Analysis Report Sleaford Medical Group.exe

Overview

General Information

Sample Name:	Sleaford Medical Group.exe
Analysis ID:	358420
MD5:	dde7e39d025b75849184c077517030ae
SHA1:	6350e468239b6099421676fb6ff289a27f8cda5a
SHA256:	ba1ae604539b6cde921342baaceb3eb82149b0f15c369b77020b38254a586629
Tags:	GuLoader
Infos:
Most interesting Screenshot:

Detection

FormBook GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Yara detected Generic Dropper

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Creates autostart registry keys with suspicious values (likely registry only malware)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe

ReversingLabs: Detection: 10%

Multi AV Scanner detection for submitted file

Source: Sleaford Medical Group.exe	Virustotal: Detection: 47%			Perma Link
Source: Sleaford Medical Group.exe	ReversingLabs: Detection: 10%

Yara detected FormBook

Source: Yara match	File source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Sleaford Medical Group.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 22.3.Sleaford Medical Group.exe.8cfbb0.0.unpack

Avira: Label: TR/Patched.Gen

Compliance:

Uses 32bit PE files

Source: Sleaford Medical Group.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 159.203.144.58:443 -> 192.168.2.3:49734 version: TLS 1.2

Binary contains paths to debug symbols

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000018.00000000.528248843.000000000E1C0000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Sleaford Medical Group.exe, 00000016.00000003.497880207.000000001E1D0000.00000004.00000001.sdmp, help.exe, 0000001C.00000002.734476074.00000000038BF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Sleaford Medical Group.exe, help.exe
Source:	Binary string: help.pdbGCTL source: Sleaford Medical Group.exe, 00000016.00000002.558311091.00000000000D0000.00000040.00000001.sdmp
Source:	Binary string: help.pdb source: Sleaford Medical Group.exe, 00000016.00000002.558311091.00000000000D0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000018.00000000.528248843.000000000E1C0000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\help.exe

Code function: 4x nop then pop esi

28_2_02ED72E0

Networking:

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /twy/?pPX=elx0UibK+4/Nbm+qsvCMZ/KEfRavAHzyccJHHIU1h6WwAO+M5fT0/YOmYv0X1fYwTcwa&Hp=V6AHd0O0h HTTP/1.1Host: www.landingberg.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

Source: unknown

DNS traffic detected: queries for: 01677937777.burrow.io

Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: explorer.exe, 00000018.00000003.559663205.000000000F57C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Sleaford Medical Group.exe, 00000016.00000002.566373992.0000000000870000.00000004.00000020.sdmp	String found in binary or memory: https://01677937777.burrow.io/XzsF
Source: Sleaford Medical Group.exe	String found in binary or memory: https://01677937777.burrow.io/spark/binwhyte_utZnZr121.bin
Source: Sleaford Medical Group.exe, 00000016.00000002.565857663.0000000000858000.00000004.00000020.sdmp	String found in binary or memory: https://01677937777.burrow.io/spark/binwhyte_utZnZr121.bin38
Source: Sleaford Medical Group.exe, 00000016.00000002.566373992.0000000000870000.00000004.00000020.sdmp	String found in binary or memory: https://01677937777.burrow.io/spark/binwhyte_utZnZr121.binT
Source: Sleaford Medical Group.exe, 00000016.00000002.566373992.0000000000870000.00000004.00000020.sdmp	String found in binary or memory: https://01677937777.burrow.io/uzTF
Source: help.exe, 0000001C.00000002.736924910.00000000041BF000.00000004.00000001.sdmp	String found in binary or memory: https://www.landingberg.com/twy/?pPX=elx0UibK

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown

HTTPS traffic detected: 159.203.144.58:443 -> 192.168.2.3:49734 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: Sleaford Medical Group.exe, 00000000.00000002.459341616.000000000067A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.731169512.000000000333D000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000001C.00000002.736741312.0000000003CCF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe	Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9660 NtAllocateVirtualMemory,LdrInitializeThunk,	22_2_1E3D9660
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D96E0 NtFreeVirtualMemory,LdrInitializeThunk,	22_2_1E3D96E0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9710 NtQueryInformationToken,LdrInitializeThunk,	22_2_1E3D9710
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D97A0 NtUnmapViewOfSection,LdrInitializeThunk,	22_2_1E3D97A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9780 NtMapViewOfSection,LdrInitializeThunk,	22_2_1E3D9780
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9540 NtReadFile,LdrInitializeThunk,	22_2_1E3D9540
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D95D0 NtClose,LdrInitializeThunk,	22_2_1E3D95D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9A20 NtResumeThread,LdrInitializeThunk,	22_2_1E3D9A20
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9A00 NtProtectVirtualMemory,LdrInitializeThunk,	22_2_1E3D9A00
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9A50 NtCreateFile,LdrInitializeThunk,	22_2_1E3D9A50
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9860 NtQuerySystemInformation,LdrInitializeThunk,	22_2_1E3D9860
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9840 NtDelayExecution,LdrInitializeThunk,	22_2_1E3D9840
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D98F0 NtReadVirtualMemory,LdrInitializeThunk,	22_2_1E3D98F0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	22_2_1E3D9910
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D99A0 NtCreateSection,LdrInitializeThunk,	22_2_1E3D99A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9610 NtEnumerateValueKey,	22_2_1E3D9610
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9670 NtQueryInformationProcess,	22_2_1E3D9670
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9650 NtQueryValueKey,	22_2_1E3D9650
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D96D0 NtCreateKey,	22_2_1E3D96D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9730 NtQueryVirtualMemory,	22_2_1E3D9730
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3DA710 NtOpenProcessToken,	22_2_1E3DA710
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3DA770 NtOpenThread,	22_2_1E3DA770
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9770 NtSetInformationFile,	22_2_1E3D9770
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9760 NtOpenProcess,	22_2_1E3D9760
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9FE0 NtCreateMutant,	22_2_1E3D9FE0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3DAD30 NtSetContextThread,	22_2_1E3DAD30
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9520 NtWaitForSingleObject,	22_2_1E3D9520
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9560 NtWriteFile,	22_2_1E3D9560
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D95F0 NtQueryInformationFile,	22_2_1E3D95F0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9A10 NtQuerySection,	22_2_1E3D9A10
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9A80 NtOpenDirectoryObject,	22_2_1E3D9A80
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9B00 NtSetValueKey,	22_2_1E3D9B00
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3DA3B0 NtGetContextThread,	22_2_1E3DA3B0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9820 NtEnumerateKey,	22_2_1E3D9820
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3DB040 NtSuspendThread,	22_2_1E3DB040
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D98A0 NtWriteVirtualMemory,	22_2_1E3D98A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9950 NtQueueApcThread,	22_2_1E3D9950
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D99D0 NtCreateProcessEx,	22_2_1E3D99D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00566BBD NtProtectVirtualMemory,	22_2_00566BBD
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809A50 NtCreateFile,LdrInitializeThunk,	28_2_03809A50
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038099A0 NtCreateSection,LdrInitializeThunk,	28_2_038099A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809910 NtAdjustPrivilegesToken,LdrInitializeThunk,	28_2_03809910
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809840 NtDelayExecution,LdrInitializeThunk,	28_2_03809840
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809860 NtQuerySystemInformation,LdrInitializeThunk,	28_2_03809860
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809780 NtMapViewOfSection,LdrInitializeThunk,	28_2_03809780
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809FE0 NtCreateMutant,LdrInitializeThunk,	28_2_03809FE0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809710 NtQueryInformationToken,LdrInitializeThunk,	28_2_03809710
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038096D0 NtCreateKey,LdrInitializeThunk,	28_2_038096D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038096E0 NtFreeVirtualMemory,LdrInitializeThunk,	28_2_038096E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809650 NtQueryValueKey,LdrInitializeThunk,	28_2_03809650
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809660 NtAllocateVirtualMemory,LdrInitializeThunk,	28_2_03809660
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038095D0 NtClose,LdrInitializeThunk,	28_2_038095D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809540 NtReadFile,LdrInitializeThunk,	28_2_03809540
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0380A3B0 NtGetContextThread,	28_2_0380A3B0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809B00 NtSetValueKey,	28_2_03809B00
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809A80 NtOpenDirectoryObject,	28_2_03809A80
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809A00 NtProtectVirtualMemory,	28_2_03809A00
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809A10 NtQuerySection,	28_2_03809A10
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809A20 NtResumeThread,	28_2_03809A20
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038099D0 NtCreateProcessEx,	28_2_038099D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809950 NtQueueApcThread,	28_2_03809950
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038098A0 NtWriteVirtualMemory,	28_2_038098A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038098F0 NtReadVirtualMemory,	28_2_038098F0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809820 NtEnumerateKey,	28_2_03809820
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0380B040 NtSuspendThread,	28_2_0380B040
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038097A0 NtUnmapViewOfSection,	28_2_038097A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0380A710 NtOpenProcessToken,	28_2_0380A710
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809730 NtQueryVirtualMemory,	28_2_03809730
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809760 NtOpenProcess,	28_2_03809760
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0380A770 NtOpenThread,	28_2_0380A770
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809770 NtSetInformationFile,	28_2_03809770
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809610 NtEnumerateValueKey,	28_2_03809610
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809670 NtQueryInformationProcess,	28_2_03809670
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038095F0 NtQueryInformationFile,	28_2_038095F0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809520 NtWaitForSingleObject,	28_2_03809520
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0380AD30 NtSetContextThread,	28_2_0380AD30
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809560 NtWriteFile,	28_2_03809560
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED9EA0 NtClose,	28_2_02ED9EA0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED9E20 NtReadFile,	28_2_02ED9E20
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED9F50 NtAllocateVirtualMemory,	28_2_02ED9F50
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED9D70 NtCreateFile,	28_2_02ED9D70
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED9E9C NtClose,	28_2_02ED9E9C
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED9F4A NtAllocateVirtualMemory,	28_2_02ED9F4A

Detected potential crypto function

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040663D	0_2_0040663D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040CAF0	0_2_0040CAF0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040912A	0_2_0040912A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B6E30	22_2_1E3B6E30
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45D616	22_2_1E45D616
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E462EF7	22_2_1E462EF7
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E46DFCE	22_2_1E46DFCE
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E461FF1	22_2_1E461FF1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45D466	22_2_1E45D466
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A841F	22_2_1E3A841F
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E461D55	22_2_1E461D55
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E390D20	22_2_1E390D20
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E462D07	22_2_1E462D07
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4625DD	22_2_1E4625DD
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2581	22_2_1E3C2581
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AD5E0	22_2_1E3AD5E0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4622AE	22_2_1E4622AE
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E462B28	22_2_1E462B28
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CEBB0	22_2_1E3CEBB0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45DBD2	22_2_1E45DBD2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4503DA	22_2_1E4503DA
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451002	22_2_1E451002
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E46E824	22_2_1E46E824
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C20A0	22_2_1E3C20A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AB090	22_2_1E3AB090
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4628EC	22_2_1E4628EC
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4620A8	22_2_1E4620A8
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B4120	22_2_1E3B4120
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39F900	22_2_1E39F900
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EAB40	28_2_037EAB40
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038803DA	28_2_038803DA
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388DBD2	28_2_0388DBD2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03892B28	28_2_03892B28
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FEBB0	28_2_037FEBB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038922AE	28_2_038922AE
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0387FA2B	28_2_0387FA2B
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E4120	28_2_037E4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CF900	28_2_037CF900
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038920A8	28_2_038920A8
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA830	28_2_037EA830
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038928EC	28_2_038928EC
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03881002	28_2_03881002
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0389E824	28_2_0389E824
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F20A0	28_2_037F20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DB090	28_2_037DB090
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0389DFCE	28_2_0389DFCE
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03891FF1	28_2_03891FF1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E6E30	28_2_037E6E30
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03892EF7	28_2_03892EF7
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388D616	28_2_0388D616
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038925DD	28_2_038925DD
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C0D20	28_2_037C0D20
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03892D07	28_2_03892D07
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DD5E0	28_2_037DD5E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03891D55	28_2_03891D55
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F2581	28_2_037F2581
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D841F	28_2_037D841F
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388D466	28_2_0388D466
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDE23F	28_2_02EDE23F
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDD1F5	28_2_02EDD1F5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EC9E40	28_2_02EC9E40
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDE61C	28_2_02EDE61C
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDCFB6	28_2_02EDCFB6
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EC2FB0	28_2_02EC2FB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDD5F1	28_2_02EDD5F1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EC2D90	28_2_02EC2D90

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 037CB150 appears 54 times
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: String function: 1E39B150 appears 45 times

Sample file is different than original file name gathered from version info

Source: Sleaford Medical Group.exe, 00000000.00000002.458812048.0000000000419000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSEMICALCINED.exe vs Sleaford Medical Group.exe
Source: Sleaford Medical Group.exe, 00000016.00000002.584862109.000000001DEF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Sleaford Medical Group.exe
Source: Sleaford Medical Group.exe, 00000016.00000000.457893775.0000000000419000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSEMICALCINED.exe vs Sleaford Medical Group.exe
Source: Sleaford Medical Group.exe, 00000016.00000002.587041727.000000001E61F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Sleaford Medical Group.exe
Source: Sleaford Medical Group.exe, 00000016.00000003.549281302.00000000008CD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameHelp.Exej% vs Sleaford Medical Group.exe
Source: Sleaford Medical Group.exe, 00000016.00000002.584793888.000000001DD80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Sleaford Medical Group.exe
Source: Sleaford Medical Group.exe	Binary or memory string: OriginalFilenameSEMICALCINED.exe vs Sleaford Medical Group.exe

Uses 32bit PE files

Source: Sleaford Medical Group.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Yara signature match

Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.731169512.000000000333D000.00000004.00000020.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001C.00000002.736741312.0000000003CCF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/2@3/2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4880:120:WilError_01

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

File created: C:\Users\user\AppData\Local\Temp\~DF2124B0C9C8814512.TMP

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs'

Source: Sleaford Medical Group.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Sleaford Medical Group.exe	Virustotal: Detection: 47%
Source: Sleaford Medical Group.exe	ReversingLabs: Detection: 10%

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

File read: C:\Users\user\Desktop\Sleaford Medical Group.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Sleaford Medical Group.exe 'C:\Users\user\Desktop\Sleaford Medical Group.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Sleaford Medical Group.exe 'C:\Users\user\Desktop\Sleaford Medical Group.exe'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe
Source: unknown	Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Sleaford Medical Group.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process created: C:\Users\user\Desktop\Sleaford Medical Group.exe 'C:\Users\user\Desktop\Sleaford Medical Group.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Sleaford Medical Group.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000018.00000000.528248843.000000000E1C0000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Sleaford Medical Group.exe, 00000016.00000003.497880207.000000001E1D0000.00000004.00000001.sdmp, help.exe, 0000001C.00000002.734476074.00000000038BF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Sleaford Medical Group.exe, help.exe
Source:	Binary string: help.pdbGCTL source: Sleaford Medical Group.exe, 00000016.00000002.558311091.00000000000D0000.00000040.00000001.sdmp
Source:	Binary string: help.pdb source: Sleaford Medical Group.exe, 00000016.00000002.558311091.00000000000D0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000018.00000000.528248843.000000000E1C0000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: Sleaford Medical Group.exe PID: 5356, type: MEMORY
Source: Yara match	File source: Process Memory Space: oversad.exe PID: 6316, type: MEMORY

Yara detected VB6 Downloader Generic

Source: Yara match	File source: Process Memory Space: Sleaford Medical Group.exe PID: 5356, type: MEMORY
Source: Yara match	File source: Process Memory Space: oversad.exe PID: 6316, type: MEMORY

PE file contains an invalid checksum

Source: Sleaford Medical Group.exe	Static PE information: real checksum: 0x1de61 should be: 0x2872b
Source: oversad.exe.22.dr	Static PE information: real checksum: 0x1de61 should be: 0x2872b

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040566B push 80B1BCC2h; iretd	0_2_00405671
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040C272 push eax; retf 0040h	0_2_0040C289
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_00402603 push 0000001Ch; ret	0_2_00402605
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040B41D push edi; iretd	0_2_0040B41E
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_00402434 push esp; iretd	0_2_00402435
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040583C push eax; ret	0_2_0040583E
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040BCC5 push edi; iretd	0_2_0040BCC6
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040C28C pushad ; retf 0040h	0_2_0040C28D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040857A push edi; ret	0_2_0040857F
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040C39C push 7C00700Ch; retf	0_2_0040C3A1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3ED0D1 push ecx; ret	22_2_1E3ED0E4
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00563DA9 push 0000002Dh; retn 0008h	22_2_00563DC7
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0381D0D1 push ecx; ret	28_2_0381D0E4
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED6AAA push ebx; ret	28_2_02ED6ABC
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ECE3A1 push edi; retf	28_2_02ECE3C1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDE35B push esi; ret	28_2_02EDE376
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED68DE push 79CB813Ch; retf	28_2_02ED68E4
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED6999 push edx; ret	28_2_02ED699A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDCEC5 push eax; ret	28_2_02EDCF18
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ECDF98 push cs; ret	28_2_02ECDF9F
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDCF7C push eax; ret	28_2_02EDCF82
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDCF1B push eax; ret	28_2_02EDCF82
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDCF12 push eax; ret	28_2_02EDCF18
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EC6DA1 push ebp; retf	28_2_02EC6DA6

