Edit tour

Windows Analysis Report
installeasyassist.exe

Overview

General Information

Sample name:	installeasyassist.exe
Analysis ID:	1581999
MD5:	a9289858a27b07386e9bb49d3b671f5f
SHA1:	fc4aebae645ca4ebc72d8d30e3df3e033a0d40e4
SHA256:	851b35a437331f82cd3e878ae4265b52332a2857cbc02ba9f9ff6c6cbd8730aa
Tags:	Copyrightc2024TheEasyAssistSoftwareTrustEasyAssistexesignedTSULoaderuser-NDA0E
Infos:

Detection

Score:	40
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	52
Range:	0 - 100

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

AI detected landing page (webpage, office document or email)

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Sigma detected: Files With System Process Name In Unsuspected Locations

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

installeasyassist.exe (PID: 3336 cmdline: "C:\Users\user\Desktop\installeasyassist.exe" MD5: A9289858A27B07386E9BB49D3B671F5F)

easyassistupdate.exe (PID: 7036 cmdline: "C:\EasyAssist\Data\easyassistupdate.exe" /q MD5: 9017DF9DF3C847E35C3A4C67C4ADA376)

GA.exe (PID: 5948 cmdline: "C:\EasyAssist\GA.exe" A S-1-1-0 C:\ProgramData\safclic.dat MD5: A5F642A79BF4B107DD9AEDD98BF4ED8C)

easyassist.exe (PID: 4228 cmdline: "C:\EasyAssist\EasyAssist.exe" MD5: 7CEFF07109C71FDEC5E1D448E91618A1)

EXCEL.EXE (PID: 6888 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding MD5: 4A871771235598812032C822E6F68F19)

chrome.exe (PID: 1640 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.easyassist.com.au/order.html MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5080 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2032,i,3937009319632882698,9883249847199975624,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

splwow64.exe (PID: 6860 cmdline: C:\Windows\splwow64.exe 8192 MD5: 77DE7761B037061C7C112FD3C5B91E73)

cleanup

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\installeasyassist.exe, ProcessId: 3336, TargetFilename: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\x86\regsvr32.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\x64\regsvr32.exe	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\x64\regsvr32.exe	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\Tsu87CBF1E9.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\Tsu.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\Tsu.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\Tsu7AC6F35D.dll	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen

Multi AV Scanner detection for submitted file

Source: installeasyassist.exe	Virustotal: Detection: 35%			Perma Link
Source: installeasyassist.exe	ReversingLabs: Detection: 39%

Phishing

AI detected landing page (webpage, office document or email)

Source: Screenshot id: 23	Joe Sandbox AI: Screenshot id: 23 contains prominent button: 'click here to order or renew a license for easyassist or enter an activation code.'
Source: Screenshot id: 22	Joe Sandbox AI: Screenshot id: 22 contains prominent button: 'click here to order or renew a license for easyassist or enter an activation code.'

Compliance

Uses 32bit PE files

Source: installeasyassist.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Creates a software uninstall entry

Source: C:\Users\user\Desktop\installeasyassist.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}

Jump to behavior

Creates install or setup log file

Source: C:\Users\user\Desktop\installeasyassist.exe

File created: C:\Users\user\AppData\Local\Temp\installeasyassist4905AB61.log

Jump to behavior

Creates license or readme file

Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\Users\user\AppData\Local\Temp\225BF656\Readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\Readme.txt	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\Users\user\AppData\Local\Temp\1220E79C\Readme.txt	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\Readme.txt	Jump to behavior

PE / OLE file has a valid certificate

Source: installeasyassist.exe

Static PE information: certificate valid

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49750 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: installeasyassist.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: D:\Dev\Tin9\InstallDir\vc80x86u\_TinDel.pdb source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Dev\Tin9\InstallDir\vc80x86u\TsuDll.pdb source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:D:\Dev\SysUtils\InstallDir\vc80-win32u\GA.pdb source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, GA.exe, 00000006.00000002.1949911288.0000000000402000.00000002.00000001.01000000.0000000E.sdmp, GA.exe, 00000006.00000000.1949497625.0000000000402000.00000002.00000001.01000000.0000000E.sdmp, GA.exe._tm.0.dr
Source:	Binary string: D:\Dev\SysUtils\InstallDir\vc80-win32u\GA.pdb source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, GA.exe, 00000006.00000002.1949911288.0000000000402000.00000002.00000001.01000000.0000000E.sdmp, GA.exe, 00000006.00000000.1949497625.0000000000402000.00000002.00000001.01000000.0000000E.sdmp, GA.exe._tm.0.dr
Source:	Binary string: D:\Dev\Tin9\InstallDir\vc80x64u\_TinReg.pdb source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe0.0.dr
Source:	Binary string: D:\Dev\Tin9\InstallDir\vc80x86u\Setup.pdb source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Dev\Tin9\InstallDir\vc80x86u\Loader.pdb source: installeasyassist.exe, easyassistupdate.exe._tm.0.dr
Source:	Binary string: D:\Dev\Tin9\InstallDir\vc80x86u\_TinReg.pdb source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe.0.dr, regsvr32.exe.2.dr

Spreading

Source: C:\EasyAssist\GA.exe

Code function: 6_2_00401567 LocalAlloc,LookupAccountNameW,GetLastError,FindFirstFileW,FindNextFileW,FindClose,MessageBoxW,LocalFree,

6_2_00401567

Software Vulnerabilities

Source: excel.exe

Memory has grown: Private usage: 2MB later: 105MB

Networking

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 192.229.221.25 192.229.221.25
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 151.101.65.21 151.101.65.21

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /order.html HTTP/1.1Host: www.easyassist.com.auConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /easyassist_default.css HTTP/1.1Host: www.easyassist.com.auConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,/;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://www.easyassist.com.au/order.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/easyassistgraphic704x124.jpg HTTP/1.1Host: www.easyassist.com.auConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.easyassist.com.au/order.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/backgradient.jpg HTTP/1.1Host: www.easyassist.com.auConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.easyassist.com.au/easyassist_default.cssAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/easyassistgraphic704x124.jpg HTTP/1.1Host: www.easyassist.com.auConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /paymentinstructions.html HTTP/1.1Host: www.easyassist.com.auConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://www.easyassist.com.au/order.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/favicon.ico HTTP/1.1Host: www.easyassist.com.auConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.easyassist.com.au/order.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/backgradient.jpg HTTP/1.1Host: www.easyassist.com.auConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /en_AU/i/btn/btn_buynow_SM.gif HTTP/1.1Host: www.paypal.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.easyassist.com.au/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /en_AU/i/scr/pixel.gif HTTP/1.1Host: www.paypal.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.easyassist.com.au/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /en_AU/i/btn/btn_buynow_SM.gif HTTP/1.1Host: www.paypalobjects.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.easyassist.com.au/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /en_AU/i/scr/pixel.gif HTTP/1.1Host: www.paypalobjects.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.easyassist.com.au/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/favicon.ico HTTP/1.1Host: www.easyassist.com.auConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.easyassist.com.au/paymentinstructions.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /en_AU/i/btn/btn_buynow_SM.gif HTTP/1.1Host: www.paypalobjects.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /en_AU/i/scr/pixel.gif HTTP/1.1Host: www.paypalobjects.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /images/favicon.ico HTTP/1.1Host: www.easyassist.com.auConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /order.html HTTP/1.1Host: www.easyassist.com.auConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.easyassist.com.au
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: www.paypal.com
Source: global traffic	DNS traffic detected: DNS query: www.paypalobjects.com

Source: installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: easyassistupdate.exe, 00000002.00000003.1853495167.00000000011CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrusted
Source: installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: easyassist.exe._tm.0.dr	String found in binary or memory: http://cpap.com.br/orlando/
Source: installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1665934166.0000000002F25000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1825353000.0000000004059000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1665903316.000000000141D000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1857718574.0000000003571000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002CC3000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe.0.dr, regsvr32.exe.2.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: installeasyassist.exe, easyassistupdate.exe._tm.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: easyassistupdate.exe, 00000002.00000003.1853495167.00000000011CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RYS
Source: installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1665934166.0000000002F25000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1825353000.0000000004059000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1665903316.000000000141D000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1857718574.0000000003571000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002CC3000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe.0.dr, regsvr32.exe.2.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: installeasyassist.exe, easyassistupdate.exe._tm.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1665934166.0000000002F25000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1825353000.0000000004059000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1665903316.000000000141D000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1857718574.0000000003571000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002CC3000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe.0.dr, regsvr32.exe.2.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://ocsp.sectigo.com0&
Source: Readme.txt0.2.dr, easyassistupdate.exe._tm.0.dr	String found in binary or memory: http://www.easyassist.com.au
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.au/
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1838590487.000000000143C000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000002.1993312778.000000000143C000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1991533000.000000000143C000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1989885214.0000000004088000.00000004.00000020.00020000.00000000.sdmp, Uninstall.dat.0.dr	String found in binary or memory: http://www.easyassist.com.au/downloadprogram.html
Source: installeasyassist.exe, 00000000.00000003.1989885214.0000000004088000.00000004.00000020.00020000.00000000.sdmp, Uninstall.dat.0.dr	String found in binary or memory: http://www.easyassist.com.au/downloadprogram.htmlc010W
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.au/downloadprogram.htmlsymb
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.au/downloadschedules.html
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.au/links.html
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.au/links.htmlyX
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.au/order.html
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.au/redirect_ama.html
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.au/redirect_item_51318.html
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.au/redirect_tac.html
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.au/redirect_workcover_nsw.html
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.au/redirect_workcover_wa.html
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.au/redirect_worksafe_victoria.html
Source: installeasyassist.exe, 00000000.00000002.1992958555.0000000001137000.00000004.00000010.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.au/whatsnew.html
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057BC000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1825088207.0000000004059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.au/whatsnew.htmlPA
Source: installeasyassist.exe, easyassistupdate.exe._tm.0.dr	String found in binary or memory: http://www.easyassist.com.au0
Source: Uninstall.dat.0.dr	String found in binary or memory: http://www.easyassist.com.aua201z
Source: easyassistupdate.exe, 00000002.00000003.1936194362.0000000003572000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.aufile
Source: easyassistupdate.exe, 00000002.00000003.1934602677.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1932108045.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1859131202.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1938066099.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1937449364.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1862716154.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1936355043.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000002.1947922056.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1940038296.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1940172958.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1862043641.000000000122C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.aufile?yc%
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.easyassist.com.aufldr
Source: chromecache_1112.13.dr	String found in binary or memory: http://www.skaro.net
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, GA.exe, 00000006.00000000.1949523229.0000000000404000.00000002.00000001.01000000.0000000E.sdmp, GA.exe._tm.0.dr	String found in binary or memory: http://www.tarma.com/6
Source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1825353000.0000000004059000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1857718574.0000000003571000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe.0.dr, regsvr32.exe.2.dr, regsvr32.exe0.0.dr	String found in binary or memory: http://www.tarma.com0
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www/easyassist.com.au/downloadprogram.html1
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www/easyassist.com.au/downloadprogram.html1Not
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www9.health.gov.a
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www9.health.gov.au/mbs/search.cfm?q=
Source: installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002F25000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1825353000.0000000004059000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1665903316.000000000141D000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1853523241.00000000011E3000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1857718574.0000000003571000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002CC3000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1853495167.00000000011CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tarma.com
Source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1825353000.0000000004059000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1857718574.0000000003571000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe.0.dr, regsvr32.exe.2.dr, regsvr32.exe0.0.dr	String found in binary or memory: https://tarma.com/D
Source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tarma.com/support/im9/setup/cmdline.htmhelpresumeregisterremoveinstall%s
Source: chromecache_1112.13.dr	String found in binary or memory: https://www.easyassist.com.au/
Source: chromecache_1112.13.dr	String found in binary or memory: https://www.easyassist.com.au/cgi-bin/formmail/uniformmail.pl?params=order.params&subject=EasyAs
Source: chromecache_1112.13.dr	String found in binary or memory: https://www.easyassist.com.au/cgi-bin/formmail/uniformmail.pl?params=order.params&from=
Source: chromecache_1112.13.dr	String found in binary or memory: https://www.easyassist.com.au/paymentinstructions.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49750 version: TLS 1.2

System Summary

Document contains an embedded VBA macro which may execute processes

Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Call Shell("hh.exe " & ThisWorkbook.Path & "\ea_help.chm::/eahelp_whatisit.html", vbNormalFocus)
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Call Shell("hh.exe " & ThisWorkbook.Path & "\ea_help.chm::/eahelp_mynumbers.html", vbNormalFocus)
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Call Shell("hh.exe " & ThisWorkbook.Path & "\ea_help.chm::/eahelp_estimateoffees.html", vbNormalFocus)
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Call Shell("hh.exe " & ThisWorkbook.Path & "\ea_help.chm::/eahelp_options.html", vbNormalFocus)

Document contains an embedded VBA macro with suspicious strings

Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: ElseIf Not Environ("ALLUSERSPROFILE") = "" Then
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: licenseFileDir = Environ("ALLUSERSPROFILE") & "\"
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: ElseIf Not Environ("PROGRAMDATA") = "" Then
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: licenseFileDir = Environ("PROGRAMDATA") & "\"
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Private Declare PtrSafe Function GlobalUnlock Lib "kernel32" (ByVal hMem As LongPtr) As LongPtr
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Private Declare PtrSafe Function GlobalLock Lib "kernel32" (ByVal hMem As LongPtr) As LongPtr
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Private Declare PtrSafe Function GlobalAlloc Lib "kernel32" (ByVal wFlags As LongPtr, ByVal dwBytes As LongPtr) As LongPtr
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Private Declare PtrSafe Function lstrcpy Lib "kernel32" (ByVal lpString1 As Any, ByVal lpString2 As Any) As LongPtr
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Private Declare Function GlobalUnlock Lib "kernel32" (ByVal hMem As Long) As Long
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Private Declare Function GlobalLock Lib "kernel32" (ByVal hMem As Long) As Long
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Private Declare Function GlobalAlloc Lib "kernel32" (ByVal wFlags As Long, ByVal dwBytes As Long) As Long
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Private Declare Function lstrcpy Lib "kernel32" (ByVal lpString1 As Any, ByVal lpString2 As Any) As Long
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Application.Quit
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Set oXMLHTTP = CreateObject("MSXML2.ServerXMLHTTP") 'to the right was the old one but didn't update in same session -> ("Microsoft.XMLHTTP")

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: easyassist.xls._tm.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/Module6' : found possibly 'ADODB.Stream' functions open, read, write
Source: easyassist.xls._tm.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/Sheet6' : found possibly 'ADODB.Stream' functions mode, open, write
Source: easyassist.xls._tm.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/ThisWorkbook' : found possibly 'ADODB.Stream' functions mode, position, open, write

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: easyassist.xls._tm.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/Module15' : found possibly 'XMLHttpRequest' functions status, open, send
Source: easyassist.xls._tm.0.dr	Stream path '_VBA_PROJECT_CUR/VBA/Module6' : found possibly 'XMLHttpRequest' functions readystate, response, responsebody, status, open, send

Detected potential crypto function

Source: C:\EasyAssist\easyassist.exe	Code function: 7_2_00410C44		7_2_00410C44
Source: C:\EasyAssist\easyassist.exe	Code function: 7_2_004014D6		7_2_004014D6

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
Source: easyassist.xls._tm.0.dr	OLE, VBA macro line: Private Sub Workbook_Open()

Found potential string decryption / allocating functions

Source: C:\EasyAssist\easyassist.exe	Code function: String function: 00402230 appears 45 times
Source: C:\EasyAssist\easyassist.exe	Code function: String function: 00402212 appears 101 times

PE file contains executable resources (Code or Archives)

Source: Tsu87CBF1E9.dll.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Tsu87CBF1E9.dll.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Tsu87CBF1E9.dll.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
Source: _Setup.dll.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.0.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: Tsu.dll.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Tsu.dll.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Tsu.dll.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
Source: Tsu7AC6F35D.dll.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Tsu7AC6F35D.dll.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Tsu7AC6F35D.dll.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
Source: _Setup.dll.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: _Setup.dll0.2.dr	Static PE information: Resource name: None type: DOS executable (COM)
Source: Tsu.dll.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Tsu.dll.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Tsu.dll.2.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows

PE file does not import any functions

Source: _Setup.dll0.2.dr	Static PE information: No import functions for PE file found
Source: _Setup.dll0.0.dr	Static PE information: No import functions for PE file found
Source: _Setup.dll.2.dr	Static PE information: No import functions for PE file found
Source: _Setup.dll.0.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: installeasyassist.exe	Binary or memory string: OriginalFilename vs installeasyassist.exe
Source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_TinDel.exeP vs installeasyassist.exe
Source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameREGSVR32.EXEP vs installeasyassist.exe
Source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTsu.dllP vs installeasyassist.exe
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetup.exe, vs installeasyassist.exe
Source: installeasyassist.exe, 00000000.00000003.1825353000.0000000004059000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTsu.dllP vs installeasyassist.exe
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasyassistupdate.exe4 vs installeasyassist.exe
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExcelFre.exe vs installeasyassist.exe
Source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGA.EXED vs installeasyassist.exe

Uses 32bit PE files

Source: installeasyassist.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: regsvr32.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: regsvr32.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: installeasyassist.exe	Static PE information: Section: .tsustub ZLIB complexity 0.9978348581414473
Source: easyassistupdate.exe._tm.0.dr	Static PE information: Section: .tsustub ZLIB complexity 0.9978348581414473

Source: classification engine

Classification label: mal40.expl.winEXE@24/384@16/6

Source: C:\Users\user\Desktop\installeasyassist.exe

File created: C:\Users\Public\Desktop\EasyAssist Invoice Generator.lnk

Jump to behavior

Source: C:\EasyAssist\easyassist.exe	Mutant created: NULL
Source: C:\EasyAssist\Data\easyassistupdate.exe	Mutant created: \Sessions\1\BaseNamedObjects\{8379BE59-E4D4-4CD8-0F2A-D5BCF2DAD76F}
Source: C:\Users\user\Desktop\installeasyassist.exe	Mutant created: \Sessions\1\BaseNamedObjects\{B097CA39-FA22-4F80-0C72-CB4AC134A30F}

Source: C:\Users\user\Desktop\installeasyassist.exe

File created: C:\Users\user\AppData\Local\Temp\Tsu87CBF1E9.dll

Jump to behavior

Source: installeasyassist.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\installeasyassist.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\installeasyassist.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: installeasyassist.exe	Virustotal: Detection: 35%
Source: installeasyassist.exe	ReversingLabs: Detection: 39%

Source: easyassist.exe

String found in binary or memory: /AddToMRU

Source: C:\Users\user\Desktop\installeasyassist.exe

File read: C:\Users\user\Desktop\installeasyassist.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\installeasyassist.exe "C:\Users\user\Desktop\installeasyassist.exe"
Source: C:\Users\user\Desktop\installeasyassist.exe	Process created: C:\EasyAssist\Data\easyassistupdate.exe "C:\EasyAssist\Data\easyassistupdate.exe" /q
Source: C:\Users\user\Desktop\installeasyassist.exe	Process created: C:\EasyAssist\GA.exe "C:\EasyAssist\GA.exe" A S-1-1-0 C:\ProgramData\safclic.dat
Source: unknown	Process created: C:\EasyAssist\easyassist.exe "C:\EasyAssist\EasyAssist.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.easyassist.com.au/order.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2032,i,3937009319632882698,9883249847199975624,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 8192
Source: C:\Users\user\Desktop\installeasyassist.exe	Process created: C:\EasyAssist\Data\easyassistupdate.exe "C:\EasyAssist\Data\easyassistupdate.exe" /q	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Process created: C:\EasyAssist\GA.exe "C:\EasyAssist\GA.exe" A S-1-1-0 C:\ProgramData\safclic.dat	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.easyassist.com.au/order.html	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 8192	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2032,i,3937009319632882698,9883249847199975624,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\EasyAssist\GA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\installeasyassist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Jump to behavior

Source: EasyAssist Guide and What's New.lnk.0.dr	LNK file: ..\..\..\..\..\..\EasyAssist\EasyAssist Guide and What's New.URL
Source: EasyAssist.lnk.0.dr	LNK file: ..\..\..\..\..\..\EasyAssist\easyassist.exe
Source: EasyAssist Help.lnk.0.dr	LNK file: ..\..\..\..\..\..\EasyAssist\ea_help.chm
Source: EasyAssist - alternate loader.lnk.0.dr	LNK file: ..\..\..\..\..\..\EasyAssist\easyassist.xls
Source: EasyAssist (normal window).lnk.0.dr	LNK file: ..\..\..\..\..\..\EasyAssist\easyassist.exe
Source: EasyAssist Invoice Generator.lnk.0.dr	LNK file: ..\..\..\..\..\..\EasyAssist\invoice.xls
Source: EasyAssist Invoice Generator.lnk0.0.dr	LNK file: ..\..\..\EasyAssist\invoice.xls
Source: EasyAssist.lnk0.0.dr	LNK file: ..\..\..\EasyAssist\easyassist.exe

Found GUI installer (many successful clicks)

Source: C:\Users\user\Desktop\installeasyassist.exe	Automated click: Next >
Source: C:\Users\user\Desktop\installeasyassist.exe	Automated click: Next >
Source: C:\Users\user\Desktop\installeasyassist.exe	Automated click: I agree to these terms and conditions
Source: C:\Users\user\Desktop\installeasyassist.exe	Automated click: Next >
Source: C:\Users\user\Desktop\installeasyassist.exe	Automated click: Install
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Automated click: OK

Uses Rich Edit Controls

Source: C:\Users\user\Desktop\installeasyassist.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Users\user\Desktop\installeasyassist.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\32.0\Common\InstallRoot

Jump to behavior

Creates a software uninstall entry

Source: C:\Users\user\Desktop\installeasyassist.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}

Jump to behavior

PE / OLE file has a valid certificate

Source: installeasyassist.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: installeasyassist.exe

Static file information: File size 3185096 > 1048576

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

PE file has a big raw section

Source: installeasyassist.exe

Static PE information: Raw size of .tsuarch is bigger than: 0x100000 < 0x2dbc00

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: installeasyassist.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: installeasyassist.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: D:\Dev\Tin9\InstallDir\vc80x86u\_TinDel.pdb source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Dev\Tin9\InstallDir\vc80x86u\TsuDll.pdb source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:D:\Dev\SysUtils\InstallDir\vc80-win32u\GA.pdb source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, GA.exe, 00000006.00000002.1949911288.0000000000402000.00000002.00000001.01000000.0000000E.sdmp, GA.exe, 00000006.00000000.1949497625.0000000000402000.00000002.00000001.01000000.0000000E.sdmp, GA.exe._tm.0.dr
Source:	Binary string: D:\Dev\SysUtils\InstallDir\vc80-win32u\GA.pdb source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, GA.exe, 00000006.00000002.1949911288.0000000000402000.00000002.00000001.01000000.0000000E.sdmp, GA.exe, 00000006.00000000.1949497625.0000000000402000.00000002.00000001.01000000.0000000E.sdmp, GA.exe._tm.0.dr
Source:	Binary string: D:\Dev\Tin9\InstallDir\vc80x64u\_TinReg.pdb source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe0.0.dr
Source:	Binary string: D:\Dev\Tin9\InstallDir\vc80x86u\Setup.pdb source: installeasyassist.exe, 00000000.00000003.1837855240.00000000057BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Dev\Tin9\InstallDir\vc80x86u\Loader.pdb source: installeasyassist.exe, easyassistupdate.exe._tm.0.dr
Source:	Binary string: D:\Dev\Tin9\InstallDir\vc80x86u\_TinReg.pdb source: installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe.0.dr, regsvr32.exe.2.dr

Data Obfuscation

PE file contains an invalid checksum

Source: _Setup.dll0.2.dr	Static PE information: real checksum: 0xcce7 should be: 0x18e11
Source: _Setup.dll0.0.dr	Static PE information: real checksum: 0xcce7 should be: 0x1e454
Source: Setup.exe.2.dr	Static PE information: real checksum: 0x13e5e should be: 0xf0b3
Source: GA.exe._tm.0.dr	Static PE information: real checksum: 0x0 should be: 0x7036
Source: Setup.exe0.0.dr	Static PE information: real checksum: 0x1328d should be: 0x661b
Source: Setup.exe0.2.dr	Static PE information: real checksum: 0x13e5e should be: 0xf0b3
Source: _Setup.dll.2.dr	Static PE information: real checksum: 0xcce7 should be: 0x18e11
Source: _Setup.dll.0.dr	Static PE information: real checksum: 0xcce7 should be: 0x1e454
Source: Setup.exe.0.dr	Static PE information: real checksum: 0x1328d should be: 0x661b

PE file contains sections with non-standard names

Source: installeasyassist.exe	Static PE information: section name: .tsustub
Source: installeasyassist.exe	Static PE information: section name: .tsuarch
Source: Tsu87CBF1E9.dll.0.dr	Static PE information: section name: _bss
Source: Tsu87CBF1E9.dll.0.dr	Static PE information: section name: _xdata
Source: Tsu.dll.0.dr	Static PE information: section name: _bss
Source: Tsu.dll.0.dr	Static PE information: section name: _xdata
Source: easyassistupdate.exe._tm.0.dr	Static PE information: section name: .tsustub
Source: easyassistupdate.exe._tm.0.dr	Static PE information: section name: .tsuarch
Source: Tsu7AC6F35D.dll.2.dr	Static PE information: section name: _bss
Source: Tsu7AC6F35D.dll.2.dr	Static PE information: section name: _xdata
Source: Tsu.dll.2.dr	Static PE information: section name: _bss
Source: Tsu.dll.2.dr	Static PE information: section name: _xdata

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_3_0147D360 push eax; iretd	0_3_0147D36D
Source: C:\Users\user\Desktop\installeasyassist.exe	Code function: 0_2_003CCAE1 push ds; iretd	0_2_003CCAE9
Source: C:\EasyAssist\Data\easyassistupdate.exe	Code function: 2_3_01231D20 push edx; retn 0000h	2_3_01231D3F
Source: C:\EasyAssist\Data\easyassistupdate.exe	Code function: 2_3_01231D20 push edx; retn 0000h	2_3_01231D3F
Source: C:\EasyAssist\Data\easyassistupdate.exe	Code function: 2_3_01231D20 push edx; retn 0000h	2_3_01231D3F
Source: C:\EasyAssist\Data\easyassistupdate.exe	Code function: 2_3_01231D20 push edx; retn 0000h	2_3_01231D3F
Source: C:\EasyAssist\Data\easyassistupdate.exe	Code function: 2_3_01231D20 push edx; retn 0000h	2_3_01231D3F
Source: C:\EasyAssist\Data\easyassistupdate.exe	Code function: 2_3_01231D20 push edx; retn 0000h	2_3_01231D3F

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\x86\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\Tsu.dll	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\x64\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\EasyAssist\easyassist.exe._tm	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\EasyAssist\GA.exe (copy)	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\Users\user\AppData\Local\Temp\Tsu7AC6F35D.dll	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\Setup.exe	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\_Setup.dll	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\Tsu.dll	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\Users\user\AppData\Local\Temp\1220E79C\Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\_Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\EasyAssist\easyassist.exe (copy)	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\Users\user\AppData\Local\Temp\1220E79C\_Setup.dll	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\x64\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\EasyAssist\Data\easyassistupdate.exe._tm	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\x86\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\Users\user\AppData\Local\Temp\225BF656\_Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\Users\user\AppData\Local\Temp\225BF656\Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\EasyAssist\GA.exe._tm	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\EasyAssist\Data\easyassistupdate.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\Users\user\AppData\Local\Temp\Tsu87CBF1E9.dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\x86\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\Tsu.dll	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\x64\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\Setup.exe	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\_Setup.dll	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\Tsu.dll	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\_Setup.dll	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\x64\regsvr32.exe	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\x86\regsvr32.exe	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\EasyAssist\Data\easyassistupdate.exe._tm	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\EasyAssist\easyassist.exe._tm	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\EasyAssist\GA.exe._tm	Jump to dropped file

Creates install or setup log file

Source: C:\Users\user\Desktop\installeasyassist.exe

File created: C:\Users\user\AppData\Local\Temp\installeasyassist4905AB61.log

Jump to behavior

Creates license or readme file

Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\Users\user\AppData\Local\Temp\225BF656\Readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\Readme.txt	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\Users\user\AppData\Local\Temp\1220E79C\Readme.txt	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	File created: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\Readme.txt	Jump to behavior

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyAssist	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyAssist\EasyAssist Guide and What's New.lnk	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyAssist\EasyAssist.lnk	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyAssist\EasyAssist Help.lnk	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyAssist\EasyAssist - alternate loader.lnk	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyAssist\EasyAssist (normal window).lnk	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyAssist\EasyAssist Invoice Generator.lnk	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\EasyAssist\easyassist.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\installeasyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\EasyAssist\easyassist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\installeasyassist.exe	Dropped PE file which has not been started: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\x86\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	Dropped PE file which has not been started: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\Tsu.dll	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	Dropped PE file which has not been started: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\x64\regsvr32.exe	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Tsu7AC6F35D.dll	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	Dropped PE file which has not been started: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\Setup.exe	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	Dropped PE file which has not been started: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\_Setup.dll	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	Dropped PE file which has not been started: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\Tsu.dll	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1220E79C\Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	Dropped PE file which has not been started: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\_Setup.dll	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1220E79C\_Setup.dll	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	Dropped PE file which has not been started: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	Dropped PE file which has not been started: C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\x64\regsvr32.exe	Jump to dropped file
Source: C:\EasyAssist\Data\easyassistupdate.exe	Dropped PE file which has not been started: C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\x86\regsvr32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\225BF656\_Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\225BF656\Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\installeasyassist.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Tsu87CBF1E9.dll	Jump to dropped file

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\splwow64.exe	Last function: Thread delayed
Source: C:\Windows\splwow64.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\installeasyassist.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\EasyAssist\Data\easyassistupdate.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\EasyAssist\GA.exe

Code function: 6_2_00401567 LocalAlloc,LookupAccountNameW,GetLastError,FindFirstFileW,FindNextFileW,FindClose,MessageBoxW,LocalFree,

6_2_00401567

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000

Source: C:\Users\user\Desktop\installeasyassist.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\installeasyassist.exe

Code function: 0_2_00211920 GetProcessHeap,RtlFreeHeap,

0_2_00211920

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\installeasyassist.exe	Process created: C:\EasyAssist\Data\easyassistupdate.exe "C:\EasyAssist\Data\easyassistupdate.exe" /q			Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Process created: C:\EasyAssist\GA.exe "C:\EasyAssist\GA.exe" A S-1-1-0 C:\ProgramData\safclic.dat			Jump to behavior

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\installeasyassist.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\installeasyassist.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\installeasyassist.exe

Code function: 0_2_002115AD EntryPoint,GetCurrentProcessId,GetVersionExW,GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount,GetModuleFileNameW,GetLastError,GetModuleHandleW,GetTempPathW,GetLastError,wsprintfW,wsprintfW,LoadLibraryExW,GetLastError,GetProcAddress,GetLastError,lstrlenW,wsprintfW,KiUserCallbackDispatcher,FreeLibrary,GetLastError,GetFileAttributesW,SetFileAttributesW,DeleteFileW,GetLastError,Sleep,ExitProcess,

0_2_002115AD

Source: C:\EasyAssist\GA.exe

Code function: 6_2_00401567 LocalAlloc,LookupAccountNameW,GetLastError,FindFirstFileW,FindNextFileW,FindClose,MessageBoxW,LocalFree,

6_2_00401567

Source: C:\Users\user\Desktop\installeasyassist.exe

0_2_002115AD

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	41 Scripting	Valid Accounts	2 Command and Scripting Interpreter	41 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Extra Window Memory Injection	2 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Windows Service	1 Windows Service	2 Software Packing	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Browser Extensions	11 Process Injection	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Extra Window Memory Injection	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	1 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Virtualization/Sandbox Evasion	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
installeasyassist.exe	36%	Virustotal		Browse
installeasyassist.exe	39%	ReversingLabs	Win32.Infostealer.Babar

