
Analysis Report IRS_Covid-19_Relief_Payment_Notice_pdf.exe

Overview

General Information

Sample Name: IRS_Covid-19_Relief_Payment_Notice_pdf.exe
Analysis ID: 341752
MD5: 5525bb8a978d3ac15812c8d8ca9b8a57
SHA1: dcb9549ff9c290e056f83639ad546b03206a0806
SHA256: 21f49ea6e105c22882a9fb0065803deee18eddb76767a30ddade2e2725eb65d9
Tags: COVID19, exe, GuLoader, IRS


Detection

GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 5348 | JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security |
Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 5348 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 5348 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 6124 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 6124 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Compliance:

            Uses 32bit PE files
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Uses secure TLS version for HTTPS connections
            Source: unknownHTTPS traffic detected: 162.0.209.179:443 -> 192.168.2.3:49725 version: TLS 1.2
            Binary contains paths to debug symbols
            Source: Binary string: wntdll.pdbUGP source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.612139646.000000001E59F000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknownDNS traffic detected: queries for: chengsolution.com
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exeString found in binary or memory: https://chengsolution.com/vr/tembin_AbNFdk131.bin
            Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
            Source: unknownHTTPS traffic detected: 162.0.209.179:443 -> 192.168.2.3:49725 version: TLS 1.2

            System Summary:

            Executable has a suspicious name (potential lure to open the executable)
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exeStatic file information: Suspicious name
            Initial sample is a PE file and has a suspicious name
            Source: initial sampleStatic PE information: Filename: IRS_Covid-19_Relief_Payment_Notice_pdf.exe
            Source: initial sampleStatic PE information: Filename: IRS_Covid-19_Relief_Payment_Notice_pdf.exe
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E8B05 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E907C LoadLibraryA,NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E08BF EnumWindows,NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E4EE3 NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E0A0D NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E9202 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E9215 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3A2E NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E923E NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E0A4D NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E9271 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3A88 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E2294 NtSetInformationThread,NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E92AA NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3AF6 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E932C NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E7B5F NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E9369 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3B61 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E9396 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3BB6 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E93D4 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E53E5 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3819 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3868 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E9082 NtWriteVirtualMemory,NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E90D4 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E38E0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E9128 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3929 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E094D NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E0943 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3980 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E09BE NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E91D6 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E39D1 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E9608 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3E07 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E963E NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3E34 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3E4E NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E96A5 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E96D4 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E36ED NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E9711 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3745 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E37BD NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E945D NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3C56 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3CE4 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E94FA NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E9531 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E9571 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3D8E NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3DD9 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E95E5 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9650 NtQueryValueKey,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9A50 NtCreateFile,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9670 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9A00 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9610 NtEnumerateValueKey,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9A10 NtQuerySection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9A20 NtResumeThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E96D0 NtCreateKey,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9A80 NtOpenDirectoryObject,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9760 NtOpenProcess,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9770 NtSetInformationFile,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4EA770 NtOpenThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9B00 NtSetValueKey,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4EA710 NtOpenProcessToken,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9710 NtQueryInformationToken,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9730 NtQueryVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9FE0 NtCreateMutant,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9780 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E97A0 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4EA3B0 NtGetContextThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9840 NtDelayExecution,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4EB040 NtSuspendThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9820 NtEnumerateKey,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E98F0 NtReadVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E98A0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9540 NtReadFile,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9950 NtQueueApcThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9560 NtWriteFile,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9910 NtAdjustPrivilegesToken,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E9520 NtWaitForSingleObject,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4EAD30 NtSetContextThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E99D0 NtCreateProcessEx,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E95D0 NtClose,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E95F0 NtQueryInformationFile,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E99A0 NtCreateSection,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_0056907C LoadLibraryA,NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_00568B05 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_0056945D NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_005690D4 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_005694FA NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_00569082 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_00569571 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_00569531 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_00569128 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_005691D6 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_005695E5 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_00569271 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_00569215 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_00569202 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_00569608 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_0056923E NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_0056963E NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_005696D4 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_005696A5 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_005692AA NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_00569369 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_00569711 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_0056932C NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_005693D4 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_00569396 NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_0040187B
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_0040422B
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4C6E30
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4DEBB0
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E561002
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4B841F
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4BB090
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E571D55
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4AF900
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4A0D20
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4C4120
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000000.00000002.268828421.0000000000415000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameauricular.exe vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000000.00000002.269061784.00000000020B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.611516666.000000001DFF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000000.267938949.0000000000415000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameauricular.exe vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.612139646.000000001E59F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.611449120.000000001DEA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exeBinary or memory string: OriginalFilenameauricular.exe vs IRS_Covid-19_Relief_Payment_Notice_pdf.exe
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: classification engineClassification label: mal96.troj.spyw.evad.winEXE@3/0@1/1
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\~DF4F27D81AB326C3CA.TMP
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: unknownProcess created: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe 'C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe'
            Source: unknownProcess created: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe 'C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe'
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeProcess created: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe 'C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe'
            Source: Binary string: wntdll.pdbUGP source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.612139646.000000001E59F000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara matchFile source: Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 5348, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 6124, type: MEMORY
            Yara detected VB6 Downloader Generic
            Source: Yara matchFile source: Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 5348, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 6124, type: MEMORY
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E5B5E push edi; retf
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4FD0D1 push ecx; ret
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Contains functionality to detect hardware virtualization (CPUID execution measurement)
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E4EE3 NtWriteVirtualMemory,LoadLibraryA,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E2294 NtSetInformationThread,NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E838A
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E36DF
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_0056907C LoadLibraryA,NtSetInformationThread,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_0056838A
            Detected RDTSC dummy instruction sequence (likely for instruction hammering)
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeRDTSC instruction interceptor: First address: 00000000020E7D79 second address: 00000000020E7D79 instructions:
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeRDTSC instruction interceptor: First address: 00000000005617E4 second address: 0000000000567569 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pop dword ptr [ebp+000000B4h] 0x00000010 cmp ax, bx 0x00000013 jmp 00007FCBD4A32CA6h 0x00000015 test ecx, 108D7A16h 0x0000001b test dh, bh 0x0000001d push dword ptr [ebp+64h] 0x00000020 test ah, FFFFFFE3h 0x00000023 push 00000367h 0x00000028 push ecx 0x00000029 mov ecx, 22739622h 0x0000002e cmp ecx, 22739622h 0x00000034 jne 00007FCBD4A31D71h 0x0000003a pop ecx 0x0000003b push 00000031h 0x0000003d cmp dl, bl 0x0000003f push dword ptr [ebp+000000B4h] 0x00000045 call 00007FCBD4A38978h 0x0000004a cmp ebx, ecx 0x0000004c cmp dl, FFFFFFF3h 0x0000004f mov edx, dword ptr [esp+04h] 0x00000053 test ebx, edx 0x00000055 mov ecx, dword ptr [esp+08h] 0x00000059 test al, 1Eh 0x0000005b add edx, ecx 0x0000005d neg ecx 0x0000005f mov ebx, dword ptr [esp+0Ch] 0x00000063 cmp edx, F9C1C0D7h 0x00000069 mov eax, dword ptr [esp+10h] 0x0000006d pushad 0x0000006e rdtsc
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeRDTSC instruction interceptor: First address: 0000000000567569 second address: 0000000000567569 instructions:
            Tries to detect Any.run
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeFile opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeRDTSC instruction interceptor: First address: 00000000020E7D79 second address: 00000000020E7D79 instructions:
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeRDTSC instruction interceptor: First address: 00000000020E870B second address: 00000000020E870B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b inc ecx 0x0000000c inc ebx 0x0000000d cmp dword ptr [ebx], 9090C350h 0x00000013 jne 00007FCBD4A32CC3h 0x00000015 cmp edx, dword ptr [ebx] 0x00000017 jne 00007FCBD4A32C98h 0x00000019 cmp byte ptr [ebx], FFFFFFE8h 0x0000001c jne 00007FCBD4A32D3Ah 0x00000022 cmp byte ptr [ebx], FFFFFFB8h 0x00000025 jne 00007FCBD4A32CCEh 0x00000027 cmp ecx, 00002000h 0x0000002d jne 00007FCBD4A32AF8h 0x00000033 pushad 0x00000034 lfence 0x00000037 rdtsc
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeRDTSC instruction interceptor: First address: 000000000056870B second address: 000000000056870B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b inc ecx 0x0000000c inc ebx 0x0000000d cmp dword ptr [ebx], 9090C350h 0x00000013 jne 00007FCBD4A3A5F3h 0x00000015 cmp edx, dword ptr [ebx] 0x00000017 jne 00007FCBD4A3A5C8h 0x00000019 cmp byte ptr [ebx], FFFFFFE8h 0x0000001c jne 00007FCBD4A3A66Ah 0x00000022 cmp byte ptr [ebx], FFFFFFB8h 0x00000025 jne 00007FCBD4A3A5FEh 0x00000027 cmp ecx, 00002000h 0x0000002d jne 00007FCBD4A3A428h 0x00000033 pushad 0x00000034 lfence 0x00000037 rdtsc
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeRDTSC instruction interceptor: First address: 00000000005617E4 second address: 0000000000567569 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pop dword ptr [ebp+000000B4h] 0x00000010 cmp ax, bx 0x00000013 jmp 00007FCBD4A32CA6h 0x00000015 test ecx, 108D7A16h 0x0000001b test dh, bh 0x0000001d push dword ptr [ebp+64h] 0x00000020 test ah, FFFFFFE3h 0x00000023 push 00000367h 0x00000028 push ecx 0x00000029 mov ecx, 22739622h 0x0000002e cmp ecx, 22739622h 0x00000034 jne 00007FCBD4A31D71h 0x0000003a pop ecx 0x0000003b push 00000031h 0x0000003d cmp dl, bl 0x0000003f push dword ptr [ebp+000000B4h] 0x00000045 call 00007FCBD4A38978h 0x0000004a cmp ebx, ecx 0x0000004c cmp dl, FFFFFFF3h 0x0000004f mov edx, dword ptr [esp+04h] 0x00000053 test ebx, edx 0x00000055 mov ecx, dword ptr [esp+08h] 0x00000059 test al, 1Eh 0x0000005b add edx, ecx 0x0000005d neg ecx 0x0000005f mov ebx, dword ptr [esp+0Ch] 0x00000063 cmp edx, F9C1C0D7h 0x00000069 mov eax, dword ptr [esp+10h] 0x0000006d pushad 0x0000006e rdtsc
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeRDTSC instruction interceptor: First address: 0000000000567569 second address: 0000000000567569 instructions:
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E0BA5 rdtsc
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeWindow / User API: threadDelayed 9577
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeProcess information queried: ProcessInformation