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

File created: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe

Jump to dropped file

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6 C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs			Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6 C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs			Jump to behavior

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xEB

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00563AC4 InternetOpenA,InternetOpenUrlA,	22_2_00563AC4
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562CA9	22_2_00562CA9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562D5A	22_2_00562D5A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562D02	22_2_00562D02
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_005629FB	22_2_005629FB
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562993	22_2_00562993
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562A7B	22_2_00562A7B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_0056661B	22_2_0056661B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562AD1	22_2_00562AD1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00563AC7 InternetOpenA,InternetOpenUrlA,	22_2_00563AC7
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562AE5	22_2_00562AE5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562AB2	22_2_00562AB2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562B67	22_2_00562B67
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00563B11 InternetOpenUrlA,	22_2_00563B11
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562B1D	22_2_00562B1D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562BE4	22_2_00562BE4

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 000000000042616B second address: 00000000004253F5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, 00000539h 0x0000000f push esi 0x00000010 mov esi, A893C8D1h 0x00000015 cmp esi, A893C8D1h 0x0000001b jne 00007F08D0B0C1FBh 0x00000021 pop esi 0x00000022 mov ecx, dword ptr [ebp+1Ch] 0x00000025 mov edx, 8802EDACh 0x0000002a call 00007F08D0B10EABh 0x0000002f jmp 00007F08D0B11CCAh 0x00000031 nop 0x00000032 push esi 0x00000033 push edx 0x00000034 jmp 00007F08D0B11CCAh 0x00000036 test ch, ch 0x00000038 push ecx 0x00000039 cmp eax, 00000539h 0x0000003e jne 00007F08D0B11E08h 0x00000044 jmp 00007F08D0B11CCAh 0x00000046 pushad 0x00000047 mov edx, 000000C2h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000425EF7 second address: 0000000000425EF7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F08D0937E38h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F08D0937E4Ah 0x0000001f nop 0x00000020 cmp al, al 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007F08D0937DFBh 0x00000033 cmp cl, cl 0x00000035 cmp ah, bh 0x00000037 call 00007F08D0937E8Fh 0x0000003c call 00007F08D0937E48h 0x00000041 lfence 0x00000044 mov edx, dword ptr [7FFE0014h] 0x0000004a lfence 0x0000004d ret 0x0000004e mov esi, edx 0x00000050 pushad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000424202 second address: 0000000000424202 instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000560F5E second address: 0000000000560F5E instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000565BB0 second address: 00000000005639A3 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a retn 0010h 0x0000000d cmp edx, edx 0x0000000f push dword ptr [ebp+000000B4h] 0x00000015 pop dword ptr [ebp+00000134h] 0x0000001b jmp 00007F08D0B11CCAh 0x0000001d jmp 00007F08D0B11D00h 0x0000001f push dword ptr [ebp+68h] 0x00000022 push dword ptr [ebp+00000134h] 0x00000028 call 00007F08D0B142D5h 0x0000002d pushad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 00000000005639A3 second address: 00000000005639A3 instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000563C6D second address: 0000000000563CC2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push esi 0x0000000b mov esi, CDC9E0AFh 0x00000010 cmp esi, CDC9E0AFh 0x00000016 jne 00007F08D0B0E6FEh 0x0000001c pop esi 0x0000001d mov eax, ebp 0x0000001f add eax, 000000F0h 0x00000024 jmp 00007F08D0B11CCAh 0x00000026 test cx, cx 0x00000029 mov ebx, dword ptr [ebp+000000E4h] 0x0000002f cmp edx, edx 0x00000031 mov ecx, dword ptr [ebp+000000F4h] 0x00000037 pushad 0x00000038 mov ecx, 000000EBh 0x0000003d rdtsc

Tries to detect Any.run

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Sleaford Medical Group.exe, oversad.exe, 0000001A.00000002.730357636.0000000000420000.00000040.00000001.sdmp

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000401C79 second address: 0000000000401C79 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 2Dh 0x00000005 cmp ebx, 06h 0x00000008 cmp edi, 02EAFF40h 0x0000000e movd mm1, ebx 0x00000011 movd mm1, ebx 0x00000014 paddusw xmm0, xmm3 0x00000018 fdivp st(6), st(0) 0x0000001a jmp 00007F08D0937E89h 0x0000001c movd mm1, ebx 0x0000001f movd mm1, ebx 0x00000022 jne 00007F08D0937D4Fh 0x00000028 inc edi 0x00000029 pslld mm5, 09h 0x0000002d fsubp st(1), st(0) 0x0000002f jmp 00007F08D0937E89h 0x00000031 cmp eax, 1Dh 0x00000034 cmp eax, 000000A3h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 000000000042616B second address: 00000000004253F5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, 00000539h 0x0000000f push esi 0x00000010 mov esi, A893C8D1h 0x00000015 cmp esi, A893C8D1h 0x0000001b jne 00007F08D0B0C1FBh 0x00000021 pop esi 0x00000022 mov ecx, dword ptr [ebp+1Ch] 0x00000025 mov edx, 8802EDACh 0x0000002a call 00007F08D0B10EABh 0x0000002f jmp 00007F08D0B11CCAh 0x00000031 nop 0x00000032 push esi 0x00000033 push edx 0x00000034 jmp 00007F08D0B11CCAh 0x00000036 test ch, ch 0x00000038 push ecx 0x00000039 cmp eax, 00000539h 0x0000003e jne 00007F08D0B11E08h 0x00000044 jmp 00007F08D0B11CCAh 0x00000046 pushad 0x00000047 mov edx, 000000C2h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000425EF7 second address: 0000000000425EF7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F08D0937E38h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F08D0937E4Ah 0x0000001f nop 0x00000020 cmp al, al 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007F08D0937DFBh 0x00000033 cmp cl, cl 0x00000035 cmp ah, bh 0x00000037 call 00007F08D0937E8Fh 0x0000003c call 00007F08D0937E48h 0x00000041 lfence 0x00000044 mov edx, dword ptr [7FFE0014h] 0x0000004a lfence 0x0000004d ret 0x0000004e mov esi, edx 0x00000050 pushad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000425F57 second address: 0000000000425F57 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F08D0B1225Ch 0x0000001d popad 0x0000001e call 00007F08D0B11DEBh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 00000000004205B7 second address: 00000000004253F5 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007F08D093BC3Bh 0x00000010 call 00007F08D093402Ah 0x00000015 jmp 00007F08D0937E4Ah 0x00000017 cmp ebx, edx 0x00000019 pop ecx 0x0000001a mov dword ptr [ebp+18h], ecx 0x0000001d cmp dh, dh 0x0000001f mov eax, 00000539h 0x00000024 mov edx, 60AF076Dh 0x00000029 call 00007F08D093CBCDh 0x0000002e jmp 00007F08D0937E4Ah 0x00000030 nop 0x00000031 push esi 0x00000032 push edx 0x00000033 jmp 00007F08D0937E4Ah 0x00000035 test ch, ch 0x00000037 push ecx 0x00000038 cmp eax, 00000539h 0x0000003d jne 00007F08D0937F88h 0x00000043 jmp 00007F08D0937E4Ah 0x00000045 pushad 0x00000046 mov edx, 000000C2h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000424202 second address: 0000000000424202 instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000565F57 second address: 0000000000565F57 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F08D09383DCh 0x0000001d popad 0x0000001e call 00007F08D0937F6Bh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 00000000005605B7 second address: 00000000005653F5 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007F08D0B15ABBh 0x00000010 call 00007F08D0B0DEAAh 0x00000015 jmp 00007F08D0B11CCAh 0x00000017 cmp ebx, edx 0x00000019 pop ecx 0x0000001a mov dword ptr [ebp+18h], ecx 0x0000001d cmp dh, dh 0x0000001f mov eax, 00000539h 0x00000024 mov edx, 60AF076Dh 0x00000029 call 00007F08D0B16A4Dh 0x0000002e jmp 00007F08D0B11CCAh 0x00000030 nop 0x00000031 push esi 0x00000032 push edx 0x00000033 jmp 00007F08D0B11CCAh 0x00000035 test ch, ch 0x00000037 push ecx 0x00000038 cmp eax, 00000539h 0x0000003d jne 00007F08D0B11E08h 0x00000043 jmp 00007F08D0B11CCAh 0x00000045 pushad 0x00000046 mov edx, 000000C2h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000560F5E second address: 0000000000560F5E instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000565BB0 second address: 00000000005639A3 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a retn 0010h 0x0000000d cmp edx, edx 0x0000000f push dword ptr [ebp+000000B4h] 0x00000015 pop dword ptr [ebp+00000134h] 0x0000001b jmp 00007F08D0B11CCAh 0x0000001d jmp 00007F08D0B11D00h 0x0000001f push dword ptr [ebp+68h] 0x00000022 push dword ptr [ebp+00000134h] 0x00000028 call 00007F08D0B142D5h 0x0000002d pushad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 00000000005639A3 second address: 00000000005639A3 instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000563C6D second address: 0000000000563CC2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push esi 0x0000000b mov esi, CDC9E0AFh 0x00000010 cmp esi, CDC9E0AFh 0x00000016 jne 00007F08D0B0E6FEh 0x0000001c pop esi 0x0000001d mov eax, ebp 0x0000001f add eax, 000000F0h 0x00000024 jmp 00007F08D0B11CCAh 0x00000026 test cx, cx 0x00000029 mov ebx, dword ptr [ebp+000000E4h] 0x0000002f cmp edx, edx 0x00000031 mov ecx, dword ptr [ebp+000000F4h] 0x00000037 pushad 0x00000038 mov ecx, 000000EBh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe	RDTSC instruction interceptor: First address: 0000000000401C79 second address: 0000000000401C79 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 2Dh 0x00000005 cmp ebx, 06h 0x00000008 cmp edi, 02EAFF40h 0x0000000e movd mm1, ebx 0x00000011 movd mm1, ebx 0x00000014 paddusw xmm0, xmm3 0x00000018 fdivp st(6), st(0) 0x0000001a jmp 00007F08D0937E89h 0x0000001c movd mm1, ebx 0x0000001f movd mm1, ebx 0x00000022 jne 00007F08D0937D4Fh 0x00000028 inc edi 0x00000029 pslld mm5, 09h 0x0000002d fsubp st(1), st(0) 0x0000002f jmp 00007F08D0937E89h 0x00000031 cmp eax, 1Dh 0x00000034 cmp eax, 000000A3h 0x00000039 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000002EC98E4 second address: 0000000002EC98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000002EC9B5E second address: 0000000002EC9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Code function: 0_2_00401C31 rdtsc

0_2_00401C31

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 7004	Thread sleep time: -46000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 6336	Thread sleep time: -40000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: explorer.exe, 00000018.00000000.524058813.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000018.00000000.524058813.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000018.00000000.523652219.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000018.00000000.523858105.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000018.00000000.512900592.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000018.00000000.524058813.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000018.00000000.524058813.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000018.00000000.524127788.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000018.00000000.512927052.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000018.00000000.523652219.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Sleaford Medical Group.exe, oversad.exe, 0000001A.00000002.730357636.0000000000420000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Sleaford Medical Group.exe, 00000016.00000002.566373992.0000000000870000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW`g
Source: explorer.exe, 00000018.00000000.523652219.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000018.00000000.524783667.00000000089C9000.00000004.00000001.sdmp	Binary or memory string: qeMusic
Source: explorer.exe, 00000018.00000000.523652219.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Thread information set: HideFromDebugger	Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process queried: DebugPort	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Code function: 0_2_00401C31 rdtsc

0_2_00401C31

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Code function: 22_2_1E3D967A LdrInitializeThunk,

