Analysis Report IRS_Covid_19_Relief_Grant_Document_docx.exe

Overview

General Information

Sample Name: IRS_Covid_19_Relief_Grant_Document_docx.exe
Analysis ID: 343212
MD5: 5f85963ecc2a1c3354c2e705f3e8d038
SHA1: a97cc41833fae623ff219c2dada84733329c8963
SHA256: b76b24380c31d4be4dfc1d584d5799e1897277828ff523969f123a86f49a37db

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: https://chengsolution.com/vr/xdark_mkDaCZ89.bin Virustotal: Detection: 12%
Multi AV Scanner detection for submitted file
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe Virustotal: Detection: 29%

Compliance:

Uses 32bit PE files
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 162.0.209.179:443 -> 192.168.2.3:49722 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: wntdll.pdbUGP source: IRS_Covid_19_Relief_Grant_Document_docx.exe, 00000001.00000002.621518286.000000001E35F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: IRS_Covid_19_Relief_Grant_Document_docx.exe

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_00568C48 InternetReadFile, 1_2_00568C48
Source: unknown DNS traffic detected: queries for: chengsolution.com
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe, 00000001.00000002.614207915.0000000000562000.00000040.00000001.sdmp String found in binary or memory: https://chengsolution.com/vr/xdark_mkDaCZ89.bin
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown HTTPS traffic detected: 162.0.209.179:443 -> 192.168.2.3:49722 version: TLS 1.2

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: IRS_Covid_19_Relief_Grant_Document_docx.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_1E2A9660
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_1E2A96E0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_1E2A9860
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9610 NtEnumerateValueKey, 1_2_1E2A9610
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9670 NtQueryInformationProcess, 1_2_1E2A9670
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9650 NtQueryValueKey, 1_2_1E2A9650
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A96D0 NtCreateKey, 1_2_1E2A96D0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9730 NtQueryVirtualMemory, 1_2_1E2A9730
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2AA710 NtOpenProcessToken, 1_2_1E2AA710
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9710 NtQueryInformationToken, 1_2_1E2A9710
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9760 NtOpenProcess, 1_2_1E2A9760
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2AA770 NtOpenThread, 1_2_1E2AA770
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9770 NtSetInformationFile, 1_2_1E2A9770
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A97A0 NtUnmapViewOfSection, 1_2_1E2A97A0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9780 NtMapViewOfSection, 1_2_1E2A9780
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9FE0 NtCreateMutant, 1_2_1E2A9FE0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9520 NtWaitForSingleObject, 1_2_1E2A9520
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2AAD30 NtSetContextThread, 1_2_1E2AAD30
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9560 NtWriteFile, 1_2_1E2A9560
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9540 NtReadFile, 1_2_1E2A9540
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A95F0 NtQueryInformationFile, 1_2_1E2A95F0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A95D0 NtClose, 1_2_1E2A95D0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9A20 NtResumeThread, 1_2_1E2A9A20
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9A00 NtProtectVirtualMemory, 1_2_1E2A9A00
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9A10 NtQuerySection, 1_2_1E2A9A10
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9A50 NtCreateFile, 1_2_1E2A9A50
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9A80 NtOpenDirectoryObject, 1_2_1E2A9A80
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9B00 NtSetValueKey, 1_2_1E2A9B00
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2AA3B0 NtGetContextThread, 1_2_1E2AA3B0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9820 NtEnumerateKey, 1_2_1E2A9820
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2AB040 NtSuspendThread, 1_2_1E2AB040
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9840 NtDelayExecution, 1_2_1E2A9840
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A98A0 NtWriteVirtualMemory, 1_2_1E2A98A0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A98F0 NtReadVirtualMemory, 1_2_1E2A98F0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9910 NtAdjustPrivilegesToken, 1_2_1E2A9910
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9950 NtQueueApcThread, 1_2_1E2A9950
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A99A0 NtCreateSection, 1_2_1E2A99A0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A99D0 NtCreateProcessEx, 1_2_1E2A99D0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_00568723 NtProtectVirtualMemory, 1_2_00568723
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: String function: 1E26B150 appears 72 times
Sample file is different than original file name gathered from version info
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe, 00000000.00000002.242404679.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamelutrin.exe vs IRS_Covid_19_Relief_Grant_Document_docx.exe
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe, 00000000.00000002.248906191.00000000021B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs IRS_Covid_19_Relief_Grant_Document_docx.exe
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe, 00000001.00000002.621190063.000000001DDB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs IRS_Covid_19_Relief_Grant_Document_docx.exe
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe, 00000001.00000002.621518286.000000001E35F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs IRS_Covid_19_Relief_Grant_Document_docx.exe
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe, 00000001.00000000.240109538.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamelutrin.exe vs IRS_Covid_19_Relief_Grant_Document_docx.exe
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe, 00000001.00000002.621140002.000000001DC60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs IRS_Covid_19_Relief_Grant_Document_docx.exe
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe Binary or memory string: OriginalFilenamelutrin.exe vs IRS_Covid_19_Relief_Grant_Document_docx.exe
Uses 32bit PE files
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe File created: C:\Users\user\AppData\Local\Temp\~DF1BB46D3EBC25FFB7.TMP
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe Virustotal: Detection: 29%
Source: unknown Process created: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe 'C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe'
Source: unknown Process created: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe 'C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe'
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Process created: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe 'C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe'
Source: Binary string: wntdll.pdbUGP source: IRS_Covid_19_Relief_Grant_Document_docx.exe, 00000001.00000002.621518286.000000001E35F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: IRS_Covid_19_Relief_Grant_Document_docx.exe