            Anti Debugging:

Contains functionality to hide a thread from the debugger
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E08BF NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?
Hides threads from debuggers
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeThread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeProcess queried: DebugPort
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E0BA5 rdtsc
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E4A2D LdrInitializeThunk,
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E2294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E838A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E83B9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3017 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3020 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E3096 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E30AE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E6924 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E41E9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E7632 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E8402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E841F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E845E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 0_2_020E2D1A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4A9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4B7E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4B766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E55B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E578A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4CAE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4AC600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4C3A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E55FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4AE620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E578ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4D36CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E8EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E55FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4B76E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4D16E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E53FE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4DD294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4A52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E570EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E5246A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4DFAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4ADB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4BEF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E578B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4AF358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4ADB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4BFF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4D3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E578F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E53FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E56131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E57070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4A4F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4DE730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4B1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E527794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E55D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E56138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E575BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E53C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4C0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4C746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E571074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E562073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E574015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E527016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E561C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E526C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E57740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4BB02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4DBC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E578CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E53B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E53B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E526CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E5614FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4A9080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E523884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E90AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4DF0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4DF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4CB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4E3D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E523540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4C7D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4AB171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4CC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4A9100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E578D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4C4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4C4120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4D4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4D513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4AAD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4B3D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E558DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4AB1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4A2D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4DA185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4CC182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4DFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_1E4D35A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_0056845E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_0056841F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_00568402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_00566924 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_005641D5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_00567632 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_0056838A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeCode function: 4_2_005683B9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exeProcess created: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe 'C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe'
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.606260056.0000000001030000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.606260056.0000000001030000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.606260056.0000000001030000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: IRS_Covid-19_Relief_Payment_Notice_pdf.exe, 00000004.00000002.606260056.0000000001030000.00000002.00000001.sdmpBinary or memory string: Progmanlock

            Stealing of Sensitive Information:

            Yara detected Generic Dropper
            Source: Yara match; File source: Process Memory Space: IRS_Covid-19_Relief_Payment_Notice_pdf.exe PID: 5348, type: MEMORY

            Mitre Att&ck Matrix

            Techniques are listed per tactic column of the original matrix; the digits in parentheses are the superscript markers attached to the observed techniques in the original.

            Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
            Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task
            Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
            Privilege Escalation: Process Injection (12), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
            Defense Evasion: Virtualization/Sandbox Evasion (21), Process Injection (12), Obfuscated Files or Information (1), Binary Padding, Software Packing, Steganography, Compile After Delivery
            Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
            Discovery: Query Registry (1), Security Software Discovery (721), Virtualization/Sandbox Evasion (21), Process Discovery (2), Application Window Discovery (1), Remote System Discovery (1), System Information Discovery (31)
            Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
            Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
            Command and Control: Encrypted Channel (12), Non-Application Layer Protocol (1), Application Layer Protocol (2), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
            Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
            Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
            Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

            Behavior Graph

            [The behavior graph is rendered as an image in the original report. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            https://chengsolution.com/vr/tembin_AbNFdk131.bin | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            chengsolution.com | 162.0.209.179 | true | false | (none) | unknown

              URLs from Memory and Binaries

              Name | Source | Malicious | Antivirus Detection | Reputation
              https://chengsolution.com/vr/tembin_AbNFdk131.bin | IRS_Covid-19_Relief_Payment_Notice_pdf.exe | false | Avira URL Cloud: safe | unknown

              Contacted IPs


              Public

              IP | Domain | Country | ASN | ASN Name | Malicious
              162.0.209.179 | unknown | Canada | 35893 | ACPCA | false

              General Information

              Joe Sandbox Version: 31.0.0 Red Diamond
              Analysis ID: 341752
              Start date: 19.01.2021
              Start time: 19:04:07
              Joe Sandbox Product: CloudBasic
              Overall analysis duration: 0h 7m 19s
              Hypervisor based Inspection enabled: false
              Report type: light
              Sample file name: IRS_Covid-19_Relief_Payment_Notice_pdf.exe
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of new started processes analysed: 33
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Detection: MAL
              Classification: mal96.troj.spyw.evad.winEXE@3/0@1/1
              EGA Information: Failed
              HDC Information:
              • Successful, ratio: 27.1% (good quality ratio 21.4%)
              • Quality average: 62.4%
              • Quality standard deviation: 37.7%
              HCA Information:
              • Successful, ratio: 60%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Found application associated with file extension: .exe
              Warnings:
              • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
              • TCP Packets have been reduced to 100
              • Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.43.193.48, 52.255.188.83, 2.18.68.82, 51.11.168.160, 2.20.142.210, 2.20.142.209, 92.122.213.194, 92.122.213.247, 20.54.26.129, 52.254.96.93, 52.251.11.100
              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, bn2eap.displaycatalog.md.mp.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: /opt/package/joesandbox/database/analysis/341752/sample/IRS_Covid-19_Relief_Payment_Notice_pdf.exe

              Simulations

              Behavior and APIs

              No simulations

              Joe Sandbox View / Context

              IPs

              No context

              Domains

              No context

              ASN

              Match: ACPCA

              JA3 Fingerprints

              Match: 37f463bf4616ecd445d4a1937da06e19

              Dropped Files

              No context

              Created / dropped Files

              No created / dropped files found

              Static File Info

              General

              File type: PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit): 5.442072374572181
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.15%
              • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name: IRS_Covid-19_Relief_Payment_Notice_pdf.exe
              File size: 86016
              MD5: 5525bb8a978d3ac15812c8d8ca9b8a57
              SHA1: dcb9549ff9c290e056f83639ad546b03206a0806
              SHA256: 21f49ea6e105c22882a9fb0065803deee18eddb76767a30ddade2e2725eb65d9
              SHA512: 0e5504ee2fc22ce87c1cac663e0c4cd76227025da20c2903d63ddafc0fc8a270d56a90b89c31d8ee448a61f881ace27037beb623f4409b9d1020a6b2a0a9f35b
              SSDEEP: 768:bwSsRk+UMfhoeoCm0TI4Y4az55+mGMZkNS8+EMaybN1hBuKYR6mTLktPV9lIBtyd:JzTMoCnbO5+mG4ietbzhBuKYT3yVQm
              File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...5..`................. ...0...............0....@................