22_2_1E3D967A

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45AE44 mov eax, dword ptr fs:[00000030h]	22_2_1E45AE44
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45AE44 mov eax, dword ptr fs:[00000030h]	22_2_1E45AE44
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39E620 mov eax, dword ptr fs:[00000030h]	22_2_1E39E620
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CA61C mov eax, dword ptr fs:[00000030h]	22_2_1E3CA61C
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CA61C mov eax, dword ptr fs:[00000030h]	22_2_1E3CA61C
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39C600 mov eax, dword ptr fs:[00000030h]	22_2_1E39C600
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39C600 mov eax, dword ptr fs:[00000030h]	22_2_1E39C600
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39C600 mov eax, dword ptr fs:[00000030h]	22_2_1E39C600
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C8E00 mov eax, dword ptr fs:[00000030h]	22_2_1E3C8E00
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]	22_2_1E3BAE73
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]	22_2_1E3BAE73
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]	22_2_1E3BAE73
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]	22_2_1E3BAE73
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]	22_2_1E3BAE73
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451608 mov eax, dword ptr fs:[00000030h]	22_2_1E451608
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A766D mov eax, dword ptr fs:[00000030h]	22_2_1E3A766D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E44FE3F mov eax, dword ptr fs:[00000030h]	22_2_1E44FE3F
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]	22_2_1E3A7E41
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]	22_2_1E3A7E41
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]	22_2_1E3A7E41
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]	22_2_1E3A7E41
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]	22_2_1E3A7E41
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]	22_2_1E3A7E41
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E44FEC0 mov eax, dword ptr fs:[00000030h]	22_2_1E44FEC0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E468ED6 mov eax, dword ptr fs:[00000030h]	22_2_1E468ED6
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42FE87 mov eax, dword ptr fs:[00000030h]	22_2_1E42FE87
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A76E2 mov eax, dword ptr fs:[00000030h]	22_2_1E3A76E2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C16E0 mov ecx, dword ptr fs:[00000030h]	22_2_1E3C16E0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E460EA5 mov eax, dword ptr fs:[00000030h]	22_2_1E460EA5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E460EA5 mov eax, dword ptr fs:[00000030h]	22_2_1E460EA5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E460EA5 mov eax, dword ptr fs:[00000030h]	22_2_1E460EA5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4146A7 mov eax, dword ptr fs:[00000030h]	22_2_1E4146A7
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C36CC mov eax, dword ptr fs:[00000030h]	22_2_1E3C36CC
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D8EC7 mov eax, dword ptr fs:[00000030h]	22_2_1E3D8EC7
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CE730 mov eax, dword ptr fs:[00000030h]	22_2_1E3CE730
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E394F2E mov eax, dword ptr fs:[00000030h]	22_2_1E394F2E
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E394F2E mov eax, dword ptr fs:[00000030h]	22_2_1E394F2E
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E468F6A mov eax, dword ptr fs:[00000030h]	22_2_1E468F6A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BF716 mov eax, dword ptr fs:[00000030h]	22_2_1E3BF716
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CA70E mov eax, dword ptr fs:[00000030h]	22_2_1E3CA70E
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CA70E mov eax, dword ptr fs:[00000030h]	22_2_1E3CA70E
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E46070D mov eax, dword ptr fs:[00000030h]	22_2_1E46070D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E46070D mov eax, dword ptr fs:[00000030h]	22_2_1E46070D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42FF10 mov eax, dword ptr fs:[00000030h]	22_2_1E42FF10
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42FF10 mov eax, dword ptr fs:[00000030h]	22_2_1E42FF10
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AFF60 mov eax, dword ptr fs:[00000030h]	22_2_1E3AFF60
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AEF40 mov eax, dword ptr fs:[00000030h]	22_2_1E3AEF40
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A8794 mov eax, dword ptr fs:[00000030h]	22_2_1E3A8794
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D37F5 mov eax, dword ptr fs:[00000030h]	22_2_1E3D37F5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E417794 mov eax, dword ptr fs:[00000030h]	22_2_1E417794
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E417794 mov eax, dword ptr fs:[00000030h]	22_2_1E417794
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E417794 mov eax, dword ptr fs:[00000030h]	22_2_1E417794
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CBC2C mov eax, dword ptr fs:[00000030h]	22_2_1E3CBC2C
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42C450 mov eax, dword ptr fs:[00000030h]	22_2_1E42C450
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42C450 mov eax, dword ptr fs:[00000030h]	22_2_1E42C450
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E46740D mov eax, dword ptr fs:[00000030h]	22_2_1E46740D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E46740D mov eax, dword ptr fs:[00000030h]	22_2_1E46740D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E46740D mov eax, dword ptr fs:[00000030h]	22_2_1E46740D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416C0A mov eax, dword ptr fs:[00000030h]	22_2_1E416C0A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416C0A mov eax, dword ptr fs:[00000030h]	22_2_1E416C0A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416C0A mov eax, dword ptr fs:[00000030h]	22_2_1E416C0A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416C0A mov eax, dword ptr fs:[00000030h]	22_2_1E416C0A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B746D mov eax, dword ptr fs:[00000030h]	22_2_1E3B746D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CA44B mov eax, dword ptr fs:[00000030h]	22_2_1E3CA44B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E468CD6 mov eax, dword ptr fs:[00000030h]	22_2_1E468CD6
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A849B mov eax, dword ptr fs:[00000030h]	22_2_1E3A849B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416CF0 mov eax, dword ptr fs:[00000030h]	22_2_1E416CF0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416CF0 mov eax, dword ptr fs:[00000030h]	22_2_1E416CF0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416CF0 mov eax, dword ptr fs:[00000030h]	22_2_1E416CF0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4514FB mov eax, dword ptr fs:[00000030h]	22_2_1E4514FB
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E413540 mov eax, dword ptr fs:[00000030h]	22_2_1E413540
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E443D40 mov eax, dword ptr fs:[00000030h]	22_2_1E443D40
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C4D3B mov eax, dword ptr fs:[00000030h]	22_2_1E3C4D3B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C4D3B mov eax, dword ptr fs:[00000030h]	22_2_1E3C4D3B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C4D3B mov eax, dword ptr fs:[00000030h]	22_2_1E3C4D3B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39AD30 mov eax, dword ptr fs:[00000030h]	22_2_1E39AD30
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BC577 mov eax, dword ptr fs:[00000030h]	22_2_1E3BC577
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BC577 mov eax, dword ptr fs:[00000030h]	22_2_1E3BC577
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B7D50 mov eax, dword ptr fs:[00000030h]	22_2_1E3B7D50
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E468D34 mov eax, dword ptr fs:[00000030h]	22_2_1E468D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E41A537 mov eax, dword ptr fs:[00000030h]	22_2_1E41A537
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45E539 mov eax, dword ptr fs:[00000030h]	22_2_1E45E539
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D3D43 mov eax, dword ptr fs:[00000030h]	22_2_1E3D3D43
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416DC9 mov eax, dword ptr fs:[00000030h]	22_2_1E416DC9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416DC9 mov eax, dword ptr fs:[00000030h]	22_2_1E416DC9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416DC9 mov eax, dword ptr fs:[00000030h]	22_2_1E416DC9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416DC9 mov ecx, dword ptr fs:[00000030h]	22_2_1E416DC9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416DC9 mov eax, dword ptr fs:[00000030h]	22_2_1E416DC9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416DC9 mov eax, dword ptr fs:[00000030h]	22_2_1E416DC9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C1DB5 mov eax, dword ptr fs:[00000030h]	22_2_1E3C1DB5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C1DB5 mov eax, dword ptr fs:[00000030h]	22_2_1E3C1DB5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C1DB5 mov eax, dword ptr fs:[00000030h]	22_2_1E3C1DB5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C35A1 mov eax, dword ptr fs:[00000030h]	22_2_1E3C35A1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CFD9B mov eax, dword ptr fs:[00000030h]	22_2_1E3CFD9B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CFD9B mov eax, dword ptr fs:[00000030h]	22_2_1E3CFD9B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45FDE2 mov eax, dword ptr fs:[00000030h]	22_2_1E45FDE2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45FDE2 mov eax, dword ptr fs:[00000030h]	22_2_1E45FDE2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45FDE2 mov eax, dword ptr fs:[00000030h]	22_2_1E45FDE2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45FDE2 mov eax, dword ptr fs:[00000030h]	22_2_1E45FDE2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E392D8A mov eax, dword ptr fs:[00000030h]	22_2_1E392D8A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E392D8A mov eax, dword ptr fs:[00000030h]	22_2_1E392D8A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E392D8A mov eax, dword ptr fs:[00000030h]	22_2_1E392D8A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E392D8A mov eax, dword ptr fs:[00000030h]	22_2_1E392D8A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E392D8A mov eax, dword ptr fs:[00000030h]	22_2_1E392D8A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E448DF1 mov eax, dword ptr fs:[00000030h]	22_2_1E448DF1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2581 mov eax, dword ptr fs:[00000030h]	22_2_1E3C2581
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2581 mov eax, dword ptr fs:[00000030h]	22_2_1E3C2581
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2581 mov eax, dword ptr fs:[00000030h]	22_2_1E3C2581
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2581 mov eax, dword ptr fs:[00000030h]	22_2_1E3C2581
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AD5E0 mov eax, dword ptr fs:[00000030h]	22_2_1E3AD5E0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AD5E0 mov eax, dword ptr fs:[00000030h]	22_2_1E3AD5E0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4605AC mov eax, dword ptr fs:[00000030h]	22_2_1E4605AC
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4605AC mov eax, dword ptr fs:[00000030h]	22_2_1E4605AC
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45EA55 mov eax, dword ptr fs:[00000030h]	22_2_1E45EA55
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D4A2C mov eax, dword ptr fs:[00000030h]	22_2_1E3D4A2C
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D4A2C mov eax, dword ptr fs:[00000030h]	22_2_1E3D4A2C
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E424257 mov eax, dword ptr fs:[00000030h]	22_2_1E424257
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E44B260 mov eax, dword ptr fs:[00000030h]	22_2_1E44B260
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E44B260 mov eax, dword ptr fs:[00000030h]	22_2_1E44B260
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E468A62 mov eax, dword ptr fs:[00000030h]	22_2_1E468A62
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B3A1C mov eax, dword ptr fs:[00000030h]	22_2_1E3B3A1C
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E395210 mov eax, dword ptr fs:[00000030h]	22_2_1E395210
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E395210 mov ecx, dword ptr fs:[00000030h]	22_2_1E395210
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E395210 mov eax, dword ptr fs:[00000030h]	22_2_1E395210
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E395210 mov eax, dword ptr fs:[00000030h]	22_2_1E395210
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39AA16 mov eax, dword ptr fs:[00000030h]	22_2_1E39AA16
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39AA16 mov eax, dword ptr fs:[00000030h]	22_2_1E39AA16
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A8A0A mov eax, dword ptr fs:[00000030h]	22_2_1E3A8A0A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D927A mov eax, dword ptr fs:[00000030h]	22_2_1E3D927A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45AA16 mov eax, dword ptr fs:[00000030h]	22_2_1E45AA16
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45AA16 mov eax, dword ptr fs:[00000030h]	22_2_1E45AA16
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399240 mov eax, dword ptr fs:[00000030h]	22_2_1E399240
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399240 mov eax, dword ptr fs:[00000030h]	22_2_1E399240
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399240 mov eax, dword ptr fs:[00000030h]	22_2_1E399240
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399240 mov eax, dword ptr fs:[00000030h]	22_2_1E399240
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AAAB0 mov eax, dword ptr fs:[00000030h]	22_2_1E3AAAB0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AAAB0 mov eax, dword ptr fs:[00000030h]	22_2_1E3AAAB0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CFAB0 mov eax, dword ptr fs:[00000030h]	22_2_1E3CFAB0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3952A5 mov eax, dword ptr fs:[00000030h]	22_2_1E3952A5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3952A5 mov eax, dword ptr fs:[00000030h]	22_2_1E3952A5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3952A5 mov eax, dword ptr fs:[00000030h]	22_2_1E3952A5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3952A5 mov eax, dword ptr fs:[00000030h]	22_2_1E3952A5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3952A5 mov eax, dword ptr fs:[00000030h]	22_2_1E3952A5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CD294 mov eax, dword ptr fs:[00000030h]	22_2_1E3CD294
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CD294 mov eax, dword ptr fs:[00000030h]	22_2_1E3CD294
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2AE4 mov eax, dword ptr fs:[00000030h]	22_2_1E3C2AE4
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2ACB mov eax, dword ptr fs:[00000030h]	22_2_1E3C2ACB
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E468B58 mov eax, dword ptr fs:[00000030h]	22_2_1E468B58
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C3B7A mov eax, dword ptr fs:[00000030h]	22_2_1E3C3B7A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C3B7A mov eax, dword ptr fs:[00000030h]	22_2_1E3C3B7A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39DB60 mov ecx, dword ptr fs:[00000030h]	22_2_1E39DB60
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45131B mov eax, dword ptr fs:[00000030h]	22_2_1E45131B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39F358 mov eax, dword ptr fs:[00000030h]	22_2_1E39F358
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39DB40 mov eax, dword ptr fs:[00000030h]	22_2_1E39DB40
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4153CA mov eax, dword ptr fs:[00000030h]	22_2_1E4153CA
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4153CA mov eax, dword ptr fs:[00000030h]	22_2_1E4153CA
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C4BAD mov eax, dword ptr fs:[00000030h]	22_2_1E3C4BAD
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C4BAD mov eax, dword ptr fs:[00000030h]	22_2_1E3C4BAD
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C4BAD mov eax, dword ptr fs:[00000030h]	22_2_1E3C4BAD
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2397 mov eax, dword ptr fs:[00000030h]	22_2_1E3C2397
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CB390 mov eax, dword ptr fs:[00000030h]	22_2_1E3CB390
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A1B8F mov eax, dword ptr fs:[00000030h]	22_2_1E3A1B8F
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A1B8F mov eax, dword ptr fs:[00000030h]	22_2_1E3A1B8F
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E44D380 mov ecx, dword ptr fs:[00000030h]	22_2_1E44D380
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45138A mov eax, dword ptr fs:[00000030h]	22_2_1E45138A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BDBE9 mov eax, dword ptr fs:[00000030h]	22_2_1E3BDBE9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]	22_2_1E3C03E2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]	22_2_1E3C03E2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]	22_2_1E3C03E2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]	22_2_1E3C03E2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]	22_2_1E3C03E2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]	22_2_1E3C03E2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E465BA5 mov eax, dword ptr fs:[00000030h]	22_2_1E465BA5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AB02A mov eax, dword ptr fs:[00000030h]	22_2_1E3AB02A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AB02A mov eax, dword ptr fs:[00000030h]	22_2_1E3AB02A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AB02A mov eax, dword ptr fs:[00000030h]	22_2_1E3AB02A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AB02A mov eax, dword ptr fs:[00000030h]	22_2_1E3AB02A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C002D mov eax, dword ptr fs:[00000030h]	22_2_1E3C002D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C002D mov eax, dword ptr fs:[00000030h]	22_2_1E3C002D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C002D mov eax, dword ptr fs:[00000030h]	22_2_1E3C002D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C002D mov eax, dword ptr fs:[00000030h]	22_2_1E3C002D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C002D mov eax, dword ptr fs:[00000030h]	22_2_1E3C002D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E461074 mov eax, dword ptr fs:[00000030h]	22_2_1E461074
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E452073 mov eax, dword ptr fs:[00000030h]	22_2_1E452073
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E464015 mov eax, dword ptr fs:[00000030h]	22_2_1E464015
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E464015 mov eax, dword ptr fs:[00000030h]	22_2_1E464015
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E417016 mov eax, dword ptr fs:[00000030h]	22_2_1E417016
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E417016 mov eax, dword ptr fs:[00000030h]	22_2_1E417016
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E417016 mov eax, dword ptr fs:[00000030h]	22_2_1E417016
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B0050 mov eax, dword ptr fs:[00000030h]	22_2_1E3B0050
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B0050 mov eax, dword ptr fs:[00000030h]	22_2_1E3B0050
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CF0BF mov ecx, dword ptr fs:[00000030h]	22_2_1E3CF0BF
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CF0BF mov eax, dword ptr fs:[00000030h]	22_2_1E3CF0BF
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CF0BF mov eax, dword ptr fs:[00000030h]	22_2_1E3CF0BF
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D90AF mov eax, dword ptr fs:[00000030h]	22_2_1E3D90AF
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]	22_2_1E42B8D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42B8D0 mov ecx, dword ptr fs:[00000030h]	22_2_1E42B8D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]	22_2_1E42B8D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]	22_2_1E42B8D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]	22_2_1E42B8D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]	22_2_1E42B8D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C20A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C20A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C20A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C20A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C20A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C20A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399080 mov eax, dword ptr fs:[00000030h]	22_2_1E399080
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E413884 mov eax, dword ptr fs:[00000030h]	22_2_1E413884
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E413884 mov eax, dword ptr fs:[00000030h]	22_2_1E413884
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3958EC mov eax, dword ptr fs:[00000030h]	22_2_1E3958EC
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3940E1 mov eax, dword ptr fs:[00000030h]	22_2_1E3940E1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3940E1 mov eax, dword ptr fs:[00000030h]	22_2_1E3940E1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3940E1 mov eax, dword ptr fs:[00000030h]	22_2_1E3940E1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C513A mov eax, dword ptr fs:[00000030h]	22_2_1E3C513A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C513A mov eax, dword ptr fs:[00000030h]	22_2_1E3C513A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B4120 mov eax, dword ptr fs:[00000030h]	22_2_1E3B4120
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B4120 mov eax, dword ptr fs:[00000030h]	22_2_1E3B4120
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B4120 mov eax, dword ptr fs:[00000030h]	22_2_1E3B4120
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B4120 mov eax, dword ptr fs:[00000030h]	22_2_1E3B4120
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B4120 mov ecx, dword ptr fs:[00000030h]	22_2_1E3B4120
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399100 mov eax, dword ptr fs:[00000030h]	22_2_1E399100
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399100 mov eax, dword ptr fs:[00000030h]	22_2_1E399100
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399100 mov eax, dword ptr fs:[00000030h]	22_2_1E399100
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39B171 mov eax, dword ptr fs:[00000030h]	22_2_1E39B171
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39B171 mov eax, dword ptr fs:[00000030h]	22_2_1E39B171
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39C962 mov eax, dword ptr fs:[00000030h]	22_2_1E39C962
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BB944 mov eax, dword ptr fs:[00000030h]	22_2_1E3BB944
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BB944 mov eax, dword ptr fs:[00000030h]	22_2_1E3BB944
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C61A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C61A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C61A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C61A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4241E8 mov eax, dword ptr fs:[00000030h]	22_2_1E4241E8
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2990 mov eax, dword ptr fs:[00000030h]	22_2_1E3C2990
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BC182 mov eax, dword ptr fs:[00000030h]	22_2_1E3BC182
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CA185 mov eax, dword ptr fs:[00000030h]	22_2_1E3CA185
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39B1E1 mov eax, dword ptr fs:[00000030h]	22_2_1E39B1E1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39B1E1 mov eax, dword ptr fs:[00000030h]	22_2_1E39B1E1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39B1E1 mov eax, dword ptr fs:[00000030h]	22_2_1E39B1E1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4549A4 mov eax, dword ptr fs:[00000030h]	22_2_1E4549A4
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4549A4 mov eax, dword ptr fs:[00000030h]	22_2_1E4549A4
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4549A4 mov eax, dword ptr fs:[00000030h]	22_2_1E4549A4
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4549A4 mov eax, dword ptr fs:[00000030h]	22_2_1E4549A4
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4169A6 mov eax, dword ptr fs:[00000030h]	22_2_1E4169A6
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4151BE mov eax, dword ptr fs:[00000030h]	22_2_1E4151BE
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4151BE mov eax, dword ptr fs:[00000030h]	22_2_1E4151BE
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4151BE mov eax, dword ptr fs:[00000030h]	22_2_1E4151BE
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4151BE mov eax, dword ptr fs:[00000030h]	22_2_1E4151BE
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_0056661B mov eax, dword ptr fs:[00000030h]	22_2_0056661B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00566601 mov eax, dword ptr fs:[00000030h]	22_2_00566601
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_0056662E mov eax, dword ptr fs:[00000030h]	22_2_0056662E
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00563282 mov eax, dword ptr fs:[00000030h]	22_2_00563282
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_0056532B mov eax, dword ptr fs:[00000030h]	22_2_0056532B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00565BDE mov eax, dword ptr fs:[00000030h]	22_2_00565BDE
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388138A mov eax, dword ptr fs:[00000030h]	28_2_0388138A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F3B7A mov eax, dword ptr fs:[00000030h]	28_2_037F3B7A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F3B7A mov eax, dword ptr fs:[00000030h]	28_2_037F3B7A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0387D380 mov ecx, dword ptr fs:[00000030h]	28_2_0387D380
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CDB60 mov ecx, dword ptr fs:[00000030h]	28_2_037CDB60
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CF358 mov eax, dword ptr fs:[00000030h]	28_2_037CF358
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03895BA5 mov eax, dword ptr fs:[00000030h]	28_2_03895BA5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CDB40 mov eax, dword ptr fs:[00000030h]	28_2_037CDB40
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038453CA mov eax, dword ptr fs:[00000030h]	28_2_038453CA
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038453CA mov eax, dword ptr fs:[00000030h]	28_2_038453CA
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388131B mov eax, dword ptr fs:[00000030h]	28_2_0388131B
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EDBE9 mov eax, dword ptr fs:[00000030h]	28_2_037EDBE9
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]	28_2_037F03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]	28_2_037F03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]	28_2_037F03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]	28_2_037F03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]	28_2_037F03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]	28_2_037F03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03898B58 mov eax, dword ptr fs:[00000030h]	28_2_03898B58
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F4BAD mov eax, dword ptr fs:[00000030h]	28_2_037F4BAD
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F4BAD mov eax, dword ptr fs:[00000030h]	28_2_037F4BAD
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F4BAD mov eax, dword ptr fs:[00000030h]	28_2_037F4BAD
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F2397 mov eax, dword ptr fs:[00000030h]	28_2_037F2397
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FB390 mov eax, dword ptr fs:[00000030h]	28_2_037FB390
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D1B8F mov eax, dword ptr fs:[00000030h]	28_2_037D1B8F
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D1B8F mov eax, dword ptr fs:[00000030h]	28_2_037D1B8F
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9240 mov eax, dword ptr fs:[00000030h]	28_2_037C9240
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9240 mov eax, dword ptr fs:[00000030h]	28_2_037C9240
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9240 mov eax, dword ptr fs:[00000030h]	28_2_037C9240
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9240 mov eax, dword ptr fs:[00000030h]	28_2_037C9240
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E3A1C mov eax, dword ptr fs:[00000030h]	28_2_037E3A1C
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CAA16 mov eax, dword ptr fs:[00000030h]	28_2_037CAA16
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CAA16 mov eax, dword ptr fs:[00000030h]	28_2_037CAA16
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C5210 mov eax, dword ptr fs:[00000030h]	28_2_037C5210
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C5210 mov ecx, dword ptr fs:[00000030h]	28_2_037C5210
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C5210 mov eax, dword ptr fs:[00000030h]	28_2_037C5210
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C5210 mov eax, dword ptr fs:[00000030h]	28_2_037C5210
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D8A0A mov eax, dword ptr fs:[00000030h]	28_2_037D8A0A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F2AE4 mov eax, dword ptr fs:[00000030h]	28_2_037F2AE4
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388AA16 mov eax, dword ptr fs:[00000030h]	28_2_0388AA16
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388AA16 mov eax, dword ptr fs:[00000030h]	28_2_0388AA16
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03804A2C mov eax, dword ptr fs:[00000030h]	28_2_03804A2C
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03804A2C mov eax, dword ptr fs:[00000030h]	28_2_03804A2C
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F2ACB mov eax, dword ptr fs:[00000030h]	28_2_037F2ACB
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DAAB0 mov eax, dword ptr fs:[00000030h]	28_2_037DAAB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DAAB0 mov eax, dword ptr fs:[00000030h]	28_2_037DAAB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FFAB0 mov eax, dword ptr fs:[00000030h]	28_2_037FFAB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03854257 mov eax, dword ptr fs:[00000030h]	28_2_03854257
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C52A5 mov eax, dword ptr fs:[00000030h]	28_2_037C52A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C52A5 mov eax, dword ptr fs:[00000030h]	28_2_037C52A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C52A5 mov eax, dword ptr fs:[00000030h]	28_2_037C52A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C52A5 mov eax, dword ptr fs:[00000030h]	28_2_037C52A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C52A5 mov eax, dword ptr fs:[00000030h]	28_2_037C52A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388EA55 mov eax, dword ptr fs:[00000030h]	28_2_0388EA55
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0387B260 mov eax, dword ptr fs:[00000030h]	28_2_0387B260
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0387B260 mov eax, dword ptr fs:[00000030h]	28_2_0387B260
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FD294 mov eax, dword ptr fs:[00000030h]	28_2_037FD294
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FD294 mov eax, dword ptr fs:[00000030h]	28_2_037FD294
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03898A62 mov eax, dword ptr fs:[00000030h]	28_2_03898A62
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0380927A mov eax, dword ptr fs:[00000030h]	28_2_0380927A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CB171 mov eax, dword ptr fs:[00000030h]	28_2_037CB171
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CB171 mov eax, dword ptr fs:[00000030h]	28_2_037CB171
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CC962 mov eax, dword ptr fs:[00000030h]	28_2_037CC962
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038469A6 mov eax, dword ptr fs:[00000030h]	28_2_038469A6
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038849A4 mov eax, dword ptr fs:[00000030h]	28_2_038849A4
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038849A4 mov eax, dword ptr fs:[00000030h]	28_2_038849A4
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038849A4 mov eax, dword ptr fs:[00000030h]	28_2_038849A4
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038849A4 mov eax, dword ptr fs:[00000030h]	28_2_038849A4
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EB944 mov eax, dword ptr fs:[00000030h]	28_2_037EB944
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EB944 mov eax, dword ptr fs:[00000030h]	28_2_037EB944
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038451BE mov eax, dword ptr fs:[00000030h]	28_2_038451BE
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038451BE mov eax, dword ptr fs:[00000030h]	28_2_038451BE
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038451BE mov eax, dword ptr fs:[00000030h]	28_2_038451BE
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038451BE mov eax, dword ptr fs:[00000030h]	28_2_038451BE
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F513A mov eax, dword ptr fs:[00000030h]	28_2_037F513A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F513A mov eax, dword ptr fs:[00000030h]	28_2_037F513A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E4120 mov eax, dword ptr fs:[00000030h]	28_2_037E4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E4120 mov eax, dword ptr fs:[00000030h]	28_2_037E4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E4120 mov eax, dword ptr fs:[00000030h]	28_2_037E4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E4120 mov eax, dword ptr fs:[00000030h]	28_2_037E4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E4120 mov ecx, dword ptr fs:[00000030h]	28_2_037E4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038541E8 mov eax, dword ptr fs:[00000030h]	28_2_038541E8
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9100 mov eax, dword ptr fs:[00000030h]	28_2_037C9100
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9100 mov eax, dword ptr fs:[00000030h]	28_2_037C9100
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9100 mov eax, dword ptr fs:[00000030h]	28_2_037C9100
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CB1E1 mov eax, dword ptr fs:[00000030h]	28_2_037CB1E1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CB1E1 mov eax, dword ptr fs:[00000030h]	28_2_037CB1E1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CB1E1 mov eax, dword ptr fs:[00000030h]	28_2_037CB1E1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F61A0 mov eax, dword ptr fs:[00000030h]	28_2_037F61A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F61A0 mov eax, dword ptr fs:[00000030h]	28_2_037F61A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F2990 mov eax, dword ptr fs:[00000030h]	28_2_037F2990
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FA185 mov eax, dword ptr fs:[00000030h]	28_2_037FA185
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EC182 mov eax, dword ptr fs:[00000030h]	28_2_037EC182
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03843884 mov eax, dword ptr fs:[00000030h]	28_2_03843884
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03843884 mov eax, dword ptr fs:[00000030h]	28_2_03843884
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E0050 mov eax, dword ptr fs:[00000030h]	28_2_037E0050
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E0050 mov eax, dword ptr fs:[00000030h]	28_2_037E0050
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038090AF mov eax, dword ptr fs:[00000030h]	28_2_038090AF
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA830 mov eax, dword ptr fs:[00000030h]	28_2_037EA830
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA830 mov eax, dword ptr fs:[00000030h]	28_2_037EA830
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA830 mov eax, dword ptr fs:[00000030h]	28_2_037EA830
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA830 mov eax, dword ptr fs:[00000030h]	28_2_037EA830
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F002D mov eax, dword ptr fs:[00000030h]	28_2_037F002D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F002D mov eax, dword ptr fs:[00000030h]	28_2_037F002D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F002D mov eax, dword ptr fs:[00000030h]	28_2_037F002D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F002D mov eax, dword ptr fs:[00000030h]	28_2_037F002D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F002D mov eax, dword ptr fs:[00000030h]	28_2_037F002D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385B8D0 mov eax, dword ptr fs:[00000030h]	28_2_0385B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385B8D0 mov ecx, dword ptr fs:[00000030h]	28_2_0385B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385B8D0 mov eax, dword ptr fs:[00000030h]	28_2_0385B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385B8D0 mov eax, dword ptr fs:[00000030h]	28_2_0385B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385B8D0 mov eax, dword ptr fs:[00000030h]	28_2_0385B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385B8D0 mov eax, dword ptr fs:[00000030h]	28_2_0385B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DB02A mov eax, dword ptr fs:[00000030h]	28_2_037DB02A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DB02A mov eax, dword ptr fs:[00000030h]	28_2_037DB02A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DB02A mov eax, dword ptr fs:[00000030h]	28_2_037DB02A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DB02A mov eax, dword ptr fs:[00000030h]	28_2_037DB02A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C58EC mov eax, dword ptr fs:[00000030h]	28_2_037C58EC
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03847016 mov eax, dword ptr fs:[00000030h]	28_2_03847016
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03847016 mov eax, dword ptr fs:[00000030h]	28_2_03847016
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03847016 mov eax, dword ptr fs:[00000030h]	28_2_03847016
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03894015 mov eax, dword ptr fs:[00000030h]	28_2_03894015
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03894015 mov eax, dword ptr fs:[00000030h]	28_2_03894015
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C40E1 mov eax, dword ptr fs:[00000030h]	28_2_037C40E1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C40E1 mov eax, dword ptr fs:[00000030h]	28_2_037C40E1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C40E1 mov eax, dword ptr fs:[00000030h]	28_2_037C40E1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FF0BF mov ecx, dword ptr fs:[00000030h]	28_2_037FF0BF
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FF0BF mov eax, dword ptr fs:[00000030h]	28_2_037FF0BF
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FF0BF mov eax, dword ptr fs:[00000030h]	28_2_037FF0BF
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]	28_2_037F20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]	28_2_037F20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]	28_2_037F20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]	28_2_037F20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]	28_2_037F20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]	28_2_037F20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03882073 mov eax, dword ptr fs:[00000030h]	28_2_03882073
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9080 mov eax, dword ptr fs:[00000030h]	28_2_037C9080
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03891074 mov eax, dword ptr fs:[00000030h]	28_2_03891074
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03847794 mov eax, dword ptr fs:[00000030h]	28_2_03847794
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03847794 mov eax, dword ptr fs:[00000030h]	28_2_03847794
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03847794 mov eax, dword ptr fs:[00000030h]	28_2_03847794
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DFF60 mov eax, dword ptr fs:[00000030h]	28_2_037DFF60
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DEF40 mov eax, dword ptr fs:[00000030h]	28_2_037DEF40
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FE730 mov eax, dword ptr fs:[00000030h]	28_2_037FE730
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C4F2E mov eax, dword ptr fs:[00000030h]	28_2_037C4F2E
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C4F2E mov eax, dword ptr fs:[00000030h]	28_2_037C4F2E
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EF716 mov eax, dword ptr fs:[00000030h]	28_2_037EF716
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FA70E mov eax, dword ptr fs:[00000030h]	28_2_037FA70E
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FA70E mov eax, dword ptr fs:[00000030h]	28_2_037FA70E
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038037F5 mov eax, dword ptr fs:[00000030h]	28_2_038037F5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0389070D mov eax, dword ptr fs:[00000030h]	28_2_0389070D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0389070D mov eax, dword ptr fs:[00000030h]	28_2_0389070D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385FF10 mov eax, dword ptr fs:[00000030h]	28_2_0385FF10
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385FF10 mov eax, dword ptr fs:[00000030h]	28_2_0385FF10
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03898F6A mov eax, dword ptr fs:[00000030h]	28_2_03898F6A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D8794 mov eax, dword ptr fs:[00000030h]	28_2_037D8794
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385FE87 mov eax, dword ptr fs:[00000030h]	28_2_0385FE87
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EAE73 mov eax, dword ptr fs:[00000030h]	28_2_037EAE73
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EAE73 mov eax, dword ptr fs:[00000030h]	28_2_037EAE73
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EAE73 mov eax, dword ptr fs:[00000030h]	28_2_037EAE73
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EAE73 mov eax, dword ptr fs:[00000030h]	28_2_037EAE73
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EAE73 mov eax, dword ptr fs:[00000030h]	28_2_037EAE73
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D766D mov eax, dword ptr fs:[00000030h]	28_2_037D766D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038446A7 mov eax, dword ptr fs:[00000030h]	28_2_038446A7
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03890EA5 mov eax, dword ptr fs:[00000030h]	28_2_03890EA5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03890EA5 mov eax, dword ptr fs:[00000030h]	28_2_03890EA5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03890EA5 mov eax, dword ptr fs:[00000030h]	28_2_03890EA5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]	28_2_037D7E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]	28_2_037D7E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]	28_2_037D7E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]	28_2_037D7E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]	28_2_037D7E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]	28_2_037D7E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03808EC7 mov eax, dword ptr fs:[00000030h]	28_2_03808EC7
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0387FEC0 mov eax, dword ptr fs:[00000030h]	28_2_0387FEC0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CE620 mov eax, dword ptr fs:[00000030h]	28_2_037CE620
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03898ED6 mov eax, dword ptr fs:[00000030h]	28_2_03898ED6
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FA61C mov eax, dword ptr fs:[00000030h]	28_2_037FA61C
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FA61C mov eax, dword ptr fs:[00000030h]	28_2_037FA61C
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CC600 mov eax, dword ptr fs:[00000030h]	28_2_037CC600
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CC600 mov eax, dword ptr fs:[00000030h]	28_2_037CC600
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CC600 mov eax, dword ptr fs:[00000030h]	28_2_037CC600
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F8E00 mov eax, dword ptr fs:[00000030h]	28_2_037F8E00
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03881608 mov eax, dword ptr fs:[00000030h]	28_2_03881608
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F16E0 mov ecx, dword ptr fs:[00000030h]	28_2_037F16E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D76E2 mov eax, dword ptr fs:[00000030h]	28_2_037D76E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F36CC mov eax, dword ptr fs:[00000030h]	28_2_037F36CC
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0387FE3F mov eax, dword ptr fs:[00000030h]	28_2_0387FE3F
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388AE44 mov eax, dword ptr fs:[00000030h]	28_2_0388AE44
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388AE44 mov eax, dword ptr fs:[00000030h]	28_2_0388AE44
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EC577 mov eax, dword ptr fs:[00000030h]	28_2_037EC577
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EC577 mov eax, dword ptr fs:[00000030h]	28_2_037EC577
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038905AC mov eax, dword ptr fs:[00000030h]	28_2_038905AC
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038905AC mov eax, dword ptr fs:[00000030h]	28_2_038905AC
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E7D50 mov eax, dword ptr fs:[00000030h]	28_2_037E7D50
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F4D3B mov eax, dword ptr fs:[00000030h]	28_2_037F4D3B
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F4D3B mov eax, dword ptr fs:[00000030h]	28_2_037F4D3B
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F4D3B mov eax, dword ptr fs:[00000030h]	28_2_037F4D3B
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34