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\x64\regsvr32.exe	100%	Avira	TR/Crypt.ZPACK.Gen
C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\x64\regsvr32.exe	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\Temp\Tsu87CBF1E9.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\Tsu.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\Tsu.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\Temp\Tsu7AC6F35D.dll	100%	Avira	TR/Crypt.ZPACK.Gen
C:\EasyAssist\Data\easyassistupdate.exe (copy)	8%	ReversingLabs
C:\EasyAssist\Data\easyassistupdate.exe._tm	8%	ReversingLabs
C:\EasyAssist\GA.exe (copy)	0%	ReversingLabs
C:\EasyAssist\GA.exe._tm	0%	ReversingLabs
C:\EasyAssist\easyassist.exe (copy)	3%	ReversingLabs
C:\EasyAssist\easyassist.exe._tm	3%	ReversingLabs
C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\Setup.exe	0%	ReversingLabs
C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\Tsu.dll	0%	ReversingLabs
C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\_Setup.dll	0%	ReversingLabs
C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\x64\regsvr32.exe	0%	ReversingLabs
C:\ProgramData\Uninstall\{2090D83E-40F9-4913-AE8D-37F9A9D66031}\x86\regsvr32.exe	0%	ReversingLabs
C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\Setup.exe	0%	ReversingLabs
C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\Tsu.dll	0%	ReversingLabs
C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\_Setup.dll	0%	ReversingLabs
C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\x64\regsvr32.exe	0%	ReversingLabs
C:\ProgramData\Uninstall\{F8824354-EC9D-47BC-B225-046A8FB25755}\x86\regsvr32.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1220E79C\Setup.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1220E79C\_Setup.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\225BF656\Setup.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\225BF656\_Setup.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Tsu7AC6F35D.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Tsu87CBF1E9.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.easyassist.com.au/images/backgradient.jpg	0%	Avira URL Cloud	safe
https://www.easyassist.com.au/cgi-bin/formmail/uniformmail.pl?params=order.params&from=	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/redirect_ama.html	0%	Avira URL Cloud	safe
https://www.easyassist.com.au/	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/redirect_workcover_wa.html	0%	Avira URL Cloud	safe
http://www.easyassist.com.aua201z	0%	Avira URL Cloud	safe
http://www.tarma.com0	0%	Avira URL Cloud	safe
http://www9.health.gov.a	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/downloadprogram.html	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/whatsnew.htmlPA	0%	Avira URL Cloud	safe
http://www.easyassist.com.aufile	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/downloadschedules.html	0%	Avira URL Cloud	safe
https://tarma.com/D	0%	Avira URL Cloud	safe
http://cpap.com.br/orlando/	0%	Avira URL Cloud	safe
https://www.easyassist.com.au/images/favicon.ico	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/redirect_workcover_nsw.html	0%	Avira URL Cloud	safe
https://www.easyassist.com.au/cgi-bin/formmail/uniformmail.pl?params=order.params&subject=EasyAs	0%	Avira URL Cloud	safe
http://www.easyassist.com.aufldr	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/downloadprogram.htmlsymb	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/order.html	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/links.htmlyX	0%	Avira URL Cloud	safe
http://www.easyassist.com.au0	0%	Avira URL Cloud	safe
https://www.easyassist.com.au/easyassist_default.css	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/redirect_worksafe_victoria.html	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/whatsnew.html	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0&	0%	Avira URL Cloud	safe
http://www.easyassist.com.au	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/links.html	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/redirect_item_51318.html	0%	Avira URL Cloud	safe
http://www9.health.gov.au/mbs/search.cfm?q=	0%	Avira URL Cloud	safe
http://www/easyassist.com.au/downloadprogram.html1Not	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/downloadprogram.htmlc010W	0%	Avira URL Cloud	safe
https://tarma.com/support/im9/setup/cmdline.htmhelpresumeregisterremoveinstall%s	0%	Avira URL Cloud	safe
http://www.skaro.net	0%	Avira URL Cloud	safe
https://www.easyassist.com.au/images/easyassistgraphic704x124.jpg	0%	Avira URL Cloud	safe
http://www.easyassist.com.aufile?yc%	0%	Avira URL Cloud	safe
http://www.tarma.com/6	0%	Avira URL Cloud	safe
http://www/easyassist.com.au/downloadprogram.html1	0%	Avira URL Cloud	safe
https://tarma.com	0%	Avira URL Cloud	safe
http://www.easyassist.com.au/redirect_tac.html	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
easyassist.com.au	43.250.142.31	true	false	unknown
cs1150.wpc.betacdn.net	192.229.221.25	true	false	high
paypal-dynamic.map.fastly.net	151.101.65.21	true	false	high
www.google.com	172.217.21.36	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
www.easyassist.com.au	unknown	unknown	false	unknown
www.paypalobjects.com	unknown	unknown	false	high
www.paypal.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.easyassist.com.au/images/backgradient.jpg	false	Avira URL Cloud: safe	unknown
https://www.easyassist.com.au/images/favicon.ico	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.au/order.html	false	Avira URL Cloud: safe	unknown
https://www.paypal.com/en_AU/i/btn/btn_buynow_SM.gif	false		high
https://www.easyassist.com.au/paymentinstructions.html	false		unknown
https://www.easyassist.com.au/easyassist_default.css	false	Avira URL Cloud: safe	unknown
https://www.paypalobjects.com/en_AU/i/btn/btn_buynow_SM.gif	false		high
https://www.paypal.com/en_AU/i/scr/pixel.gif	false		high
https://www.easyassist.com.au/order.html	false		unknown
https://www.easyassist.com.au/images/easyassistgraphic704x124.jpg	false	Avira URL Cloud: safe	unknown
https://www.paypalobjects.com/en_AU/i/scr/pixel.gif	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.easyassist.com.au/cgi-bin/formmail/uniformmail.pl?params=order.params&from=	chromecache_1112.13.dr	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.aua201z	Uninstall.dat.0.dr	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.au/redirect_workcover_wa.html	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	false		high
http://ocsp.sectigo.com0	installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	false		high
http://www.easyassist.com.au/redirect_ama.html	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1665934166.0000000002F25000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1825353000.0000000004059000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1665903316.000000000141D000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1857718574.0000000003571000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002CC3000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe.0.dr, regsvr32.exe.2.dr, regsvr32.exe0.0.dr	false		high
https://www.easyassist.com.au/	chromecache_1112.13.dr	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.au/downloadprogram.html	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1838590487.000000000143C000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000002.1993312778.000000000143C000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1991533000.000000000143C000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1989885214.0000000004088000.00000004.00000020.00020000.00000000.sdmp, Uninstall.dat.0.dr	false	Avira URL Cloud: safe	unknown
http://www.tarma.com0	installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1825353000.0000000004059000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1857718574.0000000003571000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe.0.dr, regsvr32.exe.2.dr, regsvr32.exe0.0.dr	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	false		high
http://www9.health.gov.a	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.au/whatsnew.htmlPA	installeasyassist.exe, 00000000.00000003.1837855240.00000000057BC000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1825088207.0000000004059000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.au/redirect_workcover_nsw.html	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.aufile	easyassistupdate.exe, 00000002.00000003.1936194362.0000000003572000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tarma.com/D	installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1825353000.0000000004059000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1857718574.0000000003571000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe.0.dr, regsvr32.exe.2.dr, regsvr32.exe0.0.dr	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.au/downloadschedules.html	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.aufldr	installeasyassist.exe, 00000000.00000003.1837855240.00000000057BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.easyassist.com.au/cgi-bin/formmail/uniformmail.pl?params=order.params&subject=EasyAs	chromecache_1112.13.dr	false	Avira URL Cloud: safe	unknown
http://cpap.com.br/orlando/	easyassist.exe._tm.0.dr	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.au/downloadprogram.htmlsymb	installeasyassist.exe, 00000000.00000003.1837855240.00000000057BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1665934166.0000000002F25000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1825353000.0000000004059000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1665903316.000000000141D000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1857718574.0000000003571000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002CC3000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe.0.dr, regsvr32.exe.2.dr, regsvr32.exe0.0.dr	false		high
http://www.easyassist.com.au/	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.au/links.htmlyX	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.au0	installeasyassist.exe, easyassistupdate.exe._tm.0.dr	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.au/redirect_worksafe_victoria.html	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	installeasyassist.exe, regsvr32.exe.0.dr, regsvr32.exe.2.dr, easyassistupdate.exe._tm.0.dr, regsvr32.exe0.0.dr	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	installeasyassist.exe, easyassistupdate.exe._tm.0.dr	false		high
http://www.easyassist.com.au/whatsnew.html	installeasyassist.exe, 00000000.00000002.1992958555.0000000001137000.00000004.00000010.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.au	Readme.txt0.2.dr, easyassistupdate.exe._tm.0.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0&	installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1665934166.0000000002F25000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1825353000.0000000004059000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1665903316.000000000141D000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1857718574.0000000003571000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002CC3000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe.0.dr, regsvr32.exe.2.dr, regsvr32.exe0.0.dr	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.au/links.html	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.au/redirect_item_51318.html	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www9.health.gov.au/mbs/search.cfm?q=	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www/easyassist.com.au/downloadprogram.html1Not	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tarma.com/support/im9/setup/cmdline.htmhelpresumeregisterremoveinstall%s	installeasyassist.exe, 00000000.00000003.1665934166.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002C47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	installeasyassist.exe, easyassistupdate.exe._tm.0.dr	false		high
http://www.easyassist.com.au/downloadprogram.htmlc010W	installeasyassist.exe, 00000000.00000003.1989885214.0000000004088000.00000004.00000020.00020000.00000000.sdmp, Uninstall.dat.0.dr	false	Avira URL Cloud: safe	unknown
http://www.tarma.com/6	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp, GA.exe, 00000006.00000000.1949523229.0000000000404000.00000002.00000001.01000000.0000000E.sdmp, GA.exe._tm.0.dr	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.aufile?yc%	easyassistupdate.exe, 00000002.00000003.1934602677.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1932108045.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1859131202.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1938066099.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1937449364.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1862716154.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1936355043.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000002.1947922056.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1940038296.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1940172958.000000000122C000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1862043641.000000000122C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.skaro.net	chromecache_1112.13.dr	false	Avira URL Cloud: safe	unknown
http://www/easyassist.com.au/downloadprogram.html1	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tarma.com	installeasyassist.exe, 00000000.00000003.1665934166.0000000002F25000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1825353000.0000000004059000.00000004.00000020.00020000.00000000.sdmp, installeasyassist.exe, 00000000.00000003.1665903316.000000000141D000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1853523241.00000000011E3000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1857718574.0000000003571000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1851222334.0000000002CC3000.00000004.00000020.00020000.00000000.sdmp, easyassistupdate.exe, 00000002.00000003.1853495167.00000000011CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.easyassist.com.au/redirect_tac.html	installeasyassist.exe, 00000000.00000003.1837855240.00000000057F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
43.250.142.31	easyassist.com.au	Australia	45638	SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU	false
192.229.221.25	cs1150.wpc.betacdn.net	United States	15133	EDGECASTUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
151.101.65.21	paypal-dynamic.map.fastly.net	United States	54113	FASTLYUS	false
172.217.21.36	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581999
Start date and time:	2024-12-29 14:27:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	installeasyassist.exe
Detection:	MAL
Classification:	mal40.expl.winEXE@24/384@16/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 33 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 192.229.221.95, 52.109.28.46, 52.109.89.19, 52.113.194.132, 23.218.208.109, 104.208.16.91, 172.217.21.35, 172.217.19.238, 173.194.220.84, 172.217.17.46, 142.250.181.106, 172.217.19.234, 142.250.181.74, 172.217.21.42, 172.217.19.170, 172.217.17.42, 172.217.19.202, 172.217.17.74, 172.217.19.10, 142.250.181.10, 142.250.181.138, 172.217.17.35, 4.175.87.197, 20.190.147.8, 13.107.246.63
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, weu-azsc-000.roaming.officeapps.live.com, clientservices.googleapis.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, onedscolprdcus17.centralus.cloudapp.azure.com, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, clients2.google.com, ocsp.digicert.com, redirector.gvt1.com, login.live.com, e16604.g.akamaiedge.net, update.googleapis.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, edgedl.me.gvt1.co
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:29:35	API Interceptor	256x Sleep call for process: splwow64.exe modified

LLM Input / Output

Input	Output
URL: https://easyassist.com.au Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: https://easyassist.com.au
URL: https://www.easyassist.com.au/order.html... Model: Joe Sandbox AI	{ "risk_score": 3, "reasoning": "The provided JavaScript snippet appears to be a simple implementation of passing the query string parameters from the current URL to a hidden form field. This is a common practice for passing contextual information, such as a 'computercode' parameter, to a server-side application. While the use of `document.write()` is generally discouraged due to potential issues, the overall behavior of this snippet is relatively benign and does not exhibit any high-risk indicators." }
document.write('<input type="hidden" name="computercode" id="computercode" value="' + document.URL.substring(document.URL.indexOf("?")+1) + '">');
URL: https://www.easyassist.com.au/order.html... Model: Joe Sandbox AI	{ "risk_score": 3, "reasoning": "The provided JavaScript snippet appears to be a form validation script designed for use with the 'uniformmail.pl' Perl program. It does not contain any high-risk indicators such as dynamic code execution, data exfiltration, or redirects to malicious domains. The script primarily focuses on form validation and highlighting, which is a common and legitimate practice. While it uses some legacy APIs like `XDomainRequest`, these pose minor risks and are not inherently malicious. Overall, the script seems to be a benign utility with no clear signs of malicious intent, so it is assigned a low-risk score of 3." }
//<![CDATA[ function setOrderFormAction() { document.orderform.action='https://www.easyassist.com.au/cgi-bin/formmail/uniformmail.pl?params=order.params&from=' + document.orderform.firstname.value + ' ' + document.orderform.lastname.value + '<' + document.orderform.email.value + '>' + '&return=' + document.orderform.email.value + '&subject=EasyAssist Order for ' + document.orderform.firstname.value + ' ' + document.orderform.lastname.value; return true; } ////////////////////////////////////////////////////////////////////////////////////////////// /// /// Form validation script designed for use with the perl program 'uniformmail.pl' /// /// Copyright James D H Turner 2004 /// Published by Cathonian Software and SKARO.NET /// http://www.skaro.net /// /// This script is only available as part of the 'Uniform Mail' package. You are, therefore, /// bound by the licence terms of that package. /// You may use this script without the perl program 'uniformmail.pl' but a link to skaro.net /// if still required. It should read something like /// 'form validation by skaro.net' /// or /// 'validation script by skaro.net' /// /// You may modify this script but you may not redistribute original or modified versions. /// /// This script may not be suitable for interactive forms that make use of the following events :- /// onclick, onchange, onkeydown /// These events are used for clearing error-highlighting. /// Generally, events should be handled correctly but thorough testing is advised. /// /// This notice must not be modified or deleted. You may remove other comments. /// ////////////////////////////////////////////////////////////////////////////////////////////// // Testing flag var UFM_TESTING = false; // Highlighting colors. If a label is found it is highlighted, otherwise the control is highlighted. // Also see ufm_highlightControl var UFM_HL_COLOR = ''; // text color of control var UFM_HL_COLOR_LABEL = ''; // text color of label var UFM_HL_BACKGROUND = '#ffa6a6'; // background color of control. I changed colours from the default var UFM_HL_BACKGROUND_LABEL = '#ffa6a6'; // background color of label function ufm_highlightControl(ctrl,hl,focusCtrl) // Highlight specified control. // hl is a boolean. Highlighting is set if hl is true and cleared if false. // If focusCtrl is true the control is focused. // Looks for an associated label and colors it red. The label must wrap around the control. // If no label is found :- // the control is colored red // for some browser/control combinations this may have no effect e.g. Firefox/radio/checkbox // // If a control requires special handling, assign a handler to the event ufm_onhighlight { // If necessary and possible, focus the control if (focusCtrl && ctrl.focus) ctrl.focus(); // If assigned, call the custom handler for this control if (ctrl.ufm_onhighlight) return ctrl.ufm_onhighlight(hl); // Look for a label var tmp = ctrl.parentNode; var LABEL = false; if ((tmp) && (tmp.nodeName) && (tmp.nodeName.toLowerCase() == 'label')) { ctrl = tmp; LABEL = true; // If necessary and possible, bring the label into view if (focusCtrl && ctrl.scrollIntoView) ctrl.scrollIntoView(true); } with (ctrl.style) if (hl) { if (LABEL) { color = UFM_HL_COLOR_LABEL; backgroundColor = UFM_HL_BACKGROUND_LABEL } else { color = UFM_HL_COLOR; backgroundColor = UFM_HL_BACKGROUND } } else { color = ''; backgroundColor = '' } } function ufm_ungrabEvent() // Clear highlight, restore grabbed event. // Unless false is passed as a parameter, the original event is called if one was assigned. { ufm_highlightControl(this,false); var tmp = 'this.' + this.ufm_grabbedName; eval(tmp + ' = this.ufm
URL: https://www.easyassist.com.au/order.html Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://www.easyassist.com.au/paymentinstructions.html Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "IMPORTANT - after you have completed your payment you should receive an email with a link to obtain your Activation Code. If you do not receive this email please check your junk mail folder.", "prominent_button_name": "Buy Now", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://www.easyassist.com.au/order.html Model: Joe Sandbox AI	{ "brands": [ "Easy Assist" ] }
	{ "brands": [ "Easy Assist" ] }
URL: https://www.easyassist.com.au/paymentinstructions.html Model: Joe Sandbox AI	{ "brands": [ "EasyAssist" ] }
	{ "brands": [ "EasyAssist" ] }
URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 17 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Type the Medicare Benefits Schedule item number for the operation here and press Enter.", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Enter Activation Code", "prominent_button_name": "OK", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 23 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "ACA Health Benefits Fund Access Gap Cover", "prominent_button_name": "Click HERE to order or renew a license for EasyAssist or enter an Activation Code.", "text_input_field_labels": [ "Enter an Item Number for the Procedure" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 22 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "ACA Health Benefits Fund Access Gap Cover", "prominent_button_name": "Click HERE to order or renew a license for EasyAssist or enter an Activation Code.", "text_input_field_labels": [ "Enter an Item Number for the Procedure", "Type the Medicare Benefits Schedule item number for the operation here and press Enter." ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: Screenshot id: 14 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 17 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 16 Model: Joe Sandbox AI	{ "brands": [ "EasyAssist" ] }
	{ "brands": [ "EasyAssist" ] }
URL: Screenshot id: 15 Model: Joe Sandbox AI	{ "brands": "unknown" }
	{ "brands": "unknown" }
URL: Screenshot id: 23 Model: Joe Sandbox AI	{ "brands": [ "EasyAssist" ] }
	{ "brands": [ "EasyAssist" ] }
URL: Screenshot id: 22 Model: Joe Sandbox AI	{ "brands": [ "EasyAssist" ] }
	{ "brands": [ "EasyAssist" ] }

