Analysis Report IRS_Covid-19_Relief_Payment_Notice_pdf.exe

Overview

General Information

Sample Name: IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Analysis ID: 341752
MD5: 5525bb8a978d3ac15812c8d8ca9b8a57
SHA1: dcb9549ff9c290e056f83639ad546b03206a0806
SHA256: 21f49ea6e105c22882a9fb0065803deee18eddb76767a30ddade2e2725eb65d9
Tags: COVID19, exe, GuLoader, IRS

Detection

GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Compliance:

Uses 32bit PE files
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 162.0.209.179:443 -> 192.168.2.3:49725 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: wntdll.pdbUGP source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.612139646.000000001E59F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: chengsolution.com
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe String found in binary or memory: https://chengsolution.com/vr/tembin_AbNFdk131.bin
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown HTTPS traffic detected: 162.0.209.179:443 -> 192.168.2.3:49725 version: TLS 1.2
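The networking lines above carry the indicators an analyst would pull into a blocklist or a hunt: the staging domain, the payload URL, the C2 endpoint and the JA3 hash. The following script is an added example (not part of the Joe Sandbox report or its tooling) that parses lines in the report's own "Source: ..." format into structured IOCs, drops the sandbox guest address (RFC 1918 endpoints are not indicators), cross-checks that the DNS query matches the download URL's host, and defangs the network indicators for sharing. The sample lines are constructed by copying from this report; the regexes are the example's own assumptions about the report layout.

```python
import re

# Constructed sample: hash and networking lines copied from the report above.
REPORT_LINES = [
    "MD5: 5525bb8a978d3ac15812c8d8ca9b8a57",
    "SHA256: 21f49ea6e105c22882a9fb0065803deee18eddb76767a30ddade2e2725eb65d9",
    "Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19",
    "Source: unknown DNS traffic detected: queries for: chengsolution.com",
    "Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe String found in binary or memory: "
    "https://chengsolution.com/vr/tembin_AbNFdk131.bin",
    "Source: unknown HTTPS traffic detected: 162.0.209.179:443 -> 192.168.2.3:49725 version: TLS 1.2",
]

# Assumed line shapes (taken from this report; other report versions may differ).
PATTERNS = {
    "md5": re.compile(r"\bMD5:\s*([0-9a-f]{32})\b", re.I),
    "sha256": re.compile(r"\bSHA256:\s*([0-9a-f]{64})\b", re.I),
    "ja3": re.compile(r"JA3 fingerprint:\s*([0-9a-f]{32})\b", re.I),
    "domain": re.compile(r"queries for:\s*([a-z0-9.-]+\.[a-z]{2,})", re.I),
    "url": re.compile(r"\b(https?://[^\s]+)", re.I),
    "conn": re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"),
}
# RFC 1918 ranges: the sandbox guest (192.168.2.3 here) must never end up on a blocklist.
PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def extract_iocs(lines):
    """Collect hashes, JA3, domains, URLs and public ip:port endpoints from report lines."""
    iocs = {"md5": set(), "sha256": set(), "ja3": set(), "domain": set(), "url": set(), "ip_port": set()}
    for line in lines:
        for key in ("md5", "sha256", "ja3", "domain", "url"):
            for m in PATTERNS[key].findall(line):
                iocs[key].add(m if key == "url" else m.lower())
        for src_ip, src_port, dst_ip, dst_port in PATTERNS["conn"].findall(line):
            for ip, port in ((src_ip, src_port), (dst_ip, dst_port)):
                if not PRIVATE.match(ip):
                    iocs["ip_port"].add(f"{ip}:{port}")
    # Host part of each URL is an indicator in its own right; this also makes the DNS
    # query and the download URL collapse onto one domain entry when they agree.
    for url in iocs["url"]:
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        iocs["domain"].add(host)
    return {k: sorted(v) for k, v in iocs.items()}


def defang(value):
    """Make a network indicator non-clickable: http -> hxxp, . -> [.]"""
    return value.replace("http", "hxxp").replace(".", "[.]")


def defanged_lines(iocs):
    """One 'type<TAB>value' line per IOC; network indicators defanged, hashes left intact."""
    out = []
    for kind in ("sha256", "md5", "ja3", "domain", "url", "ip_port"):
        for value in iocs[kind]:
            out.append(f"{kind}\t{defang(value) if kind in ('domain', 'url', 'ip_port') else value}")
    return out


if __name__ == "__main__":
    for line in defanged_lines(extract_iocs(REPORT_LINES)):
        print(line)
```

Treat the JA3 hash with care: it fingerprints the TLS client stack (here the same stack other malware families use), not this sample specifically, so it is a pivot for hunting rather than a block rule on its own.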

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E8B05 NtProtectVirtualMemory, 0_2_020E8B05
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E907C LoadLibraryA,NtUnmapViewOfSection, 0_2_020E907C
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E08BF EnumWindows,NtSetInformationThread, 0_2_020E08BF
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E4EE3 NtWriteVirtualMemory,LoadLibraryA, 0_2_020E4EE3
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E0A0D NtSetInformationThread, 0_2_020E0A0D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E9202 NtUnmapViewOfSection, 0_2_020E9202
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E9215 NtUnmapViewOfSection, 0_2_020E9215
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3A2E NtWriteVirtualMemory, 0_2_020E3A2E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E923E NtUnmapViewOfSection, 0_2_020E923E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E0A4D NtSetInformationThread, 0_2_020E0A4D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E9271 NtUnmapViewOfSection, 0_2_020E9271
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3A88 NtWriteVirtualMemory, 0_2_020E3A88
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E2294 NtSetInformationThread,NtWriteVirtualMemory, 0_2_020E2294
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E92AA NtUnmapViewOfSection, 0_2_020E92AA
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3AF6 NtWriteVirtualMemory, 0_2_020E3AF6
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E932C NtUnmapViewOfSection, 0_2_020E932C
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E7B5F NtSetInformationThread, 0_2_020E7B5F
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E9369 NtUnmapViewOfSection, 0_2_020E9369
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3B61 NtWriteVirtualMemory, 0_2_020E3B61
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E9396 NtUnmapViewOfSection, 0_2_020E9396
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3BB6 NtWriteVirtualMemory, 0_2_020E3BB6
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E93D4 NtUnmapViewOfSection, 0_2_020E93D4
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E53E5 NtWriteVirtualMemory, 0_2_020E53E5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3819 NtWriteVirtualMemory, 0_2_020E3819
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3868 NtWriteVirtualMemory, 0_2_020E3868
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E9082 NtWriteVirtualMemory,NtUnmapViewOfSection, 0_2_020E9082
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E90D4 NtUnmapViewOfSection, 0_2_020E90D4
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E38E0 NtWriteVirtualMemory, 0_2_020E38E0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E9128 NtUnmapViewOfSection, 0_2_020E9128
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3929 NtWriteVirtualMemory, 0_2_020E3929
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E094D NtSetInformationThread, 0_2_020E094D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E0943 NtSetInformationThread, 0_2_020E0943
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3980 NtWriteVirtualMemory, 0_2_020E3980
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E09BE NtSetInformationThread, 0_2_020E09BE
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E91D6 NtUnmapViewOfSection, 0_2_020E91D6
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E39D1 NtWriteVirtualMemory, 0_2_020E39D1
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E9608 NtUnmapViewOfSection, 0_2_020E9608
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3E07 NtWriteVirtualMemory, 0_2_020E3E07
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E963E NtUnmapViewOfSection, 0_2_020E963E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3E34 NtWriteVirtualMemory, 0_2_020E3E34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3E4E NtWriteVirtualMemory, 0_2_020E3E4E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E96A5 NtUnmapViewOfSection, 0_2_020E96A5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E96D4 NtUnmapViewOfSection, 0_2_020E96D4
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E36ED NtWriteVirtualMemory, 0_2_020E36ED
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E9711 NtUnmapViewOfSection, 0_2_020E9711
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3745 NtWriteVirtualMemory, 0_2_020E3745
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E37BD NtWriteVirtualMemory, 0_2_020E37BD
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E945D NtUnmapViewOfSection, 0_2_020E945D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3C56 NtWriteVirtualMemory, 0_2_020E3C56
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3CE4 NtWriteVirtualMemory, 0_2_020E3CE4
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E94FA NtUnmapViewOfSection, 0_2_020E94FA
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E9531 NtUnmapViewOfSection, 0_2_020E9531
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E9571 NtUnmapViewOfSection, 0_2_020E9571
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3D8E NtWriteVirtualMemory, 0_2_020E3D8E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3DD9 NtWriteVirtualMemory, 0_2_020E3DD9
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E95E5 NtUnmapViewOfSection, 0_2_020E95E5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_1E4E9660
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_1E4E96E0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9860 NtQuerySystemInformation,LdrInitializeThunk, 4_2_1E4E9860
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9650 NtQueryValueKey, 4_2_1E4E9650
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9A50 NtCreateFile, 4_2_1E4E9A50
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9670 NtQueryInformationProcess, 4_2_1E4E9670
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9A00 NtProtectVirtualMemory, 4_2_1E4E9A00
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9610 NtEnumerateValueKey, 4_2_1E4E9610
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9A10 NtQuerySection, 4_2_1E4E9A10
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9A20 NtResumeThread, 4_2_1E4E9A20
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E96D0 NtCreateKey, 4_2_1E4E96D0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9A80 NtOpenDirectoryObject, 4_2_1E4E9A80
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9760 NtOpenProcess, 4_2_1E4E9760
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9770 NtSetInformationFile, 4_2_1E4E9770
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4EA770 NtOpenThread, 4_2_1E4EA770
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9B00 NtSetValueKey, 4_2_1E4E9B00
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4EA710 NtOpenProcessToken, 4_2_1E4EA710
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9710 NtQueryInformationToken, 4_2_1E4E9710
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9730 NtQueryVirtualMemory, 4_2_1E4E9730
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9FE0 NtCreateMutant, 4_2_1E4E9FE0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9780 NtMapViewOfSection, 4_2_1E4E9780
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E97A0 NtUnmapViewOfSection, 4_2_1E4E97A0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4EA3B0 NtGetContextThread, 4_2_1E4EA3B0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9840 NtDelayExecution, 4_2_1E4E9840
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4EB040 NtSuspendThread, 4_2_1E4EB040
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9820 NtEnumerateKey, 4_2_1E4E9820
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E98F0 NtReadVirtualMemory, 4_2_1E4E98F0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E98A0 NtWriteVirtualMemory, 4_2_1E4E98A0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9540 NtReadFile, 4_2_1E4E9540
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9950 NtQueueApcThread, 4_2_1E4E9950
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9560 NtWriteFile, 4_2_1E4E9560
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9910 NtAdjustPrivilegesToken, 4_2_1E4E9910
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E9520 NtWaitForSingleObject, 4_2_1E4E9520
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4EAD30 NtSetContextThread, 4_2_1E4EAD30
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E99D0 NtCreateProcessEx, 4_2_1E4E99D0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E95D0 NtClose, 4_2_1E4E95D0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E95F0 NtQueryInformationFile, 4_2_1E4E95F0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E99A0 NtCreateSection, 4_2_1E4E99A0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_0056907C LoadLibraryA,NtSetInformationThread, 4_2_0056907C
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_00568B05 NtProtectVirtualMemory, 4_2_00568B05
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_0056945D NtSetInformationThread, 4_2_0056945D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_005690D4 NtSetInformationThread, 4_2_005690D4
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_005694FA NtSetInformationThread, 4_2_005694FA
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_00569082 NtSetInformationThread, 4_2_00569082
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_00569571 NtSetInformationThread, 4_2_00569571
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_00569531 NtSetInformationThread, 4_2_00569531
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_00569128 NtSetInformationThread, 4_2_00569128
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_005691D6 NtSetInformationThread, 4_2_005691D6
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_005695E5 NtSetInformationThread, 4_2_005695E5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_00569271 NtSetInformationThread, 4_2_00569271
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_00569215 NtSetInformationThread, 4_2_00569215
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_00569202 NtSetInformationThread, 4_2_00569202
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_00569608 NtSetInformationThread, 4_2_00569608
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_0056923E NtSetInformationThread, 4_2_0056923E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_0056963E NtSetInformationThread, 4_2_0056963E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_005696D4 NtSetInformationThread, 4_2_005696D4
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_005696A5 NtSetInformationThread, 4_2_005696A5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_005692AA NtSetInformationThread, 4_2_005692AA
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_00569369 NtSetInformationThread, 4_2_00569369
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_00569711 NtSetInformationThread, 4_2_00569711
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_0056932C NtSetInformationThread, 4_2_0056932C
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_005693D4 NtSetInformationThread, 4_2_005693D4
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_00569396 NtSetInformationThread, 4_2_00569396
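The native-call inventory above reads like a process-hollowing kit: NtCreateProcessEx, NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtSetContextThread/NtQueueApcThread and NtResumeThread are all present, which is why the report also flags "Creates a process in suspended mode". The script below is an added example (not part of the Joe Sandbox report) that parses "Code function:" lines of the form used above and checks which steps of the hollowing chain have a matching call. The sample lines are constructed from this report; the step table is the example's own assumption about what a complete chain looks like. One caveat a practitioner should keep in mind: in the 4_2_1E4E9xxx range the report is listing the ntdll syscall stubs mapped into the injected region (note the wntdll.pdb strings), so presence of a stub proves capability, not invocation; the behavioural evidence is the child-process line in the System Summary section.

```python
import re

SRC = "Source: C:\\Users\\user\\Desktop\\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: "

# Constructed sample: a handful of "Code function" lines from the report above.
CODE_FUNCTION_LINES = [
    SRC + "0_2_020E907C LoadLibraryA,NtUnmapViewOfSection, 0_2_020E907C",
    SRC + "4_2_1E4E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_1E4E9660",
    SRC + "4_2_1E4E98A0 NtWriteVirtualMemory, 4_2_1E4E98A0",
    SRC + "4_2_1E4EAD30 NtSetContextThread, 4_2_1E4EAD30",
    SRC + "4_2_1E4E9A20 NtResumeThread, 4_2_1E4E9A20",
    SRC + "4_2_1E4E99D0 NtCreateProcessEx, 4_2_1E4E99D0",
    SRC + "4_2_1E4E9950 NtQueueApcThread, 4_2_1E4E9950",
    SRC + "0_2_0040187B 0_2_0040187B",  # crypto-function line: no call names, must be skipped
]

# "<pid index>_<run>_<address> <Name>[,<Name>...], <id>" (assumed layout, from this report)
CODE_FUNC = re.compile(r"Code function:\s+(\d+)_\d+_([0-9A-Fa-f]+)\s+([A-Za-z0-9_,]+),")

# Assumed hollowing chain; each step is satisfied by any one of the listed calls.
HOLLOWING_STEPS = [
    ("create suspended process", {"NtCreateProcessEx", "NtCreateUserProcess", "CreateProcessA", "CreateProcessW"}),
    ("unmap original image", {"NtUnmapViewOfSection"}),
    ("allocate in target", {"NtAllocateVirtualMemory", "VirtualAllocEx"}),
    ("write payload", {"NtWriteVirtualMemory", "WriteProcessMemory"}),
    ("redirect entry point", {"NtSetContextThread", "SetThreadContext", "NtQueueApcThread"}),
    ("resume", {"NtResumeThread", "ResumeThread"}),
]


def parse_code_functions(lines):
    """Return {pid_index: {call_name: {addresses}}} for every decodable 'Code function' line."""
    calls = {}
    for line in lines:
        m = CODE_FUNC.search(line)
        if not m:
            continue
        pid_index, addr, names = m.groups()
        for name in names.split(","):
            if name:
                calls.setdefault(pid_index, {}).setdefault(name, set()).add(addr.upper())
    return calls


def hollowing_assessment(calls):
    """Map each hollowing step to the calls seen (any process index) and list missing steps."""
    seen = {name for per_pid in calls.values() for name in per_pid}
    matched = {step: sorted(seen & names) for step, names in HOLLOWING_STEPS}
    missing = [step for step, hits in matched.items() if not hits]
    return {"complete": not missing, "matched": matched, "missing": missing}


if __name__ == "__main__":
    result = hollowing_assessment(parse_code_functions(CODE_FUNCTION_LINES))
    for step, hits in result["matched"].items():
        print(f"{step:26s} {', '.join(hits) or '-'}")
    print("complete chain:", result["complete"])
```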
Detected potential crypto function
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_0040187B 0_2_0040187B
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_0040422B 0_2_0040422B
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4C6E30 4_2_1E4C6E30
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4DEBB0 4_2_1E4DEBB0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E561002 4_2_1E561002
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B841F 4_2_1E4B841F
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4BB090 4_2_1E4BB090
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E571D55 4_2_1E571D55
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4AF900 4_2_1E4AF900
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A0D20 4_2_1E4A0D20
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4C4120 4_2_1E4C4120
Sample file is different than original file name gathered from version info
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000000.00000002.268828421.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameauricular.exe vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000000.00000002.269061784.00000000020B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.611516666.000000001DFF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000000.267938949.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameauricular.exe vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.612139646.000000001E59F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.611449120.000000001DEA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Binary or memory string: OriginalFilenameauricular.exe vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Uses 32bit PE files
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal96.troj.spyw.evad.winEXE@3/0@1/1
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\~DF4F27D81AB326C3CA.TMP
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe 'C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe'
Source: unknown Process created: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe 'C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe'
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process created: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe 'C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe'
Source: Binary string: wntdll.pdbUGP source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.612139646.000000001E59F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 5348, type: MEMORY
Source: Yara match File source: Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 6124, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 5348, type: MEMORY
Source: Yara match File source: Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 6124, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E5B5E push edi; retf 0_2_020E5B5F
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4FD0D1 push ecx; ret 4_2_1E4FD0E4

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E4EE3 NtWriteVirtualMemory,LoadLibraryA, 0_2_020E4EE3
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E2294 NtSetInformationThread,NtWriteVirtualMemory, 0_2_020E2294
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E838A 0_2_020E838A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E36DF 0_2_020E36DF
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_0056907C LoadLibraryA,NtSetInformationThread, 4_2_0056907C
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_0056838A 4_2_0056838A
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 00000000020E7D79 second address: 00000000020E7D79 instructions:
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 00000000005617E4 second address: 0000000000567569 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pop dword ptr [ebp+000000B4h] 0x00000010 cmp ax, bx 0x00000013 jmp 00007FCBD4A32CA6h 0x00000015 test ecx, 108D7A16h 0x0000001b test dh, bh 0x0000001d push dword ptr [ebp+64h] 0x00000020 test ah, FFFFFFE3h 0x00000023 push 00000367h 0x00000028 push ecx 0x00000029 mov ecx, 22739622h 0x0000002e cmp ecx, 22739622h 0x00000034 jne 00007FCBD4A31D71h 0x0000003a pop ecx 0x0000003b push 00000031h 0x0000003d cmp dl, bl 0x0000003f push dword ptr [ebp+000000B4h] 0x00000045 call 00007FCBD4A38978h 0x0000004a cmp ebx, ecx 0x0000004c cmp dl, FFFFFFF3h 0x0000004f mov edx, dword ptr [esp+04h] 0x00000053 test ebx, edx 0x00000055 mov ecx, dword ptr [esp+08h] 0x00000059 test al, 1Eh 0x0000005b add edx, ecx 0x0000005d neg ecx 0x0000005f mov ebx, dword ptr [esp+0Ch] 0x00000063 cmp edx, F9C1C0D7h 0x00000069 mov eax, dword ptr [esp+10h] 0x0000006d pushad 0x0000006e rdtsc
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 0000000000567569 second address: 0000000000567569 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 00000000020E7D79 second address: 00000000020E7D79 instructions:
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 00000000020E870B second address: 00000000020E870B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b inc ecx 0x0000000c inc ebx 0x0000000d cmp dword ptr [ebx], 9090C350h 0x00000013 jne 00007FCBD4A32CC3h 0x00000015 cmp edx, dword ptr [ebx] 0x00000017 jne 00007FCBD4A32C98h 0x00000019 cmp byte ptr [ebx], FFFFFFE8h 0x0000001c jne 00007FCBD4A32D3Ah 0x00000022 cmp byte ptr [ebx], FFFFFFB8h 0x00000025 jne 00007FCBD4A32CCEh 0x00000027 cmp ecx, 00002000h 0x0000002d jne 00007FCBD4A32AF8h 0x00000033 pushad 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 000000000056870B second address: 000000000056870B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b inc ecx 0x0000000c inc ebx 0x0000000d cmp dword ptr [ebx], 9090C350h 0x00000013 jne 00007FCBD4A3A5F3h 0x00000015 cmp edx, dword ptr [ebx] 0x00000017 jne 00007FCBD4A3A5C8h 0x00000019 cmp byte ptr [ebx], FFFFFFE8h 0x0000001c jne 00007FCBD4A3A66Ah 0x00000022 cmp byte ptr [ebx], FFFFFFB8h 0x00000025 jne 00007FCBD4A3A5FEh 0x00000027 cmp ecx, 00002000h 0x0000002d jne 00007FCBD4A3A428h 0x00000033 pushad 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 00000000005617E4 second address: 0000000000567569 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pop dword ptr [ebp+000000B4h] 0x00000010 cmp ax, bx 0x00000013 jmp 00007FCBD4A32CA6h 0x00000015 test ecx, 108D7A16h 0x0000001b test dh, bh 0x0000001d push dword ptr [ebp+64h] 0x00000020 test ah, FFFFFFE3h 0x00000023 push 00000367h 0x00000028 push ecx 0x00000029 mov ecx, 22739622h 0x0000002e cmp ecx, 22739622h 0x00000034 jne 00007FCBD4A31D71h 0x0000003a pop ecx 0x0000003b push 00000031h 0x0000003d cmp dl, bl 0x0000003f push dword ptr [ebp+000000B4h] 0x00000045 call 00007FCBD4A38978h 0x0000004a cmp ebx, ecx 0x0000004c cmp dl, FFFFFFF3h 0x0000004f mov edx, dword ptr [esp+04h] 0x00000053 test ebx, edx 0x00000055 mov ecx, dword ptr [esp+08h] 0x00000059 test al, 1Eh 0x0000005b add edx, ecx 0x0000005d neg ecx 0x0000005f mov ebx, dword ptr [esp+0Ch] 0x00000063 cmp edx, F9C1C0D7h 0x00000069 mov eax, dword ptr [esp+10h] 0x0000006d pushad 0x0000006e rdtsc
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 0000000000567569 second address: 0000000000567569 instructions:
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E0BA5 rdtsc 0_2_020E0BA5
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Window / User API: threadDelayed 9577
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process information queried: ProcessInformation

Anti Debugging:

barindex
Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E08BF NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,? 0_2_020E08BF
Hides threads from debuggers
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E0BA5 rdtsc 0_2_020E0BA5
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E4A2D LdrInitializeThunk, 0_2_020E4A2D
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E2294 mov eax, dword ptr fs:[00000030h] 0_2_020E2294
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E838A mov eax, dword ptr fs:[00000030h] 0_2_020E838A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E83B9 mov eax, dword ptr fs:[00000030h] 0_2_020E83B9
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3017 mov eax, dword ptr fs:[00000030h] 0_2_020E3017
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3020 mov eax, dword ptr fs:[00000030h] 0_2_020E3020
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E3096 mov eax, dword ptr fs:[00000030h] 0_2_020E3096
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E30AE mov eax, dword ptr fs:[00000030h] 0_2_020E30AE
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E6924 mov eax, dword ptr fs:[00000030h] 0_2_020E6924
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E41E9 mov eax, dword ptr fs:[00000030h] 0_2_020E41E9
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E7632 mov eax, dword ptr fs:[00000030h] 0_2_020E7632
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E8402 mov eax, dword ptr fs:[00000030h] 0_2_020E8402
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E841F mov eax, dword ptr fs:[00000030h] 0_2_020E841F
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E845E mov eax, dword ptr fs:[00000030h] 0_2_020E845E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 0_2_020E2D1A mov eax, dword ptr fs:[00000030h] 0_2_020E2D1A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A9240 mov eax, dword ptr fs:[00000030h] 4_2_1E4A9240
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A9240 mov eax, dword ptr fs:[00000030h] 4_2_1E4A9240
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A9240 mov eax, dword ptr fs:[00000030h] 4_2_1E4A9240
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A9240 mov eax, dword ptr fs:[00000030h] 4_2_1E4A9240
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B7E41 mov eax, dword ptr fs:[00000030h] 4_2_1E4B7E41
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B7E41 mov eax, dword ptr fs:[00000030h] 4_2_1E4B7E41
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B7E41 mov eax, dword ptr fs:[00000030h] 4_2_1E4B7E41
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B7E41 mov eax, dword ptr fs:[00000030h] 4_2_1E4B7E41
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B7E41 mov eax, dword ptr fs:[00000030h] 4_2_1E4B7E41
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B7E41 mov eax, dword ptr fs:[00000030h] 4_2_1E4B7E41
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B766D mov eax, dword ptr fs:[00000030h] 4_2_1E4B766D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E927A mov eax, dword ptr fs:[00000030h] 4_2_1E4E927A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E55B260 mov eax, dword ptr fs:[00000030h] 4_2_1E55B260
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E55B260 mov eax, dword ptr fs:[00000030h] 4_2_1E55B260
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E578A62 mov eax, dword ptr fs:[00000030h] 4_2_1E578A62
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4CAE73 mov eax, dword ptr fs:[00000030h] 4_2_1E4CAE73
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4CAE73 mov eax, dword ptr fs:[00000030h] 4_2_1E4CAE73
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4CAE73 mov eax, dword ptr fs:[00000030h] 4_2_1E4CAE73
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4CAE73 mov eax, dword ptr fs:[00000030h] 4_2_1E4CAE73
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4CAE73 mov eax, dword ptr fs:[00000030h] 4_2_1E4CAE73
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4AC600 mov eax, dword ptr fs:[00000030h] 4_2_1E4AC600
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4AC600 mov eax, dword ptr fs:[00000030h] 4_2_1E4AC600
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4AC600 mov eax, dword ptr fs:[00000030h] 4_2_1E4AC600
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4C3A1C mov eax, dword ptr fs:[00000030h] 4_2_1E4C3A1C
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E55FE3F mov eax, dword ptr fs:[00000030h] 4_2_1E55FE3F
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4AE620 mov eax, dword ptr fs:[00000030h] 4_2_1E4AE620
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E578ED6 mov eax, dword ptr fs:[00000030h] 4_2_1E578ED6
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4D36CC mov eax, dword ptr fs:[00000030h] 4_2_1E4D36CC
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E8EC7 mov eax, dword ptr fs:[00000030h] 4_2_1E4E8EC7
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E55FEC0 mov eax, dword ptr fs:[00000030h] 4_2_1E55FEC0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B76E2 mov eax, dword ptr fs:[00000030h] 4_2_1E4B76E2
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4D16E0 mov ecx, dword ptr fs:[00000030h] 4_2_1E4D16E0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E53FE87 mov eax, dword ptr fs:[00000030h] 4_2_1E53FE87
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4DD294 mov eax, dword ptr fs:[00000030h] 4_2_1E4DD294
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4DD294 mov eax, dword ptr fs:[00000030h] 4_2_1E4DD294
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A52A5 mov eax, dword ptr fs:[00000030h] 4_2_1E4A52A5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A52A5 mov eax, dword ptr fs:[00000030h] 4_2_1E4A52A5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A52A5 mov eax, dword ptr fs:[00000030h] 4_2_1E4A52A5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A52A5 mov eax, dword ptr fs:[00000030h] 4_2_1E4A52A5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A52A5 mov eax, dword ptr fs:[00000030h] 4_2_1E4A52A5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E570EA5 mov eax, dword ptr fs:[00000030h] 4_2_1E570EA5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E570EA5 mov eax, dword ptr fs:[00000030h] 4_2_1E570EA5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E570EA5 mov eax, dword ptr fs:[00000030h] 4_2_1E570EA5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E5246A7 mov eax, dword ptr fs:[00000030h] 4_2_1E5246A7
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4DFAB0 mov eax, dword ptr fs:[00000030h] 4_2_1E4DFAB0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4ADB40 mov eax, dword ptr fs:[00000030h] 4_2_1E4ADB40
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4BEF40 mov eax, dword ptr fs:[00000030h] 4_2_1E4BEF40
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E578B58 mov eax, dword ptr fs:[00000030h] 4_2_1E578B58
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4AF358 mov eax, dword ptr fs:[00000030h] 4_2_1E4AF358
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4ADB60 mov ecx, dword ptr fs:[00000030h] 4_2_1E4ADB60
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4BFF60 mov eax, dword ptr fs:[00000030h] 4_2_1E4BFF60
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4D3B7A mov eax, dword ptr fs:[00000030h] 4_2_1E4D3B7A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4D3B7A mov eax, dword ptr fs:[00000030h] 4_2_1E4D3B7A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E578F6A mov eax, dword ptr fs:[00000030h] 4_2_1E578F6A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E53FF10 mov eax, dword ptr fs:[00000030h] 4_2_1E53FF10
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E53FF10 mov eax, dword ptr fs:[00000030h] 4_2_1E53FF10
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E56131B mov eax, dword ptr fs:[00000030h] 4_2_1E56131B
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E57070D mov eax, dword ptr fs:[00000030h] 4_2_1E57070D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E57070D mov eax, dword ptr fs:[00000030h] 4_2_1E57070D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A4F2E mov eax, dword ptr fs:[00000030h] 4_2_1E4A4F2E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A4F2E mov eax, dword ptr fs:[00000030h] 4_2_1E4A4F2E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4DE730 mov eax, dword ptr fs:[00000030h] 4_2_1E4DE730
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B1B8F mov eax, dword ptr fs:[00000030h] 4_2_1E4B1B8F
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B1B8F mov eax, dword ptr fs:[00000030h] 4_2_1E4B1B8F
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E527794 mov eax, dword ptr fs:[00000030h] 4_2_1E527794
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E527794 mov eax, dword ptr fs:[00000030h] 4_2_1E527794
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E527794 mov eax, dword ptr fs:[00000030h] 4_2_1E527794
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E55D380 mov ecx, dword ptr fs:[00000030h] 4_2_1E55D380
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E56138A mov eax, dword ptr fs:[00000030h] 4_2_1E56138A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E575BA5 mov eax, dword ptr fs:[00000030h] 4_2_1E575BA5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E53C450 mov eax, dword ptr fs:[00000030h] 4_2_1E53C450
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E53C450 mov eax, dword ptr fs:[00000030h] 4_2_1E53C450
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4C0050 mov eax, dword ptr fs:[00000030h] 4_2_1E4C0050
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4C0050 mov eax, dword ptr fs:[00000030h] 4_2_1E4C0050
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4C746D mov eax, dword ptr fs:[00000030h] 4_2_1E4C746D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E571074 mov eax, dword ptr fs:[00000030h] 4_2_1E571074
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E562073 mov eax, dword ptr fs:[00000030h] 4_2_1E562073
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E574015 mov eax, dword ptr fs:[00000030h] 4_2_1E574015
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E574015 mov eax, dword ptr fs:[00000030h] 4_2_1E574015
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E527016 mov eax, dword ptr fs:[00000030h] 4_2_1E527016
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E527016 mov eax, dword ptr fs:[00000030h] 4_2_1E527016
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E527016 mov eax, dword ptr fs:[00000030h] 4_2_1E527016
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E561C06 mov eax, dword ptr fs:[00000030h] 4_2_1E561C06
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E561C06 mov eax, dword ptr fs:[00000030h] 4_2_1E561C06
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E561C06 mov eax, dword ptr fs:[00000030h] 4_2_1E561C06
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E561C06 mov eax, dword ptr fs:[00000030h] 4_2_1E561C06
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E561C06 mov eax, dword ptr fs:[00000030h] 4_2_1E561C06
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E561C06 mov eax, dword ptr fs:[00000030h] 4_2_1E561C06
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E561C06 mov eax, dword ptr fs:[00000030h] 4_2_1E561C06
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E561C06 mov eax, dword ptr fs:[00000030h] 4_2_1E561C06
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E561C06 mov eax, dword ptr fs:[00000030h] 4_2_1E561C06
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E561C06 mov eax, dword ptr fs:[00000030h] 4_2_1E561C06
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E561C06 mov eax, dword ptr fs:[00000030h] 4_2_1E561C06
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E561C06 mov eax, dword ptr fs:[00000030h] 4_2_1E561C06
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E561C06 mov eax, dword ptr fs:[00000030h] 4_2_1E561C06
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E561C06 mov eax, dword ptr fs:[00000030h] 4_2_1E561C06
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E526C0A mov eax, dword ptr fs:[00000030h] 4_2_1E526C0A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E526C0A mov eax, dword ptr fs:[00000030h] 4_2_1E526C0A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E526C0A mov eax, dword ptr fs:[00000030h] 4_2_1E526C0A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E526C0A mov eax, dword ptr fs:[00000030h] 4_2_1E526C0A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E57740D mov eax, dword ptr fs:[00000030h] 4_2_1E57740D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E57740D mov eax, dword ptr fs:[00000030h] 4_2_1E57740D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E57740D mov eax, dword ptr fs:[00000030h] 4_2_1E57740D
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4BB02A mov eax, dword ptr fs:[00000030h] 4_2_1E4BB02A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4BB02A mov eax, dword ptr fs:[00000030h] 4_2_1E4BB02A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4BB02A mov eax, dword ptr fs:[00000030h] 4_2_1E4BB02A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4BB02A mov eax, dword ptr fs:[00000030h] 4_2_1E4BB02A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4DBC2C mov eax, dword ptr fs:[00000030h] 4_2_1E4DBC2C
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E578CD6 mov eax, dword ptr fs:[00000030h] 4_2_1E578CD6
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E53B8D0 mov eax, dword ptr fs:[00000030h] 4_2_1E53B8D0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E53B8D0 mov ecx, dword ptr fs:[00000030h] 4_2_1E53B8D0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E53B8D0 mov eax, dword ptr fs:[00000030h] 4_2_1E53B8D0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E53B8D0 mov eax, dword ptr fs:[00000030h] 4_2_1E53B8D0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E53B8D0 mov eax, dword ptr fs:[00000030h] 4_2_1E53B8D0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E53B8D0 mov eax, dword ptr fs:[00000030h] 4_2_1E53B8D0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E526CF0 mov eax, dword ptr fs:[00000030h] 4_2_1E526CF0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E526CF0 mov eax, dword ptr fs:[00000030h] 4_2_1E526CF0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E526CF0 mov eax, dword ptr fs:[00000030h] 4_2_1E526CF0
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E5614FB mov eax, dword ptr fs:[00000030h] 4_2_1E5614FB
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A9080 mov eax, dword ptr fs:[00000030h] 4_2_1E4A9080
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E523884 mov eax, dword ptr fs:[00000030h] 4_2_1E523884
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E523884 mov eax, dword ptr fs:[00000030h] 4_2_1E523884
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E90AF mov eax, dword ptr fs:[00000030h] 4_2_1E4E90AF
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4DF0BF mov ecx, dword ptr fs:[00000030h] 4_2_1E4DF0BF
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4DF0BF mov eax, dword ptr fs:[00000030h] 4_2_1E4DF0BF
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4DF0BF mov eax, dword ptr fs:[00000030h] 4_2_1E4DF0BF
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4CB944 mov eax, dword ptr fs:[00000030h] 4_2_1E4CB944
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4CB944 mov eax, dword ptr fs:[00000030h] 4_2_1E4CB944
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4E3D43 mov eax, dword ptr fs:[00000030h] 4_2_1E4E3D43
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E523540 mov eax, dword ptr fs:[00000030h] 4_2_1E523540
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4C7D50 mov eax, dword ptr fs:[00000030h] 4_2_1E4C7D50
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4AB171 mov eax, dword ptr fs:[00000030h] 4_2_1E4AB171
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4AB171 mov eax, dword ptr fs:[00000030h] 4_2_1E4AB171
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4CC577 mov eax, dword ptr fs:[00000030h] 4_2_1E4CC577
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4CC577 mov eax, dword ptr fs:[00000030h] 4_2_1E4CC577
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A9100 mov eax, dword ptr fs:[00000030h] 4_2_1E4A9100
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A9100 mov eax, dword ptr fs:[00000030h] 4_2_1E4A9100
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A9100 mov eax, dword ptr fs:[00000030h] 4_2_1E4A9100
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E578D34 mov eax, dword ptr fs:[00000030h] 4_2_1E578D34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4C4120 mov eax, dword ptr fs:[00000030h] 4_2_1E4C4120
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4C4120 mov eax, dword ptr fs:[00000030h] 4_2_1E4C4120
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4C4120 mov eax, dword ptr fs:[00000030h] 4_2_1E4C4120
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4C4120 mov eax, dword ptr fs:[00000030h] 4_2_1E4C4120
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4C4120 mov ecx, dword ptr fs:[00000030h] 4_2_1E4C4120
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4D4D3B mov eax, dword ptr fs:[00000030h] 4_2_1E4D4D3B
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4D4D3B mov eax, dword ptr fs:[00000030h] 4_2_1E4D4D3B
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4D4D3B mov eax, dword ptr fs:[00000030h] 4_2_1E4D4D3B
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4D513A mov eax, dword ptr fs:[00000030h] 4_2_1E4D513A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4D513A mov eax, dword ptr fs:[00000030h] 4_2_1E4D513A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4AAD30 mov eax, dword ptr fs:[00000030h] 4_2_1E4AAD30
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B3D34 mov eax, dword ptr fs:[00000030h] 4_2_1E4B3D34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B3D34 mov eax, dword ptr fs:[00000030h] 4_2_1E4B3D34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B3D34 mov eax, dword ptr fs:[00000030h] 4_2_1E4B3D34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B3D34 mov eax, dword ptr fs:[00000030h] 4_2_1E4B3D34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B3D34 mov eax, dword ptr fs:[00000030h] 4_2_1E4B3D34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B3D34 mov eax, dword ptr fs:[00000030h] 4_2_1E4B3D34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B3D34 mov eax, dword ptr fs:[00000030h] 4_2_1E4B3D34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B3D34 mov eax, dword ptr fs:[00000030h] 4_2_1E4B3D34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B3D34 mov eax, dword ptr fs:[00000030h] 4_2_1E4B3D34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B3D34 mov eax, dword ptr fs:[00000030h] 4_2_1E4B3D34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B3D34 mov eax, dword ptr fs:[00000030h] 4_2_1E4B3D34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B3D34 mov eax, dword ptr fs:[00000030h] 4_2_1E4B3D34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4B3D34 mov eax, dword ptr fs:[00000030h] 4_2_1E4B3D34
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E558DF1 mov eax, dword ptr fs:[00000030h] 4_2_1E558DF1
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4AB1E1 mov eax, dword ptr fs:[00000030h] 4_2_1E4AB1E1
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4AB1E1 mov eax, dword ptr fs:[00000030h] 4_2_1E4AB1E1
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4AB1E1 mov eax, dword ptr fs:[00000030h] 4_2_1E4AB1E1
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A2D8A mov eax, dword ptr fs:[00000030h] 4_2_1E4A2D8A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A2D8A mov eax, dword ptr fs:[00000030h] 4_2_1E4A2D8A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A2D8A mov eax, dword ptr fs:[00000030h] 4_2_1E4A2D8A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A2D8A mov eax, dword ptr fs:[00000030h] 4_2_1E4A2D8A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4A2D8A mov eax, dword ptr fs:[00000030h] 4_2_1E4A2D8A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4DA185 mov eax, dword ptr fs:[00000030h] 4_2_1E4DA185
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4CC182 mov eax, dword ptr fs:[00000030h] 4_2_1E4CC182
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4DFD9B mov eax, dword ptr fs:[00000030h] 4_2_1E4DFD9B
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4DFD9B mov eax, dword ptr fs:[00000030h] 4_2_1E4DFD9B
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_1E4D35A1 mov eax, dword ptr fs:[00000030h] 4_2_1E4D35A1
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_0056845E mov eax, dword ptr fs:[00000030h] 4_2_0056845E
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_0056841F mov eax, dword ptr fs:[00000030h] 4_2_0056841F
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_00568402 mov eax, dword ptr fs:[00000030h] 4_2_00568402
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_00566924 mov eax, dword ptr fs:[00000030h] 4_2_00566924
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_005641D5 mov eax, dword ptr fs:[00000030h] 4_2_005641D5
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_00567632 mov eax, dword ptr fs:[00000030h] 4_2_00567632
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_0056838A mov eax, dword ptr fs:[00000030h] 4_2_0056838A
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Code function: 4_2_005683B9 mov eax, dword ptr fs:[00000030h] 4_2_005683B9

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe Process created: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe 'C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe' Jump to behavior
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.606260056.0000000001030000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.606260056.0000000001030000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.606260056.0000000001030000.00000002.00000001.sdmp Binary or memory string: Progman
Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.606260056.0000000001030000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information:

barindex
Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 5348, type: MEMORY
Behavior Graph (rendered figure; only the recoverable node text is kept here)

Behavior Graph ID: 341752
Sample: IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Start date: 19/01/2021
Architecture: WINDOWS
Score: 96

Start node signatures: Yara detected GuLoader; Yara detected Generic Dropper; Executable has a suspicious name (potential lure to open the executable); 3 other signatures
Process: IRS_Covid-19_Relief_Payment_Notice_pdf.exe (started)
  Signatures: Contains functionality to detect hardware virtualization (CPUID execution measurement); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 3 other signatures
  Child process: IRS_Covid-19_Relief_Payment_Notice_pdf.exe (started)
    DNS/IP: chengsolution.com 162.0.209.179, 443, 49725 ACPCA Canada
    Signatures: Tries to detect Any.run; Hides threads from debuggers

Contacted Public IPs

IP             Domain   Country  ASN    ASN Name  Malicious
162.0.209.179  unknown  Canada   35893  ACPCA     false

Contacted Domains

Name IP Active
chengsolution.com 162.0.209.179 true