Enables debug privileges

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 104.21.89.82 80

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Section unmapped: C:\Windows\SysWOW64\help.exe base address: E60000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process created: C:\Users\user\Desktop\Sleaford Medical Group.exe 'C:\Users\user\Desktop\Sleaford Medical Group.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Sleaford Medical Group.exe'	Jump to behavior

Source: explorer.exe, 00000018.00000000.501184741.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000018.00000002.734973768.0000000001980000.00000002.00000001.sdmp, oversad.exe, 0000001A.00000002.732448844.0000000000C40000.00000002.00000001.sdmp, help.exe, 0000001C.00000002.737092327.0000000004C30000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000018.00000000.524058813.000000000871F000.00000004.00000001.sdmp, oversad.exe, 0000001A.00000002.732448844.0000000000C40000.00000002.00000001.sdmp, help.exe, 0000001C.00000002.737092327.0000000004C30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000018.00000002.734973768.0000000001980000.00000002.00000001.sdmp, oversad.exe, 0000001A.00000002.732448844.0000000000C40000.00000002.00000001.sdmp, help.exe, 0000001C.00000002.737092327.0000000004C30000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000018.00000002.734973768.0000000001980000.00000002.00000001.sdmp, oversad.exe, 0000001A.00000002.732448844.0000000000C40000.00000002.00000001.sdmp, help.exe, 0000001C.00000002.737092327.0000000004C30000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY

Yara detected Generic Dropper

Source: Yara match	File source: Process Memory Space: help.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: Sleaford Medical Group.exe PID: 5356, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
159.203.144.58	unknown	United States		14061	DIGITALOCEAN-ASNUS	false
104.21.89.82	unknown	United States		13335	CLOUDFLARENETUS	true

Contacted Domains

Name	IP	Active
01677937777.burrow.io	159.203.144.58	true
www.landingberg.com	104.21.89.82	true
waymakers.site	184.168.131.241	true
www.waymakers.site	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.landingberg.com/twy/?pPX=elx0UibK+4/Nbm+qsvCMZ/KEfRavAHzyccJHHIU1h6WwAO+M5fT0/YOmYv0X1fYwTcwa&Hp=V6AHd0O0h	true	Avira URL Cloud: safe	unknown

AV Detection:

