aeb
                                          • Instruction ID: d027746e191c14b49f1eee61a42344c893d98f4f720128a79e15815c221bbdc7
                                          • Opcode Fuzzy Hash: 2b629c1a17f3a3ffc56b825882c252300589c696d23cc712910858c93b1d4aeb
                                          • Instruction Fuzzy Hash: 3B411675A00209AFCB00DFE4C989AAD7BB5FF48318B20457EF505EB2D1DB799981CB54
                                          APIs
                                          • FindFirstFileW.KERNELBASE(74DF3420,007A4798,007A3F50,00405F74,007A3F50,007A3F50,00000000,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068BC
                                          • FindClose.KERNEL32(00000000), ref: 004068C8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Find$CloseFileFirst
                                          • String ID:
                                          • API String ID: 2295610775-0
                                          • Opcode ID: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
                                          • Instruction ID: c1f58c6a55c378a7321320ff0386b713db4abc0e26cca29c2297fdfd4174c4a1
                                          • Opcode Fuzzy Hash: 66bf9994b2f5814cd2018ee22faa20966fcafcce3cd9b2dc1ade219dc7786d58
                                          • Instruction Fuzzy Hash: CFD0123251A1305BC28027386D0C84B7B98AF56331712CB36F16AF21E0C7748C6287A8
                                          APIs
                                          • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040293F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: FileFindFirst
                                          • String ID:
                                          • API String ID: 1974802433-0
                                          • Opcode ID: 10d534dc46fcbba6b1f1659cf1ac7ba9eebf6811a433664e38e036bec13daf12
                                          • Instruction ID: bedb772ef0a2f17f15cc30cd16f16fd49c67dd7be69949238e740b54367540b4
                                          • Opcode Fuzzy Hash: 10d534dc46fcbba6b1f1659cf1ac7ba9eebf6811a433664e38e036bec13daf12
                                          • Instruction Fuzzy Hash: 08F0E231A04100EAD700EBA4DA499AEB374FF04314F20417BE101F30E0D7B84D409B2D

                                           Control-flow Graph

                                          APIs
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404010
                                          • ShowWindow.USER32(?), ref: 00404030
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404042
                                          • ShowWindow.USER32(?,00000004), ref: 0040405B
                                          • DestroyWindow.USER32 ref: 0040406F
                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404088
                                          • GetDlgItem.USER32(?,?), ref: 004040A7
                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BB
                                          • IsWindowEnabled.USER32(00000000), ref: 004040C2
                                          • GetDlgItem.USER32(?,00000001), ref: 0040416D
                                          • GetDlgItem.USER32(?,00000002), ref: 00404177
                                          • SetClassLongW.USER32(?,000000F2,?), ref: 00404191
                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E2
                                          • GetDlgItem.USER32(?,00000003), ref: 00404288
                                          • ShowWindow.USER32(00000000,?), ref: 004042A9
                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042BB
                                          • EnableWindow.USER32(?,?), ref: 004042D6
                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EC
                                          • EnableMenuItem.USER32(00000000), ref: 004042F3
                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430B
                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040431E
                                          • lstrlenW.KERNEL32(007A1748,?,007A1748,00000000), ref: 00404348
                                          • SetWindowTextW.USER32(?,007A1748), ref: 0040435C
                                          • ShowWindow.USER32(?,0000000A), ref: 00404490
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                          • String ID:
                                          • API String ID: 121052019-0
                                          • Opcode ID: bc3e7111866138a7d9fc3d457d106daad5acaba352cfb8b9f49eaf3ae0b18d54
                                          • Instruction ID: 556acdb9000d186b886cde9212830cd241fbea6c4840fceff67d75b478af1997
                                          • Opcode Fuzzy Hash: bc3e7111866138a7d9fc3d457d106daad5acaba352cfb8b9f49eaf3ae0b18d54
                                          • Instruction Fuzzy Hash: 13C1C0B1500604ABDB206F61ED85B2A3A68FBD6359F00453EF791B51F0CB3D5891DB2E

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                            • Part of subcall function 00406948: GetModuleHandleA.KERNEL32(?,00000020,?,0040363F,0000000C,?,?,?,?,?,?,?,?), ref: 0040695A
                                            • Part of subcall function 00406948: GetProcAddress.KERNEL32(00000000,?), ref: 00406975
                                          • lstrcatW.KERNEL32(1033,007A1748), ref: 00403CA7
                                          • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000,00000002,74DF3420), ref: 00403D27
                                          • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical,1033,007A1748,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1748,00000000), ref: 00403D3A
                                          • GetFileAttributesW.KERNEL32(Call), ref: 00403D45
                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical), ref: 00403D8E
                                            • Part of subcall function 0040649B: wsprintfW.USER32 ref: 004064A8
                                          • RegisterClassW.USER32(007A7200), ref: 00403DCB
                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE3
                                          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E18
                                          • ShowWindow.USER32(00000005,00000000), ref: 00403E4E
                                          • GetClassInfoW.USER32(00000000,RichEdit20W,007A7200), ref: 00403E7A
                                          • GetClassInfoW.USER32(00000000,RichEdit,007A7200), ref: 00403E87
                                          • RegisterClassW.USER32(007A7200), ref: 00403E90
                                          • DialogBoxParamW.USER32(?,00000000,00403FD4,00000000), ref: 00403EAF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                          • String ID: "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                          • API String ID: 1975747703-2933156622
                                          • Opcode ID: 889c8ef34167dee75fdbefa7f7ea3591ee246ed7a83750caaaa5a9fc269d37bc
                                          • Instruction ID: 87c0a3a17ad5e1939fcd37e1134105fdbaf016035d588be57f40016c0fe971d1
                                          • Opcode Fuzzy Hash: 889c8ef34167dee75fdbefa7f7ea3591ee246ed7a83750caaaa5a9fc269d37bc
                                          • Instruction Fuzzy Hash: CA61D370100605AED720BF269D45F2B3AACFB85B49F40453EF951B62E2DB7C9901CB6D

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          • GetTickCount.KERNEL32 ref: 004030B3
                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,00000400), ref: 004030CF
                                            • Part of subcall function 00406044: GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,80000000,00000003), ref: 00406048
                                            • Part of subcall function 00406044: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A
                                          • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,80000000,00000003), ref: 0040311B
                                          • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                          • String ID: "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$;$;
                                          • API String ID: 2803837635-1106213238
                                          • Opcode ID: a0dd9f8ef326ba969c16cb1fd88c965c76ed405712e773b35a873600aa04ef71
                                          • Instruction ID: 049f7c6d5ff3921a21710fe3aab5a9d19a74ce2d4ccd47fede02a431b1dffc51
                                          • Opcode Fuzzy Hash: a0dd9f8ef326ba969c16cb1fd88c965c76ed405712e773b35a873600aa04ef71
                                          • Instruction Fuzzy Hash: A4519F71901204AFDF209FA5DD86BAE7EACAB45356F20817BF500B62D1CA7C9E408B5D

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004066B3
                                          • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,?,?,00000000,00000000,0079A700,74DF23A0), ref: 004066C9
                                          • SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 00406727
                                          • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406730
                                          • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040675B
                                          • lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,?,?,00000000,00000000,0079A700,74DF23A0), ref: 004067B5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                          • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                          • API String ID: 4024019347-3938387642
                                          • Opcode ID: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
                                          • Instruction ID: 996034b20cbe1ccfc182dbfd15fdcef075a6e82f48079f00531b92f4adf5a68d
                                          • Opcode Fuzzy Hash: fb78c655de7e04e2c0873077e29524e20483bf8d3f5bca8374ab451ad378ea15
                                          • Instruction Fuzzy Hash: D56135716046119BD720AF24DD84B7B77E4AB85318F25063FF687B32D0DA3C8961865E

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          • lstrcatW.KERNEL32(00000000,00000000), ref: 004017D5
                                          • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards,?,?,00000031), ref: 004017FA
                                            • Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406561
                                            • Part of subcall function 004055D9: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
                                            • Part of subcall function 004055D9: lstrlenW.KERNEL32(0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
                                            • Part of subcall function 004055D9: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,0040341A), ref: 00405634
                                            • Part of subcall function 004055D9: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll), ref: 00405646
                                            • Part of subcall function 004055D9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
                                            • Part of subcall function 004055D9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
                                            • Part of subcall function 004055D9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                          • String ID: C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards$C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp$C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll$Call
                                          • API String ID: 1941528284-3903362452
                                          • Opcode ID: 459ca0f14b307942bd3c4c52a70d437b093103bc39e5b4f15ac77f378917437c
                                          • Instruction ID: 1e9ca80c6a5dacc7cd580e770cf15d3f22a044297d5b9cee136244b7a600bee5
                                          • Opcode Fuzzy Hash: 459ca0f14b307942bd3c4c52a70d437b093103bc39e5b4f15ac77f378917437c
                                          • Instruction Fuzzy Hash: C441E871400104BADF11BBB5DD85DBE3AB5EF45329B21823FF012B10E1DB3C8A91966D

                                          Control-flow Graph
                                          control_flow_graph 860 4055d9-4055ee 861 4055f4-405605 860->861 862 4056a5-4056a9 860->862 863 405610-40561c lstrlenW 861->863 864 405607-40560b call 406591 861->864 866 405639-40563d 863->866 867 40561e-40562e lstrlenW 863->867 864->863 868 40564c-405650 866->868 869 40563f-405646 SetWindowTextW 866->869 867->862 870 405630-405634 lstrcatW 867->870 871 405652-405694 SendMessageW * 3 868->871 872 405696-405698 868->872 869->868 870->866 871->872 872->862 873 40569a-40569d 872->873 873->862
                                          APIs
                                          • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
                                          • lstrlenW.KERNEL32(0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
                                          • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,0040341A), ref: 00405634
                                          • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll), ref: 00405646
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                          • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll
                                          • API String ID: 2531174081-2916774448
                                          • Opcode ID: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
                                          • Instruction ID: 329114e2e26f34c588cdeed9baab55c5e37b8eaf8a8cec26a94c2fb3a39dc2c1
                                          • Opcode Fuzzy Hash: da048427165e3fda7d212e1d25adb62017d163fe0601bf1cc7e6f9066e197b12
                                          • Instruction Fuzzy Hash: F921B371900618BACF119F65DD449CFBFB8EF95364F10843AF908B22A0C77A4A50CFA8

                                          Control-flow Graph
                                          control_flow_graph 874 4032d9-4032f0 875 4032f2 874->875 876 4032f9-403302 874->876 875->876 877 403304 876->877 878 40330b-403310 876->878 877->878 879 403320-40332d call 4034d1 878->879 880 403312-40331b call 4034e7 878->880 884 403333-403337 879->884 885 4034bf 879->885 880->879 886 40346a-40346c 884->886 887 40333d-403363 GetTickCount 884->887 888 4034c1-4034c2 885->888 889 4034ac-4034af 886->889 890 40346e-403471 886->890 891 4034c7 887->891 892 403369-403371 887->892 893 4034ca-4034ce 888->893 894 4034b1 889->894 895 4034b4-4034bd call 4034d1 889->895 890->891 896 403473 890->896 891->893 897 403373 892->897 898 403376-403384 call 4034d1 892->898 894->895 895->885 907 4034c4 895->907 900 403476-40347c 896->900 897->898 898->885 906 40338a-403393 898->906 903 403480-40348e call 4034d1 900->903 904 40347e 900->904 903->885 912 403490-40349c call 4060f6 903->912 904->903 909 403399-4033b9 call 406aa3 906->909 907->891 916 403462-403464 909->916 917 4033bf-4033d2 GetTickCount 909->917 918 403466-403468 912->918 919 40349e-4034a8 912->919 916->888 920 4033d4-4033dc 917->920 921 40341d-40341f 917->921 918->888 919->900 922 4034aa 919->922 923 4033e4-403415 MulDiv wsprintfW call 4055d9 920->923 924 4033de-4033e2 920->924 925 403421-403425 921->925 926 403456-40345a 921->926 922->891 932 40341a 923->932 924->921 924->923 929 403427-40342e call 4060f6 925->929 930 40343c-403447 925->930 926->892 927 403460 926->927 927->891 935 403433-403435 929->935 931 40344a-40344e 930->931 931->909 934 403454 931->934 932->921 934->891 935->918 936 403437-40343a 935->936 936->931
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CountTick$wsprintf
                                          • String ID: ... %d%%$STy
                                          • API String ID: 551687249-2882605797
                                          • Opcode ID: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
                                          • Instruction ID: eb1ee041d621481d77111d3da967b5f6536357fdff7ba477760ccc35d22143eb
                                          • Opcode Fuzzy Hash: 35df2eeb44d66dae63b1d0c24c026509dc1c2a142cef09f029ae2f44a6fc0423
                                          • Instruction Fuzzy Hash: FD515F71910219EBCF11CF65DA8469E7FA8AB00756F14417BE804BA2C1C7789B41CBAA

                                          Control-flow Graph
                                          control_flow_graph 937 402711-40272a call 402da9 940 402730-402737 937->940 941 402c4f-402c52 937->941 942 402739 940->942 943 40273c-40273f 940->943 944 402c58-402c5e 941->944 942->943 945 4028a3-4028ab 943->945 946 402745-402754 call 4064b4 943->946 945->941 946->945 950 40275a 946->950 951 402760-402764 950->951 952 4027f9-4027fc 951->952 953 40276a-402785 ReadFile 951->953 955 402814-402824 call 4060c7 952->955 956 4027fe-402801 952->956 953->945 954 40278b-402790 953->954 954->945 958 402796-4027a4 954->958 955->945 964 402826 955->964 956->955 959 402803-40280e call 406125 956->959 961 4027aa-4027bc MultiByteToWideChar 958->961 962 40285f-40286b call 40649b 958->962 959->945 959->955 961->964 965 4027be-4027c1 961->965 962->944 968 402829-40282c 964->968 969 4027c3-4027ce 965->969 968->962 971 40282e-402833 968->971 969->968 972 4027d0-4027f5 SetFilePointer MultiByteToWideChar 969->972 973 402870-402874 971->973 974 402835-40283a 971->974 972->969 975 4027f7 972->975 977 402891-40289d SetFilePointer 973->977 978 402876-40287a 973->978 974->973 976 40283c-40284f 974->976 975->964 976->945 979 402851-402857 976->979 977->945 980 402882-40288f 978->980 981 40287c-402880 978->981 979->951 982 40285d 979->982 980->945 981->977 981->980 982->945
                                          APIs
                                          • ReadFile.KERNELBASE(?,?,?,?), ref: 0040277D
                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
                                          • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1
                                            • Part of subcall function 00406125: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613B
                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: File$Pointer$ByteCharMultiWide$Read
                                          • String ID: 9
                                          • API String ID: 163830602-2366072709
                                          • Opcode ID: 233c6f879122765c140ec07ecab3eee11d9f6e18c011ef8f82b6bc4890f14a46
                                          • Instruction ID: 94532b36e9b1b55a0417b46d3f551769048a354c57792839695d4204f468be83
                                          • Opcode Fuzzy Hash: 233c6f879122765c140ec07ecab3eee11d9f6e18c011ef8f82b6bc4890f14a46
                                          • Instruction Fuzzy Hash: D6510C75D04119AADF20EFD4CA84AAEBBB9FF44304F14817BE541B62D0D7B89D82CB58

                                          Control-flow Graph
                                          control_flow_graph 983 4068d8-4068f8 GetSystemDirectoryW 984 4068fa 983->984 985 4068fc-4068fe 983->985 984->985 986 406900-406909 985->986 987 40690f-406911 985->987 986->987 988 40690b-40690d 986->988 989 406912-406945 wsprintfW LoadLibraryExW 987->989 988->989
                                          APIs
                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
                                          • wsprintfW.USER32 ref: 0040692A
                                          • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040693E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                          • String ID: %s%S.dll$UXTHEME
                                          • API String ID: 2200240437-1106614640
                                          • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                          • Instruction ID: 3d91c3bba12f32b4d8e24f08bfb099957206232b6387f0edcfac50a9fed73821
                                          • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                          • Instruction Fuzzy Hash: 80F0F671501219ABDB20BB68DD0EF9B376CAB00304F10447AA546F10E0EB789B69CB98

                                          Control-flow Graph
                                          control_flow_graph 990 73ac1817-73ac1856 call 73ac1bff 994 73ac185c-73ac1860 990->994 995 73ac1976-73ac1978 990->995 996 73ac1869-73ac1876 call 73ac2480 994->996 997 73ac1862-73ac1868 call 73ac243e 994->997 1002 73ac1878-73ac187d 996->1002 1003 73ac18a6-73ac18ad 996->1003 997->996 1006 73ac187f-73ac1880 1002->1006 1007 73ac1898-73ac189b 1002->1007 1004 73ac18cd-73ac18d1 1003->1004 1005 73ac18af-73ac18cb call 73ac2655 call 73ac1654 call 73ac1312 GlobalFree 1003->1005 1012 73ac191e-73ac1924 call 73ac2655 1004->1012 1013 73ac18d3-73ac191c call 73ac1666 call 73ac2655 1004->1013 1029 73ac1925-73ac1929 1005->1029 1010 73ac1888-73ac1889 call 73ac2b98 1006->1010 1011 73ac1882-73ac1883 1006->1011 1007->1003 1008 73ac189d-73ac189e call 73ac2e23 1007->1008 1021 73ac18a3 1008->1021 1024 73ac188e 1010->1024 1017 73ac1885-73ac1886 1011->1017 1018 73ac1890-73ac1896 call 73ac2810 1011->1018 1012->1029 1013->1029 1017->1003 1017->1010 1028 73ac18a5 1018->1028 1021->1028 1024->1021 1028->1003 1033 73ac192b-73ac1939 call 73ac2618 1029->1033 1034 73ac1966-73ac196d 1029->1034 1040 73ac193b-73ac193e 1033->1040 1041 73ac1951-73ac1958 1033->1041 1034->995 1036 73ac196f-73ac1970 GlobalFree 1034->1036 1036->995 1040->1041 1042 73ac1940-73ac1948 1040->1042 1041->1034 1043 73ac195a-73ac1965 call 73ac15dd 1041->1043 1042->1041 1044 73ac194a-73ac194b FreeLibrary 1042->1044 1043->1034 1044->1041
                                          APIs
                                            • Part of subcall function 73AC1BFF: GlobalFree.KERNEL32(?), ref: 73AC1E74
                                            • Part of subcall function 73AC1BFF: GlobalFree.KERNEL32(?), ref: 73AC1E79
                                            • Part of subcall function 73AC1BFF: GlobalFree.KERNEL32(?), ref: 73AC1E7E
                                          • GlobalFree.KERNEL32(00000000), ref: 73AC18C5
                                          • FreeLibrary.KERNEL32(?), ref: 73AC194B
                                          • GlobalFree.KERNEL32(00000000), ref: 73AC1970
                                            • Part of subcall function 73AC243E: GlobalAlloc.KERNEL32(00000040,?), ref: 73AC246F
                                            • Part of subcall function 73AC2810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73AC1896,00000000), ref: 73AC28E0
                                            • Part of subcall function 73AC1666: wsprintfW.USER32 ref: 73AC1694
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4129567152.0000000073AC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 73AC0000, based on PE: true
                                          • Associated: 00000000.00000002.4129552548.0000000073AC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000000.00000002.4129578779.0000000073AC4000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000000.00000002.4129592945.0000000073AC6000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_73ac0000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Global$Free$Alloc$Librarywsprintf
                                          • String ID:
                                          • API String ID: 3962662361-3916222277
                                          • Opcode ID: ab0a88c22153eeb1d3dddf4f25271521c278a5262eaf9978ac185ff1e238e5f1
                                          • Instruction ID: ba403c24ebb13f5be7de9930a700ff8a0c74cbc96c6c6089e1f8f42c441744b9
                                          • Opcode Fuzzy Hash: ab0a88c22153eeb1d3dddf4f25271521c278a5262eaf9978ac185ff1e238e5f1
                                          • Instruction Fuzzy Hash: A241C0726003859BEF019F64CA86B9537BCFF09314F18446BE90BAA1DEDB78C08587A0

                                          Control-flow Graph
                                          control_flow_graph 1047 4024af-4024e0 call 402dcb * 2 call 402e5b 1054 4024e6-4024f0 1047->1054 1055 402c4f-402c5e 1047->1055 1056 4024f2-4024ff call 402dcb lstrlenW 1054->1056 1057 402503-402506 1054->1057 1056->1057 1060 402508-402519 call 402da9 1057->1060 1061 40251a-40251d 1057->1061 1060->1061 1065 40252e-402542 RegSetValueExW 1061->1065 1066 40251f-402529 call 4032d9 1061->1066 1067 402544 1065->1067 1068 402547-402628 RegCloseKey 1065->1068 1066->1065 1067->1068 1068->1055
                                          APIs
                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp,00000023,00000011,00000002), ref: 004024FA
                                          • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp,00000000,00000011,00000002), ref: 0040253A
                                          • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp,00000000,00000011,00000002), ref: 00402622
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CloseValuelstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp
                                          • API String ID: 2655323295-3349095799
                                          • Opcode ID: f2eb1e95bb37b6daebf5b2789ea60323440975f3bfcbdfb9fc0150329e8b97d8
                                          • Instruction ID: b5124b365774ee0dd77fffeda1a995c18ababb59e8a55150708f98195cc7d2d6
                                          • Opcode Fuzzy Hash: f2eb1e95bb37b6daebf5b2789ea60323440975f3bfcbdfb9fc0150329e8b97d8
                                          • Instruction Fuzzy Hash: B8117231D00114BEDB01EFA59E59AAEB6B4EF54358F20443FF504B61D1C7B88E40966C

                                          Control-flow Graph
                                          control_flow_graph 1072 406073-40607f 1073 406080-4060b4 GetTickCount GetTempFileNameW 1072->1073 1074 4060c3-4060c5 1073->1074 1075 4060b6-4060b8 1073->1075 1077 4060bd-4060c0 1074->1077 1075->1073 1076 4060ba 1075->1076 1076->1077
                                          APIs
                                          • GetTickCount.KERNEL32 ref: 00406091
                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040352D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819), ref: 004060AC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CountFileNameTempTick
                                          • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                          • API String ID: 1716503409-678247507
                                          • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                          • Instruction ID: 3a9c7f2d553a521e2ba94e631897efa79da28a954d47360b9b57a106d7dab247
                                          • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                          • Instruction Fuzzy Hash: 83F09076B40204BFEB00CF69ED05F9EB7ACEB95750F11803AED05F7180E6B099548768
                                          APIs
                                            • Part of subcall function 00405ECE: CharNextW.USER32(?,?,007A3F50,?,00405F42,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"), ref: 00405EDC
                                            • Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EE1
                                            • Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EF9
                                          • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F
                                            • Part of subcall function 00405AA8: CreateDirectoryW.KERNELBASE(?,?), ref: 00405AEA
                                          • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards,?,00000000,000000F0), ref: 00401672
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards, xrefs: 00401665
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                          • String ID: C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards
                                          • API String ID: 1892508949-4294870087
                                          • Opcode ID: 50ea165480be81357ae25d464df0ca33580a3cea203c3df2541c43cefebea8af
                                          • Instruction ID: 2b03c7a92312b5a1b0d009ad41e3f6a941738229f321331d68055a18e38198b9
                                          • Opcode Fuzzy Hash: 50ea165480be81357ae25d464df0ca33580a3cea203c3df2541c43cefebea8af
                                          • Instruction Fuzzy Hash: 4511D031504514EBCF207FA5CD056AF36A0EF04368B25493FE941B22F1D63D4A81DA5E
                                          APIs
                                          • RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,Call,?,00000000,00406693,80000002), ref: 00406468
                                          • RegCloseKey.KERNELBASE(?), ref: 00406473
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CloseQueryValue
                                          • String ID: Call
                                          • API String ID: 3356406503-1824292864
                                          • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                          • Instruction ID: 8bbbfa9f798598a3d1dedb2a9c281e33174829b5b93865dedadbfc74a219c892
                                          • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                          • Instruction Fuzzy Hash: 9F01B132110209BADF21CF51CD05EDB3BA8EB44360F018039FD1692150D738DA64DBA4
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402128
                                            • Part of subcall function 004055D9: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
                                            • Part of subcall function 004055D9: lstrlenW.KERNEL32(0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
                                            • Part of subcall function 004055D9: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,0040341A), ref: 00405634
                                            • Part of subcall function 004055D9: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll), ref: 00405646
                                            • Part of subcall function 004055D9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
                                            • Part of subcall function 004055D9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
                                            • Part of subcall function 004055D9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694
                                          • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402139
                                          • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004021B6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                          • String ID:
                                          • API String ID: 334405425-0
                                          • Opcode ID: dcba619cb82ab47283cf557ceb482ce7c42642f37134084d7f931d873524d78e
                                          • Instruction ID: 73d72cb5994b484f29e4ff80cb350354ef05bb92eb19bb99874f54bc55697afd
                                          • Opcode Fuzzy Hash: dcba619cb82ab47283cf557ceb482ce7c42642f37134084d7f931d873524d78e
                                          • Instruction Fuzzy Hash: EF21A131904104EACF10AFA5CF89A9E7A71BF54359F30413FF105B91E5DBBD89829A2E
                                          APIs
                                          • GlobalSize.KERNEL32(00000000), ref: 73AC10AA
                                          • GlobalAlloc.KERNEL32(00000040,00000000), ref: 73AC10B9
                                          • GlobalFree.KERNEL32(00000000), ref: 73AC10D6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4129567152.0000000073AC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 73AC0000, based on PE: true
                                           • Associated: 00000000.00000002.4129552548.0000000073AC0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129578779.0000000073AC4000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129592945.0000000073AC6000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_73ac0000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Global$AllocFreeSize
                                          • String ID:
                                          • API String ID: 465308736-0
                                          • Opcode ID: 374841e7aa9bae762ef7f7790583f238dbdc20fca2a9e53477266afa4b084d53
                                          • Instruction ID: e2af2277ce85cd4de38c493a3c806b7984e7f32954d3f6d51c68cf8511e00910
                                          • Opcode Fuzzy Hash: 374841e7aa9bae762ef7f7790583f238dbdc20fca2a9e53477266afa4b084d53
                                          • Instruction Fuzzy Hash: B401B5736003846BD711BBB76986B5B37ADEF48211710452BFA0AC7348FE74C4028B55
                                          APIs
                                          • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025F6
                                          • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402609
                                          • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp,00000000,00000011,00000002), ref: 00402622
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Enum$CloseValue
                                          • String ID:
                                          • API String ID: 397863658-0
                                          • Opcode ID: 6b26a19a6a49c8cdb85b468f9485b09a4b214ce950142c5c676665e06fea9f6e
                                          • Instruction ID: e355f0d3af3fae611af142f11dea5172e840e8f974d60c5f977c655607c85d86
                                          • Opcode Fuzzy Hash: 6b26a19a6a49c8cdb85b468f9485b09a4b214ce950142c5c676665e06fea9f6e
                                          • Instruction Fuzzy Hash: 5801DF71A04605BBEB149F94DE48BAFB668FF80308F10443EF001B21D0D7B84E41976D
                                          APIs
                                            • Part of subcall function 73AC1BFF: GlobalFree.KERNEL32(?), ref: 73AC1E74
                                            • Part of subcall function 73AC1BFF: GlobalFree.KERNEL32(?), ref: 73AC1E79
                                            • Part of subcall function 73AC1BFF: GlobalFree.KERNEL32(?), ref: 73AC1E7E
                                          • CloseHandle.KERNELBASE(00000000), ref: 73AC17DC
                                            • Part of subcall function 73AC1312: GlobalAlloc.KERNEL32(00000040,?,?,73AC15FE,?), ref: 73AC1328
                                            • Part of subcall function 73AC1312: lstrcpynW.KERNEL32(00000004,?,?,73AC15FE,?), ref: 73AC133E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4129567152.0000000073AC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 73AC0000, based on PE: true
                                           • Associated: 00000000.00000002.4129552548.0000000073AC0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129578779.0000000073AC4000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129592945.0000000073AC6000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_73ac0000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Global$Free$AllocCloseHandlelstrcpyn
                                          • String ID:
                                          • API String ID: 363591596-0
                                          • Opcode ID: 0116338d09dd72e0ba21ba84338d4d3fd32c0fc2bcce999671ba2a9a9f9035cd
                                          • Instruction ID: 75329e18b6f84f6d3a7f8cf1e0f570e94aeea1a00060a95edba840bbec15e174
                                          • Opcode Fuzzy Hash: 0116338d09dd72e0ba21ba84338d4d3fd32c0fc2bcce999671ba2a9a9f9035cd
                                          • Instruction Fuzzy Hash: C001C4737083C09FEB11AB76D607B8A37E4FF45214F24491BF58AD6298DB38D4418BA6
                                          APIs
                                          • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402580
                                          • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp,00000000,00000011,00000002), ref: 00402622
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CloseQueryValue
                                          • String ID:
                                          • API String ID: 3356406503-0
                                          • Opcode ID: 10d431b75224574b74b8678e8ea25e03ded551cf9e81ebafd7ca8e2dd7976e21
                                          • Instruction ID: 6577050f37a29122a5cb82ae63a7e3627040baffe8f236fb698a7bc144352859
                                          • Opcode Fuzzy Hash: 10d431b75224574b74b8678e8ea25e03ded551cf9e81ebafd7ca8e2dd7976e21
                                          • Instruction Fuzzy Hash: 51119E71904216EADF15DFA0DA589AEB7B4FF04348F20443FE802B62D0D7B84A45DB5E
                                          APIs
                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                          • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
                                          • Instruction ID: cd791cecd07b1aef7d4b508d0a52a2ac0ec5e235a68ccce80931b69816989e44
                                          • Opcode Fuzzy Hash: 2a9df91d450fb50793c14fb38bc67898e6fb514a90870fda1bdd56b9451edd81
                                          • Instruction Fuzzy Hash: 6301F4326242109BE7195B389D05B6B36A8F791314F10863FF955F62F1DA78CC42DB4D
                                          APIs
                                          • CreateDirectoryW.KERNELBASE(?,?), ref: 00405AEA
                                          • GetLastError.KERNEL32 ref: 00405AF8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CreateDirectoryErrorLast
                                          • String ID:
                                          • API String ID: 1375471231-0
                                          • Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                                          • Instruction ID: 13352011552d0ddc4b0c1568d720dcd5f2ba617a9a750a7f60e40e4c0ab4bb23
                                          • Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                                          • Instruction Fuzzy Hash: 52F0F4B0D0060EDADB00CFA4C6487EFBBB4AB04309F10812AD941B6281D7B882488FA9
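                                           The API lines in these entries all have one fixed shape (an optional "Part of subcall function" prefix, then Api.MODULE(args), ref: address), which makes them easy to mine when triaging an NSIS-packed sample like this one: the file-system paths in the arguments give the extraction directory under the user's Temp folder and the plugin DLL, and the hex flag values can be decoded against the documented Win32 constants. The Python below is an added example and is not part of the Joe Sandbox report or its IDA plugin. It parses lines of that shape, collects the distinct Windows paths seen in arguments, and decodes the dwFlags parameter of LoadLibraryExW and the uFlags parameter of GlobalAlloc. The sample input is a constructed block of lines copied from the entries above; the function and helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One "APIs" line from a Joe Sandbox function entry, e.g.
#   • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F
#   • Part of subcall function 00405ECE: CharNextW.USER32(...), ref: 00405EDC
#   • GetLastError.KERNEL32 ref: 00405AF8          (no argument list at all)
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# Arguments are comma separated, but a quoted path may itself contain commas.
ARG_SPLIT = re.compile(r'"[^"]*"|[^,]+')
# Absolute Windows paths inside an argument ("Skipped: C:\..." included).
WIN_PATH = re.compile(r'[A-Za-z]:\\[^,"\n]+')

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int] = None

def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return the call described by one bullet line, or None for any other line."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args") or ""
    args = [a.strip().strip('"') for a in ARG_SPLIT.findall(raw)]
    sub = m.group("sub")
    return ApiCall(api=m.group("api"), module=m.group("module"), args=args,
                   ref=int(m.group("ref"), 16), subcall_of=int(sub, 16) if sub else None)

def parse_api_block(text: str) -> List[ApiCall]:
    """Parse every API bullet in a block; headers and dump-source lines are skipped."""
    return [c for c in (parse_api_line(ln) for ln in text.splitlines()) if c]

def windows_paths(calls: List[ApiCall]) -> List[str]:
    """Distinct absolute Windows paths found in call arguments, in first-seen order."""
    seen: List[str] = []
    for call in calls:
        for arg in call.args:
            for path in WIN_PATH.findall(arg):
                if path not in seen:
                    seen.append(path)
    return seen

# Win32 flag constants (from the public SDK headers).
LOAD_LIBRARY_EX_FLAGS = {
    0x0001: "DONT_RESOLVE_DLL_REFERENCES", 0x0002: "LOAD_LIBRARY_AS_DATAFILE",
    0x0008: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x0010: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
    0x0020: "LOAD_LIBRARY_AS_IMAGE_RESOURCE", 0x0040: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE",
    0x0100: "LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR", 0x0200: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR",
    0x0400: "LOAD_LIBRARY_SEARCH_USER_DIRS", 0x0800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}
GLOBAL_ALLOC_FLAGS = {0x0002: "GMEM_MOVEABLE", 0x0040: "GMEM_ZEROINIT"}
# API -> (index of its flags parameter, table). The report lists the values on the
# stack at the call, so only the API's declared parameters are meaningful:
# LoadLibraryExW(lpLibFileName, hFile, dwFlags), GlobalAlloc(uFlags, dwBytes).
FLAG_PARAMS = {
    "LoadLibraryExW": (2, LOAD_LIBRARY_EX_FLAGS),
    "LoadLibraryExA": (2, LOAD_LIBRARY_EX_FLAGS),
    "GlobalAlloc": (0, GLOBAL_ALLOC_FLAGS),
}

def decode_flags(call: ApiCall) -> Optional[List[str]]:
    """Names of the flag bits set in the call's flags parameter; None when the API has
    no flags parameter or the value was not recorded ('?')."""
    spec = FLAG_PARAMS.get(call.api)
    if spec is None:
        return None
    idx, table = spec
    if idx >= len(call.args) or not re.fullmatch(r"[0-9A-Fa-f]+", call.args[idx]):
        return None
    value = int(call.args[idx], 16)
    return [name for bit, name in table.items() if value & bit]

def summarize(text: str) -> dict:
    """Calls, distinct paths and decoded flags (keyed 'Api@ref') for one report block."""
    calls = parse_api_block(text)
    flags = {f"{c.api}@{c.ref:08X}": d for c in calls if (d := decode_flags(c)) is not None}
    return {"calls": calls, "paths": windows_paths(calls), "flags": flags}

# Constructed input: lines copied from the function entries of this report.
SAMPLE = r"""
APIs
  • Part of subcall function 00405ECE: CharNextW.USER32(?,?,007A3F50,?,00405F42,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"), ref: 00405EDC
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F
  • Part of subcall function 00405AA8: CreateDirectoryW.KERNELBASE(?,?), ref: 00405AEA
• SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical\Surfboards,?,00000000,000000F0), ref: 00401672
• LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402139
  • Part of subcall function 004055D9: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,0040341A), ref: 00405634
• GlobalAlloc.KERNEL32(00000040,00000000), ref: 73AC10B9
• GetLastError.KERNEL32 ref: 00405AF8
Memory Dump Source
"""

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for c in result["calls"]:
        tag = f" (subcall of {c.subcall_of:08X})" if c.subcall_of is not None else ""
        print(f"{c.ref:08X} {c.api}.{c.module}{tag} argc={len(c.args)}")
    print("paths:", *result["paths"], sep="\n  ")
    print("flags:", result["flags"])
```

Paste the "APIs" bullets of any entry into summarize() to get the same three views. LOAD_WITH_ALTERED_SEARCH_PATH on the LoadLibraryExW call is what makes the path under Temp the first place the loader looks for the plugin's dependencies, which is why the extraction directory and the System.dll plugin are worth recording together.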
                                          APIs
                                          • ShowWindow.USER32(00000000,00000000), ref: 00401F21
                                          • EnableWindow.USER32(00000000,00000000), ref: 00401F2C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Window$EnableShow
                                          • String ID:
                                          • API String ID: 1136574915-0
                                          • Opcode ID: 43dff4b1693335f93dfca754fceec6b37362f049de9d354dc4597a38bacc65dc
                                          • Instruction ID: 98303f18ab294370b9404d3d0833ea925ed9fe29ea468c813ed2a63de2513d45
                                          • Opcode Fuzzy Hash: 43dff4b1693335f93dfca754fceec6b37362f049de9d354dc4597a38bacc65dc
                                          • Instruction Fuzzy Hash: 28E04F76908610DFE748EBA4AE499AEB7B4FF80365B20497FE001F11E1DBB94D00966D
                                          APIs
                                          • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?,?,?,868,?), ref: 00405B60
                                          • CloseHandle.KERNEL32(?,?,?,868,?), ref: 00405B6D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CloseCreateHandleProcess
                                          • String ID:
                                          • API String ID: 3712363035-0
                                          • Opcode ID: 1cf2fe051d34b4090bca479d50b9d9e6ed2e29e2a91626cbf83b173b154ad348
                                          • Instruction ID: e42c3092a0fd4a031c4fd4b3b8927d6f3122727aa63034fdce6a98e2e8d9435a
                                          • Opcode Fuzzy Hash: 1cf2fe051d34b4090bca479d50b9d9e6ed2e29e2a91626cbf83b173b154ad348
                                          • Instruction Fuzzy Hash: ECE09AB4900249BFEB109F64AD05E7B776CE745644F008525BD10F6151D775A8148A79
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: ShowWindow
                                          • String ID:
                                          • API String ID: 1268545403-0
                                          • Opcode ID: 161f1189b96c1e050d17504ce5c39e59e81e919b68ff6b2bf5ceaddda9e07bf6
                                          • Instruction ID: d7c79e80ad2a22e998040c9ddd7ac57f7a29ae31a8ed4af3f77ef46bec42490e
                                          • Opcode Fuzzy Hash: 161f1189b96c1e050d17504ce5c39e59e81e919b68ff6b2bf5ceaddda9e07bf6
                                          • Instruction Fuzzy Hash: 48E04F32A14514ABCB18CBA8EDD086E73B6FB84310310453FE502B36A4C6789C00CB58
                                          APIs
                                          • GetModuleHandleA.KERNEL32(?,00000020,?,0040363F,0000000C,?,?,?,?,?,?,?,?), ref: 0040695A
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00406975
                                            • Part of subcall function 004068D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
                                            • Part of subcall function 004068D8: wsprintfW.USER32 ref: 0040692A
                                            • Part of subcall function 004068D8: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040693E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                          • String ID:
                                          • API String ID: 2547128583-0
                                          • Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                          • Instruction ID: 551f93d59f6a57a7cc32b559d7ebc8a6d8da67cd5dc02587d5b4d2bd1ffdf244
                                          • Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                          • Instruction Fuzzy Hash: 95E08673504310AAD2105A705E04C2B73B89F85740302443EF942F2140D734DC32E769
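The function above is the one that matters most for triage: it builds a path under the system directory, loads a library from it with LoadLibraryExW(…, 0x8) (LOAD_WITH_ALTERED_SEARCH_PATH) and then resolves an export through GetModuleHandleA/GetProcAddress, so the import never appears in the IAT. The following is an added example, not Joe Sandbox code and not part of the original report: it parses the bullet format used in this listing (API.MODULE(args), ref: address, plus "Part of subcall function" lines) and tags each function with the capability its API mix implies. The capability rules, the flag tables and the abridged sample excerpt are this example's own; the Win32 flag values are the documented ones but should be checked against the SDK headers before relying on them.

```python
"""Triage the per-function API listing of a Joe Sandbox report (added example)."""
import re

# Constructed excerpt in the report's own bullet format, abridged from this page.
SAMPLE_REPORT = """\
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,0040363F,0000000C), ref: 0040695A
• GetProcAddress.KERNEL32(00000000,?), ref: 00406975
  • Part of subcall function 004068D8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068EF
  • Part of subcall function 004068D8: wsprintfW.USER32 ref: 0040692A
  • Part of subcall function 004068D8: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040693E
Memory Dump Source
• Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
APIs
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?,?,?,868,?), ref: 00405B60
• CloseHandle.KERNEL32(?,?,?,868,?), ref: 00405B6D
Similarity
• API ID: CloseCreateHandleProcess
APIs
• RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 00406418
"""

# One API bullet: optional subcall prefix, Api.MODULE, optional (args), ref: address.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")

# Documented Win32 flag values (assumed correct here; verify against the SDK headers).
LOADLIB_FLAGS = {0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
                 0x8: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32"}
CREATE_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS", 0x10: "CREATE_NEW_CONSOLE",
                0x4000000: "CREATE_DEFAULT_ERROR_MODE", 0x8000000: "CREATE_NO_WINDOW"}
LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW",
           "LoadLibraryExA", "LoadLibraryExW"}


def _arg(token):
    """Report arguments are hex words, or '?' when the analyser could not resolve them."""
    token = token.strip()
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", token) else None


def decode_flags(value, table):
    """Names of the bits set in value; [] when the value is unknown."""
    return [] if value is None else [n for bit, n in sorted(table.items()) if value & bit]


def parse_functions(text):
    """Split the listing into one record per 'APIs' block."""
    functions, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"calls": [], "subcalls": [], "api_id": None, "module_base": None}
            functions.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            call = {"api": m["api"], "module": m["mod"], "ref": int(m["ref"], 16),
                    "args": [_arg(a) for a in m["args"].split(",")] if m["args"] else []}
            if m["sub"]:
                call["subcall"] = int(m["sub"], 16)
                current["subcalls"].append(call)
            else:
                current["calls"].append(call)
        elif stripped.startswith("• API ID:"):
            current["api_id"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("• Source File:"):
            base = re.search(r"Offset:\s*([0-9A-Fa-f]{8})", stripped)
            current["module_base"] = int(base.group(1), 16) if base else None
    return functions


def classify(func):
    """Capability tags implied by the APIs a function (including its subcalls) reaches."""
    names = {c["api"] for c in func["calls"] + func["subcalls"]}
    tags = set()
    if "GetProcAddress" in names and names & LOADERS:
        tags.add("dynamic_api_resolution")  # imports resolved at run time, absent from the IAT
    if names & {"CreateProcessA", "CreateProcessW"}:
        tags.add("process_creation")
    if names & {"RegCreateKeyExA", "RegCreateKeyExW", "RegSetValueExA", "RegSetValueExW"}:
        tags.add("registry_write")
    if names & {"CreateFileA", "CreateFileW", "WritePrivateProfileStringW"}:
        tags.add("file_write")
    return tags


def triage(text):
    """One summary per function: entry reference, tags and decoded flag arguments."""
    rows = []
    for func in parse_functions(text):
        notes = []
        for call in func["calls"] + func["subcalls"]:
            args = call["args"]
            if call["api"] in ("CreateProcessA", "CreateProcessW") and len(args) > 5:
                notes.append("dwCreationFlags=" + "|".join(decode_flags(args[5], CREATE_FLAGS)))
            if call["api"] in ("LoadLibraryExA", "LoadLibraryExW") and len(args) > 2:
                notes.append("dwFlags=" + "|".join(decode_flags(args[2], LOADLIB_FLAGS)))
        rows.append({"api_id": func["api_id"],
                     "first_ref": func["calls"][0]["ref"] if func["calls"] else None,
                     "tags": sorted(classify(func)), "notes": notes})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(row)
```

Run it on a saved copy of the full listing instead of SAMPLE_REPORT to get one row per function; the "first_ref" address, together with the Offset on the Source File line, is what you need to jump to the function in the dumped module. Functions that carry both a loader and GetProcAddress are the ones to read first, since their real import set is only visible at run time.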
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,80000000,00000003), ref: 00406048
                                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: File$AttributesCreate
                                          • String ID:
                                          • API String ID: 415043291-0
                                          • Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                          • Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
                                          • Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                          • Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
                                          APIs
                                          • CreateDirectoryW.KERNELBASE(?,00000000,00403522,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405B08
                                          • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B16
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CreateDirectoryErrorLast
                                          • String ID:
                                          • API String ID: 1375471231-0
                                          • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                          • Instruction ID: 7bb2d1eb449126eed485e4eb4fbdbafbf981390ed288ef949080c13de55397a1
                                          • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                          • Instruction Fuzzy Hash: 7CC08C30314902DADA802B209F0870B3A60AB80340F154439A582E00E4CA30A445C92D
                                          APIs
                                          • CreateFileA.KERNELBASE(00000000), ref: 73AC2C57
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4129567152.0000000073AC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 73AC0000, based on PE: true
                                           • Associated: 00000000.00000002.4129552548.0000000073AC0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129578779.0000000073AC4000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129592945.0000000073AC6000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_73ac0000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: f64b2b87b26503f970d6c6f0895df722b1dad0c8838984a9142722ac29a6bffa
                                          • Instruction ID: 70dc007ae60db350d14a911d6db7f0e1e4bbffa3b985b98e743b186f5d5838ed
                                          • Opcode Fuzzy Hash: f64b2b87b26503f970d6c6f0895df722b1dad0c8838984a9142722ac29a6bffa
                                          • Instruction Fuzzy Hash: D34182B35003889FEF11AF66DA47B693779FB58310F30842BF40AC6258D739D4819B95
                                          APIs
                                          • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028D4
                                            • Part of subcall function 0040649B: wsprintfW.USER32 ref: 004064A8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: FilePointerwsprintf
                                          • String ID:
                                          • API String ID: 327478801-0
                                          • Opcode ID: 874a48f5052de35ce3f5d68bebafa1d1d6b4bc0d038a260f4494356ae22f2f83
                                          • Instruction ID: d8afcb7e31c577c7df5a47bf7b189458025ebbcb83da75e60b69e678f76aa364
                                          • Opcode Fuzzy Hash: 874a48f5052de35ce3f5d68bebafa1d1d6b4bc0d038a260f4494356ae22f2f83
                                          • Instruction Fuzzy Hash: E8E06D71904104AADB00EFA5AE498AE77B9EB80349B20443FF101B00E9C67859109A3D
                                          APIs
                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040240E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: PrivateProfileStringWrite
                                          • String ID:
                                          • API String ID: 390214022-0
                                          • Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
                                          • Instruction ID: ca2f62041d63e4abf833ada0eb3473e8090594299762c22e2e4a91b8788c92d6
                                          • Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
                                          • Instruction Fuzzy Hash: CEE086319105266BDB103AF20ECE9BE2058AF48308B24093FF512B61C2DEFC8C42567D
                                          APIs
                                          • SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040176E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: PathSearch
                                          • String ID:
                                          • API String ID: 2203818243-0
                                          • Opcode ID: 05a45ba0fbdca432f99f2945050b89cf5dd6b3df4aa2657fab958fcfff1ad0d5
                                          • Instruction ID: 5ef6c9dc075d7657941f8fe9075485116ee4ddb5350d9d3ef67c2e6f18a0d880
                                          • Opcode Fuzzy Hash: 05a45ba0fbdca432f99f2945050b89cf5dd6b3df4aa2657fab958fcfff1ad0d5
                                          • Instruction Fuzzy Hash: 6FE04871204101AAE700DB94DD49EAF7768DF50358F20813BE511A60D1E6B49914972D
                                          APIs
                                          • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 00406418
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                          • Instruction ID: 1ec48b264e911f442ad562827ea2aeba8bdc9c692846981259ff7ce92a87d17c
                                          • Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                          • Instruction Fuzzy Hash: 60E0BF72110109BFEF095F90DD0AD7B761DE704210B01452EF906D4051E6B5A9305674
                                          APIs
                                          • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E4,00000000,00000000,0040332B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                          • Instruction ID: 1a6ac9c2f17c3bf7024e7b579d6ce6ab3b84958f313ea5b4b1ce89539a84cc3a
                                          • Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                          • Instruction Fuzzy Hash: 55E0EC3225026AABDF10DE55DC00EEB7BACEB053A0F018437F956E7150DA31E93197A8
                                          APIs
                                          • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349A,00000000,00793700,000000FF,00793700,000000FF,000000FF,00000004,00000000), ref: 0040610A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID:
                                          • API String ID: 3934441357-0
                                          • Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                          • Instruction ID: 280cd4c212b49affc14266408846aa3a30e7e9a640caac8a44b81d30c287abca
                                          • Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                          • Instruction Fuzzy Hash: E1E08C3221025AABCF109E908C01EEB7B6CEB043A0F014433FD16EB051D230E8319BA8
                                          APIs
                                          • VirtualProtect.KERNELBASE(73AC505C,00000004,00000040,73AC504C), ref: 73AC2A9D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4129567152.0000000073AC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 73AC0000, based on PE: true
                                           • Associated: 00000000.00000002.4129552548.0000000073AC0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129578779.0000000073AC4000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129592945.0000000073AC6000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_73ac0000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          • Opcode ID: 87ad7aaabf7a98af40e8a8d394e2650e93202e277379ee9fe158561152ef162a
                                          • Instruction ID: ae5ae529543fb748e89696f328f30457cc865244fc91d50ed5b92d565e44232a
                                          • Opcode Fuzzy Hash: 87ad7aaabf7a98af40e8a8d394e2650e93202e277379ee9fe158561152ef162a
                                          • Instruction Fuzzy Hash: 49F0AEF2A44280DECF51EF2B84467293BF0FB68304BA4452BF59CDA285E7348046DF99
                                          APIs
                                          • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040244A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: PrivateProfileString
                                          • String ID:
                                          • API String ID: 1096422788-0
                                          • Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
                                          • Instruction ID: 53345aa50f94a5dbc05c73a67e8aa0b188b477950ab0ef6c1fe412bbc790425e
                                          • Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
                                          • Instruction Fuzzy Hash: E7E04F3180021AAADB00AFA0CE0ADAD3678AF00304F10493EF510BB0D1E7F889509759
                                          APIs
                                          • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,0040644F,?,?,?,?,Call,?,00000000), ref: 004063E5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          • Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                          • Instruction ID: e359b3f9d4e5954a9af9fcfc08987e0780d6658b6568ce36bf776d9a1ed3ba47
                                          • Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
                                          • Instruction Fuzzy Hash: 5AD0123210020DBBDF115F90AD01FAB771DAB08310F014826FE17E40D0D775D530A7A4
                                          APIs
                                          • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015D3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: 7eccfe31bafa3dcd48d048314c709a01750866e7234f026f470328f7be052334
                                          • Instruction ID: 2b9d1094eaa3a8f74ec8242088029bd2eb80cc7fbaada08ad61a8f4613916ca8
                                          • Opcode Fuzzy Hash: 7eccfe31bafa3dcd48d048314c709a01750866e7234f026f470328f7be052334
                                          • Instruction Fuzzy Hash: 8BD05B72B08101D7DB00DBE89B48A9E77609B50368B30C53BD111F11E4D6B8C555A71D
                                          APIs
                                          • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404531
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: f1c7da54befd6d6a563f00396e813b8d921f3a4fa707ebac73e9c93964ba1fa7
                                          • Instruction ID: 80e323bcaa4fb1d2d6ad7f8777a1edc32b6b0207238f0482179e9273dd0660e4
                                          • Opcode Fuzzy Hash: f1c7da54befd6d6a563f00396e813b8d921f3a4fa707ebac73e9c93964ba1fa7
                                          • Instruction Fuzzy Hash: 10C09BB57443007BDA149B509E45F17776467D4741F14C5797340F50F0C774E450D62C
                                          APIs
                                          • ShellExecuteExW.SHELL32(?), ref: 00405B89
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: ExecuteShell
                                          • String ID:
                                          • API String ID: 587946157-0
                                          • Opcode ID: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
                                          • Instruction ID: 080962bbef7e268e86b0d243ececfcd1ad47764945baea7f73af6130fa7b9bd6
                                          • Opcode Fuzzy Hash: accb29398adcd6f2598047f0fcddae8b07494e52d9cc9fcafc25c5f5f83f3143
                                          • Instruction Fuzzy Hash: A9C092F2100201EFE301CF80CB09F067BE8AF54306F028058E1899A060CB788800CB29
                                          APIs
                                          • SendMessageW.USER32(00000028,?,00000001,00404333), ref: 00404516
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: d8acea26a230a6f6dce64032923e754adb325d86aa568b2d6d5b5dd5df397682
                                          • Instruction ID: c6ab7f6cffe81da1172822363f1dd48ca364d348eecf8336b79a6db78a7c4a26
                                          • Opcode Fuzzy Hash: d8acea26a230a6f6dce64032923e754adb325d86aa568b2d6d5b5dd5df397682
                                          • Instruction Fuzzy Hash: 18B09235184A00ABDA515B00DE09F467B62E7A4701F008538B240640F0CBB200A0DB0A
                                          APIs
                                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403267,?), ref: 004034F5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: FilePointer
                                          • String ID:
                                          • API String ID: 973152223-0
                                          • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                          • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                                          • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                          • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                                          APIs
                                          • KiUserCallbackDispatcher.NTDLL(?,004042CC), ref: 004044FF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CallbackDispatcherUser
                                          • String ID:
                                          • API String ID: 2492992576-0
                                          • Opcode ID: c966d15b9c294ca5f877954a8561fb6b5762177598d7c32600178bcf5d115e9d
                                          • Instruction ID: b0a400b6fcb01754b069d8f8c1c9044561b78d1e04efb9d0fff21555a903a89e
                                          • Opcode Fuzzy Hash: c966d15b9c294ca5f877954a8561fb6b5762177598d7c32600178bcf5d115e9d
                                          • Instruction Fuzzy Hash: DFA00176444910ABDA02AB50EF0984ABB62FBE5701B519879A286510348B365820FB19
                                          APIs
                                            • Part of subcall function 004055D9: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000,?), ref: 00405611
                                            • Part of subcall function 004055D9: lstrlenW.KERNEL32(0040341A,Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,00000000,0079A700,74DF23A0,?,?,?,?,?,?,?,?,?,0040341A,00000000), ref: 00405621
                                            • Part of subcall function 004055D9: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,0040341A), ref: 00405634
                                            • Part of subcall function 004055D9: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll), ref: 00405646
                                            • Part of subcall function 004055D9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566C
                                            • Part of subcall function 004055D9: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405686
                                            • Part of subcall function 004055D9: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405694
                                            • Part of subcall function 00405B37: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4750,?,?,?,868,?), ref: 00405B60
                                            • Part of subcall function 00405B37: CloseHandle.KERNEL32(?,?,?,868,?), ref: 00405B6D
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010
                                            • Part of subcall function 004069F3: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406A04
                                            • Part of subcall function 004069F3: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A26
                                            • Part of subcall function 0040649B: wsprintfW.USER32 ref: 004064A8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                          • String ID:
                                          • API String ID: 2972824698-0
                                          • Opcode ID: 6a4a35ee59a0022a8f9558aa0da532edee76dee6ec420d45f67ada4f4d53e101
                                          • Instruction ID: 31278e7032d6d459f1869afa1fc16bf8b986fef5f9539014001fbe5517bff4f7
                                          • Opcode Fuzzy Hash: 6a4a35ee59a0022a8f9558aa0da532edee76dee6ec420d45f67ada4f4d53e101
                                          • Instruction Fuzzy Hash: 83F09672905511DBDB20BBA59A8999E7664DF0031CF21413FF202B25D5CABC4E41EA6E
                                          APIs
                                          • Sleep.KERNELBASE(00000000), ref: 004014EA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: b83d77026a0eef837aee2cf9f67490139d75f0ecd08a9ee5abe0a22eb8051c76
                                          • Instruction ID: e3f6ed4717897a2e6ecee164b05e04455bfe3191319e132c95f7d07364d35911
                                          • Opcode Fuzzy Hash: b83d77026a0eef837aee2cf9f67490139d75f0ecd08a9ee5abe0a22eb8051c76
                                          • Instruction Fuzzy Hash: 48D0A773A146008BD744EBB8BE8546F73E8FB903193204C3BD102E10E1E67CC911461C
                                          APIs
                                          • GetDlgItem.USER32(?,000003FB), ref: 00404A13
                                          • SetWindowTextW.USER32(00000000,?), ref: 00404A3D
                                          • SHBrowseForFolderW.SHELL32(?), ref: 00404AEE
                                          • CoTaskMemFree.OLE32(00000000), ref: 00404AF9
                                          • lstrcmpiW.KERNEL32(Call,007A1748,00000000,?,?), ref: 00404B2B
                                          • lstrcatW.KERNEL32(?,Call), ref: 00404B37
                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B49
                                            • Part of subcall function 00405B98: GetDlgItemTextW.USER32(?,?,00000400,00404B80), ref: 00405BAB
                                            • Part of subcall function 00406802: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406865
                                            • Part of subcall function 00406802: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406874
                                            • Part of subcall function 00406802: CharNextW.USER32(?,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406879
                                            • Part of subcall function 00406802: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 0040688C
                                          • GetDiskFreeSpaceW.KERNEL32(0079F718,?,?,0000040F,?,0079F718,0079F718,?,00000001,0079F718,?,?,000003FB,?), ref: 00404C0C
                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C27
                                            • Part of subcall function 00404D80: lstrlenW.KERNEL32(007A1748,007A1748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E21
                                            • Part of subcall function 00404D80: wsprintfW.USER32 ref: 00404E2A
                                            • Part of subcall function 00404D80: SetDlgItemTextW.USER32(?,007A1748), ref: 00404E3D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                          • String ID: A$C:\Users\user\AppData\Local\Temp\bygvrkerne\linda\balaamitical$Call
                                          • API String ID: 2624150263-294240499
                                          • Opcode ID: d546a645e60e6957f04ba02b6a3eb8270b6339cfa2b22d8784a61d082e69804a
                                          • Instruction ID: db18d61dd8e36d4389a3b44505c0f864e6ca322f8728bcf89e652d7f1c678b9a
                                          • Opcode Fuzzy Hash: d546a645e60e6957f04ba02b6a3eb8270b6339cfa2b22d8784a61d082e69804a
                                          • Instruction Fuzzy Hash: 25A185B1900208ABDB11AFA5DD45BEFB7B8EF84314F11403BF611B62D1D77C9A418B69
                                          APIs
                                          • GetDlgItem.USER32(?,000003F9), ref: 00404F58
                                          • GetDlgItem.USER32(?,00000408), ref: 00404F63
                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404FAD
                                          • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC4
                                          • SetWindowLongW.USER32(?,000000FC,0040554D), ref: 00404FDD
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF1
                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405003
                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00405019
                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405025
                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405037
                                          • DeleteObject.GDI32(00000000), ref: 0040503A
                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405065
                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405071
                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510C
                                          • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513C
                                            • Part of subcall function 00404508: SendMessageW.USER32(00000028,?,00000001,00404333), ref: 00404516
                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405150
                                          • GetWindowLongW.USER32(?,000000F0), ref: 0040517E
                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518C
                                          • ShowWindow.USER32(?,00000005), ref: 0040519C
                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405297
                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FC
                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405311
                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405335
                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405355
                                          • ImageList_Destroy.COMCTL32(?), ref: 0040536A
                                          • GlobalFree.KERNEL32(?), ref: 0040537A
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F3
                                          • SendMessageW.USER32(?,00001102,?,?), ref: 0040549C
                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AB
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004054D6
                                          • ShowWindow.USER32(?,00000000), ref: 00405524
                                          • GetDlgItem.USER32(?,000003FE), ref: 0040552F
                                          • ShowWindow.USER32(00000000), ref: 00405536
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                          • String ID: $M$N
                                          • API String ID: 2564846305-813528018
                                          • Opcode ID: 118804aa0d3f553a5cfa041bdbc592f4de402f04deb09a42b48635efc9d72333
                                          • Instruction ID: 3f60975f1bbea04172c566a814ac76c3bf8fe72ba7ce1bc18d7d222ec834a39f
                                          • Opcode Fuzzy Hash: 118804aa0d3f553a5cfa041bdbc592f4de402f04deb09a42b48635efc9d72333
                                          • Instruction Fuzzy Hash: B2027870900609AFDF20DF65DC85AAF7BB5FB85314F10816AFA10BA2E1D7798A41CF58
                                          APIs
                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404730
                                          • GetDlgItem.USER32(?,000003E8), ref: 00404744
                                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404761
                                          • GetSysColor.USER32(?), ref: 00404772
                                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404780
                                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040478E
                                          • lstrlenW.KERNEL32(?), ref: 00404793
                                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A0
                                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B5
                                          • GetDlgItem.USER32(?,0000040A), ref: 0040480E
                                          • SendMessageW.USER32(00000000), ref: 00404815
                                          • GetDlgItem.USER32(?,000003E8), ref: 00404840
                                          • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404883
                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00404891
                                          • SetCursor.USER32(00000000), ref: 00404894
                                          • LoadCursorW.USER32(00000000,00007F00), ref: 004048AD
                                          • SetCursor.USER32(00000000), ref: 004048B0
                                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048DF
                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                          • String ID: F@$Call$N
                                          • API String ID: 3103080414-3713480610
                                          • Opcode ID: cd157397fad3e9ba876edf76049899dad645a115876cfb537e4ce2c7fc417499
                                          • Instruction ID: 45fb83ade45cfc86163e6b15eb7062ba83955ff26de70ff6e3d1e782862a206c
                                          • Opcode Fuzzy Hash: cd157397fad3e9ba876edf76049899dad645a115876cfb537e4ce2c7fc417499
                                          • Instruction Fuzzy Hash: 1861A2B1900209BFDF10AF60DD85A6A7B69FB85314F00843AF705B62E0C778AD51CFA9
                                          APIs
                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406335,?,?), ref: 004061D5
                                          • GetShortPathNameW.KERNEL32(?,007A4DE8,00000400), ref: 004061DE
                                            • Part of subcall function 00405FA9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB9
                                            • Part of subcall function 00405FA9: lstrlenA.KERNEL32(00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEB
                                          • GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 004061FB
                                          • wsprintfA.USER32 ref: 00406219
                                          • GetFileSize.KERNEL32(00000000,00000000,007A55E8,C0000000,00000004,007A55E8,?,?,?,?,?), ref: 00406254
                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406263
                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629B
                                          • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A49E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F1
                                          • GlobalFree.KERNEL32(00000000), ref: 00406302
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406309
                                            • Part of subcall function 00406044: GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,80000000,00000003), ref: 00406048
                                            • Part of subcall function 00406044: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                          • String ID: %ls=%ls$[Rename]$Mz$Uz$Uz
                                          • API String ID: 2171350718-3350566011
                                          • Opcode ID: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
                                          • Instruction ID: b6cadbeacbe634b6bd87c882f2c351c0ea44a21df7cd689b804f2f2a1cba60a5
                                          • Opcode Fuzzy Hash: a33c05bce7c125d61af8aa6c61577077044d65e406db0fd5498825754e73940b
                                          • Instruction Fuzzy Hash: 2F313770600715BBD2206B658D49F6B3A5CDF82714F16003EFE02F72D2DA7D982486BD
                                          APIs
                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                          • BeginPaint.USER32(?,?), ref: 00401047
                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                          • DeleteObject.GDI32(?), ref: 004010ED
                                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                          • DrawTextW.USER32(00000000,007A7260,000000FF,00000010,00000820), ref: 00401156
                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                          • DeleteObject.GDI32(?), ref: 00401165
                                          • EndPaint.USER32(?,?), ref: 0040116E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                          • String ID: F
                                          • API String ID: 941294808-1304234792
                                          • Opcode ID: 0065e8d55c47ea3cbcda8c109104f1eee6ee8d4d6af800c5cfa02106002edbf4
                                          • Instruction ID: f4bc5d4286e22692ddece56c15c19c5fca937d6aefcb7484b61e28148d91a738
                                          • Opcode Fuzzy Hash: 0065e8d55c47ea3cbcda8c109104f1eee6ee8d4d6af800c5cfa02106002edbf4
                                          • Instruction Fuzzy Hash: 3F418A71804209AFCF058FA5CE459BFBBB9FF45314F00802EF591AA1A0CB389A55DFA4
                                          APIs
                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
                                          • MulDiv.KERNEL32(00093BE4,00000064,00093BE8), ref: 00403001
                                          • wsprintfW.USER32 ref: 00403011
                                          • SetWindowTextW.USER32(?,?), ref: 00403021
                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Text$ItemTimerWindowwsprintf
                                          • String ID: verifying installer: %d%%$;$;
                                          • API String ID: 1451636040-142298927
                                          • Opcode ID: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
                                          • Instruction ID: 52c7d57b2d50c4e26d0c42f1be749ca1a93388b8845742b28701603c77c86054
                                          • Opcode Fuzzy Hash: c24f39b73ea1f3b51e5f33cc7d94247a9242632f843dd5f1d8eee7270cd10b93
                                          • Instruction Fuzzy Hash: 89016270640209BBEF209F60DD4AFEE3B79EB04344F10803AFA02B51D0DBB99A559F58
                                          APIs
                                          • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406865
                                          • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406874
                                          • CharNextW.USER32(?,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00406879
                                          • CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040350A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 0040688C
                                          Strings
                                          • "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe", xrefs: 00406846
                                          • *?|<>/":, xrefs: 00406854
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00406803
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Char$Next$Prev
                                          • String ID: "C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 589700163-2531517970
                                          • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                          • Instruction ID: 8a5b279eb1c6e0cea376d4f623a12da6f674b8daf8575b9a92ef11e753d0d18b
                                          • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                          • Instruction Fuzzy Hash: D111B66780121299DB303B158C44AB766E8EF54794F52C03FED8A732C0E77C4C9286AD
                                          APIs
                                          • GetWindowLongW.USER32(?,000000EB), ref: 00404557
                                          • GetSysColor.USER32(00000000), ref: 00404595
                                          • SetTextColor.GDI32(?,00000000), ref: 004045A1
                                          • SetBkMode.GDI32(?,?), ref: 004045AD
                                          • GetSysColor.USER32(?), ref: 004045C0
                                          • SetBkColor.GDI32(?,?), ref: 004045D0
                                          • DeleteObject.GDI32(?), ref: 004045EA
                                          • CreateBrushIndirect.GDI32(?), ref: 004045F4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                          • String ID:
                                          • API String ID: 2320649405-0
                                          • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                          • Instruction ID: 9e725ab64d6b149d2d2f876944178e70108deb967c5ff43b0f72f150d1bef9aa
                                          • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                          • Instruction Fuzzy Hash: DA2177B1500704AFCB309F78DD18B5BBBF4BF41710B04892EEA96A22E0D739E944CB54
                                          APIs
                                          • GlobalFree.KERNEL32(00000000), ref: 73AC25C2
                                            • Part of subcall function 73AC12CC: lstrcpynW.KERNEL32(00000000,?,73AC137F,00000019,73AC11CA,-000000A0), ref: 73AC12DC
                                          • GlobalAlloc.KERNEL32(00000040), ref: 73AC2548
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 73AC2563
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4129567152.0000000073AC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 73AC0000, based on PE: true
                                          • Associated: 00000000.00000002.4129552548.0000000073AC0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000000.00000002.4129578779.0000000073AC4000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000000.00000002.4129592945.0000000073AC6000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_73ac0000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                          • String ID: @Hmu
                                          • API String ID: 4216380887-887474944
                                          • Opcode ID: 94d46913132798f4c0473e38e004ffc557cdc11e19b5235203a85ce6f4644d14
                                          • Instruction ID: 6d302886ea3c55939b845d1fa3dfdc612e0e814f5440c55dca3ebf57ac88314f
                                          • Opcode Fuzzy Hash: 94d46913132798f4c0473e38e004ffc557cdc11e19b5235203a85ce6f4644d14
                                          • Instruction Fuzzy Hash: C841E2B110438DDFEB15EF29D942B6677B8FB98310F10492FE44A86289EB38E545CB61
                                          APIs
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EA9
                                          • GetMessagePos.USER32 ref: 00404EB1
                                          • ScreenToClient.USER32(?,?), ref: 00404ECB
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EDD
                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F03
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Message$Send$ClientScreen
                                          • String ID: f
                                          • API String ID: 41195575-1993550816
                                          • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                          • Instruction ID: 20ba1dd8c6eb147b8de8e184d932bb38cbf2a2b27d4ef3642ae6e6b093867634
                                          • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                          • Instruction Fuzzy Hash: D6015E72900219BADB00DB95DD85FFEBBBCAF95711F10412BBB51B61D0C7B49A018BA4
                                          APIs
                                          • GetDC.USER32(?), ref: 00401E76
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
                                          • ReleaseDC.USER32(?,00000000), ref: 00401EA9
                                          • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401EF8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                          • String ID: Times New Roman
                                          • API String ID: 3808545654-927190056
                                          • Opcode ID: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
                                          • Instruction ID: 03fa82d4c3f414405e360d431a269216209ac9bc2718b2d324fdabe448a9bb24
                                          • Opcode Fuzzy Hash: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
                                          • Instruction Fuzzy Hash: 28018471954250EFEB015BB4AE89BDD3FB4AF59301F10497AF142BA1E2CAB90444DB3D
                                          APIs
                                            • Part of subcall function 73AC12BB: GlobalAlloc.KERNEL32(00000040,?,73AC12DB,?,73AC137F,00000019,73AC11CA,-000000A0), ref: 73AC12C5
                                          • GlobalFree.KERNEL32(?), ref: 73AC2743
                                          • GlobalFree.KERNEL32(00000000), ref: 73AC2778
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4129567152.0000000073AC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 73AC0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_73ac0000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Global$Free$Alloc
                                          • String ID:
                                          • API String ID: 1780285237-0
                                          • Opcode ID: 33f68150e5155cf85d069975bd1db510147ce2f4edaafabe07a0abe3a11fc129
                                          • Instruction ID: b3098d7363a7a3f6bda7f10d5a7abb8d578373c29147eb50f2f4c28cfc8889f3
                                          • Opcode Fuzzy Hash: 33f68150e5155cf85d069975bd1db510147ce2f4edaafabe07a0abe3a11fc129
                                          • Instruction Fuzzy Hash: 0A31CF76604189DFDF179F55CAC6F2A7BBBFB8A304324452EF10683668CB34D8068B61
                                          APIs
                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
                                          • GlobalFree.KERNEL32(?), ref: 00402A2B
                                          • GlobalFree.KERNEL32(00000000), ref: 00402A3E
                                          • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
                                          • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Global$AllocFree$CloseDeleteFileHandle
                                          • String ID:
                                          • API String ID: 2667972263-0
                                          • Opcode ID: f8901aaeb9f2a00daffea08b67dde5f98bd57e3c49cf530dd80c48c95695eb95
                                          • Instruction ID: 5c013e3641f51b8511de27967d5ac64a9b846b719b0e1cdf51d049a21d65d460
                                          • Opcode Fuzzy Hash: f8901aaeb9f2a00daffea08b67dde5f98bd57e3c49cf530dd80c48c95695eb95
                                          • Instruction Fuzzy Hash: 3D31B171D00128BBCF21AFA5CE4999E7E79AF45324F10423AF511762E1CB794D419F98
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4129567152.0000000073AC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 73AC0000, based on PE: true
                                           • Associated: 00000000.00000002.4129552548.0000000073AC0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129578779.0000000073AC4000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129592945.0000000073AC6000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_73ac0000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: FreeGlobal
                                          • String ID:
                                          • API String ID: 2979337801-0
                                          • Opcode ID: 0f1e3a9cdd31fcba2f09a301caeca97f533bb524f98172647ac34febe8552492
                                          • Instruction ID: 0ad2464cb5b308cba590b4a0fc3732473a6e452daca00059e296b44595a9f6b6
                                          • Opcode Fuzzy Hash: 0f1e3a9cdd31fcba2f09a301caeca97f533bb524f98172647ac34febe8552492
                                          • Instruction Fuzzy Hash: 8951C332F00199ABDF029FA485437ADBBBAEF48308F14815FD406A339CE675E9458B91
                                          APIs
                                          • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CloseEnum$DeleteValue
                                          • String ID:
                                          • API String ID: 1354259210-0
                                          • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                          • Instruction ID: 9b286c5d8e76f57eb0c9cc6cf8757f48d710680964e76fdf16ae971aa0981de0
                                          • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                          • Instruction Fuzzy Hash: 64215A7150010ABFDF129F90CE89EEF7A7DEB14398F110076B909B21A0D7B48E54AA64
                                          APIs
                                          • GetDlgItem.USER32(?,?), ref: 00401DBF
                                          • GetClientRect.USER32(?,?), ref: 00401E0A
                                          • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
                                          • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
                                          • DeleteObject.GDI32(00000000), ref: 00401E5E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                          • String ID:
                                          • API String ID: 1849352358-0
                                          • Opcode ID: f9512a0e8a514307da24a6b29ff575f3dda491a4b437724600ff434ac20b261f
                                          • Instruction ID: bf706e621430f2b8e1e8296bf8ea73d697ba0e02d4cfc8f60e3200fcd9798b2c
                                          • Opcode Fuzzy Hash: f9512a0e8a514307da24a6b29ff575f3dda491a4b437724600ff434ac20b261f
                                          • Instruction Fuzzy Hash: 57212A72904119AFCB05DF94DE45AEEBBB5EB08300F14403AF945F62A0DB389D81DB98
                                          APIs
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,73AC22D8,?,00000808), ref: 73AC16D5
                                          • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,73AC22D8,?,00000808), ref: 73AC16DC
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,73AC22D8,?,00000808), ref: 73AC16F0
                                          • GetProcAddress.KERNEL32(73AC22D8,00000000), ref: 73AC16F7
                                          • GlobalFree.KERNEL32(00000000), ref: 73AC1700
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4129567152.0000000073AC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 73AC0000, based on PE: true
                                           • Associated: 00000000.00000002.4129552548.0000000073AC0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129578779.0000000073AC4000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129592945.0000000073AC6000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_73ac0000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                          • String ID:
                                          • API String ID: 1148316912-0
                                          • Opcode ID: 8ab4508b21f5e3813c6f025136fce55d0a3d36ae8a8d6273e420267e90e02255
                                          • Instruction ID: 5c44f8dfe1ad575b7a64f371ff90cdd140b9c840f4b4f80fc4bf37d7aec5b834
                                          • Opcode Fuzzy Hash: 8ab4508b21f5e3813c6f025136fce55d0a3d36ae8a8d6273e420267e90e02255
                                          • Instruction Fuzzy Hash: FEF08C332061387BC62126A78C0CDABBF9DEF8B2F5B210211F22C92190C6254C02C7F5
                                          APIs
                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: MessageSend$Timeout
                                          • String ID: !
                                          • API String ID: 1777923405-2657877971
                                          • Opcode ID: c23d5500826537fa29cebf8011e108a036ebafb4b175d524911a422f69a294dc
                                          • Instruction ID: 31ba3c168d84f0c85bcad1357d39928db2ba622a9cc012c1a012c7db44d830b4
                                          • Opcode Fuzzy Hash: c23d5500826537fa29cebf8011e108a036ebafb4b175d524911a422f69a294dc
                                          • Instruction Fuzzy Hash: 66218071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF505B61D0D7B88941DB98
                                          APIs
                                          • lstrlenW.KERNEL32(007A1748,007A1748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E21
                                          • wsprintfW.USER32 ref: 00404E2A
                                          • SetDlgItemTextW.USER32(?,007A1748), ref: 00404E3D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: ItemTextlstrlenwsprintf
                                          • String ID: %u.%u%s%s
                                          • API String ID: 3540041739-3551169577
                                          • Opcode ID: 21d04326a64a20976fb5de8d07180004ad871368d5848da8d0db5094891019e4
                                          • Instruction ID: afd2be291b2a15d2af8ae11ee91158e81c8ac3063311500d61ab43a3e8b0c9b4
                                          • Opcode Fuzzy Hash: 21d04326a64a20976fb5de8d07180004ad871368d5848da8d0db5094891019e4
                                          • Instruction Fuzzy Hash: 6F11E77360423837DB10996D9C45E9E3298DF85374F254237FA66F31D1EA79DC2182E8
                                          APIs
                                            • Part of subcall function 00406554: lstrcpynW.KERNEL32(?,?,00000400,004036A1,007A7260,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406561
                                            • Part of subcall function 00405ECE: CharNextW.USER32(?,?,007A3F50,?,00405F42,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"), ref: 00405EDC
                                            • Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EE1
                                            • Part of subcall function 00405ECE: CharNextW.USER32(00000000), ref: 00405EF9
                                          • lstrlenW.KERNEL32(007A3F50,00000000,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe"), ref: 00405F84
                                          • GetFileAttributesW.KERNEL32(007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,007A3F50,00000000,007A3F50,007A3F50,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C80,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F94
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\$P?z
                                          • API String ID: 3248276644-3492887852
                                          • Opcode ID: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
                                          • Instruction ID: f4f6e0775867387827aab8404002f3e8856b431f62ec50d584846b16db6dccac
                                          • Opcode Fuzzy Hash: bcbf200ecc0ebcd9a110e0aedcb8263399075ff3aca88ce7f3d60eb64f48f27a
                                          • Instruction Fuzzy Hash: 9BF02D36105E5319D62273365C09AAF1544CF86358709057BF852B12D5CF3C8A53CC7E
                                          APIs
                                          • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405E29
                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403819,?,00000008,0000000A,0000000C), ref: 00405E33
                                          • lstrcatW.KERNEL32(?,0040A014), ref: 00405E45
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E23
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CharPrevlstrcatlstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 2659869361-3081826266
                                          • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                          • Instruction ID: d63f260b1a4b66e3edf6d37d75e222a08c60d96d58f132ba82df153afabc7d48
                                          • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                          • Instruction Fuzzy Hash: EDD0A771101534BAC212AB54AC04CDF73ACAF46344342403BF541B30A5C77C5D5187FD
                                          APIs
                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 73AC1171
                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 73AC11E3
                                          • GlobalFree.KERNEL32 ref: 73AC124A
                                          • GlobalFree.KERNEL32(?), ref: 73AC129B
                                          • GlobalFree.KERNEL32(00000000), ref: 73AC12B1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4129567152.0000000073AC1000.00000020.00000001.01000000.00000009.sdmp, Offset: 73AC0000, based on PE: true
                                           • Associated: 00000000.00000002.4129552548.0000000073AC0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129578779.0000000073AC4000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000000.00000002.4129592945.0000000073AC6000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_73ac0000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Global$Free$Alloc
                                          • String ID:
                                          • API String ID: 1780285237-0
                                          • Opcode ID: b91a7d8f638cc0d130d2a24f8324fb527e8b1cd4af2c1431303311083ba6cb16
                                          • Instruction ID: 81879a22a6ce0aaaa6e7b24f00ce70f5d51cc0a9dbe5941e703908c0b5155397
                                          • Opcode Fuzzy Hash: b91a7d8f638cc0d130d2a24f8324fb527e8b1cd4af2c1431303311083ba6cb16
                                          • Instruction Fuzzy Hash: 93519FBA600341DFEB05EF6AC986B2577F8FB09315B14412AF90ADB358EB38D901CB54
                                          APIs
                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll), ref: 004026BA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: lstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp$C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll
                                          • API String ID: 1659193697-3747480807
                                          • Opcode ID: 9b1e63793fec7cddd71c9e4d09a620ca33840b4aa6a8db6fbdf3e38666f13665
                                          • Instruction ID: 017f71272b68274a12e342b3970613002fe1d3414b89f7e2a3fd3533f9475010
                                          • Opcode Fuzzy Hash: 9b1e63793fec7cddd71c9e4d09a620ca33840b4aa6a8db6fbdf3e38666f13665
                                          • Instruction Fuzzy Hash: C7110D72A10206BBCB00BBB19F46AAE7B616F51748F20843FF502F61D1DAFD8851631E
                                          APIs
                                          • DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
                                          • GetTickCount.KERNEL32 ref: 0040306F
                                          • CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
                                          • ShowWindow.USER32(00000000,00000005), ref: 0040309A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                          • String ID:
                                          • API String ID: 2102729457-0
                                          • Opcode ID: 69c8c07bcb791fb785738829cd10c29190a6685c9026359a959baa5e0d41d55b
                                          • Instruction ID: 04dff40eaa5975d4421a2039d3eb5be5080597dcfa90b8d0ab21d67e5ec7c10f
                                          • Opcode Fuzzy Hash: 69c8c07bcb791fb785738829cd10c29190a6685c9026359a959baa5e0d41d55b
                                          • Instruction Fuzzy Hash: BFF05430406621AFC6616F50FD08A9B7B69FB45B12B45843BF145F11E8C73C48818B9D
                                          APIs
                                          • IsWindowVisible.USER32(?), ref: 0040557C
                                          • CallWindowProcW.USER32(?,?,?,?), ref: 004055CD
                                            • Part of subcall function 0040451F: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404531
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Window$CallMessageProcSendVisible
                                          • String ID:
                                          • API String ID: 3748168415-3916222277
                                          • Opcode ID: 1c6db2fb8bf2a941a381235c92e780c462a7a47fd759007b21bb5a8fe18e5fa5
                                          • Instruction ID: 8cb385540c394feb6b7acedb458c1b163c7bd0e2eecbca803c6ec6ccc0281e24
                                          • Opcode Fuzzy Hash: 1c6db2fb8bf2a941a381235c92e780c462a7a47fd759007b21bb5a8fe18e5fa5
                                          • Instruction Fuzzy Hash: 68017C71101609FBEF205F11DD84A9B3A2BEBC4754F20403BFA05761D5D73A8D929E6D
                                          APIs
                                          • FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B69,00403A7F,?,?,00000008,0000000A,0000000C), ref: 00403BAB
                                          • GlobalFree.KERNEL32(00A05C00), ref: 00403BB2
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B91
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: Free$GlobalLibrary
                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 1100898210-3081826266
                                          • Opcode ID: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
                                          • Instruction ID: b7081a2a86391088548fef66407111aafa244a1a89fd4905b066b82f00895e7d
                                          • Opcode Fuzzy Hash: 00efa9c9f1272b7cc7d931f24958e2d47b6ee42ce3838b547fcba19599468942
                                          • Instruction Fuzzy Hash: 59E0C23340053057CB211F45ED04B1AB778AF95B26F09807BE940BB2618BBC2C438FC8
                                          APIs
                                          • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,80000000,00000003), ref: 00405E75
                                          • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,80000000,00000003), ref: 00405E85
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: CharPrevlstrlen
                                          • String ID: C:\Users\user\Desktop
                                          • API String ID: 2709904686-224404859
                                          • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                          • Instruction ID: e625fb8110be14d05545ed3956eb9dcd351d24123ebbdb87cfc6543e98ba95a5
                                          • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                          • Instruction Fuzzy Hash: 27D05EB3400920AAC312A704DD00DAF73A8EF523447464466F881A71A5D7785D8186EC
                                          APIs
                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB9
                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD1
                                          • CharNextA.USER32(00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE2
                                          • lstrlenA.KERNEL32(00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4124937507.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4124923321.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124952362.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.0000000000789000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007A5000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4124967068.00000000007D1000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4125374081.00000000007D7000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_Thermo Fisher RFQ_TFS-1207.jbxd
                                          Similarity
                                          • API ID: lstrlen$CharNextlstrcmpi
                                          • String ID:
                                          • API String ID: 190613189-0
                                          • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                          • Instruction ID: 0ddac3552a90187c63c7b8d1f8650bd486a880c4da7af56fddea67c471c8745b
                                          • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                          • Instruction Fuzzy Hash: 5AF09631104515FFCB029FA5DE04D9FBBA8EF05350B2540B9F880F7250D678DE01ABA9
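The API records in this section are the NSIS installer stub and its plugin at work: the per-run plugin directory nsqF0F3.tmp under %TEMP%, the System.dll plugin loaded from it (the plugin that lets an NSIS script call arbitrary Win32 APIs), and the `[Rename]` string that the stub searches for in wininit.ini when handling a file rename on reboot (hence the lstrlenA/lstrcmpiA/CharNextA loop at 00405FB9). The following is an added example, not Joe Sandbox's tooling or part of the report, that parses bullet lines in the shape used above into API calls and pulls out the indicators a responder would pivot on. The sample lines are copied from this section's records (a constructed subset, not the complete data); the `ns<letter><hex>.tmp` directory-name pattern is an assumption based on how NSIS names its temporary plugin directory.

```python
"""Parse Joe Sandbox 'APIs' records and extract NSIS installer-stub indicators.

Added example, not Joe Sandbox's code. SAMPLE_RECORDS is a constructed subset of
the records shown in this section, plus one non-record line to show it is skipped.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_RECORDS = r"""
• lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsqF0F3.tmp\System.dll), ref: 004026BA
• GlobalAlloc.KERNEL32(00000040,?), ref: 73AC1171
• GlobalFree.KERNEL32 ref: 73AC124A
• FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B69,00403A7F,?,?,00000008,0000000A,0000000C), ref: 00403BAB
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040628E,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB9
• lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,C:\Users\user\Desktop\Thermo Fisher RFQ_TFS-1207.com.exe,80000000,00000003), ref: 00405E75
  • Part of subcall function 0040451F: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404531
Memory Dump Source
"""

# One record line: optional bullet, optional "Part of subcall function XXXXXXXX:" prefix,
# Api.MODULE, an optional "(args)," list (GlobalFree.KERNEL32 ref: ... has none), "ref: addr".
API_LINE = re.compile(
    r"^\s*•?\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\),)?"
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
WIN_PATH = re.compile(r"[A-Za-z]:\\")  # an argument that is a drive-rooted Windows path
# Assumed NSIS naming: "ns" + one letter + 1-4 hex digits + ".tmp", e.g. nsqF0F3.tmp above.
NSIS_TMPDIR = re.compile(r"(?:^|\\)(ns[A-Za-z][0-9A-Fa-f]{1,4}\.tmp)(?:\\|$)")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    parent: Optional[int] = None  # set when the report marks the line "Part of subcall function"

    @property
    def name(self) -> str:
        return f"{self.module}!{self.api}"


@dataclass
class Summary:
    calls: list
    paths: list          # unique drive-rooted paths, in first-seen order
    nsis_tmpdirs: list   # NSIS plugin directory names found inside those paths
    nsis_system_dll: bool
    rename_marker: bool
    api_counts: Counter


def parse_calls(text: str) -> list:
    """Turn record lines into ApiCall objects; lines that are not calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headers such as "Memory Dump Source" are not calls
        raw = m.group("args")
        args = raw.split(",") if raw else []  # arguments in these records contain no commas
        parent = m.group("parent")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16),
                             int(parent, 16) if parent else None))
    return calls


def summarize(text: str) -> Summary:
    """Collect paths, NSIS plugin-directory names, the System.dll plugin and '[Rename]'."""
    calls = parse_calls(text)
    paths, tmpdirs, rename = [], [], False
    for call in calls:
        for arg in call.args:
            if arg == "[Rename]":
                rename = True
            elif WIN_PATH.match(arg) and arg not in paths:
                paths.append(arg)
                m = NSIS_TMPDIR.search(arg)
                if m and m.group(1) not in tmpdirs:
                    tmpdirs.append(m.group(1))
    system_dll = any(
        p.lower().endswith("\\system.dll") and any(d.lower() in p.lower() for d in tmpdirs)
        for p in paths
    )
    return Summary(calls, paths, tmpdirs, system_dll, rename, Counter(c.name for c in calls))


def indicators(s: Summary) -> list:
    """Triage lines a responder can paste into a case note."""
    out = [f"NSIS per-run plugin directory: %TEMP%\\{d}" for d in s.nsis_tmpdirs]
    if s.nsis_system_dll:
        out.append("NSIS System.dll plugin loaded from the plugin directory "
                   "(lets the install script call arbitrary Win32 APIs)")
    if s.rename_marker:
        out.append("'[Rename]' string present: NSIS stub wininit.ini reboot-rename handling")
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_RECORDS)
    print(f"{len(s.calls)} calls, {len(s.paths)} paths, top APIs: {s.api_counts.most_common(3)}")
    for line in indicators(s):
        print(" -", line)
```

The parser keys on the `ref:` address rather than on the bullet so that the indented "Part of subcall function" lines are captured with their parent, and it records a call with no argument list (the bare `GlobalFree.KERNEL32 ref:` form) as an empty argument list rather than dropping it. Run it over a full export of the records to get the complete path list; the plugin-directory name is randomized per run, so pivot on the `%TEMP%\ns?????.tmp\System.dll` shape rather than on nsqF0F3 itself.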