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
192.229.221.25	https://contractnerds.com/	Get hash	malicious	Unknown	Browse
	https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-7DW79067WM944534C%2FU-3RN06382B68072443%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=mv2NVEuUR9VvkcyUJ89EG.tzUFO5CbJFQUTSWg&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-7DW79067WM944534C%2FU-3RN06382B68072443%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3Dmv2NVEuUR9VvkcyUJ89EG.tzUFO5CbJFQUTSWg%22%7D%7D&flowContextData=3VhkG6GfeMFpPs0RyY94VfaPuu2gnDuZkT0vO2-Owy5Q0TLELhHoBl0C3rYOuScB-P1puLFiHoe8q1yHNkorMrsQ-kVAt54br43PgY3iTrhwRm0aS_TYpgjIbliH5dfDJJr3q03bJkAa9vLd7Cr3oAjCQ5rfmoQCALWFn-qszHw7Rd_aj20-SECud0ZSxh-oKENUYjnmdRqAckr48r-ddvc-Vgo4zQnu7JkI5YB_1CxdutYkC-X7iD96T-7aDJhAmyxkfGKQ53prsK5Kys2hLiVrkCjSURM1RSmWzlwznlByQzHhv1R0VrGdaW03mCZt_U0pKOeWAwiNac8f&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=16a0a3c3-b960-11ef-862e-f3094488c6dd&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=16a0a3c3-b960-11ef-862e-f3094488c6dd&calc=f53338153f55e&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.295.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin	Get hash	malicious	Unknown	Browse
	https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-28V552122R769381L%2FU-9FX296329A817750Y%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=5qLXPqTuQhupi40uiyjfsgz5IGEJYuHctFy29w&expId=p2pGuestTesla&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-28V552122R769381L%2FU-9FX296329A817750Y%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3D5qLXPqTuQhupi40uiyjfsgz5IGEJYuHctFy29w%22%7D%7D&flowContextData=W58KV1fhgiV_-p6TmOnneAd3pqRwh89Uhs4nETqYgEciadinFvE9jhmCkm7cdS_dog5IstycO3uCeUP_fQvJGb2CyrXWo1FAcV7pf2HjOlGJnjX-3TcP_Kr96BnUqBXJTigKvgCmlKpHJdV1cj2DzXB0hguAYEiUIg9m9RdD4qaHMBzBLcVwygEiNxwxkozO_z0SwgJxNPt8O4MHkVy2NY7qoPv_3Qc2wClzrugADG-NhMNqbj3Hc7kBOJYLRna0_RTgDo2VtDqetkbvf00Dw7Z1NgHN2eMtByMS8uM3oO2yZ1XiigiIC6xt56W3JkKVnZbqlDxq6DTjyjnZ&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=5f308ca0-b964-11ef-bd32-dbf3023831b4&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=5f308ca0-b964-11ef-bd32-dbf3023831b4&calc=f639462de6a7c&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.295.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin	Get hash	malicious	Unknown	Browse
	http://get-derila.com	Get hash	malicious	Unknown	Browse
	message__86_4F_17774_8082F476_ccg01mail04_.eml	Get hash	malicious	Unknown	Browse
	https://github.com/greenshot/greenshot/releases/download/Greenshot-RELEASE-1.2.10.6/Greenshot-INSTALLER-1.2.10.6-RELEASE.exe	Get hash	malicious	Unknown	Browse
	https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-09584045BD498740V%2FU-5R763959NX153980F%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=OoO85MXTLVUkAlgY4sey9A8h.NxxqjO.iYbAWg&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-09584045BD498740V%2FU-5R763959NX153980F%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3DOoO85MXTLVUkAlgY4sey9A8h.NxxqjO.iYbAWg%22%7D%7D&flowContextData=F7WdIOgJmH6-07KTJ7GpdWXhkdDQxLohB4l-G7vuWGaUsw9VWkH3unndZA7YlCRgtETWTIDn9hNnR_R_XfGvdxeCRkDmtXLc6qqtXR9sC3Gp-59lNBELQtpM5xEv0i4rCTpJiBcP2uf4VFrJLL1b5u1XG7JtP5TfW7CNqxSVOxEb9_duKrmtDgpztBtl32bVeoc8BgW5poXyk9lJHcKrYdvBHSdT0mosqrrmaGj2a5uNQdBK70Mwpn9Zddmj0KI1GIZrXWvFcpnuRbvbli2inkizkeV4nR1uyKnBSzFqdPDcK4t7K9B6YiFhb5sS8DaQd7F6oWzSe-J8gPxVURmdwwOxFn1ycN09t9caUdBz1XMuv96GDJywuv2feJdoAI73PNjro1a2cFEKAWnCgtoHqxdBD3A1mVV3OiytkjtEUDdvp0GL3CNOAV9zIrunX_DmbTO6KOe21dniBkeG&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=09b8bd50-b31d-11ef-9fd6-7b2e619a4883&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=09b8bd50-b31d-11ef-9fd6-7b2e619a4883&calc=f8278373e34b4&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin	Get hash	malicious	Unknown	Browse
	https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-09584045BD498740V%2FU-7AK40048SY131414Y%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=UJ8cMtNtnR8osXBu987dZoV1KMO8Kn.CKcv6ZA&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-09584045BD498740V%2FU-7AK40048SY131414Y%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3DUJ8cMtNtnR8osXBu987dZoV1KMO8Kn.CKcv6ZA%22%7D%7D&flowContextData=k3KkNbgd2F3whUTyipi2CMJLh_A_-ZYRjnLUkRjoT_j0HNsy89M3Jq9pftpBPMtxKyazfBl41ygLF6L-3nSQM3yKD_1JSLMZUnm3gJtmC_GW6MtRMZgxxLdzhM2UidzudErvOhqzUKOKhl1Uolhas5WHE4v4p4McejHNxcZVkLh-Y4orpy9guCt5hhIB4GnzEz4SubWTdzvc3cAY2OwiaKLLHK8NR5mzXmQp5fVf3iIsNKSvq_9V0izgPURkU3T8RWrY5gGBkFdWln_xY5pl8zRv8lmUI-keUYe0DqQBvKVK8GwV8qiU_5p8qjPHJVW9i-G3ZBZuZum2FKJqczC5erDfF4QBe8JLLYzKBGyYHnHI7fFyBoEDubHGzh8R01uh4xAe-iAkcUj76XG_hnIoA0TzvY15PrfT8E9VdnaJhGuNJ5c8GhmekMGGnVwrlvOcZBIva0&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=3bf303f1-b31d-11ef-81c6-bffe125023d8&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=3bf303f1-b31d-11ef-81c6-bffe125023d8&calc=f7859995fbf4b&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin	Get hash	malicious	Unknown	Browse
	https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-73L43097YS920471H%2FU-21916088VG929353V%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=oSTQ2KyhBfzKABJBD3SmDi49NoivW60lzQASFQ&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-73L43097YS920471H%2FU-21916088VG929353V%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3DoSTQ2KyhBfzKABJBD3SmDi49NoivW60lzQASFQ%22%7D%7D&flowContextData=RDl_AZcF1sl5Rb_6LCOad8Ablnu-W7AxB_i5FzkmY9ljbd6ElIlIteG0y31awgymrSFY-NEhR9oodKgi2Jr_54nHRHUI22A5btXBAz58pUBlVy_icxhdiCyvbxtKkJbyvPwAFXZm9Hu-TuP8fUbi3kD9SI3uQE-nXU-1T6hk9yNEcfLwmQ9q2oXw0Nu89DKUwRZZ-hEgdjZhl4tqKDQiASbkdXigxUyjHWAPt-vOaJzbzisp0scQXF4UF-J1Rto6RYCxskkLambqbUPNkjVq_ZtnTRrfcOFs6AdzgjQZxFjLXCq1M3EW1Aiq9DSZcmtteoSiOkL-Yl_4s2YOFo6jNRRQrcEHNylGYTBCyHc65n4_85NWbx-ikEWoVlI4LXcJW4dftTovp8EWo5xXhEORiceFOjZRVbk5MVtSKHu91b7gPLC3F3USPVAc68XpKKXL_xvsUAp1wPS1patgsMBTMQo3Gwa68P9HfAfTWEjlQ1Yf3yTIWtRpNF8qyyGgAUBLgrJVAT_OmXFJJrX08CV-vxGPkepVr0r1FVRxwTmimvKh55xYEKkfPK5XJKmenbfgUa9CbfH9d_FpW5yVigO-oMpueUaWL8bSCYMeFYr8B1GfpUn9ASsdqnfnFqtpUGY0Y4MI9f0bvAFH6gYvW7ZTeYh_jKu&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=c038b022-b182-11ef-83cc-0118134ab4bf&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=c038b022-b182-11ef-83cc-0118134ab4bf&calc=f826437c02759&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin	Get hash	malicious	Unknown	Browse
	https://www.paypal.com/signin/?returnUri=2Fmyaccount2Ftransfer2FpayRequest2FU-06C88558L1014094C2FU-2DM00000BR77214333FclassicUrl3D2FUS2Fcgi-bin2F3Fcmd3D_prq&id=Ry38v2FrK0UjF72A307PSNceYxU8e31AX6KM7A&expId=p2p&onboardData=7B22signUpRequest223A7B22method223A22get222C22url223A22https3A2F2Fwww.paypal.com2Fmyaccount2Ftransfer2FguestLogin2FpayRequest2FU-06C88558L1014094C2FU-2DM00000BR77214333FclassicUrl3D2FUS2Fcgi-bin2F3Fcmd3D_prq26id3DRy38v2FrK0UjF72A307PSNceYxU8e31AX6KM7A227D7D&flowContextData=EPipLgYQkcQiPC6xPmHLsMuav-qVcafyzQ_WyOueO1YLprxlMy2pR71HozTcXvF3gDlTVCnYOiGO1RH-x7AipFN1b_fXcnymzC7htRa-Up9txf3z7YS5D19T0nlKma78-VkCV-TQDV5CW84rr3rCJNYe1-fM_jtU4E9Padf_oYXGfzDmevT97BhWrEB2gc-cCgFZtePLBN_tEqZ2EXbR1HfEixVltCquJW08dhO4loCGR0Fw-i9hA2gm89p74lOnm_ylvkeMAFpn0MW2giVYeRb3X0Q993Fc-WNeqYIyYpEqnx8lWPo6TeIWhqhOu3HF3VENmMaY6Nw84pRr3Et2JJaxNrKrdwGltz9Bbxuv5CKbKgj5FHLgD4yz3AaxBVHUmdApOlWCmLbKHzdVBa3Y_WNm9O8_MwExtGHJFp8NDUJAXIhZaK7XQl16wX5aXhnY7INelm&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=edc46c96-b18e-11ef-a3e7-1b67a4a59178&ppid=RT000186&cnac=US&rsta=en_US28en-US29&unptid=edc46c96-b18e-11ef-a3e7-1b67a4a59178&calc=f66544940b4b2&unp_tpcid=requestmoney-notifications-requestee&page=main3Aemail3ART000186&pgrp=main3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=1455852C150948*2C104038&link_ref=www.paypal.com_signin__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJQ!!E09OEw!ZFlf8dyv9p4m5TistHOCu6FtN37v8zWP5-QyGJsZhABWsjDIA2M-dGUPzMmvyOWcAxfX3C0KPvNI8A$	Get hash	malicious	Unknown	Browse
239.255.255.250	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse
	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse
	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse
	https://gtgyhtrgerftrgr.blob.core.windows.net/frhvhgse/vsgwhk.html	Get hash	malicious	Unknown	Browse
	https://its.piquedigital.com.br/maryland.gov/&adfs/ls/client-request-id=7c724&wa=wsignin10.html	Get hash	malicious	Unknown	Browse
	https://belasting.online-factuur.com	Get hash	malicious	Unknown	Browse
	https://kn0wbe4.compromisedblog.com/XZHJISTcycW1tZkROWG92Y2ZEc21laS80dzNTR2N0eEsvTDFRWGFNODdGaGtjNGo5VzRyMFRUQmFLM0grcGxUbnBSTVFhMEg2Smd3UkovaXVjaUpIcG1hZG5CQnh5aFlZTXNqNldTdm84cE5CMUtld0dCZzN4ZUFRK2lvL1FWTG92NUJsMnJ3OHFGckdTNFhnMkFUTFZFZTdKRnVJaTRuRGFKdXVyeUdCVytuQzdnMEV1ZExSMnlwWi9RPT0tLTdnZjhxQVZPbUdTdFZXVUEtLXA0bHNCNGxmeTdrdmlkWWRVcmRXRWc9PQ==?cid=2310423310	Get hash	malicious	KnowBe4	Browse
	FB.html	Get hash	malicious	Unknown	Browse
	https://app.slintel-privacy.com/links/J95tSop4o/SS6JytVVw/qm84IUL58/GFC-9kqk1-	Get hash	malicious	Unknown	Browse
151.101.65.21	https://feji.us/m266he	Get hash	malicious	Unknown	Browse
	http://get-derila.com	Get hash	malicious	Unknown	Browse
	message__86_4F_17774_8082F476_ccg01mail04_.eml	Get hash	malicious	Unknown	Browse
	https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-8FB07512G02736728%2FU-8UU1421709629722J%3FclassicUrl%3D%2FCA%2Fcgi-bin%2F%3Fcmd%3D_prq&id=bCWb7axPkTBIYo2JytQu3Yqi-gfJnEsVyEvflA&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-8FB07512G02736728%2FU-8UU1421709629722J%3FclassicUrl%3D%2FCA%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3DbCWb7axPkTBIYo2JytQu3Yqi-gfJnEsVyEvflA%22%7D%7D&flowContextData=FhBIPUN7sGX6UXoVcVvHCc0r-kHt8NxPVJdCtufc2-5wJ8xNtYMzwoEItubAbMHSR-Brfj8WYHXSOJOLB7I_xgIcpSMJwP4YtpfCnYEHRE07uUgtzs-5O1p746JYB5MV7Eta_TiVNNWomtvJrK-nZectqmXCVhjzKoLtEhBGgiIcrB-f7ABGIKrBF_pVh3U-k_zBQ_s0uP7jrErg8qUDd9XQNWR77W6gQyiq4pCR6_PvxoaobXaVHTSKv7VEUp-cXHG2cUkCFxRjiQ1tpsfqdUWJRD9Tvzt_P29zQm26DHKsAIdR5Mhbc68zZDkGx4I1cAE6E938r_GFpPcFuCWKTQX5lJdg8-IccRRGQgXdLu7DY98wAWY7-AdsB7zacLPYw3yI9P4HmAif8vysbLkh4amfLfRnxL3D32w9Y7V0HwwB820AtwWjXaNVfz-wisVe6yv1R7ax6xWoLQNM&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=28b8c20f-b0c4-11ef-8528-d7dddebdc1bf&ppid=RT000186&cnac=CA&rsta=en_US%28en-CA%29&unptid=28b8c20f-b0c4-11ef-8528-d7dddebdc1bf&calc=f298458bd0c86&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585%2C154413%2C104038&link_ref=www.paypal.com_signin	Get hash	malicious	Unknown	Browse
	https://nischatalks.lt.acemlna.com/Prod/link-tracker?redirectUrl=aHR0cHMlM0ElMkYlMkZkZmwwLnVzJTJGcyUyRmM0MTJmMDEzJTNGZW0lM0RkaWxpcC5tYXRoZXclNDBjYXNhLmdvdi5hdQ==&sig=F28J3VAL72g8YRkFLWUvhqFSBag5sKdkQKwMeDdTvDbT&iat=1732885424&a=%7C%7C226329423%7C%7C&account=nischatalks.activehosted.com&email=4Tp4HabxiWO4pvz6roguRO3SDqvOBrDfqzRC3S4QX3U%3D&s=075f541518f72bd1137bd07bd6bf86a5&i=444A374A1A2736	Get hash	malicious	Unknown	Browse
	http://comgeotetra.sytes.net	Get hash	malicious	HTMLPhisher	Browse
	http://theluckyhouse.vn/dnkdl	Get hash	malicious	Unknown	Browse
	http://deepai.org	Get hash	malicious	LiteHTTP Bot	Browse
	https://www.paypal.com/invoice/payerView/details/INV2-N92X-T2Z2-AHQ9-TKQH?locale.x=en_US&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000238&utm_unptid=3863e735-915a-11ef-98e8-79ac3b3090e7&ppid=RT000238&cnac=US&rsta=en_US%28en-US%29&unptid=3863e735-915a-11ef-98e8-79ac3b3090e7&calc=f264059569334&unp_tpcid=invoice-buyer-notification&page=main%3Aemail%3ART000238&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.287.1&tenant_name=&xt=145585%2C134644%2C150948%2C104038&link_ref=details_inv2-n92x-t2z2-ahq9-tkqh	Get hash	malicious	Unknown	Browse
	https://link.edgepilot.com/s/a87a8c67/R8ziiM5L9EqrFhZqAjyPWg?u=https://debbydollar.com/	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cs1150.wpc.betacdn.net	https://contractnerds.com/	Get hash	malicious	Unknown	Browse	192.229.221.25
	https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-7DW79067WM944534C%2FU-3RN06382B68072443%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=mv2NVEuUR9VvkcyUJ89EG.tzUFO5CbJFQUTSWg&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-7DW79067WM944534C%2FU-3RN06382B68072443%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3Dmv2NVEuUR9VvkcyUJ89EG.tzUFO5CbJFQUTSWg%22%7D%7D&flowContextData=3VhkG6GfeMFpPs0RyY94VfaPuu2gnDuZkT0vO2-Owy5Q0TLELhHoBl0C3rYOuScB-P1puLFiHoe8q1yHNkorMrsQ-kVAt54br43PgY3iTrhwRm0aS_TYpgjIbliH5dfDJJr3q03bJkAa9vLd7Cr3oAjCQ5rfmoQCALWFn-qszHw7Rd_aj20-SECud0ZSxh-oKENUYjnmdRqAckr48r-ddvc-Vgo4zQnu7JkI5YB_1CxdutYkC-X7iD96T-7aDJhAmyxkfGKQ53prsK5Kys2hLiVrkCjSURM1RSmWzlwznlByQzHhv1R0VrGdaW03mCZt_U0pKOeWAwiNac8f&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=16a0a3c3-b960-11ef-862e-f3094488c6dd&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=16a0a3c3-b960-11ef-862e-f3094488c6dd&calc=f53338153f55e&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.295.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin	Get hash	malicious	Unknown	Browse	192.229.221.25
	https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-28V552122R769381L%2FU-9FX296329A817750Y%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=5qLXPqTuQhupi40uiyjfsgz5IGEJYuHctFy29w&expId=p2pGuestTesla&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-28V552122R769381L%2FU-9FX296329A817750Y%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3D5qLXPqTuQhupi40uiyjfsgz5IGEJYuHctFy29w%22%7D%7D&flowContextData=W58KV1fhgiV_-p6TmOnneAd3pqRwh89Uhs4nETqYgEciadinFvE9jhmCkm7cdS_dog5IstycO3uCeUP_fQvJGb2CyrXWo1FAcV7pf2HjOlGJnjX-3TcP_Kr96BnUqBXJTigKvgCmlKpHJdV1cj2DzXB0hguAYEiUIg9m9RdD4qaHMBzBLcVwygEiNxwxkozO_z0SwgJxNPt8O4MHkVy2NY7qoPv_3Qc2wClzrugADG-NhMNqbj3Hc7kBOJYLRna0_RTgDo2VtDqetkbvf00Dw7Z1NgHN2eMtByMS8uM3oO2yZ1XiigiIC6xt56W3JkKVnZbqlDxq6DTjyjnZ&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=5f308ca0-b964-11ef-bd32-dbf3023831b4&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=5f308ca0-b964-11ef-bd32-dbf3023831b4&calc=f639462de6a7c&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.295.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin	Get hash	malicious	Unknown	Browse	192.229.221.25
	http://get-derila.com	Get hash	malicious	Unknown	Browse	192.229.221.25
	message__86_4F_17774_8082F476_ccg01mail04_.eml	Get hash	malicious	Unknown	Browse	192.229.221.25
	https://github.com/greenshot/greenshot/releases/download/Greenshot-RELEASE-1.2.10.6/Greenshot-INSTALLER-1.2.10.6-RELEASE.exe	Get hash	malicious	Unknown	Browse	192.229.221.25
	https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-09584045BD498740V%2FU-5R763959NX153980F%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=OoO85MXTLVUkAlgY4sey9A8h.NxxqjO.iYbAWg&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-09584045BD498740V%2FU-5R763959NX153980F%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3DOoO85MXTLVUkAlgY4sey9A8h.NxxqjO.iYbAWg%22%7D%7D&flowContextData=F7WdIOgJmH6-07KTJ7GpdWXhkdDQxLohB4l-G7vuWGaUsw9VWkH3unndZA7YlCRgtETWTIDn9hNnR_R_XfGvdxeCRkDmtXLc6qqtXR9sC3Gp-59lNBELQtpM5xEv0i4rCTpJiBcP2uf4VFrJLL1b5u1XG7JtP5TfW7CNqxSVOxEb9_duKrmtDgpztBtl32bVeoc8BgW5poXyk9lJHcKrYdvBHSdT0mosqrrmaGj2a5uNQdBK70Mwpn9Zddmj0KI1GIZrXWvFcpnuRbvbli2inkizkeV4nR1uyKnBSzFqdPDcK4t7K9B6YiFhb5sS8DaQd7F6oWzSe-J8gPxVURmdwwOxFn1ycN09t9caUdBz1XMuv96GDJywuv2feJdoAI73PNjro1a2cFEKAWnCgtoHqxdBD3A1mVV3OiytkjtEUDdvp0GL3CNOAV9zIrunX_DmbTO6KOe21dniBkeG&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=09b8bd50-b31d-11ef-9fd6-7b2e619a4883&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=09b8bd50-b31d-11ef-9fd6-7b2e619a4883&calc=f8278373e34b4&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin	Get hash	malicious	Unknown	Browse	192.229.221.25
	https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-09584045BD498740V%2FU-7AK40048SY131414Y%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=UJ8cMtNtnR8osXBu987dZoV1KMO8Kn.CKcv6ZA&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-09584045BD498740V%2FU-7AK40048SY131414Y%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3DUJ8cMtNtnR8osXBu987dZoV1KMO8Kn.CKcv6ZA%22%7D%7D&flowContextData=k3KkNbgd2F3whUTyipi2CMJLh_A_-ZYRjnLUkRjoT_j0HNsy89M3Jq9pftpBPMtxKyazfBl41ygLF6L-3nSQM3yKD_1JSLMZUnm3gJtmC_GW6MtRMZgxxLdzhM2UidzudErvOhqzUKOKhl1Uolhas5WHE4v4p4McejHNxcZVkLh-Y4orpy9guCt5hhIB4GnzEz4SubWTdzvc3cAY2OwiaKLLHK8NR5mzXmQp5fVf3iIsNKSvq_9V0izgPURkU3T8RWrY5gGBkFdWln_xY5pl8zRv8lmUI-keUYe0DqQBvKVK8GwV8qiU_5p8qjPHJVW9i-G3ZBZuZum2FKJqczC5erDfF4QBe8JLLYzKBGyYHnHI7fFyBoEDubHGzh8R01uh4xAe-iAkcUj76XG_hnIoA0TzvY15PrfT8E9VdnaJhGuNJ5c8GhmekMGGnVwrlvOcZBIva0&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=3bf303f1-b31d-11ef-81c6-bffe125023d8&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=3bf303f1-b31d-11ef-81c6-bffe125023d8&calc=f7859995fbf4b&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin	Get hash	malicious	Unknown	Browse	192.229.221.25
	https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-73L43097YS920471H%2FU-21916088VG929353V%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=oSTQ2KyhBfzKABJBD3SmDi49NoivW60lzQASFQ&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-73L43097YS920471H%2FU-21916088VG929353V%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3DoSTQ2KyhBfzKABJBD3SmDi49NoivW60lzQASFQ%22%7D%7D&flowContextData=RDl_AZcF1sl5Rb_6LCOad8Ablnu-W7AxB_i5FzkmY9ljbd6ElIlIteG0y31awgymrSFY-NEhR9oodKgi2Jr_54nHRHUI22A5btXBAz58pUBlVy_icxhdiCyvbxtKkJbyvPwAFXZm9Hu-TuP8fUbi3kD9SI3uQE-nXU-1T6hk9yNEcfLwmQ9q2oXw0Nu89DKUwRZZ-hEgdjZhl4tqKDQiASbkdXigxUyjHWAPt-vOaJzbzisp0scQXF4UF-J1Rto6RYCxskkLambqbUPNkjVq_ZtnTRrfcOFs6AdzgjQZxFjLXCq1M3EW1Aiq9DSZcmtteoSiOkL-Yl_4s2YOFo6jNRRQrcEHNylGYTBCyHc65n4_85NWbx-ikEWoVlI4LXcJW4dftTovp8EWo5xXhEORiceFOjZRVbk5MVtSKHu91b7gPLC3F3USPVAc68XpKKXL_xvsUAp1wPS1patgsMBTMQo3Gwa68P9HfAfTWEjlQ1Yf3yTIWtRpNF8qyyGgAUBLgrJVAT_OmXFJJrX08CV-vxGPkepVr0r1FVRxwTmimvKh55xYEKkfPK5XJKmenbfgUa9CbfH9d_FpW5yVigO-oMpueUaWL8bSCYMeFYr8B1GfpUn9ASsdqnfnFqtpUGY0Y4MI9f0bvAFH6gYvW7ZTeYh_jKu&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=c038b022-b182-11ef-83cc-0118134ab4bf&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=c038b022-b182-11ef-83cc-0118134ab4bf&calc=f826437c02759&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin	Get hash	malicious	Unknown	Browse	192.229.221.25
	https://www.paypal.com/signin/?returnUri=2Fmyaccount2Ftransfer2FpayRequest2FU-06C88558L1014094C2FU-2DM00000BR77214333FclassicUrl3D2FUS2Fcgi-bin2F3Fcmd3D_prq&id=Ry38v2FrK0UjF72A307PSNceYxU8e31AX6KM7A&expId=p2p&onboardData=7B22signUpRequest223A7B22method223A22get222C22url223A22https3A2F2Fwww.paypal.com2Fmyaccount2Ftransfer2FguestLogin2FpayRequest2FU-06C88558L1014094C2FU-2DM00000BR77214333FclassicUrl3D2FUS2Fcgi-bin2F3Fcmd3D_prq26id3DRy38v2FrK0UjF72A307PSNceYxU8e31AX6KM7A227D7D&flowContextData=EPipLgYQkcQiPC6xPmHLsMuav-qVcafyzQ_WyOueO1YLprxlMy2pR71HozTcXvF3gDlTVCnYOiGO1RH-x7AipFN1b_fXcnymzC7htRa-Up9txf3z7YS5D19T0nlKma78-VkCV-TQDV5CW84rr3rCJNYe1-fM_jtU4E9Padf_oYXGfzDmevT97BhWrEB2gc-cCgFZtePLBN_tEqZ2EXbR1HfEixVltCquJW08dhO4loCGR0Fw-i9hA2gm89p74lOnm_ylvkeMAFpn0MW2giVYeRb3X0Q993Fc-WNeqYIyYpEqnx8lWPo6TeIWhqhOu3HF3VENmMaY6Nw84pRr3Et2JJaxNrKrdwGltz9Bbxuv5CKbKgj5FHLgD4yz3AaxBVHUmdApOlWCmLbKHzdVBa3Y_WNm9O8_MwExtGHJFp8NDUJAXIhZaK7XQl16wX5aXhnY7INelm&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=edc46c96-b18e-11ef-a3e7-1b67a4a59178&ppid=RT000186&cnac=US&rsta=en_US28en-US29&unptid=edc46c96-b18e-11ef-a3e7-1b67a4a59178&calc=f66544940b4b2&unp_tpcid=requestmoney-notifications-requestee&page=main3Aemail3ART000186&pgrp=main3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=1455852C150948*2C104038&link_ref=www.paypal.com_signin__;JSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJSUlJQ!!E09OEw!ZFlf8dyv9p4m5TistHOCu6FtN37v8zWP5-QyGJsZhABWsjDIA2M-dGUPzMmvyOWcAxfX3C0KPvNI8A$	Get hash	malicious	Unknown	Browse	192.229.221.25
s-part-0035.t-0009.t-msedge.net	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	installer64v5.2.7.msi	Get hash	malicious	Unknown	Browse	13.107.246.63
	installer64v3.2.6.msi	Get hash	malicious	Unknown	Browse	13.107.246.63
	Tool_Unlock_v1.2.exe	Get hash	malicious	Vidar	Browse	13.107.246.63
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	l0zocrLiVW.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	TdloJt4gY3.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	QfBhv404w4.exe	Get hash	malicious	Phorpiex	Browse	13.107.246.63
	726odELDs8.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
paypal-dynamic.map.fastly.net	https://contractnerds.com/	Get hash	malicious	Unknown	Browse	151.101.1.21
	https://jkqbjwq.maxiite.com	Get hash	malicious	HTMLPhisher	Browse	151.101.65.21
	http://www.kukaj-to.chat/sedo	Get hash	malicious	Unknown	Browse	151.101.1.21
	https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-7DW79067WM944534C%2FU-3RN06382B68072443%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=mv2NVEuUR9VvkcyUJ89EG.tzUFO5CbJFQUTSWg&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-7DW79067WM944534C%2FU-3RN06382B68072443%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3Dmv2NVEuUR9VvkcyUJ89EG.tzUFO5CbJFQUTSWg%22%7D%7D&flowContextData=3VhkG6GfeMFpPs0RyY94VfaPuu2gnDuZkT0vO2-Owy5Q0TLELhHoBl0C3rYOuScB-P1puLFiHoe8q1yHNkorMrsQ-kVAt54br43PgY3iTrhwRm0aS_TYpgjIbliH5dfDJJr3q03bJkAa9vLd7Cr3oAjCQ5rfmoQCALWFn-qszHw7Rd_aj20-SECud0ZSxh-oKENUYjnmdRqAckr48r-ddvc-Vgo4zQnu7JkI5YB_1CxdutYkC-X7iD96T-7aDJhAmyxkfGKQ53prsK5Kys2hLiVrkCjSURM1RSmWzlwznlByQzHhv1R0VrGdaW03mCZt_U0pKOeWAwiNac8f&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=16a0a3c3-b960-11ef-862e-f3094488c6dd&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=16a0a3c3-b960-11ef-862e-f3094488c6dd&calc=f53338153f55e&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.295.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin	Get hash	malicious	Unknown	Browse	151.101.193.21
	https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-28V552122R769381L%2FU-9FX296329A817750Y%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=5qLXPqTuQhupi40uiyjfsgz5IGEJYuHctFy29w&expId=p2pGuestTesla&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-28V552122R769381L%2FU-9FX296329A817750Y%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3D5qLXPqTuQhupi40uiyjfsgz5IGEJYuHctFy29w%22%7D%7D&flowContextData=W58KV1fhgiV_-p6TmOnneAd3pqRwh89Uhs4nETqYgEciadinFvE9jhmCkm7cdS_dog5IstycO3uCeUP_fQvJGb2CyrXWo1FAcV7pf2HjOlGJnjX-3TcP_Kr96BnUqBXJTigKvgCmlKpHJdV1cj2DzXB0hguAYEiUIg9m9RdD4qaHMBzBLcVwygEiNxwxkozO_z0SwgJxNPt8O4MHkVy2NY7qoPv_3Qc2wClzrugADG-NhMNqbj3Hc7kBOJYLRna0_RTgDo2VtDqetkbvf00Dw7Z1NgHN2eMtByMS8uM3oO2yZ1XiigiIC6xt56W3JkKVnZbqlDxq6DTjyjnZ&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=5f308ca0-b964-11ef-bd32-dbf3023831b4&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=5f308ca0-b964-11ef-bd32-dbf3023831b4&calc=f639462de6a7c&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.295.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin	Get hash	malicious	Unknown	Browse	151.101.193.21
	https://feji.us/m266he	Get hash	malicious	Unknown	Browse	151.101.1.21
	http://get-derila.com	Get hash	malicious	Unknown	Browse	151.101.193.21
	message__86_4F_17774_8082F476_ccg01mail04_.eml	Get hash	malicious	Unknown	Browse	151.101.1.21
	https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-09584045BD498740V%2FU-5R763959NX153980F%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=OoO85MXTLVUkAlgY4sey9A8h.NxxqjO.iYbAWg&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-09584045BD498740V%2FU-5R763959NX153980F%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3DOoO85MXTLVUkAlgY4sey9A8h.NxxqjO.iYbAWg%22%7D%7D&flowContextData=F7WdIOgJmH6-07KTJ7GpdWXhkdDQxLohB4l-G7vuWGaUsw9VWkH3unndZA7YlCRgtETWTIDn9hNnR_R_XfGvdxeCRkDmtXLc6qqtXR9sC3Gp-59lNBELQtpM5xEv0i4rCTpJiBcP2uf4VFrJLL1b5u1XG7JtP5TfW7CNqxSVOxEb9_duKrmtDgpztBtl32bVeoc8BgW5poXyk9lJHcKrYdvBHSdT0mosqrrmaGj2a5uNQdBK70Mwpn9Zddmj0KI1GIZrXWvFcpnuRbvbli2inkizkeV4nR1uyKnBSzFqdPDcK4t7K9B6YiFhb5sS8DaQd7F6oWzSe-J8gPxVURmdwwOxFn1ycN09t9caUdBz1XMuv96GDJywuv2feJdoAI73PNjro1a2cFEKAWnCgtoHqxdBD3A1mVV3OiytkjtEUDdvp0GL3CNOAV9zIrunX_DmbTO6KOe21dniBkeG&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=09b8bd50-b31d-11ef-9fd6-7b2e619a4883&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=09b8bd50-b31d-11ef-9fd6-7b2e619a4883&calc=f8278373e34b4&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin	Get hash	malicious	Unknown	Browse	151.101.1.21
	https://www.paypal.com/signin/?returnUri=%2Fmyaccount%2Ftransfer%2FpayRequest%2FU-09584045BD498740V%2FU-7AK40048SY131414Y%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq&id=UJ8cMtNtnR8osXBu987dZoV1KMO8Kn.CKcv6ZA&expId=p2p&onboardData=%7B%22signUpRequest%22%3A%7B%22method%22%3A%22get%22%2C%22url%22%3A%22https%3A%2F%2Fwww.paypal.com%2Fmyaccount%2Ftransfer%2FguestLogin%2FpayRequest%2FU-09584045BD498740V%2FU-7AK40048SY131414Y%3FclassicUrl%3D%2FUS%2Fcgi-bin%2F%3Fcmd%3D_prq%26id%3DUJ8cMtNtnR8osXBu987dZoV1KMO8Kn.CKcv6ZA%22%7D%7D&flowContextData=k3KkNbgd2F3whUTyipi2CMJLh_A_-ZYRjnLUkRjoT_j0HNsy89M3Jq9pftpBPMtxKyazfBl41ygLF6L-3nSQM3yKD_1JSLMZUnm3gJtmC_GW6MtRMZgxxLdzhM2UidzudErvOhqzUKOKhl1Uolhas5WHE4v4p4McejHNxcZVkLh-Y4orpy9guCt5hhIB4GnzEz4SubWTdzvc3cAY2OwiaKLLHK8NR5mzXmQp5fVf3iIsNKSvq_9V0izgPURkU3T8RWrY5gGBkFdWln_xY5pl8zRv8lmUI-keUYe0DqQBvKVK8GwV8qiU_5p8qjPHJVW9i-G3ZBZuZum2FKJqczC5erDfF4QBe8JLLYzKBGyYHnHI7fFyBoEDubHGzh8R01uh4xAe-iAkcUj76XG_hnIoA0TzvY15PrfT8E9VdnaJhGuNJ5c8GhmekMGGnVwrlvOcZBIva0&v=1&utm_source=unp&utm_medium=email&utm_campaign=RT000186&utm_unptid=3bf303f1-b31d-11ef-81c6-bffe125023d8&ppid=RT000186&cnac=US&rsta=en_US%28en-US%29&unptid=3bf303f1-b31d-11ef-81c6-bffe125023d8&calc=f7859995fbf4b&unp_tpcid=requestmoney-notifications-requestee&page=main%3Aemail%3ART000186&pgrp=main%3Aemail&e=cl&mchn=em&s=ci&mail=sys&appVersion=1.294.0&tenant_name=&xt=145585%2C150948%2C104038&link_ref=www.paypal.com_signin	Get hash	malicious	Unknown	Browse	151.101.193.21

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
EDGECASTUS	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse	152.199.21.175
	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse	152.199.21.175
	db0fa4b8db0333367e9bda3ab68b8042.i686.elf	Get hash	malicious	Mirai, Gafgyt	Browse	152.195.101.222
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	https://contractnerds.com/	Get hash	malicious	Unknown	Browse	192.229.221.25
	http://assets.website-files.com/65efffe8d4e10d26910f0543/65f65633ab8b2f021b357c18_64146967722.pdf	Get hash	malicious	Unknown	Browse	152.195.15.58
	Audio02837498.html	Get hash	malicious	HTMLPhisher	Browse	152.199.21.175
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	152.199.21.175
	http://usps.com-trackilw.top/us	Get hash	malicious	Unknown	Browse	192.229.221.165
FASTLYUS	https://gtgyhtrgerftrgr.blob.core.windows.net/frhvhgse/vsgwhk.html	Get hash	malicious	Unknown	Browse	151.101.129.44
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	fxsound_setup.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	Hwacaj.exe	Get hash	malicious	Darkbot	Browse	151.101.66.137
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://www.dropbox.com/scl/fi/lncgsm76k7l5ix7fuu5t6/2024-OK-House-Outreach.pdf?rlkey=o4qr50zpdw1z14o6ikdg6zjt8&st=lrloyzlo&dl=0	Get hash	malicious	Unknown	Browse	151.101.1.229
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=N_pyUL0QJkeR_KiXHZsVlyTB1Qoy7S9IkE8Ogzl8coFUMFBJSDkxQ0w3VVZMNFJFUlNDRVkyU05CUi4u	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	Electrum-bch-4.4.2-x86_64.AppImage.elf	Get hash	malicious	Unknown	Browse	185.199.111.133
SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU	INVOICE-0098.pdf ... .lnk.lnk.d.lnk	Get hash	malicious	Unknown	Browse	43.250.142.7
	alWUxZvrvU.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	https://tiotapas.com.au	Get hash	malicious	Unknown	Browse	110.232.143.44
	Shipping report#Cargo Handling.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	PO76389.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	SHIPPING DOC MBL+HBL.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	r3T-ENQ-O-2024-10856.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	3T-ENQ-O-2024-10856.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	103.42.108.46
	Scan 00093847.exe	Get hash	malicious	FormBook	Browse	103.42.108.46

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	search.hta	Get hash	malicious	Unknown	Browse	173.222.162.32
	Canvas of Kings_N6xC-S2.exe	Get hash	malicious	Unknown	Browse	173.222.162.32
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	173.222.162.32
	jqplot.hta	Get hash	malicious	Unknown	Browse	173.222.162.32
	http://aselog24x7.cl/	Get hash	malicious	HTMLPhisher	Browse	173.222.162.32
	cB1ItKbbhY.msi	Get hash	malicious	Unknown	Browse	173.222.162.32
	PVKDyWHOaX.exe	Get hash	malicious	Unknown	Browse	173.222.162.32
	RcFBMph6zu.exe	Get hash	malicious	Unknown	Browse	173.222.162.32
	http://senalongley.com	Get hash	malicious	Unknown	Browse	173.222.162.32
	ghostspider.7z	Get hash	malicious	Unknown	Browse	173.222.162.32

Dropped Files

⊘No context

Process:	C:\EasyAssist\Data\easyassistupdate.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	4767
Entropy (8bit):	4.608091639177324
Encrypted:	false
SSDEEP:	96:/WrkEB55v+b/D15Af5dU3+4mbLuhoGfkPIaJImx:/WwEBrNgmJj
MD5:	AE537DF383D1A9F4F9620C077B6D60EA
SHA1:	93816A73E0E2474A3DC11B759BD10673B4FEEE91
SHA-256:	8A93B1B66A7E02F375D1408B6F931F1452B2A51E30D607A04224D81E75BA7AA7
SHA-512:	7EA43ED4C6F8426FD53126113FD2336BA7D30D836AC8D398D397D2CEB8C389A3F329607BFDB1CC022F12E73C13C46245822117D7357E02D8D34B80F03EE40E48
Malicious:	false
Reputation:	low
Preview:	Fund,FundCode,Schedule,51300,51303,51306,51309,51312,51315,51318,Valid_from,Valid_to,Schedule,Threshold,ColumnNumber,MultipleOp2,MultipleOp3,Threshold2,Update Date,,,,,,,ThisUpdate..AHSA ACT,AHSA_ACT,MBSFee,120.5,1.421,174.1,1.421,1.421,380.4,251.2,1/11/2011,31/10/2012,MBSFee,547.9,4,0.5,0.25,,1/11/2011,,,,,,,20120101..AHSA NSW,AHSA_NSW,MBSFee,119.5,1.409,172.9,1.409,1.409,377.4,249,1/11/2011,31/10/2012,DVAFee,547.9,5,0.5,0.25,,1/11/2011,,,,,,,ThisRevision..AHSA NT,AHSA_NT,MBSFee,118.1,1.392,170.7,1.392,1.392,372.4,246,1/11/2011,31/10/2012,QCOMPFee,547.9,6,0.75,0.75,,1/12/2011,,,,,,,3..AHSA QLD,AHSA_QLD,MBSFee,119.5,1.409,172.9,1.409,1.409,377.4,249,1/11/2011,31/10/2012,NIBFee,0,7,0,0,,1/11/2011,,,,,,,..AHSA SA,AHSA_SA,MBSFee,119.5,1.41,172.9,1.41,1.41,377.6,249.1,1/11/2011,31/10/2012,WorkSafeVicFee,0,8,0,0,,1/11/2011,,,,,,,..AHSA TAS,AHSA_TAS,MBSFee,118.6,1.396,171.1,1.396,1.396,373.9,246.5,1/11/2011,31/10/2012,WorkCoverSAFee,846,9,0.5,0.25,,1/07/2011,,,,,,,..AHSA VIC,AHSA_VIC,MBSFee,

Process:	C:\Users\user\Desktop\installeasyassist.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2478576
Entropy (8bit):	7.998844161911654
Encrypted:	true
SSDEEP:	49152:bDbchky+yXXNRpdtF/OAZCszXHOmpN9B/roFdA/YZ5AzWDVLWvAlvj6:bvcqXyX9R1F2AZCszXhrToFdAgvkuV6
MD5:	9017DF9DF3C847E35C3A4C67C4ADA376
SHA1:	37FFD874A9EC4D9480D2649FA89DA2C88EFDDA9C
SHA-256:	29C2417F2FCA9ECA8769D91EE3283D60564E9F7CD3D01BEFCDFE199B19D2E388
SHA-512:	EF67825AFFC631E841971A6DB1EF4961C1012334B0A3DD3DB814DBB0ABBB7BE299CFCA157B01788DCB06C53BBECEBF0E5E99C270BAED8EA24B0494DAF1DE5E5A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.o.9...9...9...0...;......:...9........#l.:....#}.8...9...8....#y.8...Rich9...................PE..L......f................. ....%..............0....@...........................%.......&...@.................................43..<....P...#............%..+...........0...............................................0...............................text...$........ .................. ..`.rdata.......0.......$..............@..@.data........@......................@....rsrc....#...P...$...,..............@..@.reloc..t............P..............@..B.tsustubH^.......`...R..............@..B.tsuarch..".......".................@..B........................................................................................................................................................................................................................................................

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.9219280948873623
Encrypted:	false
SSDEEP:	3:OQ7gv:OQMv
MD5:	B2FC3D85CBBC9206DF4A19BA50BCB0AF
SHA1:	531031643C04985F30FB4302C54B48DBFEED7680
SHA-256:	1093A1D83D01A820112BABA0E130D9E305C6469A6F505122DD39233F2E77B936
SHA-512:	808595D1CF21036F759C8431BCEE48528525D645D4A7E32CC29DF7DFA5AEACD3815D572CB35E8164056261621B43F0C7C2627C5160467FBF13CC89BCC786B8F7
Malicious:	false
Preview:	12548028..

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	43
Entropy (8bit):	3.16293190511019
Encrypted:	false
SSDEEP:	3:CUmExltxlHh/:Jb/
MD5:	FC94FB0C3ED8A8F909DBC7630A0987FF
SHA1:	56D45F8A17F5078A20AF9962C992CA4678450765
SHA-256:	2DFE28CBDB83F01C940DE6A88AB86200154FD772D568035AC568664E52068363
SHA-512:	C87BF81FD70CF6434CA3A6C05AD6E9BD3F1D96F77DDDAD8D45EE043B126B2CB07A5CF23B4137B9D8462CD8A9ADF2B463AB6DE2B38C93DB72D2D511CA60E3B57E
Malicious:	false
Preview:	GIF89a.............!.......,...........D..;

Entrypoint:	0x4015ad
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D81E88 [Wed Sep 4 08:47:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	20c4b14b5064e66d073d37066475b11c

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	01/03/2023 19:00:00 01/03/2026 18:59:59
Subject Chain	CN=EasyAssist Software, O=EasyAssist Software, S=Queensland, C=AU
Version:	3
Thumbprint MD5:	A4A63454ED0AAA872E62F0C03C243383
Thumbprint SHA-1:	B9B3CE0C67F88DAC412D78B5D92DFA178A9474C7
Thumbprint SHA-256:	7F06698E1884AA330C7DC867CD19EC5B425ABAD02F864AF29C7CBD1CCF15041D
Serial:	57D0B2545FB481939C7AA7E5594E83E8

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3334	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5000	0x2394	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x306e00	0x2bc8	.tsuarch
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0xd8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x30b0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0xa8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1f24	0x2000	0c6295d43e7b7bbcaa9ecc3108085c04	False	0.611083984375	data	6.407948648862609	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x70f	0x800	6430f05d997ea4a1fa624c1602610abc	False	0.482421875	data	4.720719325122854	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4000	0x410	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5000	0x2394	0x2400	8f3e5960b23b9c024f0131228594333e	False	0.3319227430555556	data	4.569321928887825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0x174	0x200	0e109f2ae39d20fdea549b1a04660bf8	False	0.453125	data	3.339167376222123	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.tsustub	0x9000	0x25e48	0x26000	c29c18ff173e3de09434f5ff0a77d97d	False	0.9978348581414473	data	7.997304860335062	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.tsuarch	0x2f000	0x2dbc00	0x2dbc00	124bf75507863c71987925944efde55e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x5190	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.4637096774193548
RT_ICON	0x5478	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	0.5777027027027027
RT_ICON	0x55a0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	0.26545842217484006
RT_GROUP_ICON	0x6448	0x30	data	0.9583333333333334
RT_VERSION	0x6478	0x920	data	0.2851027397260274
RT_MANIFEST	0x6d98	0x5fb	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.45787067276290006

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 14:28:20.903167009 CET	138	138	192.168.2.4	192.168.2.255
Dec 29, 2024 14:28:46.942507982 CET	63605	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:28:46.943001986 CET	65447	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:28:47.080030918 CET	53	64232	1.1.1.1	192.168.2.4
Dec 29, 2024 14:28:47.084223986 CET	53	53259	1.1.1.1	192.168.2.4
Dec 29, 2024 14:28:47.958466053 CET	52222	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:28:47.958614111 CET	49234	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:28:49.312496901 CET	53	49234	1.1.1.1	192.168.2.4
Dec 29, 2024 14:28:49.312783003 CET	53	65447	1.1.1.1	192.168.2.4
Dec 29, 2024 14:28:49.313527107 CET	53	63605	1.1.1.1	192.168.2.4
Dec 29, 2024 14:28:49.314306974 CET	53	52222	1.1.1.1	192.168.2.4
Dec 29, 2024 14:28:49.911268950 CET	53	59686	1.1.1.1	192.168.2.4
Dec 29, 2024 14:28:51.032331944 CET	63553	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:28:51.032601118 CET	49919	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:28:51.170932055 CET	53	63553	1.1.1.1	192.168.2.4
Dec 29, 2024 14:28:51.171694040 CET	53	49919	1.1.1.1	192.168.2.4
Dec 29, 2024 14:28:51.518688917 CET	64030	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:28:51.518856049 CET	58586	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:28:51.657541990 CET	53	58586	1.1.1.1	192.168.2.4
Dec 29, 2024 14:28:51.657748938 CET	53	64030	1.1.1.1	192.168.2.4
Dec 29, 2024 14:28:56.856837988 CET	58579	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:28:56.857331991 CET	63472	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:28:56.935336113 CET	53	54555	1.1.1.1	192.168.2.4
Dec 29, 2024 14:28:56.996398926 CET	53	58579	1.1.1.1	192.168.2.4
Dec 29, 2024 14:28:56.997772932 CET	53	63472	1.1.1.1	192.168.2.4
Dec 29, 2024 14:29:02.204364061 CET	57140	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:29:02.204463959 CET	62983	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:29:02.343218088 CET	53	57140	1.1.1.1	192.168.2.4
Dec 29, 2024 14:29:02.420317888 CET	53	62983	1.1.1.1	192.168.2.4
Dec 29, 2024 14:29:04.175755978 CET	63846	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:29:04.176193953 CET	49171	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:29:04.313910961 CET	53	63846	1.1.1.1	192.168.2.4
Dec 29, 2024 14:29:04.315541983 CET	53	49171	1.1.1.1	192.168.2.4
Dec 29, 2024 14:29:06.701478958 CET	49934	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:29:06.701725006 CET	60449	53	192.168.2.4	1.1.1.1
Dec 29, 2024 14:29:06.840559006 CET	53	60449	1.1.1.1	192.168.2.4
Dec 29, 2024 14:29:06.840598106 CET	53	49934	1.1.1.1	192.168.2.4
Dec 29, 2024 14:29:08.326222897 CET	53	58146	1.1.1.1	192.168.2.4
Dec 29, 2024 14:29:28.319269896 CET	53	61668	1.1.1.1	192.168.2.4
Dec 29, 2024 14:29:46.972126007 CET	53	52410	1.1.1.1	192.168.2.4
Dec 29, 2024 14:29:51.893223047 CET	53	50258	1.1.1.1	192.168.2.4

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 29, 2024 14:28:49.314414024 CET	192.168.2.4	1.1.1.1	c209	(Port unreachable)	Destination Unreachable
Dec 29, 2024 14:29:02.422764063 CET	192.168.2.4	1.1.1.1	c25f	(Port unreachable)	Destination Unreachable

Timestamp	Bytes transferred	Direction	Data
Dec 29, 2024 14:28:49.435561895 CET	446	OUT	GET /order.html HTTP/1.1 Host: www.easyassist.com.au Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Dec 29, 2024 14:28:51.028667927 CET	1066	IN	HTTP/1.1 302 Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 content-type: text/html content-length: 771 date: Sun, 29 Dec 2024 13:28:50 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: https://www.easyassist.com.au/order.html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>

Timestamp	Bytes transferred	Direction	Data
2024-12-29 13:28:52 UTC	674	OUT	GET /order.html HTTP/1.1 Host: www.easyassist.com.au Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 13:28:53 UTC	388	IN	HTTP/1.1 200 OK Connection: close content-type: text/html last-modified: Thu, 20 Aug 2020 02:00:34 GMT accept-ranges: bytes content-length: 24806 date: Sun, 29 Dec 2024 13:28:53 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-29 13:28:53 UTC	16384	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 61 73 79 41 73 73 69 73 74 20 2d 20 54 68 65 20 53 75 72 67 69 63 61 6c 20 41 73 73 69 73 74 61 6e 74 20 46 65 65 20 43 61 6c 63 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head> <title>EasyAssist - The Surgical Assistant Fee Calc
2024-12-29 13:28:53 UTC	8422	IN	Data Raw: 47 75 69 64 65 3c 2f 61 3e 3c 2f 70 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6e 61 76 62 61 72 22 3e 3c 61 20 63 6c 61 73 73 3d 22 6e 61 76 62 61 72 22 20 68 72 65 66 3d 22 63 6f 6e 74 61 63 74 2e 68 74 6d 6c 22 3e 43 6f 6e 74 61 63 74 20 55 73 3c 2f 61 3e 3c 2f 70 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 72 69 67 68 74 22 20 73 74 79 6c 65 3d 22 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 33 3e 4f 72 64 65 72 20 61 6e 20 45 61 73 79 41 73 73 69 73 74 20 6c 69 63 65 6e 63 65 3c 2f 68 33 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 3e 59 6f 75 20 63 61 6e 20 6f 72 64 65 72 20 61 20 6c 69 63 65 6e 63 65 20 74 6f 20 75 73 65 20 45 61 73 79 41 Data Ascii: Guide</a></p> <p class="navbar"><a class="navbar" href="contact.html">Contact Us</a></p> </div> <div id="right" style="visibility: hidden"> <h3>Order an EasyAssist licence</h3> <p>You can order a licence to use EasyA

Timestamp	Bytes transferred	Direction	Data
2024-12-29 13:28:55 UTC	573	OUT	GET /easyassist_default.css HTTP/1.1 Host: www.easyassist.com.au Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: text/css,/;q=0.1 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: style Referer: https://www.easyassist.com.au/order.html Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 13:28:56 UTC	465	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Sun, 05 Jan 2025 13:28:56 GMT content-type: text/css last-modified: Fri, 10 Jul 2020 06:14:22 GMT accept-ranges: bytes content-length: 3354 date: Sun, 29 Dec 2024 13:28:56 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-29 13:28:56 UTC	3354	IN	Data Raw: 61 3a 68 6f 76 65 72 20 7b 0d 0a 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 75 6e 64 65 72 6c 69 6e 65 3b 0d 0a 7d 0d 0a 0d 0a 61 2e 63 75 72 72 65 6e 74 70 61 67 65 62 69 6c 6c 69 6e 67 67 75 69 64 65 20 7b 0d 0a 20 20 20 63 6f 6c 6f 72 3a 20 6e 61 76 79 3b 0d 0a 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 72 69 67 68 74 3b 0d 0a 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0d 0a 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 75 6e 64 65 72 6c 69 6e 65 3b 0d 0a 7d 0d 0a 0d 0a 62 6f 64 79 20 7b 0d 0a 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0d 0a 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 69 6d 61 67 65 73 2f 62 61 63 6b 67 72 61 64 69 65 6e 74 2e 6a Data Ascii: a:hover { text-decoration: underline;}a.currentpagebillingguide { color: navy; text-align: right; font-weight: bold; text-decoration: underline;}body { text-align: center; background-image: url(images/backgradient.j

Timestamp	Bytes transferred	Direction	Data
2024-12-29 13:28:55 UTC	632	OUT	GET /images/easyassistgraphic704x124.jpg HTTP/1.1 Host: www.easyassist.com.au Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.easyassist.com.au/order.html Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 13:28:56 UTC	468	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Sun, 05 Jan 2025 13:28:56 GMT content-type: image/jpeg last-modified: Fri, 10 Jul 2020 06:29:48 GMT accept-ranges: bytes content-length: 27205 date: Sun, 29 Dec 2024 13:28:56 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-29 13:28:56 UTC	16384	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 00 48 00 00 ff db 00 43 00 03 02 02 03 02 02 03 03 03 03 04 03 03 04 05 08 05 05 04 04 05 0a 07 07 06 08 0c 0a 0c 0c 0b 0a 0b 0b 0d 0e 12 10 0d 0e 11 0e 0b 0b 10 16 10 11 13 14 15 15 15 0c 0f 17 18 16 14 18 12 14 15 14 ff db 00 43 01 03 04 04 05 04 05 09 05 05 09 14 0d 0b 0d 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 ff c0 00 11 08 00 7c 02 c0 03 01 22 00 02 11 01 03 11 01 ff c4 00 1d 00 00 02 03 01 01 01 01 01 00 00 00 00 00 00 00 00 00 07 05 06 08 04 03 09 02 01 ff c4 00 5f 10 00 01 03 03 03 01 05 04 06 03 06 0f 0c 09 05 00 01 02 03 04 00 05 06 07 11 12 21 08 13 31 41 61 14 22 51 71 15 23 32 42 81 91 Data Ascii: JFIFHHCC\|"_!1Aa"Qq#2B
2024-12-29 13:28:56 UTC	10821	IN	Data Raw: f2 bd 2a 52 b8 63 17 96 57 95 e3 0d 93 b2 63 72 73 8c e8 88 1e 49 4b aa 43 a9 48 f0 0e 9a 90 63 b3 33 85 58 ca b0 6a 9d 4c ee 97 1f 95 a7 28 a2 8a 65 59 22 8a 28 a1 0b f0 eb a8 61 a5 b8 e2 d2 db 68 05 4a 5a 8e c1 20 78 92 6b 3d dd f2 d3 ac 99 7d 8e f1 6e 61 d6 b0 db 19 7a 44 09 8f a7 82 ae 92 9c 6c b4 1f 6d 07 aa 59 43 4b 79 29 52 b6 2e 17 79 01 c5 29 52 dc 1a a1 8f cc cb 34 d3 2d b1 db d6 1b 9f 73 b4 4b 85 1d 6a 3b 04 b8 e3 2b 42 0e ff 00 35 0a 49 e2 5a 83 8f 5d ac 11 16 8b 84 4b 7b cd 36 96 64 5b e4 bc 96 9e 86 ea 40 0b 65 c4 12 0a 16 83 d0 82 3c aa 65 34 61 ee 24 f2 59 5f 68 2b 25 a5 81 ac 8c 68 fb 82 7a 76 f9 ab 6d 15 15 fa 59 63 ff 00 7e 6d ff 00 e5 48 ff 00 6d 1f a5 96 3f f7 e6 df fe 54 8f f6 d5 97 08 2f 37 f1 0e e8 a2 b2 4d 3f 66 f5 92 5b 72 4b 7d Data Ascii: *RcWcrsIKCHc3XjL(eY"(ahJZ xk=}nazDlmYCKy)R.y)R4-sKj;+B5IZ]K{6d[@e<e4a$Y_h+%hzvmYc~mHm?T/7M?f[rK}

Timestamp	Bytes transferred	Direction	Data
2024-12-29 13:28:58 UTC	632	OUT	GET /images/backgradient.jpg HTTP/1.1 Host: www.easyassist.com.au Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.easyassist.com.au/easyassist_default.css Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 13:28:59 UTC	466	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Sun, 05 Jan 2025 13:28:58 GMT content-type: image/jpeg last-modified: Fri, 10 Jul 2020 06:29:48 GMT accept-ranges: bytes content-length: 461 date: Sun, 29 Dec 2024 13:28:58 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-29 13:28:59 UTC	461	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 03 02 02 03 02 02 03 03 03 03 04 03 03 04 05 08 05 05 04 04 05 0a 07 07 06 08 0c 0a 0c 0c 0b 0a 0b 0b 0d 0e 12 10 0d 0e 11 0e 0b 0b 10 16 10 11 13 14 15 15 15 0c 0f 17 18 16 14 18 12 14 15 14 ff db 00 43 01 03 04 04 05 04 05 09 05 05 09 14 0d 0b 0d 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 14 ff c0 00 11 08 02 ce 00 01 03 01 22 00 02 11 01 03 11 01 ff c4 00 17 00 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 02 01 08 ff c4 00 17 10 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 11 12 01 ff c4 00 19 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 00 00 02 03 00 01 06 08 ff Data Ascii: JFIFCC"

Timestamp	Bytes transferred	Direction	Data
2024-12-29 13:29:01 UTC	726	OUT	GET /paymentinstructions.html HTTP/1.1 Host: www.easyassist.com.au Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Referer: https://www.easyassist.com.au/order.html Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 13:29:01 UTC	388	IN	HTTP/1.1 200 OK Connection: close content-type: text/html last-modified: Thu, 06 Jul 2023 04:31:31 GMT accept-ranges: bytes content-length: 10571 date: Sun, 29 Dec 2024 13:29:01 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-29 13:29:01 UTC	10571	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0d 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 3c 68 65 61 64 3e 0d 20 20 3c 74 69 74 6c 65 3e 45 61 73 79 41 73 73 69 73 74 20 2d 20 54 68 65 20 53 75 72 67 69 63 61 6c 20 41 73 73 69 73 74 61 6e 74 20 46 65 65 20 43 61 6c 63 75 6c 61 74 6f 72 3c 2f 74 69 74 6c Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head> <title>EasyAssist - The Surgical Assistant Fee Calculator</titl

Timestamp	Bytes transferred	Direction	Data
2024-12-29 13:29:01 UTC	615	OUT	GET /images/favicon.ico HTTP/1.1 Host: www.easyassist.com.au Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.easyassist.com.au/order.html Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 13:29:01 UTC	468	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Sun, 05 Jan 2025 13:29:01 GMT content-type: image/x-icon last-modified: Fri, 10 Jul 2020 06:29:50 GMT accept-ranges: bytes content-length: 894 date: Sun, 29 Dec 2024 13:29:01 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-29 13:29:01 UTC	894	IN	Data Raw: 00 00 01 00 01 00 10 10 00 00 01 00 18 00 68 03 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 18 00 00 00 00 00 00 00 00 00 48 00 00 00 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6e 6e 6e bf bf bf 70 70 70 6b 6b 6b 67 67 67 63 63 63 65 65 65 55 55 55 3f 3f 3f 28 28 28 12 12 12 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00 8d 8d 8d 6f 9b c7 3f 6f 9e 39 63 8c 33 56 7a 2c 4a 68 ad ad ad c6 c6 bb 4a 4a 41 4e 4e 4e fc fc fc f6 f6 f6 6e 6e 6e 76 76 76 5a 5a 5a 00 00 00 a3 a3 a3 7f bf ff 61 b0 ff 61 b0 ff 61 b0 ff 61 b0 fe a9 ab ac ff ff b5 ff ff 7d 69 69 38 db db db f8 f8 dc c9 c9 64 b8 b8 87 66 66 66 00 Data Ascii: h( HHnnnpppkkkgggccceeeUUU???(((o?o9c3Vz,JhJJANNNnnnvvvZZZaaaa}ii8dfff

Timestamp	Bytes transferred	Direction	Data
2024-12-29 13:29:03 UTC	608	OUT	GET /en_AU/i/btn/btn_buynow_SM.gif HTTP/1.1 Host: www.paypal.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.easyassist.com.au/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 13:29:04 UTC	1359	IN	HTTP/1.1 301 Moved Permanently Connection: close Content-Length: 0 Accept-Ch: Sec-CH-UA-Full Cache-Control: max-age=0, no-cache, no-store, must-revalidate Location: https://www.paypalobjects.com/en_AU/i/btn/btn_buynow_SM.gif Origin-Trial: AmF3SS0NWoXo3HaojgmIVVXavukRnZH597u+xZNXRCiKWzSKzfNPHw9NC32GmblY12+HXpkCEYeYGyvRBNkkJg0AAABbeyJvcmlnaW4iOiJodHRwczovL3BheXBhbC5jb206NDQzIiwiZmVhdHVyZSI6IlRwY2QiLCJleHBpcnkiOjE3MzUzNDM5OTksImlzU3ViZG9tYWluIjp0cnVlfQ== Paypal-Debug-Id: f851954dfc4f8 Set-Cookie: ts=vreXpYrS%3D1767014943%26vteXpYrS%3D1735480743%26vr%3D129b20a31940ad1098a6f963f0e58267%26vt%3D129b20a31940ad1098a6f963f0e58266%26vtyp%3Dnew; Path=/; Domain=paypal.com; Expires=Mon, 29 Dec 2025 13:29:03 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: ts_c=vr%3D129b20a31940ad1098a6f963f0e58267%26vt%3D129b20a31940ad1098a6f963f0e58266; Path=/; Domain=paypal.com; Expires=Mon, 29 Dec 2025 13:29:03 GMT; Secure; SameSite=None Traceparent: 00-0000000000000000000f851954dfc4f8-0f1fce128141e68f-01 DC: ccg11-origin-www-1.paypal.com Accept-Ranges: bytes Via: 1.1 varnish, 1.1 varnish, 1.1 varnish Date: Sun, 29 Dec 2024 13:29:03 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains; preload X-Served-By: cache-iad-kiad7000164-IAD, cache-nyc-kteb1890052-NYC, cache-nyc-kteb1890052-NYC X-Cache: MISS, MISS, MISS X-Cache-Hits: 0, 0, 0
2024-12-29 13:29:04 UTC	101	IN	Data Raw: 58 2d 54 69 6d 65 72 3a 20 53 31 37 33 35 34 37 38 39 34 34 2e 38 36 38 31 39 31 2c 56 53 30 2c 56 45 36 37 0d 0a 53 65 72 76 65 72 2d 54 69 6d 69 6e 67 3a 20 63 6f 6e 74 65 6e 74 2d 65 6e 63 6f 64 69 6e 67 3b 64 65 73 63 3d 22 22 2c 78 2d 63 64 6e 3b 64 65 73 63 3d 22 66 61 73 74 6c 79 22 0d 0a 0d 0a Data Ascii: X-Timer: S1735478944.868191,VS0,VE67Server-Timing: content-encoding;desc="",x-cdn;desc="fastly"

Timestamp	Bytes transferred	Direction	Data
2024-12-29 13:29:03 UTC	600	OUT	GET /en_AU/i/scr/pixel.gif HTTP/1.1 Host: www.paypal.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.easyassist.com.au/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 13:29:04 UTC	1351	IN	HTTP/1.1 301 Moved Permanently Connection: close Content-Length: 0 Accept-Ch: Sec-CH-UA-Full Cache-Control: max-age=0, no-cache, no-store, must-revalidate Location: https://www.paypalobjects.com/en_AU/i/scr/pixel.gif Origin-Trial: AmF3SS0NWoXo3HaojgmIVVXavukRnZH597u+xZNXRCiKWzSKzfNPHw9NC32GmblY12+HXpkCEYeYGyvRBNkkJg0AAABbeyJvcmlnaW4iOiJodHRwczovL3BheXBhbC5jb206NDQzIiwiZmVhdHVyZSI6IlRwY2QiLCJleHBpcnkiOjE3MzUzNDM5OTksImlzU3ViZG9tYWluIjp0cnVlfQ== Paypal-Debug-Id: f851954bf5182 Set-Cookie: ts=vreXpYrS%3D1767014943%26vteXpYrS%3D1735480743%26vr%3D129b20d11940a550c81fdd18f16ac147%26vt%3D129b20d11940a550c81fdd18f16ac146%26vtyp%3Dnew; Path=/; Domain=paypal.com; Expires=Mon, 29 Dec 2025 13:29:03 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: ts_c=vr%3D129b20d11940a550c81fdd18f16ac147%26vt%3D129b20d11940a550c81fdd18f16ac146; Path=/; Domain=paypal.com; Expires=Mon, 29 Dec 2025 13:29:03 GMT; Secure; SameSite=None Traceparent: 00-0000000000000000000f851954bf5182-18165fae9d7ba4ff-01 DC: ccg11-origin-www-1.paypal.com Accept-Ranges: bytes Via: 1.1 varnish, 1.1 varnish, 1.1 varnish Date: Sun, 29 Dec 2024 13:29:03 GMT Strict-Transport-Security: max-age=63072000; includeSubDomains; preload X-Served-By: cache-iad-kiad7000139-IAD, cache-ewr-kewr1740033-EWR, cache-ewr-kewr1740033-EWR X-Cache: MISS, MISS, MISS X-Cache-Hits: 0, 0, 0
2024-12-29 13:29:04 UTC	101	IN	Data Raw: 58 2d 54 69 6d 65 72 3a 20 53 31 37 33 35 34 37 38 39 34 34 2e 39 31 32 31 33 38 2c 56 53 30 2c 56 45 37 33 0d 0a 53 65 72 76 65 72 2d 54 69 6d 69 6e 67 3a 20 63 6f 6e 74 65 6e 74 2d 65 6e 63 6f 64 69 6e 67 3b 64 65 73 63 3d 22 22 2c 78 2d 63 64 6e 3b 64 65 73 63 3d 22 66 61 73 74 6c 79 22 0d 0a 0d 0a Data Ascii: X-Timer: S1735478944.912138,VS0,VE73Server-Timing: content-encoding;desc="",x-cdn;desc="fastly"

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report installeasyassist.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\EasyAssist\Data\20120101_03_funds.csv (copy)

C:\EasyAssist\Data\20120101_03_funds.csv._tm

C:\EasyAssist\Data\20120101_03_schedules.csv (copy)

C:\EasyAssist\Data\20120101_03_schedules.csv._tm

C:\EasyAssist\Data\20120301_04_funds.csv (copy)

C:\EasyAssist\Data\20120301_04_funds.csv._tm

C:\EasyAssist\Data\20120301_04_schedules.csv (copy)

C:\EasyAssist\Data\20120301_04_schedules.csv._tm

C:\EasyAssist\Data\20120701_02_funds.csv (copy)

C:\EasyAssist\Data\20120701_02_funds.csv._tm

C:\EasyAssist\Data\20120701_02_schedules.csv (copy)

C:\EasyAssist\Data\20120701_02_schedules.csv._tm

C:\EasyAssist\Data\20121101_01_funds.csv (copy)

C:\EasyAssist\Data\20121101_01_funds.csv._tm

C:\EasyAssist\Data\20121101_01_schedules.csv (copy)

Windows Analysis Report
installeasyassist.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 13:29:06 UTC	615	OUT	GET /en_AU/i/btn/btn_buynow_SM.gif HTTP/1.1 Host: www.paypalobjects.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.easyassist.com.au/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 13:29:06 UTC	666	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cache-Control: s-maxage=31536000, public,max-age=3600 Content-Type: image/gif Date: Sun, 29 Dec 2024 13:29:06 GMT DC: ccg11-origin-www-1.paypal.com Etag: "643edd22-62d" Expires: Sun, 29 Dec 2024 14:29:06 GMT Last-Modified: Tue, 18 Apr 2023 18:10:42 GMT Paypal-Debug-Id: edc461fd26e75 Server: ECAcc (lhd/35D6) Strict-Transport-Security: max-age=63072000; includeSubDomains; preload Timing-Allow-Origin: https://www.paypal.com,https://www.sandbox.paypal.com Traceparent: 00-0000000000000000000edc461fd26e75-94a6ba7f3cb54575-01 X-Cache: HIT X-Content-Type-Options: nosniff Content-Length: 1581 Connection: close
2024-12-29 13:29:06 UTC	1581	IN	Data Raw: 47 49 46 38 39 61 56 00 15 00 f7 30 00 ff ac 2d fe e3 af fe e1 a9 fe e0 a4 fe de 9f ff ba 4d ff af 33 ff fc f5 ff ec d0 40 51 56 ff b1 3a 40 5f 78 10 3e 6a ff b4 40 40 51 58 8f 7f 58 10 3b 62 9e 9f 90 ce c2 a1 7f 8a 88 20 49 6e 20 48 6d 9f 7d 3e 50 69 79 7f 89 83 40 55 60 50 6a 7d 40 5e 76 10 3b 64 70 7f 83 50 59 54 60 5f 4e bf 8e 3b 60 73 7b fe b7 47 8e 93 86 80 70 49 ae ac 98 be b5 94 ee d8 aa bf 8b 36 40 5e 74 40 5f 77 20 42 5f 7f 8a 85 60 75 81 df 9a 2e ef a2 2a cf 0b 02 30 54 72 9e 9e 8a be b7 9d 7f 8d 8e ef b2 4f 50 5d 5e 70 67 4a ce 07 02 10 3e 6b ce be 94 af 90 55 30 4a 5b be b5 98 fe b8 4a ee db b1 9e 9f 8d 20 4a 71 cf 95 38 ce c0 9c ee d6 a5 50 6a 7b df a9 50 8e 94 89 50 6b 7f fe d5 8b ee dd b7 20 44 63 ff a9 34 80 77 59 fe b7 4b fe d7 91 fe bc Data Ascii: GIF89aV0-M3@QV:@_x>j@@QXX;b In Hm}>Piy@U`Pj}@^v;dpPYT`_N;`s{GpI6@^t@_w B_`u.*0TrOP]^pgJ>kU0J[J Jq8Pj{PPk Dc4wYK

Timestamp	Bytes transferred	Direction	Data
2024-12-29 13:29:08 UTC	629	OUT	GET /images/favicon.ico HTTP/1.1 Host: www.easyassist.com.au Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.easyassist.com.au/paymentinstructions.html Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 13:29:09 UTC	468	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Sun, 05 Jan 2025 13:29:08 GMT content-type: image/x-icon last-modified: Fri, 10 Jul 2020 06:29:50 GMT accept-ranges: bytes content-length: 894 date: Sun, 29 Dec 2024 13:29:08 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-29 13:29:09 UTC	894	IN	Data Raw: 00 00 01 00 01 00 10 10 00 00 01 00 18 00 68 03 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 18 00 00 00 00 00 00 00 00 00 48 00 00 00 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6e 6e 6e bf bf bf 70 70 70 6b 6b 6b 67 67 67 63 63 63 65 65 65 55 55 55 3f 3f 3f 28 28 28 12 12 12 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00 8d 8d 8d 6f 9b c7 3f 6f 9e 39 63 8c 33 56 7a 2c 4a 68 ad ad ad c6 c6 bb 4a 4a 41 4e 4e 4e fc fc fc f6 f6 f6 6e 6e 6e 76 76 76 5a 5a 5a 00 00 00 a3 a3 a3 7f bf ff 61 b0 ff 61 b0 ff 61 b0 ff 61 b0 fe a9 ab ac ff ff b5 ff ff 7d 69 69 38 db db db f8 f8 dc c9 c9 64 b8 b8 87 66 66 66 00 Data Ascii: h( HHnnnpppkkkgggccceeeUUU???(((o?o9c3Vz,JhJJANNNnnnvvvZZZaaaa}ii8dfff

Timestamp	Bytes transferred	Direction	Data
2024-12-29 13:29:10 UTC	363	OUT	GET /images/favicon.ico HTTP/1.1 Host: www.easyassist.com.au Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-29 13:29:11 UTC	468	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Sun, 05 Jan 2025 13:29:11 GMT content-type: image/x-icon last-modified: Fri, 10 Jul 2020 06:29:50 GMT accept-ranges: bytes content-length: 894 date: Sun, 29 Dec 2024 13:29:11 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-12-29 13:29:11 UTC	894	IN	Data Raw: 00 00 01 00 01 00 10 10 00 00 01 00 18 00 68 03 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 18 00 00 00 00 00 00 00 00 00 48 00 00 00 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6e 6e 6e bf bf bf 70 70 70 6b 6b 6b 67 67 67 63 63 63 65 65 65 55 55 55 3f 3f 3f 28 28 28 12 12 12 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00 8d 8d 8d 6f 9b c7 3f 6f 9e 39 63 8c 33 56 7a 2c 4a 68 ad ad ad c6 c6 bb 4a 4a 41 4e 4e 4e fc fc fc f6 f6 f6 6e 6e 6e 76 76 76 5a 5a 5a 00 00 00 a3 a3 a3 7f bf ff 61 b0 ff 61 b0 ff 61 b0 ff 61 b0 fe a9 ab ac ff ff b5 ff ff 7d 69 69 38 db db db f8 f8 dc c9 c9 64 b8 b8 87 66 66 66 00 Data Ascii: h( HHnnnpppkkkgggccceeeUUU???(((o?o9c3Vz,JhJJANNNnnnvvvZZZaaaa}ii8dfff

Target ID:	0
Start time:	08:27:58
Start date:	29/12/2024
Path:	C:\Users\user\Desktop\installeasyassist.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\installeasyassist.exe"
Imagebase:	0x210000
File size:	3'185'096 bytes
MD5 hash:	A9289858A27B07386E9BB49D3B671F5F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	08:28:16
Start date:	29/12/2024
Path:	C:\EasyAssist\Data\easyassistupdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\EasyAssist\Data\easyassistupdate.exe" /q
Imagebase:	0x3c0000
File size:	2'478'576 bytes
MD5 hash:	9017DF9DF3C847E35C3A4C67C4ADA376
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	08:28:26
Start date:	29/12/2024
Path:	C:\EasyAssist\GA.exe
Wow64 process (32bit):	true
Commandline:	"C:\EasyAssist\GA.exe" A S-1-1-0 C:\ProgramData\safclic.dat
Imagebase:	0x400000
File size:	8'192 bytes
MD5 hash:	A5F642A79BF4B107DD9AEDD98BF4ED8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	08:28:30
Start date:	29/12/2024
Path:	C:\EasyAssist\easyassist.exe
Wow64 process (32bit):	true
Commandline:	"C:\EasyAssist\EasyAssist.exe"
Imagebase:	0x400000
File size:	192'512 bytes
MD5 hash:	7CEFF07109C71FDEC5E1D448E91618A1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	08:28:31
Start date:	29/12/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
Imagebase:	0xfd0000
File size:	53'161'064 bytes
MD5 hash:	4A871771235598812032C822E6F68F19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	12
Start time:	08:28:44
Start date:	29/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.easyassist.com.au/order.html
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	13
Start time:	08:28:46
Start date:	29/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=2032,i,3937009319632882698,9883249847199975624,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false