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe

ReversingLabs: Detection: 10%

Multi AV Scanner detection for submitted file

Source: Sleaford Medical Group.exe	Virustotal: Detection: 47%			Perma Link
Source: Sleaford Medical Group.exe	ReversingLabs: Detection: 10%

Yara detected FormBook

Source: Yara match	File source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Sleaford Medical Group.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 22.3.Sleaford Medical Group.exe.8cfbb0.0.unpack

Avira: Label: TR/Patched.Gen

Compliance:

Uses 32bit PE files

Source: Sleaford Medical Group.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 159.203.144.58:443 -> 192.168.2.3:49734 version: TLS 1.2

Binary contains paths to debug symbols

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000018.00000000.528248843.000000000E1C0000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Sleaford Medical Group.exe, 00000016.00000003.497880207.000000001E1D0000.00000004.00000001.sdmp, help.exe, 0000001C.00000002.734476074.00000000038BF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Sleaford Medical Group.exe, help.exe
Source:	Binary string: help.pdbGCTL source: Sleaford Medical Group.exe, 00000016.00000002.558311091.00000000000D0000.00000040.00000001.sdmp
Source:	Binary string: help.pdb source: Sleaford Medical Group.exe, 00000016.00000002.558311091.00000000000D0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000018.00000000.528248843.000000000E1C0000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\help.exe

Code function: 4x nop then pop esi

28_2_02ED72E0

Networking:

HTTP GET or POST without a user agent

Source: global traffic

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

Source: unknown

DNS traffic detected: queries for: 01677937777.burrow.io

Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: explorer.exe, 00000018.00000003.559663205.000000000F57C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Sleaford Medical Group.exe, 00000016.00000002.566373992.0000000000870000.00000004.00000020.sdmp	String found in binary or memory: https://01677937777.burrow.io/XzsF
Source: Sleaford Medical Group.exe	String found in binary or memory: https://01677937777.burrow.io/spark/binwhyte_utZnZr121.bin
Source: Sleaford Medical Group.exe, 00000016.00000002.565857663.0000000000858000.00000004.00000020.sdmp	String found in binary or memory: https://01677937777.burrow.io/spark/binwhyte_utZnZr121.bin38
Source: Sleaford Medical Group.exe, 00000016.00000002.566373992.0000000000870000.00000004.00000020.sdmp	String found in binary or memory: https://01677937777.burrow.io/spark/binwhyte_utZnZr121.binT
Source: Sleaford Medical Group.exe, 00000016.00000002.566373992.0000000000870000.00000004.00000020.sdmp	String found in binary or memory: https://01677937777.burrow.io/uzTF
Source: help.exe, 0000001C.00000002.736924910.00000000041BF000.00000004.00000001.sdmp	String found in binary or memory: https://www.landingberg.com/twy/?pPX=elx0UibK

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown

HTTPS traffic detected: 159.203.144.58:443 -> 192.168.2.3:49734 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: Sleaford Medical Group.exe, 00000000.00000002.459341616.000000000067A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.731169512.000000000333D000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000001C.00000002.736741312.0000000003CCF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Abnormal high CPU Usage

Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe	Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9660 NtAllocateVirtualMemory,LdrInitializeThunk,	22_2_1E3D9660
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D96E0 NtFreeVirtualMemory,LdrInitializeThunk,	22_2_1E3D96E0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9710 NtQueryInformationToken,LdrInitializeThunk,	22_2_1E3D9710
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D97A0 NtUnmapViewOfSection,LdrInitializeThunk,	22_2_1E3D97A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9780 NtMapViewOfSection,LdrInitializeThunk,	22_2_1E3D9780
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9540 NtReadFile,LdrInitializeThunk,	22_2_1E3D9540
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D95D0 NtClose,LdrInitializeThunk,	22_2_1E3D95D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9A20 NtResumeThread,LdrInitializeThunk,	22_2_1E3D9A20
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9A00 NtProtectVirtualMemory,LdrInitializeThunk,	22_2_1E3D9A00
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9A50 NtCreateFile,LdrInitializeThunk,	22_2_1E3D9A50
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9860 NtQuerySystemInformation,LdrInitializeThunk,	22_2_1E3D9860
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9840 NtDelayExecution,LdrInitializeThunk,	22_2_1E3D9840
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D98F0 NtReadVirtualMemory,LdrInitializeThunk,	22_2_1E3D98F0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	22_2_1E3D9910
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D99A0 NtCreateSection,LdrInitializeThunk,	22_2_1E3D99A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9610 NtEnumerateValueKey,	22_2_1E3D9610
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9670 NtQueryInformationProcess,	22_2_1E3D9670
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9650 NtQueryValueKey,	22_2_1E3D9650
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D96D0 NtCreateKey,	22_2_1E3D96D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9730 NtQueryVirtualMemory,	22_2_1E3D9730
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3DA710 NtOpenProcessToken,	22_2_1E3DA710
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3DA770 NtOpenThread,	22_2_1E3DA770
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9770 NtSetInformationFile,	22_2_1E3D9770
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9760 NtOpenProcess,	22_2_1E3D9760
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9FE0 NtCreateMutant,	22_2_1E3D9FE0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3DAD30 NtSetContextThread,	22_2_1E3DAD30
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9520 NtWaitForSingleObject,	22_2_1E3D9520
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9560 NtWriteFile,	22_2_1E3D9560
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D95F0 NtQueryInformationFile,	22_2_1E3D95F0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9A10 NtQuerySection,	22_2_1E3D9A10
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9A80 NtOpenDirectoryObject,	22_2_1E3D9A80
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9B00 NtSetValueKey,	22_2_1E3D9B00
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3DA3B0 NtGetContextThread,	22_2_1E3DA3B0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9820 NtEnumerateKey,	22_2_1E3D9820
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3DB040 NtSuspendThread,	22_2_1E3DB040
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D98A0 NtWriteVirtualMemory,	22_2_1E3D98A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D9950 NtQueueApcThread,	22_2_1E3D9950
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D99D0 NtCreateProcessEx,	22_2_1E3D99D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00566BBD NtProtectVirtualMemory,	22_2_00566BBD
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809A50 NtCreateFile,LdrInitializeThunk,	28_2_03809A50
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038099A0 NtCreateSection,LdrInitializeThunk,	28_2_038099A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809910 NtAdjustPrivilegesToken,LdrInitializeThunk,	28_2_03809910
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809840 NtDelayExecution,LdrInitializeThunk,	28_2_03809840
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809860 NtQuerySystemInformation,LdrInitializeThunk,	28_2_03809860
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809780 NtMapViewOfSection,LdrInitializeThunk,	28_2_03809780
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809FE0 NtCreateMutant,LdrInitializeThunk,	28_2_03809FE0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809710 NtQueryInformationToken,LdrInitializeThunk,	28_2_03809710
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038096D0 NtCreateKey,LdrInitializeThunk,	28_2_038096D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038096E0 NtFreeVirtualMemory,LdrInitializeThunk,	28_2_038096E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809650 NtQueryValueKey,LdrInitializeThunk,	28_2_03809650
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809660 NtAllocateVirtualMemory,LdrInitializeThunk,	28_2_03809660
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038095D0 NtClose,LdrInitializeThunk,	28_2_038095D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809540 NtReadFile,LdrInitializeThunk,	28_2_03809540
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0380A3B0 NtGetContextThread,	28_2_0380A3B0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809B00 NtSetValueKey,	28_2_03809B00
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809A80 NtOpenDirectoryObject,	28_2_03809A80
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809A00 NtProtectVirtualMemory,	28_2_03809A00
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809A10 NtQuerySection,	28_2_03809A10
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809A20 NtResumeThread,	28_2_03809A20
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038099D0 NtCreateProcessEx,	28_2_038099D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809950 NtQueueApcThread,	28_2_03809950
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038098A0 NtWriteVirtualMemory,	28_2_038098A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038098F0 NtReadVirtualMemory,	28_2_038098F0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809820 NtEnumerateKey,	28_2_03809820
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0380B040 NtSuspendThread,	28_2_0380B040
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038097A0 NtUnmapViewOfSection,	28_2_038097A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0380A710 NtOpenProcessToken,	28_2_0380A710
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809730 NtQueryVirtualMemory,	28_2_03809730
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809760 NtOpenProcess,	28_2_03809760
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0380A770 NtOpenThread,	28_2_0380A770
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809770 NtSetInformationFile,	28_2_03809770
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809610 NtEnumerateValueKey,	28_2_03809610
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809670 NtQueryInformationProcess,	28_2_03809670
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038095F0 NtQueryInformationFile,	28_2_038095F0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809520 NtWaitForSingleObject,	28_2_03809520
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0380AD30 NtSetContextThread,	28_2_0380AD30
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03809560 NtWriteFile,	28_2_03809560
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED9EA0 NtClose,	28_2_02ED9EA0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED9E20 NtReadFile,	28_2_02ED9E20
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED9F50 NtAllocateVirtualMemory,	28_2_02ED9F50
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED9D70 NtCreateFile,	28_2_02ED9D70
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED9E9C NtClose,	28_2_02ED9E9C
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED9F4A NtAllocateVirtualMemory,	28_2_02ED9F4A

Detected potential crypto function

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040663D	0_2_0040663D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040CAF0	0_2_0040CAF0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040912A	0_2_0040912A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B6E30	22_2_1E3B6E30
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45D616	22_2_1E45D616
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E462EF7	22_2_1E462EF7
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E46DFCE	22_2_1E46DFCE
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E461FF1	22_2_1E461FF1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45D466	22_2_1E45D466
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A841F	22_2_1E3A841F
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E461D55	22_2_1E461D55
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E390D20	22_2_1E390D20
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E462D07	22_2_1E462D07
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4625DD	22_2_1E4625DD
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2581	22_2_1E3C2581
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AD5E0	22_2_1E3AD5E0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4622AE	22_2_1E4622AE
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E462B28	22_2_1E462B28
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CEBB0	22_2_1E3CEBB0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45DBD2	22_2_1E45DBD2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4503DA	22_2_1E4503DA
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451002	22_2_1E451002
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E46E824	22_2_1E46E824
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C20A0	22_2_1E3C20A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AB090	22_2_1E3AB090
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4628EC	22_2_1E4628EC
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4620A8	22_2_1E4620A8
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B4120	22_2_1E3B4120
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39F900	22_2_1E39F900
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EAB40	28_2_037EAB40
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038803DA	28_2_038803DA
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388DBD2	28_2_0388DBD2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03892B28	28_2_03892B28
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FEBB0	28_2_037FEBB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038922AE	28_2_038922AE
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0387FA2B	28_2_0387FA2B
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E4120	28_2_037E4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CF900	28_2_037CF900
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038920A8	28_2_038920A8
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA830	28_2_037EA830
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038928EC	28_2_038928EC
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03881002	28_2_03881002
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0389E824	28_2_0389E824
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F20A0	28_2_037F20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DB090	28_2_037DB090
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0389DFCE	28_2_0389DFCE
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03891FF1	28_2_03891FF1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E6E30	28_2_037E6E30
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03892EF7	28_2_03892EF7
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388D616	28_2_0388D616
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038925DD	28_2_038925DD
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C0D20	28_2_037C0D20
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03892D07	28_2_03892D07
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DD5E0	28_2_037DD5E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03891D55	28_2_03891D55
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F2581	28_2_037F2581
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D841F	28_2_037D841F
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388D466	28_2_0388D466
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDE23F	28_2_02EDE23F
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDD1F5	28_2_02EDD1F5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EC9E40	28_2_02EC9E40
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDE61C	28_2_02EDE61C
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDCFB6	28_2_02EDCFB6
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EC2FB0	28_2_02EC2FB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDD5F1	28_2_02EDD5F1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EC2D90	28_2_02EC2D90

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\help.exe	Code function: String function: 037CB150 appears 54 times
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: String function: 1E39B150 appears 45 times

Sample file is different than original file name gathered from version info

Source: Sleaford Medical Group.exe, 00000000.00000002.458812048.0000000000419000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSEMICALCINED.exe vs Sleaford Medical Group.exe
Source: Sleaford Medical Group.exe, 00000016.00000002.584862109.000000001DEF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Sleaford Medical Group.exe
Source: Sleaford Medical Group.exe, 00000016.00000000.457893775.0000000000419000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSEMICALCINED.exe vs Sleaford Medical Group.exe
Source: Sleaford Medical Group.exe, 00000016.00000002.587041727.000000001E61F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Sleaford Medical Group.exe
Source: Sleaford Medical Group.exe, 00000016.00000003.549281302.00000000008CD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameHelp.Exej% vs Sleaford Medical Group.exe
Source: Sleaford Medical Group.exe, 00000016.00000002.584793888.000000001DD80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Sleaford Medical Group.exe
Source: Sleaford Medical Group.exe	Binary or memory string: OriginalFilenameSEMICALCINED.exe vs Sleaford Medical Group.exe

Uses 32bit PE files

Source: Sleaford Medical Group.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Yara signature match

Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.731169512.000000000333D000.00000004.00000020.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001C.00000002.736741312.0000000003CCF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/2@3/2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4880:120:WilError_01

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

File created: C:\Users\user\AppData\Local\Temp\~DF2124B0C9C8814512.TMP

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs'

Source: Sleaford Medical Group.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Sleaford Medical Group.exe	Virustotal: Detection: 47%
Source: Sleaford Medical Group.exe	ReversingLabs: Detection: 10%

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

File read: C:\Users\user\Desktop\Sleaford Medical Group.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Sleaford Medical Group.exe 'C:\Users\user\Desktop\Sleaford Medical Group.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Sleaford Medical Group.exe 'C:\Users\user\Desktop\Sleaford Medical Group.exe'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe
Source: unknown	Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Sleaford Medical Group.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process created: C:\Users\user\Desktop\Sleaford Medical Group.exe 'C:\Users\user\Desktop\Sleaford Medical Group.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Sleaford Medical Group.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000018.00000000.528248843.000000000E1C0000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Sleaford Medical Group.exe, 00000016.00000003.497880207.000000001E1D0000.00000004.00000001.sdmp, help.exe, 0000001C.00000002.734476074.00000000038BF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Sleaford Medical Group.exe, help.exe
Source:	Binary string: help.pdbGCTL source: Sleaford Medical Group.exe, 00000016.00000002.558311091.00000000000D0000.00000040.00000001.sdmp
Source:	Binary string: help.pdb source: Sleaford Medical Group.exe, 00000016.00000002.558311091.00000000000D0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000018.00000000.528248843.000000000E1C0000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: Sleaford Medical Group.exe PID: 5356, type: MEMORY
Source: Yara match	File source: Process Memory Space: oversad.exe PID: 6316, type: MEMORY

Yara detected VB6 Downloader Generic

Source: Yara match	File source: Process Memory Space: Sleaford Medical Group.exe PID: 5356, type: MEMORY
Source: Yara match	File source: Process Memory Space: oversad.exe PID: 6316, type: MEMORY

PE file contains an invalid checksum

Source: Sleaford Medical Group.exe	Static PE information: real checksum: 0x1de61 should be: 0x2872b
Source: oversad.exe.22.dr	Static PE information: real checksum: 0x1de61 should be: 0x2872b

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040566B push 80B1BCC2h; iretd	0_2_00405671
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040C272 push eax; retf 0040h	0_2_0040C289
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_00402603 push 0000001Ch; ret	0_2_00402605
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040B41D push edi; iretd	0_2_0040B41E
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_00402434 push esp; iretd	0_2_00402435
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040583C push eax; ret	0_2_0040583E
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040BCC5 push edi; iretd	0_2_0040BCC6
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040C28C pushad ; retf 0040h	0_2_0040C28D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040857A push edi; ret	0_2_0040857F
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 0_2_0040C39C push 7C00700Ch; retf	0_2_0040C3A1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3ED0D1 push ecx; ret	22_2_1E3ED0E4
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00563DA9 push 0000002Dh; retn 0008h	22_2_00563DC7
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0381D0D1 push ecx; ret	28_2_0381D0E4
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED6AAA push ebx; ret	28_2_02ED6ABC
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ECE3A1 push edi; retf	28_2_02ECE3C1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDE35B push esi; ret	28_2_02EDE376
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED68DE push 79CB813Ch; retf	28_2_02ED68E4
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ED6999 push edx; ret	28_2_02ED699A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDCEC5 push eax; ret	28_2_02EDCF18
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02ECDF98 push cs; ret	28_2_02ECDF9F
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDCF7C push eax; ret	28_2_02EDCF82
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDCF1B push eax; ret	28_2_02EDCF82
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EDCF12 push eax; ret	28_2_02EDCF18
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_02EC6DA1 push ebp; retf	28_2_02EC6DA6

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

File created: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe

Jump to dropped file

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6 C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs			Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6 C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs			Jump to behavior