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: IRS_Covid_19_Relief_Grant_Document_docx.exe PID: 4952, type: MEMORY
Source: Yara match File source: Process Memory Space: IRS_Covid_19_Relief_Grant_Document_docx.exe PID: 2220, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: IRS_Covid_19_Relief_Grant_Document_docx.exe PID: 4952, type: MEMORY
Source: Yara match File source: Process Memory Space: IRS_Covid_19_Relief_Grant_Document_docx.exe PID: 2220, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 0_2_0040822E push esp; ret 0_2_00408235
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 0_2_00406096 push esp; iretd 0_2_00406097
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 0_2_004061B4 push ebx; iretd 0_2_00406247
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 0_2_02A982F8 push eax; ret 0_2_02A982F9
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 0_2_02A91250 push edi; ret 0_2_02A91252
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 0_2_02A993B0 pushfd ; iretd 0_2_02A993B1
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2BD0D1 push ecx; ret 1_2_1E2BD0E4
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_005657D0 push 00000057h; ret 1_2_005657E6
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_00567FDD LoadLibraryA, 1_2_00567FDD
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Tries to detect Any.run
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe RDTSC instruction interceptor: First address: 0000000000562A3F second address: 0000000000562A9B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [eax+20h], ecx 0x00000006 test cx, ax 0x00000009 mov esi, dword ptr [edi+00000800h] 0x0000000f mov dword ptr [eax+18h], esi 0x00000012 add esi, dword ptr [edi+00000850h] 0x00000018 mov dword ptr [eax+1Ch], esi 0x0000001b test al, al 0x0000001d cmp ax, cx 0x00000020 cmp edx, edx 0x00000022 cmp dword ptr [ebp+70h], 01h 0x00000026 je 00007F01FCB6CE2Dh 0x0000002c jmp 00007F01FCB6CC96h 0x0000002e test bl, al 0x00000030 cmp ch, bh 0x00000032 pushad 0x00000033 mov ebx, 00000065h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 0_2_02A972AB rdtsc 0_2_02A972AB
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Window / User API: threadDelayed 9727
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe API coverage: 2.6 %
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 0_2_02A972AB rdtsc 0_2_02A972AB
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_1E2A9660
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2FFE87 mov eax, dword ptr fs:[00000030h] 1_2_1E2FFE87
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2776E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2776E2
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2916E0 mov ecx, dword ptr fs:[00000030h] 1_2_1E2916E0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E338ED6 mov eax, dword ptr fs:[00000030h] 1_2_1E338ED6
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2936CC mov eax, dword ptr fs:[00000030h] 1_2_1E2936CC
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A8EC7 mov eax, dword ptr fs:[00000030h] 1_2_1E2A8EC7
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E31FEC0 mov eax, dword ptr fs:[00000030h] 1_2_1E31FEC0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E264F2E mov eax, dword ptr fs:[00000030h] 1_2_1E264F2E
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E264F2E mov eax, dword ptr fs:[00000030h] 1_2_1E264F2E
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28B73D mov eax, dword ptr fs:[00000030h] 1_2_1E28B73D
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28B73D mov eax, dword ptr fs:[00000030h] 1_2_1E28B73D
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E29E730 mov eax, dword ptr fs:[00000030h] 1_2_1E29E730
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E29A70E mov eax, dword ptr fs:[00000030h] 1_2_1E29A70E
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E29A70E mov eax, dword ptr fs:[00000030h] 1_2_1E29A70E
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E33070D mov eax, dword ptr fs:[00000030h] 1_2_1E33070D
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E33070D mov eax, dword ptr fs:[00000030h] 1_2_1E33070D
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28F716 mov eax, dword ptr fs:[00000030h] 1_2_1E28F716
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2FFF10 mov eax, dword ptr fs:[00000030h] 1_2_1E2FFF10
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2FFF10 mov eax, dword ptr fs:[00000030h] 1_2_1E2FFF10
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E27FF60 mov eax, dword ptr fs:[00000030h] 1_2_1E27FF60
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E338F6A mov eax, dword ptr fs:[00000030h] 1_2_1E338F6A
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E27EF40 mov eax, dword ptr fs:[00000030h] 1_2_1E27EF40
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E278794 mov eax, dword ptr fs:[00000030h] 1_2_1E278794
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E7794 mov eax, dword ptr fs:[00000030h] 1_2_1E2E7794
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E7794 mov eax, dword ptr fs:[00000030h] 1_2_1E2E7794
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E7794 mov eax, dword ptr fs:[00000030h] 1_2_1E2E7794
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A37F5 mov eax, dword ptr fs:[00000030h] 1_2_1E2A37F5
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E29BC2C mov eax, dword ptr fs:[00000030h] 1_2_1E29BC2C
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E2E6C0A
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E2E6C0A
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E2E6C0A
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E6C0A mov eax, dword ptr fs:[00000030h] 1_2_1E2E6C0A
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E321C06 mov eax, dword ptr fs:[00000030h] 1_2_1E321C06
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E33740D mov eax, dword ptr fs:[00000030h] 1_2_1E33740D
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E33740D mov eax, dword ptr fs:[00000030h] 1_2_1E33740D
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E33740D mov eax, dword ptr fs:[00000030h] 1_2_1E33740D
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28746D mov eax, dword ptr fs:[00000030h] 1_2_1E28746D
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E29A44B mov eax, dword ptr fs:[00000030h] 1_2_1E29A44B
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2FC450 mov eax, dword ptr fs:[00000030h] 1_2_1E2FC450
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2FC450 mov eax, dword ptr fs:[00000030h] 1_2_1E2FC450
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E27849B mov eax, dword ptr fs:[00000030h] 1_2_1E27849B
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E3214FB mov eax, dword ptr fs:[00000030h] 1_2_1E3214FB
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E6CF0 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6CF0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E6CF0 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6CF0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E6CF0 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6CF0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E338CD6 mov eax, dword ptr fs:[00000030h] 1_2_1E338CD6
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E338D34 mov eax, dword ptr fs:[00000030h] 1_2_1E338D34
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E32E539 mov eax, dword ptr fs:[00000030h] 1_2_1E32E539
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E294D3B mov eax, dword ptr fs:[00000030h] 1_2_1E294D3B
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E294D3B mov eax, dword ptr fs:[00000030h] 1_2_1E294D3B
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E294D3B mov eax, dword ptr fs:[00000030h] 1_2_1E294D3B
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E273D34 mov eax, dword ptr fs:[00000030h] 1_2_1E273D34
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E26AD30 mov eax, dword ptr fs:[00000030h] 1_2_1E26AD30
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2EA537 mov eax, dword ptr fs:[00000030h] 1_2_1E2EA537
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28C577 mov eax, dword ptr fs:[00000030h] 1_2_1E28C577
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28C577 mov eax, dword ptr fs:[00000030h] 1_2_1E28C577
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A3D43 mov eax, dword ptr fs:[00000030h] 1_2_1E2A3D43
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E3540 mov eax, dword ptr fs:[00000030h] 1_2_1E2E3540
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E313D40 mov eax, dword ptr fs:[00000030h] 1_2_1E313D40
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E287D50 mov eax, dword ptr fs:[00000030h] 1_2_1E287D50
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2935A1 mov eax, dword ptr fs:[00000030h] 1_2_1E2935A1
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E291DB5 mov eax, dword ptr fs:[00000030h] 1_2_1E291DB5
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E291DB5 mov eax, dword ptr fs:[00000030h] 1_2_1E291DB5
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E291DB5 mov eax, dword ptr fs:[00000030h] 1_2_1E291DB5
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E3305AC mov eax, dword ptr fs:[00000030h] 1_2_1E3305AC
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E3305AC mov eax, dword ptr fs:[00000030h] 1_2_1E3305AC
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E292581 mov eax, dword ptr fs:[00000030h] 1_2_1E292581
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E292581 mov eax, dword ptr fs:[00000030h] 1_2_1E292581
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E292581 mov eax, dword ptr fs:[00000030h] 1_2_1E292581
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E292581 mov eax, dword ptr fs:[00000030h] 1_2_1E292581
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E262D8A mov eax, dword ptr fs:[00000030h] 1_2_1E262D8A
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E262D8A mov eax, dword ptr fs:[00000030h] 1_2_1E262D8A
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E262D8A mov eax, dword ptr fs:[00000030h] 1_2_1E262D8A
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E262D8A mov eax, dword ptr fs:[00000030h] 1_2_1E262D8A
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E262D8A mov eax, dword ptr fs:[00000030h] 1_2_1E262D8A
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E29FD9B mov eax, dword ptr fs:[00000030h] 1_2_1E29FD9B
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E29FD9B mov eax, dword ptr fs:[00000030h] 1_2_1E29FD9B
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E318DF1 mov eax, dword ptr fs:[00000030h] 1_2_1E318DF1
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E27D5E0 mov eax, dword ptr fs:[00000030h] 1_2_1E27D5E0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E27D5E0 mov eax, dword ptr fs:[00000030h] 1_2_1E27D5E0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E32FDE2 mov eax, dword ptr fs:[00000030h] 1_2_1E32FDE2
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E32FDE2 mov eax, dword ptr fs:[00000030h] 1_2_1E32FDE2
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E32FDE2 mov eax, dword ptr fs:[00000030h] 1_2_1E32FDE2
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E32FDE2 mov eax, dword ptr fs:[00000030h] 1_2_1E32FDE2
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E6DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6DC9
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E6DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6DC9
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E6DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6DC9
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E6DC9 mov ecx, dword ptr fs:[00000030h] 1_2_1E2E6DC9
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E6DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6DC9
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E6DC9 mov eax, dword ptr fs:[00000030h] 1_2_1E2E6DC9
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28A229 mov eax, dword ptr fs:[00000030h] 1_2_1E28A229
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28A229 mov eax, dword ptr fs:[00000030h] 1_2_1E28A229
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28A229 mov eax, dword ptr fs:[00000030h] 1_2_1E28A229
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28A229 mov eax, dword ptr fs:[00000030h] 1_2_1E28A229
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28A229 mov eax, dword ptr fs:[00000030h] 1_2_1E28A229
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28A229 mov eax, dword ptr fs:[00000030h] 1_2_1E28A229
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28A229 mov eax, dword ptr fs:[00000030h] 1_2_1E28A229
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28A229 mov eax, dword ptr fs:[00000030h] 1_2_1E28A229
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28A229 mov eax, dword ptr fs:[00000030h] 1_2_1E28A229
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A4A2C mov eax, dword ptr fs:[00000030h] 1_2_1E2A4A2C
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A4A2C mov eax, dword ptr fs:[00000030h] 1_2_1E2A4A2C
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E32AA16 mov eax, dword ptr fs:[00000030h] 1_2_1E32AA16
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E32AA16 mov eax, dword ptr fs:[00000030h] 1_2_1E32AA16
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E278A0A mov eax, dword ptr fs:[00000030h] 1_2_1E278A0A
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E26AA16 mov eax, dword ptr fs:[00000030h] 1_2_1E26AA16
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E26AA16 mov eax, dword ptr fs:[00000030h] 1_2_1E26AA16
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E283A1C mov eax, dword ptr fs:[00000030h] 1_2_1E283A1C
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E265210 mov eax, dword ptr fs:[00000030h] 1_2_1E265210
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E265210 mov ecx, dword ptr fs:[00000030h] 1_2_1E265210
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E265210 mov eax, dword ptr fs:[00000030h] 1_2_1E265210
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E265210 mov eax, dword ptr fs:[00000030h] 1_2_1E265210
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2A927A mov eax, dword ptr fs:[00000030h] 1_2_1E2A927A
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E31B260 mov eax, dword ptr fs:[00000030h] 1_2_1E31B260
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E31B260 mov eax, dword ptr fs:[00000030h] 1_2_1E31B260
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E338A62 mov eax, dword ptr fs:[00000030h] 1_2_1E338A62
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E269240 mov eax, dword ptr fs:[00000030h] 1_2_1E269240
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E269240 mov eax, dword ptr fs:[00000030h] 1_2_1E269240
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E269240 mov eax, dword ptr fs:[00000030h] 1_2_1E269240
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E269240 mov eax, dword ptr fs:[00000030h] 1_2_1E269240
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E32EA55 mov eax, dword ptr fs:[00000030h] 1_2_1E32EA55
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2F4257 mov eax, dword ptr fs:[00000030h] 1_2_1E2F4257
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2652A5 mov eax, dword ptr fs:[00000030h] 1_2_1E2652A5
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2652A5 mov eax, dword ptr fs:[00000030h] 1_2_1E2652A5
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2652A5 mov eax, dword ptr fs:[00000030h] 1_2_1E2652A5
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2652A5 mov eax, dword ptr fs:[00000030h] 1_2_1E2652A5
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2652A5 mov eax, dword ptr fs:[00000030h] 1_2_1E2652A5
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E27AAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E27AAB0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E27AAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E27AAB0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E29FAB0 mov eax, dword ptr fs:[00000030h] 1_2_1E29FAB0
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E29D294 mov eax, dword ptr fs:[00000030h] 1_2_1E29D294
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E29D294 mov eax, dword ptr fs:[00000030h] 1_2_1E29D294
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E292AE4 mov eax, dword ptr fs:[00000030h] 1_2_1E292AE4
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E292ACB mov eax, dword ptr fs:[00000030h] 1_2_1E292ACB
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E32131B mov eax, dword ptr fs:[00000030h] 1_2_1E32131B
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E26DB60 mov ecx, dword ptr fs:[00000030h] 1_2_1E26DB60
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E293B7A mov eax, dword ptr fs:[00000030h] 1_2_1E293B7A
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E293B7A mov eax, dword ptr fs:[00000030h] 1_2_1E293B7A
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E26DB40 mov eax, dword ptr fs:[00000030h] 1_2_1E26DB40
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E338B58 mov eax, dword ptr fs:[00000030h] 1_2_1E338B58
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E26F358 mov eax, dword ptr fs:[00000030h] 1_2_1E26F358
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E294BAD mov eax, dword ptr fs:[00000030h] 1_2_1E294BAD
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E294BAD mov eax, dword ptr fs:[00000030h] 1_2_1E294BAD
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E294BAD mov eax, dword ptr fs:[00000030h] 1_2_1E294BAD
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E335BA5 mov eax, dword ptr fs:[00000030h] 1_2_1E335BA5
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E271B8F mov eax, dword ptr fs:[00000030h] 1_2_1E271B8F
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E271B8F mov eax, dword ptr fs:[00000030h] 1_2_1E271B8F
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E31D380 mov ecx, dword ptr fs:[00000030h] 1_2_1E31D380
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E32138A mov eax, dword ptr fs:[00000030h] 1_2_1E32138A
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E29B390 mov eax, dword ptr fs:[00000030h] 1_2_1E29B390
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E292397 mov eax, dword ptr fs:[00000030h] 1_2_1E292397
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E28DBE9 mov eax, dword ptr fs:[00000030h] 1_2_1E28DBE9
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2903E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2903E2
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2903E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2903E2
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2903E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2903E2
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2903E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2903E2
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2903E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2903E2
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2903E2 mov eax, dword ptr fs:[00000030h] 1_2_1E2903E2
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E53CA mov eax, dword ptr fs:[00000030h] 1_2_1E2E53CA
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E2E53CA mov eax, dword ptr fs:[00000030h] 1_2_1E2E53CA
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E29002D mov eax, dword ptr fs:[00000030h] 1_2_1E29002D
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E29002D mov eax, dword ptr fs:[00000030h] 1_2_1E29002D
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_1E29002D mov eax, dword ptr fs:[00000030h] 1_2_1E29002D

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Process created: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe 'C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe'
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe, 00000001.00000002.614978525.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe, 00000001.00000002.614978525.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe, 00000001.00000002.614978525.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: IRS_Covid_19_Relief_Grant_Document_docx.exe, 00000001.00000002.614978525.0000000000DC0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\IRS_Covid_19_Relief_Grant_Document_docx.exe Code function: 1_2_005670B5 cpuid 1_2_005670B5

Stealing of Sensitive Information:

Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: IRS_Covid_19_Relief_Grant_Document_docx.exe PID: 2220, type: MEMORY
[Behavior graph: ID 343212, Sample: IRS_Covid_19_Relief_Grant_D..., Startdate: 22/01/2021, Architecture: WINDOWS, Score: 100. IRS_Covid_19_Relief_Grant_Document_docx.exe started a second IRS_Covid_19_Relief_Grant_Document_docx.exe process, which contacted chengsolution.com (162.0.209.179, 443, 49722; ACPCA, Canada).]

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
162.0.209.179 unknown Canada 35893 ACPCA false

Contacted Domains

Name IP Active
chengsolution.com 162.0.209.179 true