Windows Analysis Report NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe

Overview

General Information

Sample Name: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Analysis ID: 482590
MD5: e8bceea59b2074bd08bf68ab55ecdf3e
SHA1: 8b62bf811b03fe25924ef6ff4d4afd89c902f7cd
SHA256: 0b4684d82509a6e7e0c1cb63174bf68d182ccff75a3d19f16821127605d636b8
Tags: exe

Detection

GuLoader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
C2 URLs / IPs found in malware configuration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://www.paulassinkarchitect.nl/bin_fDiyu115.bin"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000017.00000002.783554447.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | 
00000001.00000002.544066668.00000000024E0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | 

      Sigma Overview

      No Sigma rule has matched

      Jbx Signature Overview

      AV Detection:

Found malware configuration
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.paulassinkarchitect.nl/bin_fDiyu115.bin"}
Multi AV Scanner detection for submitted file
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Virustotal: Detection: 25%
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | ReversingLabs: Detection: 18%
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

      Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://www.paulassinkarchitect.nl/bin_fDiyu115.bin

      System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000001.00000002.543921353.0000000002240000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename smedesvende.exeFE2XKareo vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000001.00000000.260934793.0000000000448000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename smedesvende.exe vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000017.00000000.542692130.0000000000448000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename smedesvende.exe vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Binary or memory string: OriginalFilename smedesvende.exe vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024EF4F6 NtWriteVirtualMemory, LoadLibraryA
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024EB52A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E75D7 NtWriteVirtualMemory, LoadLibraryA
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024EA83B NtWriteVirtualMemory, LoadLibraryA
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024F2D4E NtProtectVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024EA250 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024EA27C NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E9214 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E92D0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E9295 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E92B8 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E92B4 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024EA364 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E9339 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E93A8 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024EA058 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E907D NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024EA03A NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E90CD NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024EA0D4 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E9144 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024EA135 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024EA1B4 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E9668 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024EB628 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E96E9 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024EB6A0 NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024EB71C NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024EB789 NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9783 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9431 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024EB491 NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E94B9 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9560 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9537 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024EB5BC NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E8A7C NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9A21 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9AC7 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E8AE1 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9A94 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E8B54 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9B7C NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9B14 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9BF8 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E185B NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9829 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E98A0 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E990D NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E991F NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E89FB NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E89AC NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E99BC NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9E69 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9E00 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E8E29 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E5EAC NtWriteVirtualMemory,LoadLibraryA,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E8EA0 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9F54 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E8F7D NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E8F11 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9FF4 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9FAA NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E8C45 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9C60 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9CA0 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E8CB8 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E9D49 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024E8D40 NtWriteVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 1_2_024EBD69 NtWriteVirtualMemory,LoadLibraryA,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeCode function: 23_2_0056B52A NtAllocateVirtualMemory,
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess Stats: CPU usage > 98%
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeVirustotal: Detection: 25%
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeReversingLabs: Detection: 18%
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: unknownProcess created: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess created: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exeProcess created: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
      Source: classification engineClassification label: mal92.troj.evad.winEXE@3/0@0/0

      Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000017.00000002.783554447.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.544066668.00000000024E0000.00000040.00000001.sdmp, type: MEMORY
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Static PE information: real checksum: 0x791f7 should be: 0x73bc1
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_004064C4 push ebp; iretd
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_0040A8F6 push esi; ret
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_00403171 push ds; ret
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_00404979 push esi; ret
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_00407B84 push es; ret
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E089F push 2FA9C30Eh; ret
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E99BC push FFFFFF85h; retf 0805h
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 23_2_0056089F push 2FA9C30Eh; ret
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 23_2_005615FD push 00000039h; ret
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 23_2_00565744 push esp; retf
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000001.00000002.543939100.0000000002380000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000001.00000002.543939100.0000000002380000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 23_2_00570682 rdtsc
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | System information queried: ModuleInformation
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000001.00000002.543939100.0000000002380000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000001.00000002.543939100.0000000002380000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

      Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E75D7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E752F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E75F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024F18D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024E5EAC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024EEF53 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024EFCF5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 23_2_005718D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 23_2_0056FCF5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 23_2_0056AD21 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 23_2_0056EF53 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 23_2_00570682 rdtsc
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Code function: 1_2_024ECE61 LdrInitializeThunk,
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | Process created: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000017.00000002.784485876.0000000000EC0000.00000002.00020000.sdmp | Binary or memory string: uProgram Manager
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000017.00000002.784485876.0000000000EC0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000017.00000002.784485876.0000000000EC0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000017.00000002.784485876.0000000000EC0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock

      Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file | Signature Results: GuLoader behavior

      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection12 | Virtualization/Sandbox Evasion21 | OS Credential Dumping | Security Software Discovery321 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection12 | LSASS Memory | Virtualization/Sandbox Evasion21 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |

      Behavior Graph

      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | 25% | Virustotal |
NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe | 18% | ReversingLabs | Win32.Trojan.Mucc

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

Source | Detection | Scanner | Label
https://www.paulassinkarchitect.nl/bin_fDiyu115.bin | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://www.paulassinkarchitect.nl/bin_fDiyu115.bin | true | Avira URL Cloud: safe | unknown

      Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:33.0.0 White Diamond
      Analysis ID:482590
      Start date:13.09.2021
      Start time:22:41:49
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 8m 56s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:25
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal92.troj.evad.winEXE@3/0@0/0
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 24.1% (good quality ratio 15.1%)
      • Quality average: 29.8%
      • Quality standard deviation: 27.1%
      HCA Information:
      • Successful, ratio: 88%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      • Override analysis time to 240s for sample files taking high CPU consumption
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):4.255614019053077
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.15%
      • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
      File size:466944
      MD5:e8bceea59b2074bd08bf68ab55ecdf3e
      SHA1:8b62bf811b03fe25924ef6ff4d4afd89c902f7cd
      SHA256:0b4684d82509a6e7e0c1cb63174bf68d182ccff75a3d19f16821127605d636b8
      SHA512:405f00ffa49ecb3131f0a16afa2b4488c8580c2c8161a0bd4384b9218c9dc74a21812fe6a86f49c16f08959b4743d9f19bb07f7524ce63e6ed339ab01679add1
      SSDEEP:12288:8HLEuNNNNN6NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNGvNNNNNNasgTJ4KJ1Z:8HY2csg9h1Z
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W...K...W...u...W...q...W..Rich.W..........................PE..L....f=L.................P..........H........`....@

      File Icon

      Icon Hash:70f0a231b3b2f071

      Static PE Info

      General

      Entrypoint:0x401448
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      DLL Characteristics:
      Time Stamp:0x4C3D6691 [Wed Jul 14 07:26:09 2010 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:01b006fd37878659f6f60ca0efdc2460

      Entrypoint Preview

      Instruction
      push 00418BE4h
      call 00007F0304A13965h
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      xor byte ptr [eax], al
      add byte ptr [eax], al
      inc eax
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [ebx-460B11FDh], bh
      sbb al, C4h
      dec edi
      mov al, byte ptr [9131EA78h]
      pop edx
      mov edi, 00000000h
      add byte ptr [eax], al
      add dword ptr [eax], eax
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      push ebx
      push 00000074h
      jc 00007F0304A139DDh
      imul esp, dword ptr [ebp+6Eh], 64h
      jnc 00007F0304A13973h
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add bh, bh
      int3
      xor dword ptr [eax], eax
      push cs
      psubd mm4, mm7
      xchg eax, ecx

      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x459f4 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x48000 | 0x2a156 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x238 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x134 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x44f28 | 0x45000 | False | 0.271176545516 | data | 4.83437034271 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x46000 | 0x148c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x48000 | 0x2a156 | 0x2b000 | False | 0.161876589753 | data | 3.15995554576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

      Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x71bee | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x71786 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x710be | 0x6c8 | data | |
RT_ICON | 0x70736 | 0x988 | data | |
RT_ICON | 0x6fe8e | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x6ede6 | 0x10a8 | data | |
RT_ICON | 0x6df3e | 0xea8 | data | |
RT_ICON | 0x6b996 | 0x25a8 | data | |
RT_ICON | 0x6776e | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16711679, next used block 4294934272 | |
RT_ICON | 0x622e6 | 0x5488 | data | |
RT_ICON | 0x58e3e | 0x94a8 | data | |
RT_ICON | 0x48616 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_GROUP_ICON | 0x48568 | 0xae | data | |
RT_VERSION | 0x48300 | 0x268 | MS Windows COFF Motorola 68000 object file | English | United States

      Imports

DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaDateVar, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaVarCopy, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

      Version Infos

Description | Data
Translation | 0x0409 0x04b0
InternalName | smedesvende
FileVersion | 1.00
CompanyName | Kareo
Comments | Kareo
ProductName | Kareo
ProductVersion | 1.00
FileDescription | Kareo
OriginalFilename | smedesvende.exe

      Possible Origin

Language of compilation system | Country where language is spoken
English | United States

      Network Behavior

      No network behavior found

      Code Manipulations

      Statistics

      Behavior


      System Behavior

      General

      Start time:22:42:54
      Start date:13/09/2021
      Path:C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
      Imagebase:0x400000
      File size:466944 bytes
      MD5 hash:E8BCEEA59B2074BD08BF68AB55ECDF3E
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Visual Basic
      Yara matches:
      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.544066668.00000000024E0000.00000040.00000001.sdmp, Author: Joe Security
      Reputation:low

      General

      Start time:22:45:05
      Start date:13/09/2021
      Path:C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
      Imagebase:0x400000
      File size:466944 bytes
      MD5 hash:E8BCEEA59B2074BD08BF68AB55ECDF3E
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000017.00000002.783554447.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
      Reputation:low

      Disassembly

      Code Analysis