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xEB

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00563AC4 InternetOpenA,InternetOpenUrlA,	22_2_00563AC4
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562CA9	22_2_00562CA9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562D5A	22_2_00562D5A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562D02	22_2_00562D02
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_005629FB	22_2_005629FB
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562993	22_2_00562993
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562A7B	22_2_00562A7B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_0056661B	22_2_0056661B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562AD1	22_2_00562AD1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00563AC7 InternetOpenA,InternetOpenUrlA,	22_2_00563AC7
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562AE5	22_2_00562AE5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562AB2	22_2_00562AB2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562B67	22_2_00562B67
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00563B11 InternetOpenUrlA,	22_2_00563B11
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562B1D	22_2_00562B1D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00562BE4	22_2_00562BE4

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 000000000042616B second address: 00000000004253F5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, 00000539h 0x0000000f push esi 0x00000010 mov esi, A893C8D1h 0x00000015 cmp esi, A893C8D1h 0x0000001b jne 00007F08D0B0C1FBh 0x00000021 pop esi 0x00000022 mov ecx, dword ptr [ebp+1Ch] 0x00000025 mov edx, 8802EDACh 0x0000002a call 00007F08D0B10EABh 0x0000002f jmp 00007F08D0B11CCAh 0x00000031 nop 0x00000032 push esi 0x00000033 push edx 0x00000034 jmp 00007F08D0B11CCAh 0x00000036 test ch, ch 0x00000038 push ecx 0x00000039 cmp eax, 00000539h 0x0000003e jne 00007F08D0B11E08h 0x00000044 jmp 00007F08D0B11CCAh 0x00000046 pushad 0x00000047 mov edx, 000000C2h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000425EF7 second address: 0000000000425EF7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F08D0937E38h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F08D0937E4Ah 0x0000001f nop 0x00000020 cmp al, al 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007F08D0937DFBh 0x00000033 cmp cl, cl 0x00000035 cmp ah, bh 0x00000037 call 00007F08D0937E8Fh 0x0000003c call 00007F08D0937E48h 0x00000041 lfence 0x00000044 mov edx, dword ptr [7FFE0014h] 0x0000004a lfence 0x0000004d ret 0x0000004e mov esi, edx 0x00000050 pushad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000424202 second address: 0000000000424202 instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000560F5E second address: 0000000000560F5E instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000565BB0 second address: 00000000005639A3 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a retn 0010h 0x0000000d cmp edx, edx 0x0000000f push dword ptr [ebp+000000B4h] 0x00000015 pop dword ptr [ebp+00000134h] 0x0000001b jmp 00007F08D0B11CCAh 0x0000001d jmp 00007F08D0B11D00h 0x0000001f push dword ptr [ebp+68h] 0x00000022 push dword ptr [ebp+00000134h] 0x00000028 call 00007F08D0B142D5h 0x0000002d pushad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 00000000005639A3 second address: 00000000005639A3 instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000563C6D second address: 0000000000563CC2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push esi 0x0000000b mov esi, CDC9E0AFh 0x00000010 cmp esi, CDC9E0AFh 0x00000016 jne 00007F08D0B0E6FEh 0x0000001c pop esi 0x0000001d mov eax, ebp 0x0000001f add eax, 000000F0h 0x00000024 jmp 00007F08D0B11CCAh 0x00000026 test cx, cx 0x00000029 mov ebx, dword ptr [ebp+000000E4h] 0x0000002f cmp edx, edx 0x00000031 mov ecx, dword ptr [ebp+000000F4h] 0x00000037 pushad 0x00000038 mov ecx, 000000EBh 0x0000003d rdtsc

Tries to detect Any.run

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Sleaford Medical Group.exe, oversad.exe, 0000001A.00000002.730357636.0000000000420000.00000040.00000001.sdmp

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000401C79 second address: 0000000000401C79 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 2Dh 0x00000005 cmp ebx, 06h 0x00000008 cmp edi, 02EAFF40h 0x0000000e movd mm1, ebx 0x00000011 movd mm1, ebx 0x00000014 paddusw xmm0, xmm3 0x00000018 fdivp st(6), st(0) 0x0000001a jmp 00007F08D0937E89h 0x0000001c movd mm1, ebx 0x0000001f movd mm1, ebx 0x00000022 jne 00007F08D0937D4Fh 0x00000028 inc edi 0x00000029 pslld mm5, 09h 0x0000002d fsubp st(1), st(0) 0x0000002f jmp 00007F08D0937E89h 0x00000031 cmp eax, 1Dh 0x00000034 cmp eax, 000000A3h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 000000000042616B second address: 00000000004253F5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, 00000539h 0x0000000f push esi 0x00000010 mov esi, A893C8D1h 0x00000015 cmp esi, A893C8D1h 0x0000001b jne 00007F08D0B0C1FBh 0x00000021 pop esi 0x00000022 mov ecx, dword ptr [ebp+1Ch] 0x00000025 mov edx, 8802EDACh 0x0000002a call 00007F08D0B10EABh 0x0000002f jmp 00007F08D0B11CCAh 0x00000031 nop 0x00000032 push esi 0x00000033 push edx 0x00000034 jmp 00007F08D0B11CCAh 0x00000036 test ch, ch 0x00000038 push ecx 0x00000039 cmp eax, 00000539h 0x0000003e jne 00007F08D0B11E08h 0x00000044 jmp 00007F08D0B11CCAh 0x00000046 pushad 0x00000047 mov edx, 000000C2h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000425EF7 second address: 0000000000425EF7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F08D0937E38h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F08D0937E4Ah 0x0000001f nop 0x00000020 cmp al, al 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007F08D0937DFBh 0x00000033 cmp cl, cl 0x00000035 cmp ah, bh 0x00000037 call 00007F08D0937E8Fh 0x0000003c call 00007F08D0937E48h 0x00000041 lfence 0x00000044 mov edx, dword ptr [7FFE0014h] 0x0000004a lfence 0x0000004d ret 0x0000004e mov esi, edx 0x00000050 pushad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000425F57 second address: 0000000000425F57 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F08D0B1225Ch 0x0000001d popad 0x0000001e call 00007F08D0B11DEBh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 00000000004205B7 second address: 00000000004253F5 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007F08D093BC3Bh 0x00000010 call 00007F08D093402Ah 0x00000015 jmp 00007F08D0937E4Ah 0x00000017 cmp ebx, edx 0x00000019 pop ecx 0x0000001a mov dword ptr [ebp+18h], ecx 0x0000001d cmp dh, dh 0x0000001f mov eax, 00000539h 0x00000024 mov edx, 60AF076Dh 0x00000029 call 00007F08D093CBCDh 0x0000002e jmp 00007F08D0937E4Ah 0x00000030 nop 0x00000031 push esi 0x00000032 push edx 0x00000033 jmp 00007F08D0937E4Ah 0x00000035 test ch, ch 0x00000037 push ecx 0x00000038 cmp eax, 00000539h 0x0000003d jne 00007F08D0937F88h 0x00000043 jmp 00007F08D0937E4Ah 0x00000045 pushad 0x00000046 mov edx, 000000C2h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000424202 second address: 0000000000424202 instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000565F57 second address: 0000000000565F57 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F08D09383DCh 0x0000001d popad 0x0000001e call 00007F08D0937F6Bh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 00000000005605B7 second address: 00000000005653F5 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007F08D0B15ABBh 0x00000010 call 00007F08D0B0DEAAh 0x00000015 jmp 00007F08D0B11CCAh 0x00000017 cmp ebx, edx 0x00000019 pop ecx 0x0000001a mov dword ptr [ebp+18h], ecx 0x0000001d cmp dh, dh 0x0000001f mov eax, 00000539h 0x00000024 mov edx, 60AF076Dh 0x00000029 call 00007F08D0B16A4Dh 0x0000002e jmp 00007F08D0B11CCAh 0x00000030 nop 0x00000031 push esi 0x00000032 push edx 0x00000033 jmp 00007F08D0B11CCAh 0x00000035 test ch, ch 0x00000037 push ecx 0x00000038 cmp eax, 00000539h 0x0000003d jne 00007F08D0B11E08h 0x00000043 jmp 00007F08D0B11CCAh 0x00000045 pushad 0x00000046 mov edx, 000000C2h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000560F5E second address: 0000000000560F5E instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000565BB0 second address: 00000000005639A3 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a retn 0010h 0x0000000d cmp edx, edx 0x0000000f push dword ptr [ebp+000000B4h] 0x00000015 pop dword ptr [ebp+00000134h] 0x0000001b jmp 00007F08D0B11CCAh 0x0000001d jmp 00007F08D0B11D00h 0x0000001f push dword ptr [ebp+68h] 0x00000022 push dword ptr [ebp+00000134h] 0x00000028 call 00007F08D0B142D5h 0x0000002d pushad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 00000000005639A3 second address: 00000000005639A3 instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000563C6D second address: 0000000000563CC2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push esi 0x0000000b mov esi, CDC9E0AFh 0x00000010 cmp esi, CDC9E0AFh 0x00000016 jne 00007F08D0B0E6FEh 0x0000001c pop esi 0x0000001d mov eax, ebp 0x0000001f add eax, 000000F0h 0x00000024 jmp 00007F08D0B11CCAh 0x00000026 test cx, cx 0x00000029 mov ebx, dword ptr [ebp+000000E4h] 0x0000002f cmp edx, edx 0x00000031 mov ecx, dword ptr [ebp+000000F4h] 0x00000037 pushad 0x00000038 mov ecx, 000000EBh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe	RDTSC instruction interceptor: First address: 0000000000401C79 second address: 0000000000401C79 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 2Dh 0x00000005 cmp ebx, 06h 0x00000008 cmp edi, 02EAFF40h 0x0000000e movd mm1, ebx 0x00000011 movd mm1, ebx 0x00000014 paddusw xmm0, xmm3 0x00000018 fdivp st(6), st(0) 0x0000001a jmp 00007F08D0937E89h 0x0000001c movd mm1, ebx 0x0000001f movd mm1, ebx 0x00000022 jne 00007F08D0937D4Fh 0x00000028 inc edi 0x00000029 pslld mm5, 09h 0x0000002d fsubp st(1), st(0) 0x0000002f jmp 00007F08D0937E89h 0x00000031 cmp eax, 1Dh 0x00000034 cmp eax, 000000A3h 0x00000039 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000002EC98E4 second address: 0000000002EC98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000002EC9B5E second address: 0000000002EC9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Code function: 0_2_00401C31 rdtsc

0_2_00401C31

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 7004	Thread sleep time: -46000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 6336	Thread sleep time: -40000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: explorer.exe, 00000018.00000000.524058813.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000018.00000000.524058813.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000018.00000000.523652219.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000018.00000000.523858105.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000018.00000000.512900592.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000018.00000000.524058813.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000018.00000000.524058813.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000018.00000000.524127788.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000018.00000000.512927052.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000018.00000000.523652219.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Sleaford Medical Group.exe, oversad.exe, 0000001A.00000002.730357636.0000000000420000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Sleaford Medical Group.exe, 00000016.00000002.566373992.0000000000870000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW`g
Source: explorer.exe, 00000018.00000000.523652219.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000018.00000000.524783667.00000000089C9000.00000004.00000001.sdmp	Binary or memory string: qeMusic
Source: explorer.exe, 00000018.00000000.523652219.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Thread information set: HideFromDebugger	Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process queried: DebugPort	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Code function: 0_2_00401C31 rdtsc

0_2_00401C31

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Code function: 22_2_1E3D967A LdrInitializeThunk,

