Analysis Report IRS Notice Letter pdf document.exe

Overview

General Information

Sample Name: IRS Notice Letter pdf document.exe
Analysis ID: 338078
MD5: 3fc4d64f320d7fae4bb46f6a735ab853
SHA1: b77666ebd649350f21ee41e0e902c9b95e008e3c
SHA256: ec8b3d104a7fc416aab07329a5f0ecab1b7fd181ffbd2d7ac31af51e532add07

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • IRS Notice Letter pdf document.exe (PID: 6092 cmdline: 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe' MD5: 3FC4D64F320D7FAE4BB46F6A735AB853)
    • IRS Notice Letter pdf document.exe (PID: 3788 cmdline: 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe' MD5: 3FC4D64F320D7FAE4BB46F6A735AB853)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 2860 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 4972 cmdline: /c del 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.1022334778.0000000005467000.00000004.00000001.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth |
  • 0x3a74:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |

      Sigma Overview

      System Summary:

      Sigma detected: CMSTP Execution Process Creation
      Source: Process started, Author: Nik Seetharaman, Data: Command: /c del 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe', CommandLine: /c del 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 2860, ProcessCommandLine: /c del 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe', ProcessId: 4972

      Signature Overview

      AV Detection:

      Yara detected FormBook
      Source: Yara match, File source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000001.00000002.751064707.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Source: IRS Notice Letter pdf document.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: Binary string: cmstp.pdbGCTL source: IRS Notice Letter pdf document.exe, 00000001.00000003.750269972.000000000093F000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.730789316.0000000005A00000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: IRS Notice Letter pdf document.exe, 00000001.00000002.755014575.000000001E210000.00000040.00000001.sdmp, cmstp.exe, 00000003.00000002.1021841767.0000000004F30000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: IRS Notice Letter pdf document.exe, cmstp.exe
      Source: Binary string: cmstp.pdb source: IRS Notice Letter pdf document.exe, 00000001.00000003.750269972.000000000093F000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.730789316.0000000005A00000.00000002.00000001.sdmp
      Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 4x nop then pop edi, 3_2_030D62B3
      Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 4x nop then pop esi, 3_2_030D582F

      Networking:

      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49735 -> 172.67.209.95:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49735 -> 172.67.209.95:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49735 -> 172.67.209.95:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49736 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49736 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49736 -> 34.102.136.180:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 147.255.30.94:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 147.255.30.94:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 147.255.30.94:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49738 -> 153.126.209.136:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49738 -> 153.126.209.136:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49738 -> 153.126.209.136:80
      Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49739 -> 216.58.207.179:80
      Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49739 -> 216.58.207.179:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49739 -> 216.58.207.179:80
      Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=boggCF0+VtvWGkPjuCU1AaxF3fKHqCWZ16CI7xOuJOi/WrjAR/MJUlDlafE5AdeUJQBT&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.emuprising.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=5Fl0Gne6++jCyaX7Drm8Xn32HTt8H/jqBsF3NSEqn1nDC6nrfbel4dCYEQQYkDcDl2++&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.myaarpdentalpln.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=kPRwpjmi7xHhdB/QktvvK7WyLyDr49juN0w/BSnfKghxj4qCtVdYSmPoUBccxdfkW2C+&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.alessandrabortolussi.net, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=29jYSSE1VYVkBCRV1XAvE7TBMmL4MadGzLcVh0Ks/tFMQ0j4Ha2R4yorJjHtPNwOuGsI&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.kobumsnetwork.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=GzMG1eSemGLMBHrXmbkE5oZCgXo7nbeyHhmTYulGjAFIODDsopduu5ndU/Um1KPjDO6l&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.rednbot.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=fd7Pr27tD73tirRUHLPhwKiuhRBsBtIJKGnPU16/EYze1BREDS5LbMsrasNXGEl7bB1Y&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.aksaystudios.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=nAgyAFuV8j6ec0qd9dJQyz40Go8ypkE1WIwLRMRPEn1ZOiBWoUM4woT6qKfb9Xt5A1xV&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.aizimov.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=tK5SHJ/B9VkSEfSQE3soaE4uMhY2LrE6ZvvxVQcBFq9KYH6DfuOZHLVl1n1LVl7A3A7r&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.thebuzztraders.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
      Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=boggCF0+VtvWGkPjuCU1AaxF3fKHqCWZ16CI7xOuJOi/WrjAR/MJUlDlafE5AdeUJQBT&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.emuprising.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
      Source: Joe Sandbox View, IP Address: 199.59.242.153
      Source: Joe Sandbox View, IP Address: 34.102.136.180
      Source: Joe Sandbox View, ASN Name: BODIS-NJUS
      Source: Joe Sandbox View, ASN Name: SAKURA-ASAKURAInternetIncJP
      Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
      Source: global traffic, HTTP traffic detected: GET /vc/xdark_GOaIsqF182.bin HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, Host: adojetson.com, Cache-Control: no-cache
      Source: C:\Windows\explorer.exe, Code function: 2_2_04DBA302 getaddrinfo,setsockopt,recv,2_2_04DBA302
      Source: unknown, DNS traffic detected: queries for: adojetson.com
      Source: IRS Notice Letter pdf document.exe, 00000001.00000002.751120614.0000000000562000.00000040.00000001.sdmp, String found in binary or memory: http://adojetson.com/vc/xdark_GOaIsqF182.bin
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
      Source: explorer.exe, 00000002.00000002.1022320807.0000000002B50000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
      Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
      Source: cmstp.exe, 00000003.00000002.1022387283.00000000055E2000.00000004.00000001.sdmp, String found in binary or memory: https://cdn.jsdelivr.net/npm/popper.js
      Source: cmstp.exe, 00000003.00000002.1022387283.00000000055E2000.00000004.00000001.sdmp, String found in binary or memory: https://code.jquery.com/jquery-3.5.1.slim.min.js
      Source: cmstp.exe, 00000003.00000002.1022387283.00000000055E2000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.min.js
      Source: C:\Windows\explorer.exe, Code function: 2_2_04DB3EB2 OpenClipboard,2_2_04DB3EB2