              File Icon

              Icon Hash: c0c4c26270faec04

              Static PE Info

              General

              Entrypoint: 0x401498
              Entrypoint Section: .text
              Digitally signed: false
              Imagebase: 0x400000
              Subsystem: windows gui
              Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics: (none)
              Time Stamp: 0x6006B035 [Tue Jan 19 10:11:01 2021 UTC]
              TLS Callbacks: (none)
              CLR (.Net) Version: (none)
              OS Version Major: 4
              OS Version Minor: 0
              File Version Major: 4
              File Version Minor: 0
              Subsystem Version Major: 4
              Subsystem Version Minor: 0
              Import Hash: 98834e8b1c22ed6d1484c39b625780c4

              Data Directories

              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x129b4 | 0x28 | .text
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15000 | 0x614 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x128 | .text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

              Sections

              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x11ebc | 0x12000 | False | 0.396335177951 | data | 5.91456759437 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .data | 0x13000 | 0x11c0 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .rsrc | 0x15000 | 0x614 | 0x1000 | False | 0.159423828125 | data | 1.53535569768 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              Name | RVA | Size | Type | Language | Country
              RT_ICON | 0x1532c | 0x2e8 | data | |
              RT_GROUP_ICON | 0x15318 | 0x14 | data | |
              RT_VERSION | 0x150f0 | 0x228 | data | English | United States

              Imports

              MSVBVM60.DLL: _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaLateMemSt, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaVarCopy, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaAryCopy, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

              Version Infos

              Translation: 0x0409 0x04b0
              InternalName: auricular
              FileVersion: 2.00
              CompanyName: ViralCherry
              ProductName: ViralCherry
              ProductVersion: 2.00
              OriginalFilename: auricular.exe

              Possible Origin

              Language of compilation system: English
              Country where language is spoken: United States

              Network Behavior

              Network Port Distribution

              TCP Packets

              TimestampSource PortDest PortSource IPDest IP
              Jan 19, 2021 19:05:35.671945095 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:35.867238998 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:35.867331982 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:35.897017956 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.090732098 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.090768099 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.090789080 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.090804100 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.090816975 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.090857029 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.090892076 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.096060991 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.096149921 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.224873066 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.421293020 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.421397924 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.454593897 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.653346062 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.653410912 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.653438091 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.653461933 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.653487921 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.653507948 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.653512001 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.653536081 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.653548002 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.653572083 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.653573990 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.653599024 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.653600931 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.653635979 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.653666973 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.653703928 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.654711962 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.846869946 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.846916914 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.846936941 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.846961975 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.846986055 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.847009897 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.847035885 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.847062111 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.847079039 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.847088099 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.847115993 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.847141981 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.847167015 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.847166061 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.847188950 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.847193956 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.847224951 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:36.848038912 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.848081112 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:36.848133087 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.040530920 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040569067 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040591002 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040607929 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040622950 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040638924 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040637970 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.040656090 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040667057 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.040672064 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.040673971 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040693045 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040707111 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.040712118 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040729046 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.040730953 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040749073 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040759087 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.040766001 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040782928 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040787935 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.040801048 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040817022 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040819883 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.040833950 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040838957 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.040868044 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.040965080 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.040982962 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.041003942 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.041033983 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.234117031 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.234184027 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.234226942 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.234272003 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.234301090 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.234313011 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.234343052 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.234357119 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.234380007 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.234401941 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.234400988 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.234445095 CET49725443192.168.2.3162.0.209.179
              Jan 19, 2021 19:05:37.234452963 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.234503984 CET44349725162.0.209.179192.168.2.3
              Jan 19, 2021 19:05:37.234546900 CET44349725162.0.209.179192.168.2.3

              UDP Packets

              Timestamp                            Source Port  Dest Port  Source IP    Dest IP
              Jan 19, 2021 19:04:57.162681103 CET  58361        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:04:57.221368074 CET  53           58361      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:04:58.217526913 CET  63492        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:04:58.268284082 CET  53           63492      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:04:59.531814098 CET  60831        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:04:59.582775116 CET  53           60831      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:05:00.658184052 CET  60100        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:05:00.709003925 CET  53           60100      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:05:05.854151011 CET  53195        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:05:05.902390957 CET  53           53195      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:05:06.835242987 CET  50141        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:05:06.886193991 CET  53           50141      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:05:07.624830008 CET  53023        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:05:07.672684908 CET  53           53023      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:05:08.424705982 CET  49563        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:05:08.472641945 CET  53           49563      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:05:09.410857916 CET  51352        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:05:09.467432022 CET  53           51352      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:05:10.623665094 CET  59349        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:05:10.671462059 CET  53           59349      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:05:11.406970978 CET  57084        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:05:11.455020905 CET  53           57084      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:05:12.216387033 CET  58823        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:05:12.264552116 CET  53           58823      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:05:26.185189962 CET  57568        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:05:26.243479013 CET  53           57568      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:05:35.571042061 CET  50540        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:05:35.634639025 CET  53           50540      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:05:41.281246901 CET  54366        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:05:41.329204082 CET  53           54366      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:05:46.049727917 CET  53034        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:05:46.112493992 CET  53           53034      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:05:47.226560116 CET  57762        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:05:47.282752991 CET  53           57762      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:05:47.602919102 CET  55435        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:05:47.661106110 CET  53           55435      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:06:02.330107927 CET  50713        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:06:02.389588118 CET  53           50713      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:06:15.829989910 CET  56132        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:06:15.880850077 CET  53           56132      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:06:19.428741932 CET  58987        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:06:19.486742020 CET  53           58987      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:06:51.298798084 CET  56579        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:06:51.346765995 CET  53           56579      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:06:53.023474932 CET  60633        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:06:53.079869986 CET  53           60633      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:07:45.461467981 CET  61292        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:07:45.517836094 CET  53           61292      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:07:46.513546944 CET  63619        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:07:46.575645924 CET  53           63619      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:07:47.870642900 CET  64938        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:07:47.929498911 CET  53           64938      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:07:49.383142948 CET  61946        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:07:49.447613001 CET  53           61946      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:07:50.286160946 CET  64910        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:07:50.342813969 CET  53           64910      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:07:51.322047949 CET  52123        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:07:51.383259058 CET  53           52123      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:07:53.507177114 CET  56130        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:07:53.566209078 CET  53           56130      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:07:56.467189074 CET  56338        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:07:56.523395061 CET  53           56338      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:07:58.288005114 CET  59420        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:07:58.349138975 CET  53           59420      8.8.8.8      192.168.2.3
              Jan 19, 2021 19:07:59.514334917 CET  58784        53         192.168.2.3  8.8.8.8
              Jan 19, 2021 19:07:59.562504053 CET  53           58784      8.8.8.8      192.168.2.3

              DNS Queries

              Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class
              Jan 19, 2021 19:05:35.571042061 CET  192.168.2.3  8.8.8.8  0xc302    Standard query (0)  chengsolution.com  A (IP address)  IN (0x0001)

              DNS Answers

              Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name               CName  Address        Type            Class
              Jan 19, 2021 19:05:35.634639025 CET  8.8.8.8    192.168.2.3  0xc302    No error (0)  chengsolution.com  -      162.0.209.179  A (IP address)  IN (0x0001)

              HTTPS Packets

              Timestamp: Jan 19, 2021 19:05:36.096060991 CET
              Source IP: 162.0.209.179  Source Port: 443
              Dest IP: 192.168.2.3  Dest Port: 49725
              Certificate chain (Subject / Issuer / Not Before / Not After):
                Subject: CN=chengsolution.com
                Issuer: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
                Not Before: Sat Jan 09 01:00:00 CET 2021  Not After: Tue Jan 04 00:59:59 CET 2022

                Subject: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
                Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
                Not Before: Fri Nov 02 01:00:00 CET 2018  Not After: Wed Jan 01 00:59:59 CET 2031

                Subject: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
                Issuer: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
                Not Before: Tue Mar 12 01:00:00 CET 2019  Not After: Mon Jan 01 00:59:59 CET 2029
              JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
              JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

              Code Manipulations

              Statistics

              Behavior

              System Behavior

              General

              Start time: 19:05:02
              Start date: 19/01/2021
              Path: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe'
              Imagebase: 0x400000
              File size: 86016 bytes
              MD5 hash: 5525BB8A978D3AC15812C8D8CA9B8A57
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: Visual Basic
              Reputation: low

              General

              Start time: 19:05:25
              Start date: 19/01/2021
              Path: C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe
              Wow64 process (32bit): true
              Commandline: 'C:\Users\user\Desktop\IRS_Covid-19_Relief_Payment_Notice_pdf.exe'
              Imagebase: 0x7ff7ca4e0000
              File size: 86016 bytes
              MD5 hash: 5525BB8A978D3AC15812C8D8CA9B8A57
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: low

              Disassembly

              Code Analysis