22_2_1E3D967A

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45AE44 mov eax, dword ptr fs:[00000030h]	22_2_1E45AE44
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45AE44 mov eax, dword ptr fs:[00000030h]	22_2_1E45AE44
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39E620 mov eax, dword ptr fs:[00000030h]	22_2_1E39E620
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CA61C mov eax, dword ptr fs:[00000030h]	22_2_1E3CA61C
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CA61C mov eax, dword ptr fs:[00000030h]	22_2_1E3CA61C
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39C600 mov eax, dword ptr fs:[00000030h]	22_2_1E39C600
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39C600 mov eax, dword ptr fs:[00000030h]	22_2_1E39C600
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39C600 mov eax, dword ptr fs:[00000030h]	22_2_1E39C600
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C8E00 mov eax, dword ptr fs:[00000030h]	22_2_1E3C8E00
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]	22_2_1E3BAE73
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]	22_2_1E3BAE73
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]	22_2_1E3BAE73
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]	22_2_1E3BAE73
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]	22_2_1E3BAE73
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451608 mov eax, dword ptr fs:[00000030h]	22_2_1E451608
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A766D mov eax, dword ptr fs:[00000030h]	22_2_1E3A766D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E44FE3F mov eax, dword ptr fs:[00000030h]	22_2_1E44FE3F
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]	22_2_1E3A7E41
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]	22_2_1E3A7E41
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]	22_2_1E3A7E41
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]	22_2_1E3A7E41
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]	22_2_1E3A7E41
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]	22_2_1E3A7E41
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E44FEC0 mov eax, dword ptr fs:[00000030h]	22_2_1E44FEC0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E468ED6 mov eax, dword ptr fs:[00000030h]	22_2_1E468ED6
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42FE87 mov eax, dword ptr fs:[00000030h]	22_2_1E42FE87
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A76E2 mov eax, dword ptr fs:[00000030h]	22_2_1E3A76E2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C16E0 mov ecx, dword ptr fs:[00000030h]	22_2_1E3C16E0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E460EA5 mov eax, dword ptr fs:[00000030h]	22_2_1E460EA5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E460EA5 mov eax, dword ptr fs:[00000030h]	22_2_1E460EA5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E460EA5 mov eax, dword ptr fs:[00000030h]	22_2_1E460EA5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4146A7 mov eax, dword ptr fs:[00000030h]	22_2_1E4146A7
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C36CC mov eax, dword ptr fs:[00000030h]	22_2_1E3C36CC
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D8EC7 mov eax, dword ptr fs:[00000030h]	22_2_1E3D8EC7
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CE730 mov eax, dword ptr fs:[00000030h]	22_2_1E3CE730
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E394F2E mov eax, dword ptr fs:[00000030h]	22_2_1E394F2E
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E394F2E mov eax, dword ptr fs:[00000030h]	22_2_1E394F2E
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E468F6A mov eax, dword ptr fs:[00000030h]	22_2_1E468F6A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BF716 mov eax, dword ptr fs:[00000030h]	22_2_1E3BF716
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CA70E mov eax, dword ptr fs:[00000030h]	22_2_1E3CA70E
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CA70E mov eax, dword ptr fs:[00000030h]	22_2_1E3CA70E
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E46070D mov eax, dword ptr fs:[00000030h]	22_2_1E46070D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E46070D mov eax, dword ptr fs:[00000030h]	22_2_1E46070D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42FF10 mov eax, dword ptr fs:[00000030h]	22_2_1E42FF10
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42FF10 mov eax, dword ptr fs:[00000030h]	22_2_1E42FF10
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AFF60 mov eax, dword ptr fs:[00000030h]	22_2_1E3AFF60
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AEF40 mov eax, dword ptr fs:[00000030h]	22_2_1E3AEF40
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A8794 mov eax, dword ptr fs:[00000030h]	22_2_1E3A8794
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D37F5 mov eax, dword ptr fs:[00000030h]	22_2_1E3D37F5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E417794 mov eax, dword ptr fs:[00000030h]	22_2_1E417794
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E417794 mov eax, dword ptr fs:[00000030h]	22_2_1E417794
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E417794 mov eax, dword ptr fs:[00000030h]	22_2_1E417794
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CBC2C mov eax, dword ptr fs:[00000030h]	22_2_1E3CBC2C
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42C450 mov eax, dword ptr fs:[00000030h]	22_2_1E42C450
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42C450 mov eax, dword ptr fs:[00000030h]	22_2_1E42C450
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]	22_2_1E451C06
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E46740D mov eax, dword ptr fs:[00000030h]	22_2_1E46740D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E46740D mov eax, dword ptr fs:[00000030h]	22_2_1E46740D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E46740D mov eax, dword ptr fs:[00000030h]	22_2_1E46740D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416C0A mov eax, dword ptr fs:[00000030h]	22_2_1E416C0A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416C0A mov eax, dword ptr fs:[00000030h]	22_2_1E416C0A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416C0A mov eax, dword ptr fs:[00000030h]	22_2_1E416C0A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416C0A mov eax, dword ptr fs:[00000030h]	22_2_1E416C0A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B746D mov eax, dword ptr fs:[00000030h]	22_2_1E3B746D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CA44B mov eax, dword ptr fs:[00000030h]	22_2_1E3CA44B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E468CD6 mov eax, dword ptr fs:[00000030h]	22_2_1E468CD6
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A849B mov eax, dword ptr fs:[00000030h]	22_2_1E3A849B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416CF0 mov eax, dword ptr fs:[00000030h]	22_2_1E416CF0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416CF0 mov eax, dword ptr fs:[00000030h]	22_2_1E416CF0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416CF0 mov eax, dword ptr fs:[00000030h]	22_2_1E416CF0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4514FB mov eax, dword ptr fs:[00000030h]	22_2_1E4514FB
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E413540 mov eax, dword ptr fs:[00000030h]	22_2_1E413540
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E443D40 mov eax, dword ptr fs:[00000030h]	22_2_1E443D40
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C4D3B mov eax, dword ptr fs:[00000030h]	22_2_1E3C4D3B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C4D3B mov eax, dword ptr fs:[00000030h]	22_2_1E3C4D3B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C4D3B mov eax, dword ptr fs:[00000030h]	22_2_1E3C4D3B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39AD30 mov eax, dword ptr fs:[00000030h]	22_2_1E39AD30
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]	22_2_1E3A3D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BC577 mov eax, dword ptr fs:[00000030h]	22_2_1E3BC577
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BC577 mov eax, dword ptr fs:[00000030h]	22_2_1E3BC577
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B7D50 mov eax, dword ptr fs:[00000030h]	22_2_1E3B7D50
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E468D34 mov eax, dword ptr fs:[00000030h]	22_2_1E468D34
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E41A537 mov eax, dword ptr fs:[00000030h]	22_2_1E41A537
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45E539 mov eax, dword ptr fs:[00000030h]	22_2_1E45E539
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D3D43 mov eax, dword ptr fs:[00000030h]	22_2_1E3D3D43
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416DC9 mov eax, dword ptr fs:[00000030h]	22_2_1E416DC9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416DC9 mov eax, dword ptr fs:[00000030h]	22_2_1E416DC9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416DC9 mov eax, dword ptr fs:[00000030h]	22_2_1E416DC9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416DC9 mov ecx, dword ptr fs:[00000030h]	22_2_1E416DC9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416DC9 mov eax, dword ptr fs:[00000030h]	22_2_1E416DC9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E416DC9 mov eax, dword ptr fs:[00000030h]	22_2_1E416DC9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C1DB5 mov eax, dword ptr fs:[00000030h]	22_2_1E3C1DB5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C1DB5 mov eax, dword ptr fs:[00000030h]	22_2_1E3C1DB5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C1DB5 mov eax, dword ptr fs:[00000030h]	22_2_1E3C1DB5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C35A1 mov eax, dword ptr fs:[00000030h]	22_2_1E3C35A1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CFD9B mov eax, dword ptr fs:[00000030h]	22_2_1E3CFD9B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CFD9B mov eax, dword ptr fs:[00000030h]	22_2_1E3CFD9B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45FDE2 mov eax, dword ptr fs:[00000030h]	22_2_1E45FDE2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45FDE2 mov eax, dword ptr fs:[00000030h]	22_2_1E45FDE2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45FDE2 mov eax, dword ptr fs:[00000030h]	22_2_1E45FDE2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45FDE2 mov eax, dword ptr fs:[00000030h]	22_2_1E45FDE2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E392D8A mov eax, dword ptr fs:[00000030h]	22_2_1E392D8A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E392D8A mov eax, dword ptr fs:[00000030h]	22_2_1E392D8A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E392D8A mov eax, dword ptr fs:[00000030h]	22_2_1E392D8A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E392D8A mov eax, dword ptr fs:[00000030h]	22_2_1E392D8A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E392D8A mov eax, dword ptr fs:[00000030h]	22_2_1E392D8A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E448DF1 mov eax, dword ptr fs:[00000030h]	22_2_1E448DF1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2581 mov eax, dword ptr fs:[00000030h]	22_2_1E3C2581
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2581 mov eax, dword ptr fs:[00000030h]	22_2_1E3C2581
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2581 mov eax, dword ptr fs:[00000030h]	22_2_1E3C2581
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2581 mov eax, dword ptr fs:[00000030h]	22_2_1E3C2581
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AD5E0 mov eax, dword ptr fs:[00000030h]	22_2_1E3AD5E0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AD5E0 mov eax, dword ptr fs:[00000030h]	22_2_1E3AD5E0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4605AC mov eax, dword ptr fs:[00000030h]	22_2_1E4605AC
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4605AC mov eax, dword ptr fs:[00000030h]	22_2_1E4605AC
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45EA55 mov eax, dword ptr fs:[00000030h]	22_2_1E45EA55
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D4A2C mov eax, dword ptr fs:[00000030h]	22_2_1E3D4A2C
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D4A2C mov eax, dword ptr fs:[00000030h]	22_2_1E3D4A2C
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E424257 mov eax, dword ptr fs:[00000030h]	22_2_1E424257
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E44B260 mov eax, dword ptr fs:[00000030h]	22_2_1E44B260
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E44B260 mov eax, dword ptr fs:[00000030h]	22_2_1E44B260
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E468A62 mov eax, dword ptr fs:[00000030h]	22_2_1E468A62
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B3A1C mov eax, dword ptr fs:[00000030h]	22_2_1E3B3A1C
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E395210 mov eax, dword ptr fs:[00000030h]	22_2_1E395210
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E395210 mov ecx, dword ptr fs:[00000030h]	22_2_1E395210
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E395210 mov eax, dword ptr fs:[00000030h]	22_2_1E395210
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E395210 mov eax, dword ptr fs:[00000030h]	22_2_1E395210
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39AA16 mov eax, dword ptr fs:[00000030h]	22_2_1E39AA16
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39AA16 mov eax, dword ptr fs:[00000030h]	22_2_1E39AA16
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A8A0A mov eax, dword ptr fs:[00000030h]	22_2_1E3A8A0A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D927A mov eax, dword ptr fs:[00000030h]	22_2_1E3D927A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45AA16 mov eax, dword ptr fs:[00000030h]	22_2_1E45AA16
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45AA16 mov eax, dword ptr fs:[00000030h]	22_2_1E45AA16
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399240 mov eax, dword ptr fs:[00000030h]	22_2_1E399240
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399240 mov eax, dword ptr fs:[00000030h]	22_2_1E399240
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399240 mov eax, dword ptr fs:[00000030h]	22_2_1E399240
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399240 mov eax, dword ptr fs:[00000030h]	22_2_1E399240
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AAAB0 mov eax, dword ptr fs:[00000030h]	22_2_1E3AAAB0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AAAB0 mov eax, dword ptr fs:[00000030h]	22_2_1E3AAAB0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CFAB0 mov eax, dword ptr fs:[00000030h]	22_2_1E3CFAB0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3952A5 mov eax, dword ptr fs:[00000030h]	22_2_1E3952A5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3952A5 mov eax, dword ptr fs:[00000030h]	22_2_1E3952A5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3952A5 mov eax, dword ptr fs:[00000030h]	22_2_1E3952A5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3952A5 mov eax, dword ptr fs:[00000030h]	22_2_1E3952A5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3952A5 mov eax, dword ptr fs:[00000030h]	22_2_1E3952A5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CD294 mov eax, dword ptr fs:[00000030h]	22_2_1E3CD294
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CD294 mov eax, dword ptr fs:[00000030h]	22_2_1E3CD294
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2AE4 mov eax, dword ptr fs:[00000030h]	22_2_1E3C2AE4
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2ACB mov eax, dword ptr fs:[00000030h]	22_2_1E3C2ACB
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E468B58 mov eax, dword ptr fs:[00000030h]	22_2_1E468B58
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C3B7A mov eax, dword ptr fs:[00000030h]	22_2_1E3C3B7A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C3B7A mov eax, dword ptr fs:[00000030h]	22_2_1E3C3B7A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39DB60 mov ecx, dword ptr fs:[00000030h]	22_2_1E39DB60
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45131B mov eax, dword ptr fs:[00000030h]	22_2_1E45131B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39F358 mov eax, dword ptr fs:[00000030h]	22_2_1E39F358
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39DB40 mov eax, dword ptr fs:[00000030h]	22_2_1E39DB40
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4153CA mov eax, dword ptr fs:[00000030h]	22_2_1E4153CA
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4153CA mov eax, dword ptr fs:[00000030h]	22_2_1E4153CA
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C4BAD mov eax, dword ptr fs:[00000030h]	22_2_1E3C4BAD
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C4BAD mov eax, dword ptr fs:[00000030h]	22_2_1E3C4BAD
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C4BAD mov eax, dword ptr fs:[00000030h]	22_2_1E3C4BAD
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2397 mov eax, dword ptr fs:[00000030h]	22_2_1E3C2397
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CB390 mov eax, dword ptr fs:[00000030h]	22_2_1E3CB390
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A1B8F mov eax, dword ptr fs:[00000030h]	22_2_1E3A1B8F
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3A1B8F mov eax, dword ptr fs:[00000030h]	22_2_1E3A1B8F
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E44D380 mov ecx, dword ptr fs:[00000030h]	22_2_1E44D380
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E45138A mov eax, dword ptr fs:[00000030h]	22_2_1E45138A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BDBE9 mov eax, dword ptr fs:[00000030h]	22_2_1E3BDBE9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]	22_2_1E3C03E2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]	22_2_1E3C03E2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]	22_2_1E3C03E2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]	22_2_1E3C03E2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]	22_2_1E3C03E2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]	22_2_1E3C03E2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E465BA5 mov eax, dword ptr fs:[00000030h]	22_2_1E465BA5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AB02A mov eax, dword ptr fs:[00000030h]	22_2_1E3AB02A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AB02A mov eax, dword ptr fs:[00000030h]	22_2_1E3AB02A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AB02A mov eax, dword ptr fs:[00000030h]	22_2_1E3AB02A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3AB02A mov eax, dword ptr fs:[00000030h]	22_2_1E3AB02A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C002D mov eax, dword ptr fs:[00000030h]	22_2_1E3C002D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C002D mov eax, dword ptr fs:[00000030h]	22_2_1E3C002D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C002D mov eax, dword ptr fs:[00000030h]	22_2_1E3C002D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C002D mov eax, dword ptr fs:[00000030h]	22_2_1E3C002D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C002D mov eax, dword ptr fs:[00000030h]	22_2_1E3C002D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E461074 mov eax, dword ptr fs:[00000030h]	22_2_1E461074
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E452073 mov eax, dword ptr fs:[00000030h]	22_2_1E452073
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E464015 mov eax, dword ptr fs:[00000030h]	22_2_1E464015
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E464015 mov eax, dword ptr fs:[00000030h]	22_2_1E464015
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E417016 mov eax, dword ptr fs:[00000030h]	22_2_1E417016
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E417016 mov eax, dword ptr fs:[00000030h]	22_2_1E417016
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E417016 mov eax, dword ptr fs:[00000030h]	22_2_1E417016
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B0050 mov eax, dword ptr fs:[00000030h]	22_2_1E3B0050
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B0050 mov eax, dword ptr fs:[00000030h]	22_2_1E3B0050
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CF0BF mov ecx, dword ptr fs:[00000030h]	22_2_1E3CF0BF
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CF0BF mov eax, dword ptr fs:[00000030h]	22_2_1E3CF0BF
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CF0BF mov eax, dword ptr fs:[00000030h]	22_2_1E3CF0BF
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3D90AF mov eax, dword ptr fs:[00000030h]	22_2_1E3D90AF
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]	22_2_1E42B8D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42B8D0 mov ecx, dword ptr fs:[00000030h]	22_2_1E42B8D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]	22_2_1E42B8D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]	22_2_1E42B8D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]	22_2_1E42B8D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]	22_2_1E42B8D0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C20A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C20A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C20A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C20A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C20A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C20A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399080 mov eax, dword ptr fs:[00000030h]	22_2_1E399080
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E413884 mov eax, dword ptr fs:[00000030h]	22_2_1E413884
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E413884 mov eax, dword ptr fs:[00000030h]	22_2_1E413884
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3958EC mov eax, dword ptr fs:[00000030h]	22_2_1E3958EC
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3940E1 mov eax, dword ptr fs:[00000030h]	22_2_1E3940E1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3940E1 mov eax, dword ptr fs:[00000030h]	22_2_1E3940E1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3940E1 mov eax, dword ptr fs:[00000030h]	22_2_1E3940E1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C513A mov eax, dword ptr fs:[00000030h]	22_2_1E3C513A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C513A mov eax, dword ptr fs:[00000030h]	22_2_1E3C513A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B4120 mov eax, dword ptr fs:[00000030h]	22_2_1E3B4120
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B4120 mov eax, dword ptr fs:[00000030h]	22_2_1E3B4120
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B4120 mov eax, dword ptr fs:[00000030h]	22_2_1E3B4120
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B4120 mov eax, dword ptr fs:[00000030h]	22_2_1E3B4120
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3B4120 mov ecx, dword ptr fs:[00000030h]	22_2_1E3B4120
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399100 mov eax, dword ptr fs:[00000030h]	22_2_1E399100
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399100 mov eax, dword ptr fs:[00000030h]	22_2_1E399100
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E399100 mov eax, dword ptr fs:[00000030h]	22_2_1E399100
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39B171 mov eax, dword ptr fs:[00000030h]	22_2_1E39B171
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39B171 mov eax, dword ptr fs:[00000030h]	22_2_1E39B171
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39C962 mov eax, dword ptr fs:[00000030h]	22_2_1E39C962
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BB944 mov eax, dword ptr fs:[00000030h]	22_2_1E3BB944
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BB944 mov eax, dword ptr fs:[00000030h]	22_2_1E3BB944
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C61A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C61A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C61A0 mov eax, dword ptr fs:[00000030h]	22_2_1E3C61A0
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4241E8 mov eax, dword ptr fs:[00000030h]	22_2_1E4241E8
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3C2990 mov eax, dword ptr fs:[00000030h]	22_2_1E3C2990
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3BC182 mov eax, dword ptr fs:[00000030h]	22_2_1E3BC182
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E3CA185 mov eax, dword ptr fs:[00000030h]	22_2_1E3CA185
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39B1E1 mov eax, dword ptr fs:[00000030h]	22_2_1E39B1E1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39B1E1 mov eax, dword ptr fs:[00000030h]	22_2_1E39B1E1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E39B1E1 mov eax, dword ptr fs:[00000030h]	22_2_1E39B1E1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4549A4 mov eax, dword ptr fs:[00000030h]	22_2_1E4549A4
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4549A4 mov eax, dword ptr fs:[00000030h]	22_2_1E4549A4
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4549A4 mov eax, dword ptr fs:[00000030h]	22_2_1E4549A4
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4549A4 mov eax, dword ptr fs:[00000030h]	22_2_1E4549A4
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4169A6 mov eax, dword ptr fs:[00000030h]	22_2_1E4169A6
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4151BE mov eax, dword ptr fs:[00000030h]	22_2_1E4151BE
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4151BE mov eax, dword ptr fs:[00000030h]	22_2_1E4151BE
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4151BE mov eax, dword ptr fs:[00000030h]	22_2_1E4151BE
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_1E4151BE mov eax, dword ptr fs:[00000030h]	22_2_1E4151BE
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_0056661B mov eax, dword ptr fs:[00000030h]	22_2_0056661B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00566601 mov eax, dword ptr fs:[00000030h]	22_2_00566601
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_0056662E mov eax, dword ptr fs:[00000030h]	22_2_0056662E
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00563282 mov eax, dword ptr fs:[00000030h]	22_2_00563282
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_0056532B mov eax, dword ptr fs:[00000030h]	22_2_0056532B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Code function: 22_2_00565BDE mov eax, dword ptr fs:[00000030h]	22_2_00565BDE
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388138A mov eax, dword ptr fs:[00000030h]	28_2_0388138A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F3B7A mov eax, dword ptr fs:[00000030h]	28_2_037F3B7A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F3B7A mov eax, dword ptr fs:[00000030h]	28_2_037F3B7A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0387D380 mov ecx, dword ptr fs:[00000030h]	28_2_0387D380
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CDB60 mov ecx, dword ptr fs:[00000030h]	28_2_037CDB60
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CF358 mov eax, dword ptr fs:[00000030h]	28_2_037CF358
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03895BA5 mov eax, dword ptr fs:[00000030h]	28_2_03895BA5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CDB40 mov eax, dword ptr fs:[00000030h]	28_2_037CDB40
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038453CA mov eax, dword ptr fs:[00000030h]	28_2_038453CA
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038453CA mov eax, dword ptr fs:[00000030h]	28_2_038453CA
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388131B mov eax, dword ptr fs:[00000030h]	28_2_0388131B
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EDBE9 mov eax, dword ptr fs:[00000030h]	28_2_037EDBE9
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]	28_2_037F03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]	28_2_037F03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]	28_2_037F03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]	28_2_037F03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]	28_2_037F03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]	28_2_037F03E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03898B58 mov eax, dword ptr fs:[00000030h]	28_2_03898B58
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F4BAD mov eax, dword ptr fs:[00000030h]	28_2_037F4BAD
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F4BAD mov eax, dword ptr fs:[00000030h]	28_2_037F4BAD
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F4BAD mov eax, dword ptr fs:[00000030h]	28_2_037F4BAD
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F2397 mov eax, dword ptr fs:[00000030h]	28_2_037F2397
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FB390 mov eax, dword ptr fs:[00000030h]	28_2_037FB390
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D1B8F mov eax, dword ptr fs:[00000030h]	28_2_037D1B8F
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D1B8F mov eax, dword ptr fs:[00000030h]	28_2_037D1B8F
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9240 mov eax, dword ptr fs:[00000030h]	28_2_037C9240
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9240 mov eax, dword ptr fs:[00000030h]	28_2_037C9240
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9240 mov eax, dword ptr fs:[00000030h]	28_2_037C9240
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9240 mov eax, dword ptr fs:[00000030h]	28_2_037C9240
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]	28_2_037EA229
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E3A1C mov eax, dword ptr fs:[00000030h]	28_2_037E3A1C
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CAA16 mov eax, dword ptr fs:[00000030h]	28_2_037CAA16
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CAA16 mov eax, dword ptr fs:[00000030h]	28_2_037CAA16
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C5210 mov eax, dword ptr fs:[00000030h]	28_2_037C5210
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C5210 mov ecx, dword ptr fs:[00000030h]	28_2_037C5210
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C5210 mov eax, dword ptr fs:[00000030h]	28_2_037C5210
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C5210 mov eax, dword ptr fs:[00000030h]	28_2_037C5210
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D8A0A mov eax, dword ptr fs:[00000030h]	28_2_037D8A0A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F2AE4 mov eax, dword ptr fs:[00000030h]	28_2_037F2AE4
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388AA16 mov eax, dword ptr fs:[00000030h]	28_2_0388AA16
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388AA16 mov eax, dword ptr fs:[00000030h]	28_2_0388AA16
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03804A2C mov eax, dword ptr fs:[00000030h]	28_2_03804A2C
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03804A2C mov eax, dword ptr fs:[00000030h]	28_2_03804A2C
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F2ACB mov eax, dword ptr fs:[00000030h]	28_2_037F2ACB
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DAAB0 mov eax, dword ptr fs:[00000030h]	28_2_037DAAB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DAAB0 mov eax, dword ptr fs:[00000030h]	28_2_037DAAB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FFAB0 mov eax, dword ptr fs:[00000030h]	28_2_037FFAB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03854257 mov eax, dword ptr fs:[00000030h]	28_2_03854257
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C52A5 mov eax, dword ptr fs:[00000030h]	28_2_037C52A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C52A5 mov eax, dword ptr fs:[00000030h]	28_2_037C52A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C52A5 mov eax, dword ptr fs:[00000030h]	28_2_037C52A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C52A5 mov eax, dword ptr fs:[00000030h]	28_2_037C52A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C52A5 mov eax, dword ptr fs:[00000030h]	28_2_037C52A5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388EA55 mov eax, dword ptr fs:[00000030h]	28_2_0388EA55
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0387B260 mov eax, dword ptr fs:[00000030h]	28_2_0387B260
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0387B260 mov eax, dword ptr fs:[00000030h]	28_2_0387B260
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FD294 mov eax, dword ptr fs:[00000030h]	28_2_037FD294
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FD294 mov eax, dword ptr fs:[00000030h]	28_2_037FD294
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03898A62 mov eax, dword ptr fs:[00000030h]	28_2_03898A62
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0380927A mov eax, dword ptr fs:[00000030h]	28_2_0380927A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CB171 mov eax, dword ptr fs:[00000030h]	28_2_037CB171
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CB171 mov eax, dword ptr fs:[00000030h]	28_2_037CB171
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CC962 mov eax, dword ptr fs:[00000030h]	28_2_037CC962
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038469A6 mov eax, dword ptr fs:[00000030h]	28_2_038469A6
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038849A4 mov eax, dword ptr fs:[00000030h]	28_2_038849A4
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038849A4 mov eax, dword ptr fs:[00000030h]	28_2_038849A4
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038849A4 mov eax, dword ptr fs:[00000030h]	28_2_038849A4
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038849A4 mov eax, dword ptr fs:[00000030h]	28_2_038849A4
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EB944 mov eax, dword ptr fs:[00000030h]	28_2_037EB944
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EB944 mov eax, dword ptr fs:[00000030h]	28_2_037EB944
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038451BE mov eax, dword ptr fs:[00000030h]	28_2_038451BE
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038451BE mov eax, dword ptr fs:[00000030h]	28_2_038451BE
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038451BE mov eax, dword ptr fs:[00000030h]	28_2_038451BE
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038451BE mov eax, dword ptr fs:[00000030h]	28_2_038451BE
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F513A mov eax, dword ptr fs:[00000030h]	28_2_037F513A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F513A mov eax, dword ptr fs:[00000030h]	28_2_037F513A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E4120 mov eax, dword ptr fs:[00000030h]	28_2_037E4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E4120 mov eax, dword ptr fs:[00000030h]	28_2_037E4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E4120 mov eax, dword ptr fs:[00000030h]	28_2_037E4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E4120 mov eax, dword ptr fs:[00000030h]	28_2_037E4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E4120 mov ecx, dword ptr fs:[00000030h]	28_2_037E4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038541E8 mov eax, dword ptr fs:[00000030h]	28_2_038541E8
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9100 mov eax, dword ptr fs:[00000030h]	28_2_037C9100
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9100 mov eax, dword ptr fs:[00000030h]	28_2_037C9100
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9100 mov eax, dword ptr fs:[00000030h]	28_2_037C9100
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CB1E1 mov eax, dword ptr fs:[00000030h]	28_2_037CB1E1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CB1E1 mov eax, dword ptr fs:[00000030h]	28_2_037CB1E1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CB1E1 mov eax, dword ptr fs:[00000030h]	28_2_037CB1E1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F61A0 mov eax, dword ptr fs:[00000030h]	28_2_037F61A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F61A0 mov eax, dword ptr fs:[00000030h]	28_2_037F61A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F2990 mov eax, dword ptr fs:[00000030h]	28_2_037F2990
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FA185 mov eax, dword ptr fs:[00000030h]	28_2_037FA185
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EC182 mov eax, dword ptr fs:[00000030h]	28_2_037EC182
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03843884 mov eax, dword ptr fs:[00000030h]	28_2_03843884
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03843884 mov eax, dword ptr fs:[00000030h]	28_2_03843884
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E0050 mov eax, dword ptr fs:[00000030h]	28_2_037E0050
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E0050 mov eax, dword ptr fs:[00000030h]	28_2_037E0050
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038090AF mov eax, dword ptr fs:[00000030h]	28_2_038090AF
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA830 mov eax, dword ptr fs:[00000030h]	28_2_037EA830
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA830 mov eax, dword ptr fs:[00000030h]	28_2_037EA830
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA830 mov eax, dword ptr fs:[00000030h]	28_2_037EA830
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EA830 mov eax, dword ptr fs:[00000030h]	28_2_037EA830
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F002D mov eax, dword ptr fs:[00000030h]	28_2_037F002D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F002D mov eax, dword ptr fs:[00000030h]	28_2_037F002D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F002D mov eax, dword ptr fs:[00000030h]	28_2_037F002D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F002D mov eax, dword ptr fs:[00000030h]	28_2_037F002D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F002D mov eax, dword ptr fs:[00000030h]	28_2_037F002D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385B8D0 mov eax, dword ptr fs:[00000030h]	28_2_0385B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385B8D0 mov ecx, dword ptr fs:[00000030h]	28_2_0385B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385B8D0 mov eax, dword ptr fs:[00000030h]	28_2_0385B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385B8D0 mov eax, dword ptr fs:[00000030h]	28_2_0385B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385B8D0 mov eax, dword ptr fs:[00000030h]	28_2_0385B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385B8D0 mov eax, dword ptr fs:[00000030h]	28_2_0385B8D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DB02A mov eax, dword ptr fs:[00000030h]	28_2_037DB02A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DB02A mov eax, dword ptr fs:[00000030h]	28_2_037DB02A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DB02A mov eax, dword ptr fs:[00000030h]	28_2_037DB02A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DB02A mov eax, dword ptr fs:[00000030h]	28_2_037DB02A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C58EC mov eax, dword ptr fs:[00000030h]	28_2_037C58EC
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03847016 mov eax, dword ptr fs:[00000030h]	28_2_03847016
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03847016 mov eax, dword ptr fs:[00000030h]	28_2_03847016
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03847016 mov eax, dword ptr fs:[00000030h]	28_2_03847016
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03894015 mov eax, dword ptr fs:[00000030h]	28_2_03894015
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03894015 mov eax, dword ptr fs:[00000030h]	28_2_03894015
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C40E1 mov eax, dword ptr fs:[00000030h]	28_2_037C40E1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C40E1 mov eax, dword ptr fs:[00000030h]	28_2_037C40E1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C40E1 mov eax, dword ptr fs:[00000030h]	28_2_037C40E1
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FF0BF mov ecx, dword ptr fs:[00000030h]	28_2_037FF0BF
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FF0BF mov eax, dword ptr fs:[00000030h]	28_2_037FF0BF
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FF0BF mov eax, dword ptr fs:[00000030h]	28_2_037FF0BF
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]	28_2_037F20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]	28_2_037F20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]	28_2_037F20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]	28_2_037F20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]	28_2_037F20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]	28_2_037F20A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03882073 mov eax, dword ptr fs:[00000030h]	28_2_03882073
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C9080 mov eax, dword ptr fs:[00000030h]	28_2_037C9080
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03891074 mov eax, dword ptr fs:[00000030h]	28_2_03891074
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03847794 mov eax, dword ptr fs:[00000030h]	28_2_03847794
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03847794 mov eax, dword ptr fs:[00000030h]	28_2_03847794
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03847794 mov eax, dword ptr fs:[00000030h]	28_2_03847794
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DFF60 mov eax, dword ptr fs:[00000030h]	28_2_037DFF60
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037DEF40 mov eax, dword ptr fs:[00000030h]	28_2_037DEF40
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FE730 mov eax, dword ptr fs:[00000030h]	28_2_037FE730
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C4F2E mov eax, dword ptr fs:[00000030h]	28_2_037C4F2E
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037C4F2E mov eax, dword ptr fs:[00000030h]	28_2_037C4F2E
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EF716 mov eax, dword ptr fs:[00000030h]	28_2_037EF716
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FA70E mov eax, dword ptr fs:[00000030h]	28_2_037FA70E
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FA70E mov eax, dword ptr fs:[00000030h]	28_2_037FA70E
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038037F5 mov eax, dword ptr fs:[00000030h]	28_2_038037F5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0389070D mov eax, dword ptr fs:[00000030h]	28_2_0389070D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0389070D mov eax, dword ptr fs:[00000030h]	28_2_0389070D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385FF10 mov eax, dword ptr fs:[00000030h]	28_2_0385FF10
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385FF10 mov eax, dword ptr fs:[00000030h]	28_2_0385FF10
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03898F6A mov eax, dword ptr fs:[00000030h]	28_2_03898F6A
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D8794 mov eax, dword ptr fs:[00000030h]	28_2_037D8794
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0385FE87 mov eax, dword ptr fs:[00000030h]	28_2_0385FE87
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EAE73 mov eax, dword ptr fs:[00000030h]	28_2_037EAE73
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EAE73 mov eax, dword ptr fs:[00000030h]	28_2_037EAE73
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EAE73 mov eax, dword ptr fs:[00000030h]	28_2_037EAE73
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EAE73 mov eax, dword ptr fs:[00000030h]	28_2_037EAE73
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EAE73 mov eax, dword ptr fs:[00000030h]	28_2_037EAE73
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D766D mov eax, dword ptr fs:[00000030h]	28_2_037D766D
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038446A7 mov eax, dword ptr fs:[00000030h]	28_2_038446A7
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03890EA5 mov eax, dword ptr fs:[00000030h]	28_2_03890EA5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03890EA5 mov eax, dword ptr fs:[00000030h]	28_2_03890EA5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03890EA5 mov eax, dword ptr fs:[00000030h]	28_2_03890EA5
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]	28_2_037D7E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]	28_2_037D7E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]	28_2_037D7E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]	28_2_037D7E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]	28_2_037D7E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]	28_2_037D7E41
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03808EC7 mov eax, dword ptr fs:[00000030h]	28_2_03808EC7
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0387FEC0 mov eax, dword ptr fs:[00000030h]	28_2_0387FEC0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CE620 mov eax, dword ptr fs:[00000030h]	28_2_037CE620
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03898ED6 mov eax, dword ptr fs:[00000030h]	28_2_03898ED6
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FA61C mov eax, dword ptr fs:[00000030h]	28_2_037FA61C
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037FA61C mov eax, dword ptr fs:[00000030h]	28_2_037FA61C
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CC600 mov eax, dword ptr fs:[00000030h]	28_2_037CC600
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CC600 mov eax, dword ptr fs:[00000030h]	28_2_037CC600
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037CC600 mov eax, dword ptr fs:[00000030h]	28_2_037CC600
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F8E00 mov eax, dword ptr fs:[00000030h]	28_2_037F8E00
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_03881608 mov eax, dword ptr fs:[00000030h]	28_2_03881608
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F16E0 mov ecx, dword ptr fs:[00000030h]	28_2_037F16E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D76E2 mov eax, dword ptr fs:[00000030h]	28_2_037D76E2
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F36CC mov eax, dword ptr fs:[00000030h]	28_2_037F36CC
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0387FE3F mov eax, dword ptr fs:[00000030h]	28_2_0387FE3F
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388AE44 mov eax, dword ptr fs:[00000030h]	28_2_0388AE44
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_0388AE44 mov eax, dword ptr fs:[00000030h]	28_2_0388AE44
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EC577 mov eax, dword ptr fs:[00000030h]	28_2_037EC577
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037EC577 mov eax, dword ptr fs:[00000030h]	28_2_037EC577
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038905AC mov eax, dword ptr fs:[00000030h]	28_2_038905AC
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_038905AC mov eax, dword ptr fs:[00000030h]	28_2_038905AC
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037E7D50 mov eax, dword ptr fs:[00000030h]	28_2_037E7D50
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F4D3B mov eax, dword ptr fs:[00000030h]	28_2_037F4D3B
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F4D3B mov eax, dword ptr fs:[00000030h]	28_2_037F4D3B
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037F4D3B mov eax, dword ptr fs:[00000030h]	28_2_037F4D3B
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34
Source: C:\Windows\SysWOW64\help.exe	Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]	28_2_037D3D34