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara match, File source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 00000001.00000002.751064707.00000000000A0000.00000040.00000001.sdmp, type: MEMORY

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000003.00000002.1022334778.0000000005467000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
      Source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Source: 00000003.00000002.1021594863.000000000322D000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
      Source: 00000001.00000002.751064707.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000001.00000002.751064707.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      Executable has a suspicious name (potential lure to open the executable)
      Source: IRS Notice Letter pdf document.exe, Static file information: Suspicious name
      Initial sample is a PE file and has a suspicious name
      Source: initial sample, Static PE information: Filename: IRS Notice Letter pdf document.exe
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D34AF NtWriteVirtualMemory,0_2_021D34AF
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D4BFA NtSetInformationThread,0_2_021D4BFA
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D0840 EnumWindows,NtSetInformationThread,0_2_021D0840
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D8FAC NtResumeThread,0_2_021D8FAC
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9209 NtResumeThread,0_2_021D9209
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9235 NtResumeThread,0_2_021D9235
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9229 NtResumeThread,0_2_021D9229
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9226 NtResumeThread,0_2_021D9226
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9254 NtResumeThread,0_2_021D9254
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9241 NtResumeThread,0_2_021D9241
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D926A NtResumeThread,0_2_021D926A
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9295 NtResumeThread,0_2_021D9295
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D528E NtSetInformationThread,0_2_021D528E
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9289 NtResumeThread,0_2_021D9289
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92BD NtResumeThread,0_2_021D92BD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92B4 NtResumeThread,0_2_021D92B4
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92A1 NtResumeThread,0_2_021D92A1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92DD NtResumeThread,0_2_021D92DD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92D5 NtResumeThread,0_2_021D92D5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92C9 NtResumeThread,0_2_021D92C9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92F5 NtResumeThread,0_2_021D92F5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92E9 NtResumeThread,0_2_021D92E9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D931D NtResumeThread,0_2_021D931D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D2317 NtWriteVirtualMemory,0_2_021D2317
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9311 NtResumeThread,0_2_021D9311
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9305 NtResumeThread,0_2_021D9305
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9334 NtResumeThread,0_2_021D9334
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9356 NtResumeThread,0_2_021D9356
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9345 NtResumeThread,0_2_021D9345
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D936E NtResumeThread,0_2_021D936E
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9398 NtResumeThread,0_2_021D9398
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9381 NtResumeThread,0_2_021D9381
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D93A9 NtResumeThread,0_2_021D93A9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D93DD NtResumeThread,0_2_021D93DD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D93FD NtResumeThread,0_2_021D93FD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D93F4 NtResumeThread,0_2_021D93F4
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9019 NtResumeThread,0_2_021D9019
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D5010 NtSetInformationThread,0_2_021D5010
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9010 NtResumeThread,0_2_021D9010
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9031 NtResumeThread,0_2_021D9031
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9025 NtResumeThread,0_2_021D9025
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9055 NtResumeThread,0_2_021D9055
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D2057 NtSetInformationThread,0_2_021D2057
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9049 NtResumeThread,0_2_021D9049
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9040 NtResumeThread,0_2_021D9040
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9075 NtResumeThread,0_2_021D9075
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9069 NtResumeThread,0_2_021D9069
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9061 NtResumeThread,0_2_021D9061
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D909D NtResumeThread,0_2_021D909D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9091 NtResumeThread,0_2_021D9091
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9081 NtResumeThread,0_2_021D9081
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90BD NtResumeThread,0_2_021D90BD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90BA NtResumeThread,0_2_021D90BA
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90A9 NtResumeThread,0_2_021D90A9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90D5 NtResumeThread,0_2_021D90D5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90C9 NtResumeThread,0_2_021D90C9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90FD NtResumeThread,0_2_021D90FD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90F1 NtResumeThread,0_2_021D90F1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90E5 NtResumeThread,0_2_021D90E5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D8119 NtSetInformationThread,0_2_021D8119
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9115 NtResumeThread,0_2_021D9115
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D5111 NtSetInformationThread,0_2_021D5111
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D912D NtResumeThread,0_2_021D912D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9121 NtResumeThread,0_2_021D9121
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9159 NtResumeThread,0_2_021D9159
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D914D NtResumeThread,0_2_021D914D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9141 NtResumeThread,0_2_021D9141
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9175 NtResumeThread,0_2_021D9175
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9172 NtResumeThread,0_2_021D9172
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D919C NtResumeThread,0_2_021D919C
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D918D NtResumeThread,0_2_021D918D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9181 NtResumeThread,0_2_021D9181
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D91AD NtResumeThread,0_2_021D91AD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D3605 NtWriteVirtualMemory,0_2_021D3605
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9604 NtResumeThread,0_2_021D9604
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D365E NtWriteVirtualMemory,0_2_021D365E
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D3648 NtWriteVirtualMemory,0_2_021D3648
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D36A6 NtWriteVirtualMemory,0_2_021D36A6
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D3705 NtWriteVirtualMemory,0_2_021D3705
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D3722 NtWriteVirtualMemory,0_2_021D3722
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D3759 NtWriteVirtualMemory,0_2_021D3759
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D374D NtWriteVirtualMemory,0_2_021D374D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3765 NtWriteVirtualMemory,0_2_021D3765
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3795 NtWriteVirtualMemory,0_2_021D3795
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D37BE NtWriteVirtualMemory,0_2_021D37BE
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D37D2 NtWriteVirtualMemory,0_2_021D37D2
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D37E5 NtWriteVirtualMemory,0_2_021D37E5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9415 NtResumeThread,0_2_021D9415
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9409 NtResumeThread,0_2_021D9409
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9435 NtResumeThread,0_2_021D9435
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9429 NtResumeThread,0_2_021D9429
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D1451 NtWriteVirtualMemory,0_2_021D1451
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9441 NtResumeThread,0_2_021D9441
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9491 NtResumeThread,0_2_021D9491
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94BD NtResumeThread,0_2_021D94BD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D34B4 NtWriteVirtualMemory,0_2_021D34B4
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94B1 NtResumeThread,0_2_021D94B1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94A5 NtResumeThread,0_2_021D94A5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94D9 NtResumeThread,0_2_021D94D9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D34D1 NtWriteVirtualMemory,0_2_021D34D1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94CD NtResumeThread,0_2_021D94CD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D34FD NtWriteVirtualMemory,0_2_021D34FD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94F9 NtResumeThread,0_2_021D94F9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D34FA NtWriteVirtualMemory,0_2_021D34FA
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94F6 NtResumeThread,0_2_021D94F6
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94E5 NtResumeThread,0_2_021D94E5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3515 NtWriteVirtualMemory,0_2_021D3515
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9511 NtResumeThread,0_2_021D9511
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3509 NtWriteVirtualMemory,0_2_021D3509
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9505 NtResumeThread,0_2_021D9505
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D953E NtResumeThread,0_2_021D953E
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D952D NtResumeThread,0_2_021D952D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D955E NtResumeThread,0_2_021D955E
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3559 NtWriteVirtualMemory,0_2_021D3559
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D354D NtWriteVirtualMemory,0_2_021D354D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D354A NtWriteVirtualMemory,0_2_021D354A
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9579 NtResumeThread,0_2_021D9579
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D956D NtResumeThread,0_2_021D956D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3565 NtWriteVirtualMemory,0_2_021D3565
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9561 NtResumeThread,0_2_021D9561
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9598 NtResumeThread,0_2_021D9598
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D35BD NtWriteVirtualMemory,0_2_021D35BD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D95B5 NtResumeThread,0_2_021D95B5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D35AC NtWriteVirtualMemory,0_2_021D35AC
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D95A9 NtResumeThread,0_2_021D95A9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D95D5 NtResumeThread,0_2_021D95D5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D35C9 NtWriteVirtualMemory,0_2_021D35C9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D95C9 NtResumeThread,0_2_021D95C9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D95C6 NtResumeThread,0_2_021D95C6
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D35F9 NtWriteVirtualMemory,0_2_021D35F9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D35ED NtWriteVirtualMemory,0_2_021D35ED
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D95E1 NtResumeThread,0_2_021D95E1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D8A1C NtProtectVirtualMemory,0_2_021D8A1C
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D0A15 NtSetInformationThread,0_2_021D0A15
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D0A09 NtSetInformationThread,0_2_021D0A09
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3A36 NtWriteVirtualMemory,0_2_021D3A36
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3A25 NtWriteVirtualMemory,0_2_021D3A25
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D8A25 NtProtectVirtualMemory,0_2_021D8A25
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3A95 NtWriteVirtualMemory,0_2_021D3A95
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3AAD NtWriteVirtualMemory,0_2_021D3AAD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3AA1 NtWriteVirtualMemory,0_2_021D3AA1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3AD4 NtWriteVirtualMemory,0_2_021D3AD4
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3AF1 NtWriteVirtualMemory,0_2_021D3AF1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3AE5 NtWriteVirtualMemory,0_2_021D3AE5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3B1D NtWriteVirtualMemory,0_2_021D3B1D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3B14 NtWriteVirtualMemory,0_2_021D3B14
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D7B3A NtSetInformationThread,0_2_021D7B3A
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3B35 NtWriteVirtualMemory,0_2_021D3B35
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3B29 NtWriteVirtualMemory,0_2_021D3B29
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3819 NtWriteVirtualMemory,0_2_021D3819
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D382A NtWriteVirtualMemory,0_2_021D382A
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3879 NtWriteVirtualMemory,0_2_021D3879
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3868 NtWriteVirtualMemory,0_2_021D3868
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3885 NtWriteVirtualMemory,0_2_021D3885
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D38BC NtWriteVirtualMemory,0_2_021D38BC
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D38D9 NtWriteVirtualMemory,0_2_021D38D9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D38CD NtWriteVirtualMemory,0_2_021D38CD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D08F5 NtSetInformationThread,0_2_021D08F5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D393D NtWriteVirtualMemory,0_2_021D393D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D093E NtSetInformationThread,0_2_021D093E
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3931 NtWriteVirtualMemory,0_2_021D3931
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D092D NtSetInformationThread,0_2_021D092D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D392E NtWriteVirtualMemory,0_2_021D392E
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3949 NtWriteVirtualMemory,0_2_021D3949
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D397C NtWriteVirtualMemory,0_2_021D397C
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D0975 NtSetInformationThread,0_2_021D0975
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3999 NtWriteVirtualMemory,0_2_021D3999
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D098D NtSetInformationThread,0_2_021D098D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D398D NtWriteVirtualMemory,0_2_021D398D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D0981 NtSetInformationThread,0_2_021D0981
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D8982 NtProtectVirtualMemory,0_2_021D8982
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D39D9 NtWriteVirtualMemory,0_2_021D39D9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D09D9 NtSetInformationThread,0_2_021D09D9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D39CD NtWriteVirtualMemory,0_2_021D39CD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D89FC NtProtectVirtualMemory,0_2_021D89FC
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D39E5 NtWriteVirtualMemory,0_2_021D39E5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D1E10 NtWriteVirtualMemory,0_2_021D1E10
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D1E57 NtWriteVirtualMemory,0_2_021D1E57
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D8FCD NtResumeThread,0_2_021D8FCD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D8FF9 NtResumeThread,0_2_021D8FF9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D8FED NtResumeThread,0_2_021D8FED
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D8FE1 NtResumeThread,0_2_021D8FE1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_1E279660
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2796E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_1E2796E0
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279710 NtQueryInformationToken,LdrInitializeThunk,1_2_1E279710
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2797A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_1E2797A0
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279780 NtMapViewOfSection,LdrInitializeThunk,1_2_1E279780
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279FE0 NtCreateMutant,LdrInitializeThunk,1_2_1E279FE0
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279540 NtReadFile,LdrInitializeThunk,1_2_1E279540
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2795D0 NtClose,LdrInitializeThunk,1_2_1E2795D0
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279A20 NtResumeThread,LdrInitializeThunk,1_2_1E279A20
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_1E279A00
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279A50 NtCreateFile,LdrInitializeThunk,1_2_1E279A50
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279860 NtQuerySystemInformation,LdrInitializeThunk,1_2_1E279860
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279840 NtDelayExecution,LdrInitializeThunk,1_2_1E279840
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2798F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_1E2798F0
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_1E279910
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2799A0 NtCreateSection,LdrInitializeThunk,1_2_1E2799A0
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279610 NtEnumerateValueKey,1_2_1E279610
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279670 NtQueryInformationProcess,1_2_1E279670
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279650 NtQueryValueKey,1_2_1E279650
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2796D0 NtCreateKey,1_2_1E2796D0
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279730 NtQueryVirtualMemory,1_2_1E279730
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E27A710 NtOpenProcessToken,1_2_1E27A710
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279760 NtOpenProcess,1_2_1E279760
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E27A770 NtOpenThread,1_2_1E27A770
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279770 NtSetInformationFile,1_2_1E279770
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279520 NtWaitForSingleObject,1_2_1E279520
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E27AD30 NtSetContextThread,1_2_1E27AD30
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279560 NtWriteFile,1_2_1E279560
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2795F0 NtQueryInformationFile,1_2_1E2795F0
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279A10 NtQuerySection,1_2_1E279A10
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279A80 NtOpenDirectoryObject,1_2_1E279A80
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279B00 NtSetValueKey,1_2_1E279B00
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E27A3B0 NtGetContextThread,1_2_1E27A3B0
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279820 NtEnumerateKey,1_2_1E279820
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E27B040 NtSuspendThread,1_2_1E27B040
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2798A0 NtWriteVirtualMemory,1_2_1E2798A0
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E279950 NtQueueApcThread,1_2_1E279950
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2799D0 NtCreateProcessEx,1_2_1E2799D0
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568FAC NtQueryInformationProcess,1_2_00568FAC
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569055 NtQueryInformationProcess,1_2_00569055
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569040 NtQueryInformationProcess,1_2_00569040
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569049 NtQueryInformationProcess,1_2_00569049
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569075 NtQueryInformationProcess,1_2_00569075
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569061 NtQueryInformationProcess,1_2_00569061
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569069 NtQueryInformationProcess,1_2_00569069
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569010 NtQueryInformationProcess,1_2_00569010
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569019 NtQueryInformationProcess,1_2_00569019
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569031 NtQueryInformationProcess,1_2_00569031
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569025 NtQueryInformationProcess,1_2_00569025
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005690D5 NtQueryInformationProcess,1_2_005690D5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005690C9 NtQueryInformationProcess,1_2_005690C9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005690F1 NtQueryInformationProcess,1_2_005690F1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005690FD NtQueryInformationProcess,1_2_005690FD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005690E5 NtQueryInformationProcess,1_2_005690E5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569091 NtQueryInformationProcess,1_2_00569091
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_0056909D NtQueryInformationProcess,1_2_0056909D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569081 NtQueryInformationProcess,1_2_00569081
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005690BD NtQueryInformationProcess,1_2_005690BD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005690BA NtQueryInformationProcess,1_2_005690BA
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005690A9 NtQueryInformationProcess,1_2_005690A9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569159 NtQueryInformationProcess,1_2_00569159
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569141 NtQueryInformationProcess,1_2_00569141
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_0056914D NtQueryInformationProcess,1_2_0056914D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569175 NtQueryInformationProcess,1_2_00569175
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569172 NtQueryInformationProcess,1_2_00569172
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569115 NtQueryInformationProcess,1_2_00569115
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569121 NtQueryInformationProcess,1_2_00569121
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_0056912D NtQueryInformationProcess,1_2_0056912D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005689FC NtProtectVirtualMemory,1_2_005689FC
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_0056919C NtQueryInformationProcess,1_2_0056919C
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568982 NtProtectVirtualMemory,1_2_00568982
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569181 NtQueryInformationProcess,1_2_00569181
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_0056918D NtQueryInformationProcess,1_2_0056918D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005691AD NtQueryInformationProcess,1_2_005691AD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569254 NtQueryInformationProcess,1_2_00569254
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569241 NtQueryInformationProcess,1_2_00569241
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_0056926A NtQueryInformationProcess,1_2_0056926A
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568A1C NtProtectVirtualMemory,1_2_00568A1C
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569209 NtQueryInformationProcess,1_2_00569209
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569235 NtQueryInformationProcess,1_2_00569235
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569226 NtQueryInformationProcess,1_2_00569226
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568A25 NtProtectVirtualMemory,1_2_00568A25
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569229 NtQueryInformationProcess,1_2_00569229
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005692D5 NtQueryInformationProcess,1_2_005692D5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005692DD NtQueryInformationProcess,1_2_005692DD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005692C9 NtQueryInformationProcess,1_2_005692C9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005692F5 NtQueryInformationProcess,1_2_005692F5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005692E9 NtQueryInformationProcess,1_2_005692E9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569295 NtQueryInformationProcess,1_2_00569295
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569289 NtQueryInformationProcess,1_2_00569289
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005692B4 NtQueryInformationProcess,1_2_005692B4
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005692BD NtQueryInformationProcess,1_2_005692BD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005692A1 NtQueryInformationProcess,1_2_005692A1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569356 NtQueryInformationProcess,1_2_00569356
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569345 NtQueryInformationProcess,1_2_00569345
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_0056936E NtQueryInformationProcess,1_2_0056936E
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569311 NtQueryInformationProcess,1_2_00569311
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_0056931D NtQueryInformationProcess,1_2_0056931D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569305 NtQueryInformationProcess,1_2_00569305
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569334 NtQueryInformationProcess,1_2_00569334
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005693DD NtQueryInformationProcess,1_2_005693DD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005693F4 NtQueryInformationProcess,1_2_005693F4
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005693FD NtQueryInformationProcess,1_2_005693FD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569398 NtQueryInformationProcess,1_2_00569398
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569381 NtQueryInformationProcess,1_2_00569381
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005693A9 NtQueryInformationProcess,1_2_005693A9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569441 NtQueryInformationProcess,1_2_00569441
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569415 NtQueryInformationProcess,1_2_00569415
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569409 NtQueryInformationProcess,1_2_00569409
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569435 NtQueryInformationProcess,1_2_00569435
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569429 NtQueryInformationProcess,1_2_00569429
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005694D9 NtQueryInformationProcess,1_2_005694D9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005694CD NtQueryInformationProcess,1_2_005694CD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005694F6 NtQueryInformationProcess,1_2_005694F6
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005694F9 NtQueryInformationProcess,1_2_005694F9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005694E5 NtQueryInformationProcess,1_2_005694E5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569491 NtQueryInformationProcess,1_2_00569491
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005694B1 NtQueryInformationProcess,1_2_005694B1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005694BD NtQueryInformationProcess,1_2_005694BD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005694A5 NtQueryInformationProcess,1_2_005694A5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_0056955E NtQueryInformationProcess,1_2_0056955E
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569579 NtQueryInformationProcess,1_2_00569579
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569561 NtQueryInformationProcess,1_2_00569561
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_0056956D NtQueryInformationProcess,1_2_0056956D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569511 NtQueryInformationProcess,1_2_00569511
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569505 NtQueryInformationProcess,1_2_00569505
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_0056953E NtQueryInformationProcess,1_2_0056953E
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_0056952D NtQueryInformationProcess,1_2_0056952D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005695D5 NtQueryInformationProcess,1_2_005695D5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005695C6 NtQueryInformationProcess,1_2_005695C6
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005695C9 NtQueryInformationProcess,1_2_005695C9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005695E1 NtQueryInformationProcess,1_2_005695E1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569598 NtQueryInformationProcess,1_2_00569598
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005695B5 NtQueryInformationProcess,1_2_005695B5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005695A9 NtQueryInformationProcess,1_2_005695A9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00569604 NtQueryInformationProcess,1_2_00569604
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568FCD NtQueryInformationProcess,1_2_00568FCD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568FF9 NtQueryInformationProcess,1_2_00568FF9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568FE1 NtQueryInformationProcess,1_2_00568FE1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568FED NtQueryInformationProcess,1_2_00568FED
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F995D0 NtClose,LdrInitializeThunk,3_2_04F995D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99540 NtReadFile,LdrInitializeThunk,3_2_04F99540
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F996E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_04F996E0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F996D0 NtCreateKey,LdrInitializeThunk,3_2_04F996D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_04F99660
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99650 NtQueryValueKey,LdrInitializeThunk,3_2_04F99650
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99FE0 NtCreateMutant,LdrInitializeThunk,3_2_04F99FE0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99780 NtMapViewOfSection,LdrInitializeThunk,3_2_04F99780
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99710 NtQueryInformationToken,LdrInitializeThunk,3_2_04F99710
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99860 NtQuerySystemInformation,LdrInitializeThunk,3_2_04F99860
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99840 NtDelayExecution,LdrInitializeThunk,3_2_04F99840
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F999A0 NtCreateSection,LdrInitializeThunk,3_2_04F999A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_04F99910
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99A50 NtCreateFile,LdrInitializeThunk,3_2_04F99A50
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F995F0 NtQueryInformationFile,3_2_04F995F0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99560 NtWriteFile,3_2_04F99560
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F9AD30 NtSetContextThread,3_2_04F9AD30
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99520 NtWaitForSingleObject,3_2_04F99520
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99670 NtQueryInformationProcess,3_2_04F99670
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99610 NtEnumerateValueKey,3_2_04F99610
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F997A0 NtUnmapViewOfSection,3_2_04F997A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F9A770 NtOpenThread,3_2_04F9A770
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99770 NtSetInformationFile,3_2_04F99770
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99760 NtOpenProcess,3_2_04F99760
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99730 NtQueryVirtualMemory,3_2_04F99730
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F9A710 NtOpenProcessToken,3_2_04F9A710
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F998F0 NtReadVirtualMemory,3_2_04F998F0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F998A0 NtWriteVirtualMemory,3_2_04F998A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F9B040 NtSuspendThread,3_2_04F9B040
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99820 NtEnumerateKey,3_2_04F99820
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F999D0 NtCreateProcessEx,3_2_04F999D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99950 NtQueueApcThread,3_2_04F99950
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99A80 NtOpenDirectoryObject,3_2_04F99A80
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99A20 NtResumeThread,3_2_04F99A20
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99A10 NtQuerySection,3_2_04F99A10
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99A00 NtProtectVirtualMemory,3_2_04F99A00
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F9A3B0 NtGetContextThread,3_2_04F9A3B0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99B00 NtSetValueKey,3_2_04F99B00
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030D8390 NtAllocateVirtualMemory,3_2_030D8390
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030D8260 NtReadFile,3_2_030D8260
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030D82E0 NtClose,3_2_030D82E0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030D81B0 NtCreateFile,3_2_030D81B0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030D825B NtReadFile,3_2_030D825B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030D82DB NtClose,3_2_030D82DB
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030D81AA NtCreateFile,3_2_030D81AA
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: String function: 1E23B150 appears 136 times
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: String function: 04F5B150 appears 72 times
      Source: IRS Notice Letter pdf document.exe, 00000000.00000002.693272578.000000000041A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameklogelig.exe vs IRS Notice Letter pdf document.exe
      Source: IRS Notice Letter pdf document.exe, 00000000.00000002.693439941.00000000021A0000.00000002.0