Enables debug privileges

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 104.21.89.82 80

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe

Section unmapped: C:\Windows\SysWOW64\help.exe base address: E60000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Sleaford Medical Group.exe	Process created: C:\Users\user\Desktop\Sleaford Medical Group.exe 'C:\Users\user\Desktop\Sleaford Medical Group.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Sleaford Medical Group.exe'	Jump to behavior

Source: explorer.exe, 00000018.00000000.501184741.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000018.00000002.734973768.0000000001980000.00000002.00000001.sdmp, oversad.exe, 0000001A.00000002.732448844.0000000000C40000.00000002.00000001.sdmp, help.exe, 0000001C.00000002.737092327.0000000004C30000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000018.00000000.524058813.000000000871F000.00000004.00000001.sdmp, oversad.exe, 0000001A.00000002.732448844.0000000000C40000.00000002.00000001.sdmp, help.exe, 0000001C.00000002.737092327.0000000004C30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000018.00000002.734973768.0000000001980000.00000002.00000001.sdmp, oversad.exe, 0000001A.00000002.732448844.0000000000C40000.00000002.00000001.sdmp, help.exe, 0000001C.00000002.737092327.0000000004C30000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000018.00000002.734973768.0000000001980000.00000002.00000001.sdmp, oversad.exe, 0000001A.00000002.732448844.0000000000C40000.00000002.00000001.sdmp, help.exe, 0000001C.00000002.737092327.0000000004C30000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY

Yara detected Generic Dropper

Source: Yara match	File source: Process Memory Space: help.exe PID: 6328, type: MEMORY
Source: Yara match	File source: Process Memory Space: Sleaford Medical Group.exe PID: 5356, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY

ID:	358420
Product:	CloudBasic
Start time:	15:42:17
Start date:	25.02.2021
Sample:	Sleaford Medical Group.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	dde7e39d025b75849184c077517030ae
SHA1:	6350e468239b6099421676fb6ff289a27f8cda5a
SHA256:	ba1ae604539b6cde921342baaceb3eb82149b0f15c369b77020b38254a586629
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe	PE32 executable (GUI) Intel 80386, for MS Windows	DDE7E39D025B75849184C077517030AE	6350E468239B6099421676FB6FF289A27F8CDA5A	BA1AE604539B6CDE921342BAACEB3EB82149B0F15C369B77020B38254A586629
C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs	ASCII text, with CRLF line terminators	A0E46FC6089CF4C41E77819A9F42A5C3	24C0E7BFBE9A7C3E255F781FC5664CA5DCA70EEF	8A37873731D9BB641F08AB5DA52BA395480F7A77CA4C0F8AAC489EE5832A9527

Analysis Report Sleaford Medical Group.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs